OpenVPN performance of the RT-AC86U

And also add this to the custom settings:

Code:
txqueuelen 1000

From the OpenVPN documentation.

--txqueuelen n
(Linux only) Set the TX queue length on the TUN/TAP interface. Currently defaults to 100.

Don't you just love explanations like this. :)

Reminds me of all that wonderful documentation you find in the BIOS settings.
 
From the OpenVPN documentation.

--txqueuelen n
(Linux only) Set the TX queue length on the TUN/TAP interface. Currently defaults to 100.

Don't you just love explanations like this. :)

Reminds me of all that wonderful documentation you find in the BIOS settings.

They provide little details because it's a Linux networking parameter really, not an OpenVPN one. Try a Google search on "Linux txqueuelen" for a number of articles on the topic.
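Since `txqueuelen` is a Linux interface parameter, the kernel exposes both the current value and the interface's TX drop counter under `/sys/class/net`, which lets you check whether the tunnel queue is overflowing before changing the setting. This is an added example, not part of the original posts; the interface name `tun11` and the `SYSFS_ROOT` override are assumptions.

```shell
#!/bin/sh
# Added example: report the TX queue length and TX drops of a tunnel interface.
# SYSFS_ROOT is a hypothetical override so the function can be pointed at a
# test directory; on a real Linux system it defaults to /sys/class/net.

txq_report() {
    iface=$1
    want=${2:-1000}                      # value suggested in the thread
    root=${SYSFS_ROOT:-/sys/class/net}
    dir="$root/$iface"

    if [ ! -r "$dir/tx_queue_len" ]; then
        echo "$iface: no such interface"
        return 2
    fi

    qlen=$(cat "$dir/tx_queue_len")
    drops=$(cat "$dir/statistics/tx_dropped" 2>/dev/null || echo 0)

    # A short queue combined with a non-zero drop counter means packets were
    # discarded before they could be handed to the VPN process.
    if [ "$qlen" -lt "$want" ] && [ "$drops" -gt 0 ]; then
        echo "$iface: txqueuelen=$qlen tx_dropped=$drops -> drops seen, try txqueuelen $want"
        return 1
    fi
    echo "$iface: txqueuelen=$qlen tx_dropped=$drops -> ok"
    return 0
}
```

Call it as `txq_report tun11` while a speed test is running, then again after changing the setting, and compare the drop counter.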
 
I have been using the AC86U for a bit less than two years. Soon I'll upgrade my internet plan, so I'm wondering if there's any new Asus router model that has better OpenVPN performance, or is my AC86U still the fastest for VPN usage?
 
I have been using the AC86U for a bit less than two years. Soon I'll upgrade my internet plan, so I'm wondering if there's any new Asus router model that has better OpenVPN performance, or is my AC86U still the fastest for VPN usage?

The AC86U (and the similarly specced RT-AX88U) are still their fastest products in terms of OpenVPN throughput.
 
Unsure why the multicore version doesn't fully load all four cores however - maybe it might be the case if more than one client was connected at once.
It looks like bcmspu has its own queue.
I confirmed that "Message send failures" increased under high load.

After one speedtest with the default IPsec server (on a 500/500 Mbps connection):
Message send failures..4188

The router's bcmspu is closed source, but the Linux tree has its source code (maybe they are slightly different).
https://github.com/torvalds/linux/blob/master/drivers/crypto/bcm/util.c#L448
https://github.com/torvalds/linux/blob/master/drivers/crypto/bcm/cipher.c#L247
 
Would like to share the good news that RT-AC86U is actually capable of 270Mbps with OpenVPN.
Speedtest by Ookla, Total Server Solutions to Fiber Stream servers, both in the same city, ping 10ms.

I have upgraded my ISP plan recently and I can see now up to 277Mbps down speeds using NordVPN local server UDP connection, AES-256-GCM cipher. CPU load reaches 100% on Core 2, so this must be the hardware limits with current OpenVPN software version.

The router is running Asuswrt-Merlin 384.12 firmware.
IPv4 only, IPv6 disabled, no TrendMicro services, no User Scripts, Runner and Float Cache enabled.
 
I've hit 341 on the upload side. This is PIA with AES-128-GCM.
 
Fun stuff - WG over MIPS...

Code:
root@mipsbox:~# cat /proc/cpuinfo
system type : Atheros AR9330 rev 1
machine : GL.iNet GL-AR150
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 265.42
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16
Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit nan_legacy nan_2008 perf
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available

WG is fast... not just on ARM..

Code:
root@mipsbox:~# iperf3 -c 192.168.1.20 -M 1400 -N -l 64K -t 30 -Z
Connecting to host 192.168.1.20, port 5201
[  5] local 192.168.1.145 port 40534 connected to 192.168.1.20 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  9.55 MBytes  80.1 Mbits/sec    0    210 KBytes      
[  5]   1.00-2.00   sec  10.1 MBytes  85.1 Mbits/sec    0    224 KBytes      
[  5]   2.00-3.00   sec  9.95 MBytes  83.5 Mbits/sec    0    224 KBytes     
[  5]   3.00-4.00   sec  10.1 MBytes  85.1 Mbits/sec    0    234 KBytes     
[  5]   4.00-5.00   sec  9.89 MBytes  83.0 Mbits/sec    0    263 KBytes      
[  5]   5.00-6.00   sec  10.0 MBytes  84.0 Mbits/sec    0    263 KBytes      
[  5]   6.00-7.00   sec  10.2 MBytes  85.6 Mbits/sec    0    263 KBytes      
[  5]   7.00-8.00   sec  9.95 MBytes  83.5 Mbits/sec    0    263 KBytes      
[  5]   8.00-9.00   sec  9.95 MBytes  83.4 Mbits/sec    0    263 KBytes      
[  5]   9.00-10.00  sec  9.95 MBytes  83.6 Mbits/sec    0    263 KBytes      
[  5]  10.00-11.00  sec  10.2 MBytes  85.9 Mbits/sec    0    396 KBytes      
[  5]  11.00-12.00  sec  10.0 MBytes  84.0 Mbits/sec    0    396 KBytes      
[  5]  12.00-13.00  sec  10.0 MBytes  84.2 Mbits/sec    0    396 KBytes      
[  5]  13.00-14.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  14.00-15.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  15.00-16.00  sec  10.2 MBytes  85.6 Mbits/sec    0    396 KBytes      
[  5]  16.00-17.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  17.00-18.00  sec  10.1 MBytes  84.6 Mbits/sec    0    396 KBytes      
[  5]  18.00-19.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  19.00-20.00  sec  10.0 MBytes  84.0 Mbits/sec    0    396 KBytes      
[  5]  20.00-21.00  sec  10.1 MBytes  85.1 Mbits/sec    0    396 KBytes      
[  5]  21.00-22.00  sec  9.89 MBytes  82.9 Mbits/sec    0    396 KBytes      
[  5]  22.00-23.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  23.00-24.00  sec  10.3 MBytes  86.1 Mbits/sec    0    396 KBytes      
[  5]  24.00-25.00  sec  10.0 MBytes  84.0 Mbits/sec    0    396 KBytes      
[  5]  25.00-26.00  sec  9.95 MBytes  83.5 Mbits/sec    0    396 KBytes      
[  5]  26.00-27.00  sec  10.0 MBytes  84.0 Mbits/sec    0    396 KBytes      
[  5]  27.00-28.00  sec  10.0 MBytes  84.0 Mbits/sec    0    396 KBytes      
[  5]  28.00-29.00  sec  10.1 MBytes  84.4 Mbits/sec    0    396 KBytes      
[  5]  29.00-30.00  sec  10.1 MBytes  84.5 Mbits/sec    0    396 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec   301 MBytes  84.0 Mbits/sec    0             sender
[  5]   0.00-30.00  sec   300 MBytes  84.0 Mbits/sec                  receiver
iperf Done.

Board is 100Base-T, so looks good enough..

Openssl performance - not such a big deal... I'll leave your head scratching here..

Code:
root@mipsbox:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 592413 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 218047 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 61929 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 15967 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 2019 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 1011 aes-128-cbc's in 3.00s

OpenSSL 1.1.1d  10 Sep 2019
built on: Fri Oct  4 18:42:26 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr) 

compiler: ccache_cc -fPIC -pthread -mabi=32 -Wa,--noexecstack -Wall -O3 -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM -DOPENSSL_SMALL_FOOTPRINT

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       3159.54k     4651.67k     5284.61k     5450.07k     5513.22k     5521.41k

Cool, eh?
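To put the two outputs above on the same scale, the script below converts the `openssl speed` row (1000s of bytes per second) to Mbit/s and sets it against the iperf3 receiver rate; WireGuard encrypts with ChaCha20-Poly1305 rather than AES, so the AES-128-CBC figure is not a ceiling for it. This is an added example, not part of the original post; the sample lines are copied from the post and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the sample lines are copied from the outputs in the post above.

sample_openssl() { cat <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       3159.54k     4651.67k     5284.61k     5450.07k     5513.22k     5521.41k
EOF
}

sample_iperf() { cat <<'EOF'
[  5]   0.00-30.00  sec   301 MBytes  84.0 Mbits/sec    0             sender
[  5]   0.00-30.00  sec   300 MBytes  84.0 Mbits/sec                  receiver
EOF
}

# Print "<block size> <Mbit/s>" for each column of one cipher row.
# openssl reports 1000s of bytes per second, so Mbit/s = value * 8 / 1000.
speed_to_mbps() {            # $1 = cipher name, stdin = `openssl speed` output
    awk -v cipher="$1" '
        $1 == "type" { for (i = 2; i <= NF; i += 2) size[i / 2] = $i }
        $1 == cipher {
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/k$/, "", v)
                printf "%s %.1f\n", size[i - 1], v * 8 / 1000
            }
        }'
}

# Print the receiver-side bitrate (Mbit/s) from iperf3 client output.
iperf_receiver_mbps() {
    awk '$NF == "receiver" { for (i = 1; i <= NF; i++) if ($i == "Mbits/sec") print $(i - 1) }'
}

# Ratio of the best cipher rate to the measured tunnel rate.
cipher_vs_tunnel() {         # $1 = cipher Mbit/s, $2 = tunnel Mbit/s
    awk -v c="$1" -v t="$2" 'BEGIN { printf "%.2f\n", c / t }'
}

peak=$(sample_openssl | speed_to_mbps aes-128-cbc | tail -n 1 | cut -d' ' -f2)
tunnel=$(sample_iperf | iperf_receiver_mbps)
echo "aes-128-cbc peak ${peak} Mbit/s, tunnel ${tunnel} Mbit/s, ratio $(cipher_vs_tunnel "$peak" "$tunnel")"
```

On a live box, pipe the real command output into `speed_to_mbps` and `iperf_receiver_mbps` instead of the sample functions.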
 
I have a query about policy rules on an OpenVPN connection, say NordVPN or any VPN provider, on the AC86U: if I used policy rules and set my satellite box to use WAN instead of OpenVPN or NordVPN, will it use the ISP DNS?

Or is there a way to set this manually?

I have not bought the AC86U, but I'm just tempted; for certain devices or tablets I need the real ISP IP and especially the ISP DNS, otherwise it won't work.

Appreciate any advice. I'm not so network savvy, but I like the ease of use and setup of the AC86U.
 
Or is there a way to set this manually.

Yes.

1. Connected through VPN tunnel devices may use:
a) VPN's own DNS exclusively
b) DNS servers set in WAN DNS Settings only
c) Both VPN's own and the ones set in WAN DNS Settings
This is what the "Accept DNS Configuration" setting in the OpenVPN Client configuration does.

2. Connected through WAN devices may use:
a) DNS listed in WAN DNS Settings
b) Different DNS servers per device, set on the router (with the help of DNSFilter or YazFi Script)
c) DNS servers set on the devices, if devices have DNS settings available

Many options are available.

First, make sure you really want to run the VPN Client on the router. It has both advantages and drawbacks.
 
Yes.

1. Connected through VPN tunnel devices may use:
a) VPN's own DNS exclusively
b) DNS servers set in WAN DNS Settings only
c) Both VPN's own and the ones set in WAN DNS Settings
This is what the "Accept DNS Configuration" setting in the OpenVPN Client configuration does.

2. Connected through WAN devices may use:
a) DNS listed in WAN DNS Settings
b) Different DNS servers per device, set on the router (with the help of DNSFilter or YazFi Script)
c) DNS servers set on the devices, if devices have DNS settings available

Many options are available.

First, make sure you really want to run the VPN Client on the router. It has both advantages and drawbacks.


Thank you very much, I had no idea the AC86U would give me the ability to have so many options. I prefer the VPN client on the router since I have multiple devices that could benefit from being under a VPN.
 
It will give you other "options" too:
https://www.snbforums.com/threads/rebooting-and-stability.60611/#post-532765
I do not recommend purchasing RT-AC86U anymore.

Ouch, just when I thought I had found the perfect solution in the AC86U. I was just thinking if this router would be stable, STABLE, the kind of thing you just want to set up and get back to everything else. Still, it does appear that the other chap flashed his twice and reset defaults.

I wonder if the problem exists with the stock Asus firmware or not.

Maybe the Asus RT-AX88U may be more fixed and stable hardware-wise.
 
Yes, all firmware versions, both Asuswrt and Asuswrt-Merlin.



Yes, fewer reported issues with this model. It's much more expensive though.

Thanks, always good to know about these issues before jumping on board. The cheapest AX88U I can see is still around £255, so almost 2x the normal cost; double the RAM, so maybe that has helped a bit with the stability.
 
Thanks, always good to know about these issues before jumping on board

There is a Plan B using cheaper RT-AC86U:
Do not activate TrendMicro components and File Share services. Use the router as a router, this is what it does best. AiProtection is not the best software to protect your network; Adaptive QoS may not be needed if you have fast enough ISP connection; Parental Controls may be implemented using DNSFilter options; your router is not a NAS replacement device, etc. Basic setup with VPN Server/Client running is stable, RAM usage stays on about 55-60% utilization, no memory leaks, can go like this forever. You can't fix the reboot issue though. Just don't reboot the router when you have no physical access to it.
 
There is a Plan B using cheaper RT-AC86U:
Do not activate TrendMicro components and File Share services. Use the router as a router, this is what it does best. AiProtection is not the best software to protect your network; Adaptive QoS may not be needed if you have fast enough ISP connection; Parental Controls may be implemented using DNSFilter options; your router is not a NAS replacement device, etc. Basic setup with VPN Server/Client running is stable, RAM usage stays on about 55-60% utilization, no memory leaks, can go like this forever. You can't fix the reboot issue though. Just don't reboot the router when you have no physical access to it.


Cheers, I was just thinking of switching off those services, but glad you mentioned it's possible. I tend to stick with hard-wired LAN on all devices where possible, apart from the mobiles/tablets; 50 meg broadband, so it's overkill with just one user and laptop! I don't use NAS or shared storage, all hard-wired storage only. I think with a bit of tweaking I can manually disable half, maybe all, of the options shown here also:

https://www.asus.com/support/FAQ/1012070/
 
I think with a bit of tweaking can manually disable half maybe all the options

Not much tweaking needed, you just need to withdraw from data sharing with TrendMicro in Administration -> Privacy and all TrendMicro components will get disabled automatically. Then you can use your router with no need to reboot it periodically due to low RAM, run VPN with no issues, run firewall enhancement and ad-blocking scripts (Skynet, Diversion) if you like, set custom DNS with malware blocking and/or content blocking, experiment with Traditional QoS (works well, actually), use the built-in bandwidth monitor, etc. So, no real need to use TrendMicro services. Again, just don't attempt to reboot the router when you have no physical access to it. The issue happens only during soft reboot. If you lose power, it will boot properly.
 
Having used the AC86U, it's still a nice powerful router and probably one of the best on the market, and easy for anyone to really set up in 10-20 minutes and get on with everything else, but reading back the past 14 pages I can see why some may not advise this router.

With broadband speeds hitting 500Mbps and now 1Gb/s, it sounds like the AC86U would not be able to handle these kinds of speeds while under an OpenVPN client.

Has any AC86U owner hit 500Mbps+ broadband speeds under an OpenVPN client with, say, ExpressVPN or other?
 
I got 220+ Mbps as client through the RT-AC86U.
Running same connection through my PC with same encryption: 500 Mbps.

If you want higher speed than 220+ I advise you to go for VPN through WireGuard!

 
