OpenVPN performance of the RT-AC86U

[JoeBee]

Sabai Technology offers preconfigured mini PCs (VPN Accelerator). Not inexpensive but if you don't want to be bothered setting up a system on your own it is a possibility. You probably can expect to get up-to 95% of your line speed using a VPN appliance. Never tested my VPN appliance with a full gig connection but I have no problems getting close to 700 Mbps on a VPN client on my network.

thanks that does sound ideal, trying to get my head around this Sabia VPN accelerator Z device, so its basically a mini pc with Sabia OS similar to merlin or tomato, with policy routing, kill switch, openVPN support?

I see the VPN accelerator has only 2 ethernet ports, one for the router/modem isp connection I guess and the other for openvpn, could a switch be used to hook up other devices, Pc, consoles, tv?

Glad you are getting 700Mbps at least, at least its possible to have good speeds given the issues with VPN providers, OpenVPN, WG, singe core openvpn etc

 

[CaptainSTX]

It's a credit card accelerator - $620 with VPN Pre-Configuration.

Yes as I mentioned not inexpensive but if you go the roll your own approach using PCs such as Quotoms from China with an I5 processor and four Ethernet ports are also expensive these days. Using a full size PC will be more power hungry. A Quotom with a laptop processor uses 14 watts.

Everyone has to decide what their ability level is and the value of their time is worth. Pfsense or another OS is going to have a learning curve. To some people saving $100 - $200 isn't worth the hassle so a preconfigured option is worth it to them.

In the end if you want VPN speed it comes with a price.

 

[sfx2000]

It's a credit card accelerator - $620 with VPN Pre-Configuration.

That is a lot of mark-up for what is basically a Zotac Zbox CI329 - one can pick up a barebones box on Amazon for $210 (US), drop in a 4gb DDR stick, along with a 128gb SSD - install ubuntu on it, and bob is your uncle - should be a fairly performant box, whether it is OpenVPN, or Wireguard...

(oh, BTW - OpenWRT is available for x86/amd64, might be a good place to start)

 

[CaptainSTX]

thanks that does sound ideal, trying to get my head around this Sabia VPN accelerator Z device, so its basically a mini pc with Sabia OS similar to merlin or tomato, with policy routing, kill switch, openVPN support?

I see the VPN accelerator has only 2 ethernet ports, one for the router/modem isp connection I guess and the other for openvpn, could a switch be used to hook up other devices, Pc, consoles, tv?

Glad you are getting 700Mbps at least, at least its possible to have good speeds given the issues with VPN providers, OpenVPN, WG, singe core openvpn etc

With a powerful enough processor it is possible to get that speed either with WireGuard or OpenVPN. Some VPN providers may not be able to support higher speeds and as always your distance from the server will impact the speed.

If you are interested I suggest that you contact Sabai as their pre and post sale technical support is A+ superior. No script kiddies just very knowledgeable individuals. Ruth Petty can make anything and everything work and if you want assistance she will dial into your system and tweak anything and everything.

 

[JoeBee]

That is a lot of mark-up for what is basically a Zotac Zbox CI329 - one can pick up a barebones box on Amazon for $210 (US), drop in a 4gb DDR stick, along with a 128gb SSD - install ubuntu on it, and bob is your uncle - should be a fairly performant box, whether it is OpenVPN, or Wireguard...

(oh, BTW - OpenWRT is available for x86/amd64, might be a good place to start)

thanks that was one I missed with OpenWRT on x86/amd pc, had a quick check but it feels similar to pfsense and others so requires a bit of a learning curve, I was more looking for something user friendly and plug and play like Merlins firmware is.

I have used pfsense off a mini pc but its a steep learning curve for myself, especially when you factor in policy routing and kill switch and making sure its rock solid also. Lots of VPN providers have pfsense guides, but they are either out dated, not as secure or miss policy routing etc

 

[JoeBee]

With a powerful enough processor it is possible to get that speed either with WireGuard or OpenVPN. Some VPN providers may not be able to support higher speeds and as always your distance from the server will impact the speed.

If you are interested I suggest that you contact Sabai as their pre and post sale technical support is A+ superior. No script kiddies just very knowledgeable individuals. Ruth Petty can make anything and everything work and if you want assistance she will dial into your system and tweak anything and everything.

Thanks I will ask their support my questions see how it goes. As long as Sabai os is similar to Asusmerlin and plug and play with easy policy routing and kill switch its probably going to be the best solution for me.

 

[JoeBee]

It's a credit card accelerator - $620 with VPN Pre-Configuration.

Thinking about this a bit more you and sfx have a good point, sounds like this VPN accelerator is just a minipc box with OpenVPN client running, which one might be able to do with a much cheaper 2nd hand mini pc or nuc.

I think this accelerator might sit between the ISP router and the Asus 86u, so basically pumps out a full OpenVPN performance since the 86u wont be doing that no longer, maybe then the 86u can just do the policy routing and kill switch business.

Not as network savvy so might be off on that bit

I think I will try some experimenting, see what I can come up with at least I know I can simply set my PC or another device to WAN (clear net) and use my Client software with mullvad to get full VPN speeds of 350Mbps+.

 

[Tech9]

maybe then the 86u can just do the policy routing and kill switch business.

No. It has to be done on the box. I don't know what the software they offer is capable of.

 

[JoeBee]

No. It has to be done on the box. I don't know what the software they offer is capable of.

basically they said the VPN accelerator has 2 ethernet ports:-
Left network port (WAN) connects to the isp router/modem
Right network port (LAN) connects to the Asus router

All the VPN accelerator does is run Openvpn, rest of the firewall and routing stuff they said its handled by the Asus 86u, so I think that means the policy routing, kill switch and rest of features.

They quoted $400 for just the software, but this comes with no support or guarantee it would work on any PC, hardware or router set up, so its pretty much easier to buy the entire accelerator unit.

 

[Tech9]

so I think that means the policy routing, kill switch and rest of features.

No. You can’t have policy based routing. Your router won’t know you are running VPN. What’s the general idea with this VPN?

 

[JoeBee]

No. You can’t have policy based routing. Your router won’t know you are running VPN. What’s the general idea with this VPN?

Ok that was where I was getting confused with, their tech team were a bit vague when I asked them directly if the Asus still does the policy routing and kill switch alongside the vpn accelerator, since that was my main buying point.

General idea with my VPN set up was just to try and get my full bandwidth speeds with openvpn, losing a good 35-40% speeds in general. I prefer the Asus router handling the VPN work load with its kill switch, but sure I can set my PC to wan (clear net) and simply use the Client software to get max speeds. I think that is the easiest and cheapest option.

 

[Tech9]

I don't run VPN client on my firewall. VPN is used when needed and on-device. My advice to you is to do the same.

 

[PR3MIUM]

Got upgraded to 350Mbps free from my ISP today, Asus Ac86u still only getting 186Mbps while under MullvadVPN openvpn though. If I go with normal internet connection WAN and Mullvad software hit 340Mbps though so the server appears fine.

I take it there is not much I can do and limited by the Asus Ac86u processor here?

Have tried 384.19, 386.3, 386.4 beta firmware's also, qos and AI switched off also.

SIP and DOCSIS, users without VPN are coming first (called burning the wire/line).
For me 150Mbits over VPN max. with a 250Mbits without.

 

[BosseSwede]

Picking up this thread I just found...
I have two locations (home and cottage) where I have had fiber at home for 8 years and just got fiber at the cottage.
At home I use an ASUS RT-AC86U (the topic of this thread) and at the cottage I have set up an ASUS RT-AC68U.
Ther cottage LAN and the home LAN use different network IP ranges (192.168.117.x and 192.168.119.x)
The cottage router connects to my home OpenVPN server (an Ubuntu Server 20.04.3) in order to connect the cottage LAN to the home LAN for all devices there.
And I have a ccd directive that issues an iroute when the cottage LAN connects in order for the home LAN devices to be able to access the cottage LAN devices.
Finally I have a route entry on my home router to direct the 192.168.117.x traffic via the OpenVPN server.
The VPN connection is only for the home LAN so all other traffic on the cottage LAN will travel through the router gateway to the Internet.

This works well in principle but transfers are a bit slow...

This is what I have done in the server side conf regarding cipher and routing etc after reading posts on page 2 of this thread:

cipher AES-256-CBC
#Disable compression and push this to the client
comp-lzo no
push "comp-lzo no"
client-config-dir /etc/openvpn/ccdl
route 192.168.117.0 255.255.255.0
client-to-client
push "route 192.168.117.0 255.255.255.0"

Additionally I have this in the ccd directive for the cottage router client where I have changed the cipher according to page 2 of this thread:

iroute 192.168.117.0 255.255.255.0
#Disable compression and push it to the client
comp-lzo no
push "comp-lzo no"
#Set different cipher for the ASUS router client
cipher AES-128-GCM
push "cipher AES-128-GCM"

And finally I have this in the client ovpn file:

cipher AES-256-CBC
comp-lzo

The client ovpn file was installed in the router before I was aware of the transfer speed problems, that is why I have now changed it on the server side so it pushes the new cipher and comp settings on connection.

And this raises the question:
How can I check that this works?
The cottage is 100 km away and was set up with the fiber installation on Feb 9th, so now I have only LAN-LAN connectivity to it...

If I stop the VPN server service then the connection will obviously stop working, but I think that the client keeps on running for reconnection asap and I don't know if it will re-read the ovpn file content when it does.
Nor do I know if the server side will regard the reconnection as a new connection and push the new settings according to the ccd settings...

Any suggestions on how to proceed to get this working with the faster cipher?

 

[BosseSwede]

I got advice from the OpenVPN list:
Just restart the server service the connection is tied to and the connection cycle will be repeated.
So:

sudo systemctl restart openvpn-server@serverlocal

 

[doczenith1]

I'm no expert here so hopefully the smart folks will chime in and correct any erroneous statements that I may make.

In my limited research it seems as if the ChaCha20-Poly1305 cipher performs better on non-AES-NI capable routers (AC68U) than the GCM ciphers which perform better on AES-NI capable routers (AC86U). It may be worth a few minutes of your time to test the ChaCha20-Poly1305 cipher and see if you get any performance gains.

I also on occasion use my old 68U to connect to my 86U via a VPN and if my memory serves me correctly (it's been a while since I tested) the ChaCha20-Poly1305 cipher had similar speeds downloading from the 86 to the 68 but uploads were quite a bit faster.

 

[L&LD]

Small correction. It's just 'AES', AES-NI is for Intel CPUs.

 

[JTnola]

Remove those buffer tweaks, and make sure you use Client 1, 3 or 5 for best CPU allocation. Clients 2 and 4 will share CPU time with other network services

What’s the story with the buffer tweaks?
sndbuf
rcvbuf

 

[JoeBee]

I eventually did hop over and convert to openwrtx86 as recommended by sxf2000 a few years ago oddly.

Openwrtx86 to me it does require a bit of a learning curve but its easier then pfsense/opensense and it feels closest to the Asus merlin set up with ease of use, the layout screens looks like a router GUI at least and an uncomplicated menu system.

For simplicity nothing will beat the Asus merlin routers and Merlins great work on it though, but for performance and stability I went with the CWWK 6 port x 2.5g i226 ethernet mini router box roughly £200 for the kit and £60 for the ram/ssd. It was still similar priced going with the ASUS ROG Rapture GT-AX6000 which was the other option I had.

With everything set up with openwrtx86 though I can run my VPN provider with Wireguard and with pbr addon (policy routing) fairly easily at max speeds should have no issues with 1Gbps on it. Power draw was important I hit 8.5-9 watts idle, 15watt max. If anyone is interested in openwrtx86, I recommend checking out Vantech Corner YT videos.

An odd journey no doubt but somehow got there in the end.

 

[Tech9]

An odd journey no doubt but somehow got there in the end.

Your little box is more capable than any home router available today and perhaps years from now.