OpenVPN performance

I have an Asus AC68U on FiOS 50M/50M and VPN Unlimited and I'm limited to around 30Mbps using "Default" encryption cipher. From reading this, it sounds like I might get some higher speeds using AES-128-CBC. Is that correct?

But, I've tried all of the AES options and I can't connect to the VPN using any of them. The only option that seems to work other than default is BF-128.

Does that mean that VPN Unlimited doesn't support AES and only supports Blowfish?
When using AES
Yes, that makes sense, but I can't get OpenVPN to work using anything other than Default or Blowfish encryption cipher. I assume default must be Blowfish then. If I choose any of the AES options, I can't access the internet and the VPN disconnects after a few seconds or so. Would that be normal that I can't use any of the AES options?
Try looking at my settings above, port 1196 for AES.
 
I'm away for a few days, so I'll try that when I get back. In the meantime, here's what VPN Unlimited support said. Not quite sure what it means.
___
You can check the instructions published on our web site:
https://www.vpnunlimitedapp.com/ddwrtsetup

We use Blowfish CBC as Encryption Cipher, however, AES is used for TLS Cipher

It means they only support Blowfish CBC for data encryption (which is same as "default" when you pick in the drop-down GUI in asuswrt/merlin).

You can try with encryption set to "none" and see if your provider supports it. As mentioned in a few places and by quite numerous knowledgeable individuals, most likely people don't need encryption between your router and your VPN provider.

Or you can request VPN Unlimited to support AES-128-CBC... it's the fastest encryption algorithm at the moment on Asus ARM routers.
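
Why "Default" and Blowfish connect while the AES options and "none" do not, as an added example that is not part of the original posts: the data-channel `cipher` has to be the same on both ends, and `tls-cipher` is a separate setting. It assumes OpenVPN 2.3 behaviour (no cipher negotiation, BF-CBC when no `cipher` line is present); the config contents and the function names `data_cipher` and `check_pair` are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample configs are constructed, not the provider's real files.
# Assumption: OpenVPN 2.3 behaviour (no data-channel cipher negotiation,
# BF-CBC used when a config has no "cipher" line).

# Print the data-channel cipher selected by the config file in $1.
# "tls-cipher" is a different directive (control channel) and is ignored here.
data_cipher() {
    awk '
        { sub(/\r$/, "") }                # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }            # skip comment lines
        $1 == "cipher" { c = $2 }         # keep the last "cipher" line seen
        END { print (c == "" ? "BF-CBC" : c) }
    ' "$1"
}

# Compare client ($1) and server ($2); print a verdict, return 1 on mismatch.
check_pair() {
    c=$(data_cipher "$1")
    s=$(data_cipher "$2")
    if [ "$c" = "$s" ]; then
        echo "match: both sides use $s"
    else
        echo "mismatch: client $c, server $s"
        return 1
    fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Server as support described it: Blowfish CBC for data, AES for the TLS cipher.
printf 'proto udp\ntls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA\ncipher BF-CBC\n' > "$demo_dir/server.conf"
# Three client variants matching the GUI choices tried in the thread.
printf 'client\nproto udp\n' > "$demo_dir/default.ovpn"
printf 'client\n# cipher BF-CBC\ncipher AES-128-CBC\n' > "$demo_dir/aes.ovpn"
printf 'client\ncipher none\n' > "$demo_dir/none.ovpn"

for f in default aes none; do
    printf '%s: ' "$f"
    check_pair "$demo_dir/$f.ovpn" "$demo_dir/server.conf" || true
done
```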
 
I grabbed the low-hanging fruit by setting "Hardware NAT" to Disable. Seems to me the TUN device and Broadcom's CTF module not only cannot get along in the little kernel but get into intense litigation. My tests were done on 378.55.

People having a similar performance issue may give it a try. Please provide feedback on your results. I would like to hear if you observe the same, in particular
  1. Openvpn Server throughput is much lower when "Hardware NAT" is set to Auto
  2. CPU utilisation is much higher (mostly by SIRQ up to 90%) when "Hardware NAT" is set to Auto (and the Tools page indicates it's indeed enabled).
EDIT: A better way to show CPU utilisation is to telnet/ssh/putty into Asus, type "top -d1" and then press "1". Please report both CPU0 & CPU 1 utilization at the top of the screen.

OMG. THANK YOU THANK YOU THANK YOU!!!!

I have the ac68u and after trying every trick in the book, I could never get over 20mbps down over openvpn. Turning off hardware NAT and boom! problem solved. It's now using my full down link ~36Mbps.

You don't know how happy this has made me. I thought I had hit the CPU limit of this router and had given up.

Also I noticed using merlin (380.57) build (thanks Rmerlin, already donated to your worthy cause) that openvpn was sitting on CPU0 and this has been discussed in this thread that on merlin builds VPN client 1 is supposed to be on CPU1. I changed it with taskset -p 2 and noticed it was originally set to 3, i.e. auto.

Tried moving it to VPN client 2 and it's now using cpu1.
 
It means they only support Blowfish CBC for data encryption (which is same as "default" when you pick in the drop-down GUI in asuswrt/merlin).

You can try with encryption set to "none" and see if your provider supports it. As mentioned in a few places and by quite numerous knowledgeable individuals, most likely people don't need encryption between your router and your VPN provider.

Or you can request VPN Unlimited to support AES-128-CBC... it's the fastest encryption algorithm at the moment on Asus ARM routers.
None didn't work when I tried that and I don't see them adding a new encryption cipher just for me, so I guess I'll be at the speed I'm at whilst using this combo.
 
The newest ARM CPUs have hardware-accelerated crypto; according to a test on AnandTech, the A53 is more than 1800% quicker with AES than the A7.

Insane performance improvements.

I'm afraid OpenVPN cannot keep up with the speedy encryption. So we will end up with much lower CPU utilisation but not categorically faster throughput.
 
None didn't work when I tried that and I don't see them adding a new encryption cipher just for me, so I guess I'll be at the speed I'm at whilst using this combo.

Not adding only for you..but for the benefit of VPN Unlimited customers.

By the fact that this provider thinks Blowfish is fastest since it is least computationally intensive, I'm afraid they're an amateur provider like we (this thread's participants) were a few months back.
 
Hi, just some feedback from an AC68U user.

Previously I had 8-9 Mbps with OpenVPN on PIA. After disabling hardware NAT, using VPN client 2 (hence the OpenVPN process runs on the second core) and overclocking it to 1200/800MHz, the speed has increased to 50Mbps+. It maxes out my connection.

I am running ASUSWrt-Merlin 380.57.

Thanks a lot for your pointers.
 
Hi, just some feedback from an AC68U user.

Previously I had 8-9 Mbps with OpenVPN on PIA. After disabling hardware NAT, using VPN client 2 (hence the OpenVPN process runs on the second core) and overclocking it to 1200/800MHz, the speed has increased to 50Mbps+. It maxes out my connection.

I am running ASUSWrt-Merlin 380.57.

Thanks a lot for your pointers.
I may be wrong, but didn't rmerlin say he changed VPN client 1 to use CPU 2? Odd clients use CPU 2, even clients use CPU 1, no?
 
Hi, just some feedback from an AC68U user.

Previously I had 8-9 Mbps with OpenVPN on PIA. After disabling hardware NAT, using VPN client 2 (hence the OpenVPN process runs on the second core) and overclocking it to 1200/800MHz, the speed has increased to 50Mbps+. It maxes out my connection.

I am running ASUSWrt-Merlin 380.57.

Thanks a lot for your pointers.

Would you share your PIA setup?
I have PIA on my Merlin AC88U, and my cable is 150/10. However, my OpenVPN performance is capped at 30Mbps. When I use the PIA software, I have no problem hitting 170Mbps.
 
My settings...

[Attached screenshots: settings.PNG, set.PNG]
 
Hi, just some feedback from an AC68U user.

Previously I had 8-9 Mbps with OpenVPN on PIA. After disabling hardware NAT, using VPN client 2 (hence the OpenVPN process runs on the second core) and overclocking it to 1200/800MHz, the speed has increased to 50Mbps+. It maxes out my connection.

I am running ASUSWrt-Merlin 380.57.

Thanks a lot for your pointers.

Hooray! That's tonnes of performance increase. Glad to see another happy OpenVPN user.
 
This issue has puzzled me ever since my discovery. With luck, I found a cure.

The issue was that with HW NAT on, speedtest.net shows 5Mbps/15Mbps over OpenVPN (wire speed 100Mbps full duplex). With HW NAT off, speedtest.net goes back to normal (60-ish Mbps down/up).

I had a weird idea last night and found a couple of CTF drivers in the firmware repository. What if playing a mix&match..? Boom, indeed one set is better!

I've come to realise turning off HW NAT is really not a cool thing, regardless of how you may think it's not absolutely necessary. Now, I don't have to.

CPU utilisation of speedtest.net over OpenVPN. The chart is taken when speedtest.net reports ~68Mbps down/up (core 2 runs OpenVPN server. CPU clock 1.4GHz).

[Image: 1zgqnuh.png]

Originally without HW NAT, I can achieve similar speed but core 1 will be near 100%.

I can't be happier with the little AC56U. Just not sure on its successor..

I registered to say a big THANK YOU for this post!
This issue has bugged me since I got my Asus RT-AC87U router.
I have a Linux based satellite box acting as an OpenVPN server in my network and I was getting around 20mbit/sec VPN speed from it (on a 24 mbit link) but only around 6-7 mbit/sec from the Asus RT-AC87U router.
After turning HW NAT off I can confirm I am getting around the same 20 mbit/sec VPN speed from the Asus router with lower CPU usage.
 
Advanced settings -> Lan -> Switch control -> NAT acceleration = Disabled
Is this safe? I disabled this and got much better speed, but why do I have a problem connecting over wifi with my other devices?
 
I think it's safe, the documentation says that the NAT traffic will be processed by the CPU.
So the only thing you should experience is increased CPU usage.
 