OpenVPN performance

[sfx2000]

CTF is closed source, and completely out of my control. I don't even know how it works exactly, only Broadcom does.

Something inside the switching fabric black box...

 

[RMerlin]

Something inside the switching fabric black box...

It's more than that. There's some kernel-level stuff as well (that part is partly visible since they're kernel patches).

 

[sfx2000]

It's more than that. There's some kernel-level stuff as well (that part is partly visible since they're kernel patches).

Yep...

 

[MoBlues]

OMG. THANK YOU THANK YOU THANK YOU!!!!

I have the ac68u and after trying every trick in the book, I could never get over 20mbps down over openvpn. Turning off hardware NAT and boom! problem solved. It's now using my full down link ~36Mbps.

You don't know how happy this has made me. I thought i had hit the cpu limit of this router and had given up.

Also I noticed using merlin (380.57) build (thanks Rmerlin, already donated to your worthy cause) that openvpn was sitting on CPU0 and this has been discussed in this thread that on merlin builds VPN client 1 is supposed to be on CPU1. I changed it with taskset -p 2 and noticed it was originaly set to 3, ie auto.

Tried moving it to VPN client 2 and it's now using cpu1.

Could someone tell me where this "Hardware NAT" is?
Edited: [Advanced settings -> Lan -> Switch control -> NAT acceleration = Disabled]

Ahhh.... already have it Disabled. Same place where "Jumbo Frame" is located but no luck on that one.

I am running 380.57 on AC-66R. I'm only getting 9.5Mb/down [Paying 50Mb Down/4Mb Up] and I'm forced to use AES-256-CBC by my VPN Provider (PureVPN), but they recommended I go to PPTP if I want to reduce the cipher down to 128. I cannot do that since I have policy based routing in place which is really great to have! I have disabled QoS and tried the Jumbo Frames on the LAN side but that made the VPN fail to connect. My annual on my VPN expires June 2016 so I'll definitely be shopping for a better VPN provider then.

 

[RMerlin]

PPTP is nowhere close to AES-128-CBC in terms of security. For all intents and purposes, consider PPTP as having zero encryption, since it's been cracked years ago... Sounds like an odd recommendation from a company providing security services IMHO.

 

[MoBlues]

PPTP is nowhere close to AES-128-CBC in terms of security. For all intents and purposes, consider PPTP as having zero encryption, since it's been cracked years ago... Sounds like an odd recommendation from a company providing security services IMHO.

Good to know on PPTP, but really steering clear from it now since you enlighten me on that one! I'm only pay $3.75/mo. for PureVPN so guess that's about worth their security advice! I think I've optimized as much I can squeeze out of this router and VPN provider combo.

Now, my next little project is getting RMerlin's VPN_Flush script to be automated so that this "cosmetic" always behaves like this image attached as opposed to SSHD to run the nvram get and set (Thank you RMerlin!):

 

[DomFel]

@MoBlues use UDP protocol not TCP. Way faster.

 

[EnF70]

You don't need to change the CTF binary blobs or the kernel configuration anymore due to the commit I posted.

I applied the latest code to my AC87U but I don't see any improvement in OpenVPN with CTF enabled.
kvic mentioned that he managed to get better performance making those changes in 378.55 with CTF enabled.
So, question is, how can I replicate this with the latest code?
Are you sure no changes are needed? Not even CTF_PPTP_L2TP=n in "src-rt-6.x.4708/target.mak"?

 

[RMerlin]

I applied the latest code to my AC87U but I don't see any improvement in OpenVPN with CTF enabled.
kvic mentioned that he managed to get better performance making those changes in 378.55 with CTF enabled.
So, question is, how can I replicate this with the latest code?
Are you sure no changes are needed? Not even CTF_PPTP_L2TP=n in "src-rt-6.x.4708/target.mak"?

I never said anything about performance, only that you no longer needed to manually change these files to get the firmware to compile.

 

[EnF70]

I never said anything about performance, only that you no longer needed to manually change these files to get the firmware to compile.

I know you didn't
@kvic said he managed to get better performance with a different CTF driver and he mentioned some changes.
I assumed those changes were needed to select a different CTF driver (not to get the firmware to compile).

 

[MoBlues]

@MoBlues use UDP protocol not TCP. Way faster.

Going to try that out. Thanks @DomFel

 

[RMerlin]

Might be interesting to experiment with having all the OpenVPN traffic marked, to force it to bypass CTF.

 

[EnF70]

Might be interesting to experiment with having all the OpenVPN traffic marked, to force it to bypass CTF.

Any easy way to do that? I can test it.

Btw. OpenVPN doesn't work properly with CTF at all.
I did some more testing and even transferring a file from a HTTP server inside the VPN causes a VPN disconnect.
I didn't look at the router logs but the VPN connection goes down and then up again.
This doesn't happen when CTF is disabled.

 

[RMerlin]

Any easy way to do that? I can test it.

Ain't that simple to do unfortunately, it involves creating custom firewall scripts on the router.

 

[EnF70]

Ain't that simple to do unfortunately, it involves creating custom firewall scripts on the router.

That would be easy. Can you send me an example of how to mark the packets? I can write the firewall scripts.

 

[EnF70]

That would be easy. Can you send me an example of how to mark the packets? I can write the firewall scripts.

It seems to be working like this:

iptables -t mangle -A PREROUTING -i tun21 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i tun22 -j MARK --set-mark 1

Before
Speedtest Download speed: 6Mbit/sec, Upload speed: 10Mbit/sec
CPU usage

(first bump is download test, 2nd bump is upload test)

After
Speedtest Download speed: 20Mbit/sec, Upload speed: 10Mbit/sec
CPU Usage

Note: Speedtest executed on a VPN client routing all traffic through the VPN server.

 

[RMerlin]

Thanks for testing. That way, you can keep CTF enabled, just need to mark the VPN traffic so it can bypass it.

Now the big question is whether this is a temporary bug that will eventually be fixed by Broadcom, or if it would be better to implement this as a long-term solution in the firmware itself.

 

[spopinski]

It seems to be working like this:

iptables -t mangle -A PREROUTING -i tun21 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i tun22 -j MARK --set-mark 1

Before
Speedtest Download speed: 6Mbit/sec, Upload speed: 10Mbit/sec
CPU usage
View attachment 5590
(first bump is download test, 2nd bump is upload test)

After
Speedtest Download speed: 20Mbit/sec, Upload speed: 10Mbit/sec
CPU Usage
View attachment 5591

Note: Speedtest executed on a VPN client routing all traffic through the VPN server.

I want to try too. Where do I put the script, is it in the firewall-start folder?

Thanks

 

[EnF70]

I want to try too. Where do I put the script, is it in the firewall-start folder?

Thanks

This is my script:

cat /jffs/scripts/firewall-start

#!/bin/sh

iptables -t mangle -A PREROUTING -i tun21 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i tun22 -j MARK --set-mark 1

Verify after reboot that you have the rules in the PREROUTING chain by running:
iptables -L -t mangle -vn

Chain PREROUTING (policy ACCEPT 1974K packets, 1492M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
188K   26M MARK       all  --  tun22  *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1

 

[joegreat]

Hi,

I tested the pre-routing on my AC87U and have not seen any difference in CPU usage and VPN speed with it or without.

The only thing I recognize is that there is another pre-routing entry for vlan2 (WAN) in iptables - which I did not put in:

 pkts bytes target     prot opt in     out     source               destination
  181 11236 MARK       all  --  !vlan2 *       0.0.0.0/0            xxx.yyy.zzz.www        MARK set 0xb400

vlan2      Link encap:Ethernet  HWaddr 14:DD:A9:xx:yy:zz
           inet addr:xxx.yyy.zzz.www  Bcast:xxx.yyy.zzz.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:772058 errors:0 dropped:0 overruns:0 frame:0
           TX packets:835517 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:92394731 (88.1 MiB)  TX bytes:810119084 (772.5 MiB)

Is this already the entry which makes my CPU usage already low and VPN speed fast?