Please suggest best VPN to use that has a Wireguard config file on GT-AXE11000 w/388 firmware

Runner and Flow Cache are part of NAT acceleration in newer routers. If your ISP line is >350Mbps, this "fast" Wireguard VPN is perhaps slowing down the entire network, the WAN throughput. This is what I'm trying to find out and eventually warn the users with too high Wireguard expectations:

 
I just bought an AX86U this week and installed the new beta firmware. I am actually interested in finding what the most up-to-date workaround for the NordVPN WireGuard is. I am very excited to try to get it working; my network is gigabit and very much needs their VPN.
 
my network is gigabit and very much needs their VPN

Did you read the post just above yours?

You're not getting anywhere near Gigabit on VPN with a home router and a commercial VPN subscription for a few dollars a month.
 
Did you read the post just above yours?

You're not getting anywhere near Gigabit on VPN with a home router and a commercial VPN subscription for a few dollars a month.

So the general consensus is that if you want a VPN it's better to put it on whatever component you want going through the VPN with an app? Especially true with speeds of 1 gb

Also, I had WireGuard installed; I have since deleted the profile. Will the NAT automatically return to on?
Somehow the network feels a little sluggish even after the deletion?

CC
 
Will the NAT automatically return to on?

Unclear at the moment. You may need to reboot your router.

I can eventually test all of the above and report the results, but (1) I'm waiting for 388 stable release for AX86U because I don't want to test with beta firmware and (2) I have some 16.000km flights scheduled this month and limited time. Someone else may do it before me on AX88U with stable 388.
 
So the general consensus is that if you want a VPN it's better to put it on whatever component you want going through the VPN with an app? Especially true with speeds of 1 gb

It depends on your use case - how you plan to use it.

If you are someone who has one VPN tunnel, and everything is redirected down it, I can see how that might become an issue.

But I run multiple tunnels. I’m currently limited to 2 - but I need 3 or even 4.

Is this 350M limitation per tunnel? If so, then not an issue.

With the AXE16000 and a 6 GHz iPad, I plan on running 4 tunnels 24x7 so that they are always available when I need them. Just a matter of choosing the right SSID.

That is my use case.

FYI: I had a problem with the quoting, that’s why it states:

cc666 said:

It depends on your use case - how you plan to use it.

It was me, not you, cc666.
 
This has been my holy grail for years. It will soon be possible.

First of all, Asus will need to increase the maximum number of concurrent connections to 3 or 4 - it’s currently 2.

The VPN Fusion FAQ states that 4 is the max. number of concurrent connections, so I’m hoping that the current 2 is a result of the h/w, ie. AX88U, I’m using.

Secondly, there’s a really cool iOS feature that I stumbled across: Private WLAN Address. By enabling this, each Wifi interface gets a virtual MAC address - that means that each WiFi interface gets its own DHCP IP address.

That means that one 6 GHz iPad is seen as 3 separate devices by VPN Fusion, and can have 3 separate tunnels assigned to it. By changing the SSID on the iPad, you change the tunnels.

Some iPads will be configured for Switzerland, some for UK - for instance. I don’t need all 4 tunnels per iPad - 3 will be enough.

As each iPad is set up in the local language, with local Apple IDs, it is very clear from a user’s perspective.

I only need one TorGuard account to achieve this, and one router (AXE16000) should be enough.

You might think I’m mad, but I speak 6 languages well - and a couple of others fairly well. Those cultures are part of my life, so having access to digital content in those languages is important to me.

I might add that my TV has 4 Apple TVs connected to it. Each configured in the language of the tunnel it’s connected to.
 
The whole VPN juggling you are planning is not really necessary. Your iPads can process VPN locally much faster than your router and you can change the location with few clicks only without breaking the Wi-Fi connection. I don't understand the VPN obsession and why it has to be active 24/7.
 
I call it “just like being there”.

It’s also a family solution, not just for me.

I like to keep the complexity and configuration “server side” - this includes the router.

I want the user experience to be “just like being there”, and for me, I would prefer a set & forget setup.

My 13 year-old daughter, who’s already on her 5th language, has grown up with the idea: different SSIDs for different countries, and I want to keep it that way.

If VPN Fusion supported 6 concurrent connections, I would add a Japanese and Italian Apple TV to my setup - but for now, 4 is my core. Apple TV is one very good reason why it needs to be router-based.
 
You can do everything you want on your current AX88U router, Asuswrt-Merlin firmware, 4x OpenVPN clients and YazFi custom script.
 
Yes, I know that.

But I’ve become a lazy GUI user, even though I started out programming machine code.

And I’m getting 2-3 times the performance out of WireGuard than I got with OpenVPN - using the same provider, location and router!

Now that I’ve got my head around VPN Fusion, I will keep heading down that path until I encounter a roadblock.

By that time, Merlin should be running solidly on 388 with WireGuard. No doubt he will work his magic on that platform too.
 
Yes, I know that.

But I’ve become a lazy GUI user, even though I started out programming machine code.

And I’m getting 2-3 times the performance out of WireGuard than I got with OpenVPN - using the same provider, location and router!

Now that I’ve got my head around VPN Fusion, I will keep heading down that path until I encounter a roadblock.

By that time, Merlin should be running solidly on 388 with WireGuard. No doubt he will work his magic on that platform too.

I did some testing; I had WireGuard with Proton VPN. I did NOT have all devices under the VPN, only a handful.

I ran the following speed tests:

1 - Laptop - NOT on VPN but VPN was switched ON d/l speed was averaging around 400
2 - Laptop - NOT on VPN but VPN was switched OFF d/l speed was averaging around 520
3 - Laptop - ON VPN and VPN was ON d/l speed was around 290

Laptop in same exact location using Ookla. I am convinced that the NAT is off for all clients if the VPN is switched on. Really affects the speed of clients NOT under the VPN. The 290 was faster than Nord not using WireGuard but UDP. Nord was around 225.

Feel free to run these on your setup and report back.

CC
 
All my devices are assigned to tunnels. My default connection is a tunnel.

So this is one test I won’t be able to take part in.

I noticed an interesting difference between Merlin/OpenVPN and Stock388/WireGuard:

If you connect to a VPN on Merlin and run the built-in Ookla speed test, it shows you servers based on your VPN location.

If you assign a device to a tunnel using Stock388, and run the built-in Ookla speed test, it shows servers based on your true location.

This seems like the perfect way to test the assumption that WireGuard limits your WAN speed. If I don’t get around 600 Meg, something has changed.
 
On newer (AX) HND models, the HW acceleration status can be seen with the following command:

Code:
fc status

-----
admin@stargate:/tmp/home/root# fc status
Flow Timer Interval = 10000 millisecs
Pkt-HW Activate Deferral rate = 1
Pkt-HW Idle Deactivate = 0
Pkt-SW Activate Deferral count = 0
Flow Low Pkt Rate = 10
Acceleration Mode: <L2 & L3>
MCast Acceleration IPv4<Enabled> IPv6<Enabled>
IPv6 Learning <Enabled>
L2TP Learning <Enabled>
GRE Learning <Enabled>
4o6 Fragmentation <Enabled>
TCP Ack Prioritization <Enabled>
ToS Multi Flow <Enabled>
Notify Processing Mode <Hybrid>
OVS Flow Learning <Disabled>
HW Acceleration <Enabled>
Flow Ucast Learning Enabled : Max<16383>, Active<129>, Cumulative [ 236294 - 236165 ]
Flow Mcast Learning Enabled : Max<1152>, Active<0>, Cumulative [ 0 - 0 ]
-----

HW Acceleration is runner/archer, and Flow * Learning is Flow Cache.

Things are different on the RT-AC86U and GT-AC2900 as it's an earlier version of the SDK. I think for HW acceleration the only way I found how to monitor it is by checking if the pktrunner kernel module is loaded.
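
What the post above describes, as an added example that is not part of the original post or of the firmware: a POSIX shell script that reads `fc status` output and reports the runner/archer and Flow Cache state, with the `pktrunner` module check for the older SDK. The sample text is constructed from the output quoted above; the function names and the `<Disabled>` form of the HW Acceleration line are assumptions.

```shell
#!/bin/sh
# Added example: summarise NAT acceleration state from `fc status` output.
# Constructed sample, cut down from the output quoted in the post above.
SAMPLE_FC_STATUS='Acceleration Mode: <L2 & L3>
OVS Flow Learning <Disabled>
HW Acceleration <Enabled>
Flow Ucast Learning Enabled : Max<16383>, Active<129>, Cumulative [ 236294 - 236165 ]
Flow Mcast Learning Enabled : Max<1152>, Active<0>, Cumulative [ 0 - 0 ]'

# Runner/archer state: the word inside "HW Acceleration <...>".
# Assumption: a disabled runner prints <Disabled>, like the OVS line does.
hw_accel_state() {
    state=$(printf '%s\n' "$1" |
        sed -n 's/^HW Acceleration <\([A-Za-z]*\)>.*/\1/p' | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# Flow Cache state for $2 = Ucast or Mcast: the word after "Learning".
flow_learning_state() {
    state=$(printf '%s\n' "$1" |
        sed -n "s/^Flow $2 Learning \([A-Za-z]*\) :.*/\1/p" | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# Number of flows currently held in the cache (the Active<n> counter).
active_flows() {
    printf '%s\n' "$1" |
        sed -n "s/^Flow $2 Learning .*Active<\([0-9]*\)>.*/\1/p" | head -n 1
}

# Older SDK (RT-AC86U, GT-AC2900): is the pktrunner module loaded?
# $1 is an optional modules file, so the check can be tested off-router.
pktrunner_loaded() {
    grep -q '^pktrunner ' "${1:-/proc/modules}" 2>/dev/null
}

report() {
    echo "runner/archer: $(hw_accel_state "$1")"
    echo "flow cache:    $(flow_learning_state "$1" Ucast)," \
         "$(active_flows "$1" Ucast) active unicast flows"
}

# On the router, pass the live output instead: report "$(fc status)"
report "$SAMPLE_FC_STATUS"
```

Comparing the report taken before and after a WireGuard profile is enabled shows whether either acceleration stage changed state.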
 
On newer (AX) HND models, the HW acceleration status can be seen with the following command:

Code:
fc status

-----
admin@stargate:/tmp/home/root# fc status
Flow Timer Interval = 10000 millisecs
Pkt-HW Activate Deferral rate = 1
Pkt-HW Idle Deactivate = 0
Pkt-SW Activate Deferral count = 0
Flow Low Pkt Rate = 10
Acceleration Mode: <L2 & L3>
MCast Acceleration IPv4<Enabled> IPv6<Enabled>
IPv6 Learning <Enabled>
L2TP Learning <Enabled>
GRE Learning <Enabled>
4o6 Fragmentation <Enabled>
TCP Ack Prioritization <Enabled>
ToS Multi Flow <Enabled>
Notify Processing Mode <Hybrid>
OVS Flow Learning <Disabled>
HW Acceleration <Enabled>
Flow Ucast Learning Enabled : Max<16383>, Active<129>, Cumulative [ 236294 - 236165 ]
Flow Mcast Learning Enabled : Max<1152>, Active<0>, Cumulative [ 0 - 0 ]
-----

HW Acceleration is runner/archer, and Flow * Learning is Flow Cache.

Things are different on the RT-AC86U and GT-AC2900 as it's an earlier version of the SDK. I think for HW acceleration the only way I found how to monitor it is by checking if the pktrunner kernel module is loaded.

Merlin, do you have any idea on the GT-AXE11000 if it is enabled when a VPN tunnel is present? I have since done a reset and have no VPN on my router, based on my observations. Also, when enabling the Proton VPN there was a toggle for NAT, on or off, if that helps?

CC
 
If you connect to a VPN on Merlin and run the built-in Ookla speed test, it shows you servers based on your VPN location.

If you assign a device to a tunnel using Stock388, and run the built-in Ookla speed test, it shows servers based on your true location.

This seems like the perfect way to test the assumption that WireGuard limits your WAN speed. If I don’t get around 600 Meg, something has changed.

Sorry for the delay: 5G router wasn’t working this morning.

Using my method as described above, I achieved 628 Mbps down while having two WireGuard sessions active.

The built-in Ookla Speedtest on Stock388 tests the actual WAN connection, not via any tunnel.

So I wasn’t able to confirm the assumption that using WireGuard cripples your total WAN throughput. 628 Mbps is my max.

I get approximately 350 Mbps from a tunnel, maybe that is where the limitation is. But I only ever achieved 120 Mbps from the same config when using Merlin and OpenVPN.
 
Merlin, do you have any idea on the GT-AXE11000 if it is enabled when a VPN tunnel is present? I have since done a reset and have no VPN on my router, based on my observations. Also, when enabling the Proton VPN there was a toggle for NAT, on or off, if that helps?

I don't know, I only have 388 installed on my RT-AX86U_Pro, and I don't have any WireGuard server to test with.
 
All my devices are assigned to tunnels. My default connection is a tunnel.

So this is one test I won’t be able to take part in.

I noticed an interesting difference between Merlin/OpenVPN and Stock388/WireGuard:

If you connect to a VPN on Merlin and run the built-in Ookla speed test, it shows you servers based on your VPN location.

If you assign a device to a tunnel using Stock388, and run the built-in Ookla speed test, it shows servers based on your true location.

This seems like the perfect way to test the assumption that WireGuard limits your WAN speed. If I don’t get around 600 Meg, something has changed.

Princi,

How do you set that up? Do you set up 2 separate VPN tunnels on VPN Fusion, then assign your network devices to certain tunnels? Or is there a way to have multiple tunnels on one config.

CC
 
Correct the first time. But there are a couple of tricks. It’s quite possible that I’m using it in a way that was not intended - but it works, and it does what I need.

One trick is to make a tunnel your default connection. All devices will have access to this tunnel without being assigned to it - if that suits your use case.

Then you can individually assign access to the 2nd tunnel where required.

If you’re using an Apple device, make sure you have Private WLAN or Private WiFi Address enabled for at least one of the bands. Then each WiFi band gets its own IP address.
 
