QNAP and VPN?

[Ola Malmstrom]

I expect something like that. We'll see what happens. There will be a bottleneck somewhere, either the connection speed, the VPN server or something else. Really fun & interesting to try to figure this out and actually get it to work.

If there are problems with the first backup, I will abort. I could of course run a full backup with the old NAS in my house first - that way only the deltas will need to be transferred.

If my brother-in-law's connection is choked, I could throttle the transfer speed.

 

[Ola Malmstrom]

Before moving the old NAS to my brother-in-law I made some testing on my internal network. I synced a 2.5 GB file to the remote NAS and got the following results:

• Using internal IP addresses (ie no VPN server involved) ==> 17 MB / sec (disappointing - expected at least 45-50 MB / sec)
• Using the router as VPN server ==> 1.2 MB / sec (more disappointing)
• Using the new NAS as VPN server ==> 0.97 MB / sec (even more disappointing)

I expected considerably lower performance using VPN but nothing like this.

The router's CPU load increased somewhat - from about 3-4 % on both cores to 30% on one, 5% on the second. Memory usage increased from about 60% to 65%.

The NAS's CPU load increased from about 5% to about 8% on the 4 cores. Very small increase in RAM usage.

My conclusion is that my idea to connect through VPN for backup to a remote NAS will not work. The problem seems to be the VPN server even if I can't detect any significant load increase there. Maybe a lot of IO?

Can this be correct? If it is, then the only usable solution for me is to open needed ports in the router manually and use SSL to encrypt the traffic. VPN can be used for administrative tasks but not for file transfers.

I have also considered running an OpenVPN server on a PC with 4 cores at 3.4 GHz, 16 GB RAM and an m.2 disk. However after reading through the instructions for installing I gave up - it is just too much for me.

Any thoughts from anyone? Did I mess up somewhere? Should I move the old NAS to my brother-in-law anyway and hope for better result there? I'm not 100% sure my initial testing above was done correctly (with the server on my internal network) even if I could see a definite increase in the server loads.

The hard disks on the old NAS are Samsung hd154ui. Should give a write speed of between 25 and 75 MB / sec according to the reviews I have found.

 

[Ola Malmstrom]

I gave up om VPN. Tried the setup below:

However didn't work either!! Couldn't create jobs to the remote NAS01.

What am I doing wrong? Is it as simple as my port numbers here? Should I have used port numbers above 49 153? However I have used 10 001 - 10 006 for my cameras for several years now...

One thing positive though: The connection between my brother-in-law's 2 NASes provided between 15 and 20 MB / sec. So my 17 MB / sec on average is probably rather OK.

 

[Callinc]

Sorry for the delay. I think your port forwards are correct. What is the error message your getting? Could it be a permission issue? I know that I use two qnaps locally and to get the main one to sync to the second I had to use the admin account. Usually I disable admin ASAP as it’s the first username people try to brute force. Unfortunately Qnap has a limitation that only admin can rsync.


Sent from my iPhone using Tapatalk

 

[Ola Malmstrom]

Thanks! No error message really - just that it can't connect to NAS01. I get the same problem for both rsync and rtrr.

You do mean that RTRR needs the admin account don't you? I have tried with different user names with rsync and it works - at least on my local network.

I have cleaned up things even more. Removed rsync and associated ports on the router to have as few settings to play around with as possible.

The qnap DDNS (myqnapcloud) doesn't work correctly for NAS02. My ISP changes my external IP address more or less every night. This is correctly reflected both in the ASUS and the qnap NAS01 ddns entries. However sometimes not in my NAS02 DDNS entries. So I have resorted to use the ASUS ddns instead when possible which seems to be more consistent.

Will move NAS01 to my brother-in-law in a couple of days. Will use his DDNS for NAS01 when on his network if the qnap one doesn't work. His external IP also changes regularly....

 

[Callinc]

Yes sorry I believe your correct. I use Rtrr and need the admin on the destination nas to be on. Definitely use the DDNS on the router rather than on your Qnap. Hope you get it all setup with decent performance!


Sent from my iPhone using Tapatalk

 

[Ola Malmstrom]

So got it to work. Simplified like this:

Transfer speed is 17 MB / second. 60 GBs was transferred in 1 hour 6 minutes.

Will try with VPN once more now when I got this to work.

Update:

Tests completed. Resulting transfer speeds:
- No VPN, no SSL. Open port 8899 (RTRR) on Mike's router ==> 17 MB / second
- No VPN, no SSL. Open port 873 (rsync) on Mike's router ==> 4 MB / second
- SSL encryption. Open port 8899 on Mike's router ==> 2 MB / second
- VPN tunnel. No open ports on Mike's router ==> 1 MB / second

I was surprised by the difference between RTRR and rsync. VPN and SSL works fine for admin work but not for large scale data transfers. My ISP speed is 500 mb/sec, Mike's 250 mb/sec

Would be interesting to know if someone else has similar experiences...!!

 

[Callinc]

Are you using the vpn on your routers? If so what routers are they? I’m sure your tests are good but that transfer speed taking such a hit is rough. I’m just wondering if it’s a cpu bottle neck. Your max of 17 MB seems pretty good out of a max of 30 MB due to your brothers limiting internet.


Sent from my iPhone using Tapatalk

 

[Ola Malmstrom]

I have tried two VPN server setups:

1. On my main router, an ASUS RT-AC3200. 2 cores@1 GHz, 256 MB of RAM. This provided better performance despite fewer cores, lower speed and very little RAM. The CPU usage on one of the cores increased from about 2-3 % to 40%. The other core seemed to be unaffected. RAM usage increased from about 65% to 75%.
   
2. On my QNAP 231P2 with 4 cores@1,8 GHz, 8 GB of memory. CPU usage increased from an average of maybe 3-4% on all cores to 8-9%. RAM usage also increased somewhat. From about 1 GB to 1.2 GB if I remember correctly. Despite better specifications on paper, the data transfer speed was about 50% of the speed obtained with the OpenVPN server on the router.

I also tried to setup a separate VPN server on a PC but failed. I don't want to run a separate PC just for the VPN part, so I skipped this.

My conclusion is that I need to either (1) setup an OpenVPN server on entryDNS or some other supplier, or (2) get myself a better main router with higher HW specifications (AX11000?) including support for AX and OFDMA. However the price for such a router is right now somewhat high.......

 

[Callinc]

I have tried two VPN server setups:

1. On my main router, an ASUS RT-AC3200. 2 cores@1 GHz, 256 MB of RAM. This provided better performance despite fewer cores, lower speed and very little RAM. The CPU usage on one of the cores increased from about 2-3 % to 40%. The other core seemed to be unaffected. RAM usage increased from about 65% to 75%.
   
2. On my QNAP 231P2 with 4 cores@1,8 GHz, 8 GB of memory. CPU usage increased from an average of maybe 3-4% on all cores to 8-9%. RAM usage also increased somewhat. From about 1 GB to 1.2 GB if I remember correctly. Despite better specifications on paper, the data transfer speed was about 50% of the speed obtained with the OpenVPN server on the router.

I also tried to setup a separate VPN server on a PC but failed. I don't want to run a separate PC just for the VPN part, so I skipped this.

My conclusion is that I need to either (1) setup an OpenVPN server on entryDNS or some other supplier, or (2) get myself a better main router with higher HW specifications (AX11000?) including support for AX and OFDMA. However the price for such a router is right now somewhat high.......

Thanks for the good info and testing you have done!


Sent from my iPhone using Tapatalk

 

[Ola Malmstrom]

Got myself an AX88U. Installed latest Merlin FW, reset to factory and configured what I can in advance. Will switch main router early tomorrow morning. The primary reason for this was to be able to run a OpenVPN server, but also to install Yazfi which doesn't work on my current AC3200. Will update results once the testing has been completed.

 

[L&LD]

YazFi should work on the RT-AC3200?

 

[Ola Malmstrom]

Maybe YazFi works on the RT-AC3200. However not together with SmartConnect. I got it to work really well after some tweaking....

I am rather disappointed...... Replaced the RT-AC3200 with a RT-AX88U. Set it up as an OpenVPN server and ran another test job across the network. 1.5 GBs was synced using RTRR in 25 minutes. This gives about 1 MB/sec which is far from what I would deem acceptable.

Doing it without VPN relying on opening ports on my brother-in-law's router instead
provides 20-22 MB per second which is what I expect based on his ISP speed (250 Mbit/sec).

There is no noticeable load on the cores. One of them 6%, the others almost nothing. I don't know where the bottleneck is.....

Isn't there supposed to be HW acceleration for OpenVPN in the RT-AX88U? Is there some config I have failed to do correctly? Would change the encryption from 256 to 128 bits make any difference?

 

[Callinc]

Your isp may be throttling vpn traffic. Since net neutrality ended here in the US internet service providers may now favor or punish some types of traffic. Based on what your saying and showing I think it’s intentionally be slowed. Do you have a paid vpn you could test. See if PIA or express vpn give you the same speeds.

 

[Ola Malmstrom]

Thanks to the suggestion!! Might be, but I doubt it. The bottleneck seems to be that the old NAS01 doesn't have enough CPU power. Ran more careful tests:

Confirms (at least to me...) that AES-NI is working on the AX88U. Also that NAS01 is choked with CPU load and that NAS02 is close to being choked.

Lesson learned for me is that VPN traffic is CPU heavy. Any NAS involved in VPN traffic for shuffling data needs to have (1) a proper multi-core 64 bit CPU, and (2) AES-NI HW acceleration.....

 

[L&LD]

@Ola Malmstrom, the lessons learned (additionally) should be that VPN should not be enabled on a NAS at all. No matter how powerful it is.

I feel that your brother-in-law is due for an RT-AC86U upgrade to his network (to match the OpenVPN performance of your RT-AX88U).

 

[Ola Malmstrom]

Thanks! Agree! I have tried to convince him, I will try more later today...... He agrees that the best way forward is a new AX router. But.... he also needs to convince his wife...... She is sometimes grumbling that they have very bad connectivity particularly in their kitchen so it's not a totally lost cause. However the cost of an AX88U is about 450 USD here right now which is a little bit too much. Particularly since he has recently renovated his old guitar for a lot more....

I have a question though. I assume he will eventually get an AX88U or similar with AES-NI.

When running the OpenVPN client on his new router instead, how do we access the clients attached to each router?

I understand I will need to add a route command to both the server and client configurations, but what exactly should be written?

This is the setup I assume we will have:

 

[L&LD]

@Ola Malmstrom, I don't think a route command is needed, per se. Once connected to the OpenVPN Server, you would just access it like you would if you were at his home.

That old guitar must be something to see/hear now?

 

[Ola Malmstrom]

It's his pride and joy. He also plays it very well!!

Something is missing though, something I don't understand. The only way I can access NAS01 today (with the OpenVPN client on NAS01) is by using 10.8.0.2. I can't use his internal IP address (10.0.1.186), I can't use the old one from when it was connected to my local network (192.168.0.6).

When the OpenVPN client is running on his router instead, I will not be able to access NAS01 by using 10.8.0.2. I will only get to his router.

Is there some setting I need to change for the OpenVPN client? I have selected both
- "Use default gateway on remote network", and
- "Allow other network devices in the same subnet to connect to the VPN through the NAS"

Or something in the server settings?

Grateful for all suggestions!!

 

[L&LD]

I'm not sure you can change that if the OpenVPN client is running on the NAS (01). The OpenVPN server needs to be running on his router instead. Then, once connected to the router via OpenVPN, you could use the internal IP address (10.0.1.186) to access the NAS (01).