Recommendations for VPN provider

You can't. You have to build your own, around something like pfsense/Shorewall/etc... Newer CPUs also typically have hardware-accelerated AES support. That's why for instance a 1.8 GHz RT-AC86U is able to reach 200 Mbps through an OpenVPN tunnel. If you build your own firewall around pfsense, you have to ensure that the CPU has hardware AES support - most Atoms don't.

Note that for our tests, we usually use something like iperf through the tunnel, which is a best-case scenario. Performance can vary depending on the type of data you transfer, how many separate streams, and whether or not you enable LZO compression.

Only other thing I can suggest is to make sure you configure the router to use VPN client 1, 3 or 5. Clients 2 and 4 will use the same CPU core as the router's switch, so you will lose some performance.
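An added example, not part of the original posts: one way to check for the hardware AES support mentioned above before committing a box to pfSense or OpenVPN duty. The function name and the sample strings are constructed for illustration; it reads Linux `/proc/cpuinfo` text or FreeBSD/pfSense boot messages on stdin.

```shell
#!/bin/sh
# has_hw_aes (hypothetical helper): succeed if the CPU feature text on stdin
# advertises AES instructions. Recognised inputs:
#   Linux /proc/cpuinfo  -> "flags" line (x86) or "Features" line (ARM), token "aes"
#   FreeBSD/pfSense dmesg -> "Features2=...<...,AESNI,...>"
has_hw_aes() {
    awk '
        /^(flags|Features)[ \t]*:/ {
            # Compare whole tokens so look-alike names (e.g. "vaes") do not count.
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        /Features2=/ && /[<,]AESNI[,>]/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample inputs (not captured from any real machine).
SAMPLE_X86_AES='flags : fpu vme sse2 ssse3 sse4_1 sse4_2 popcnt aes lahf_lm'
SAMPLE_X86_NOAES='flags : fpu vme sse2 ssse3 movbe lahf_lm'
SAMPLE_ARM_AES='Features : fp asimd evtstrm aes pmull sha1 sha2 crc32'
SAMPLE_BSD_AES='  Features2=0x29ee3ff<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,POPCNT,AESNI>'
SAMPLE_BSD_NOAES='  Features2=0x40e3bd<SSE3,DTES64,MON,SSSE3,MOVBE>'

# On a live Linux system, report on the local CPU.
if [ -r /proc/cpuinfo ]; then
    if has_hw_aes < /proc/cpuinfo; then
        echo "hardware AES: advertised"
    else
        echo "hardware AES: not advertised"
    fi
fi
```

On pfSense, feed it the boot messages instead (for example `dmesg | has_hw_aes`). `openssl speed -evp aes-128-cbc` then shows the cipher throughput the CPU actually delivers.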

Merlin, thanks for taking the time to respond to these posts.

Do you really think that an RT-AC86U router with OpenVPN implementation will be able to provide 200Mbps with AES-128-CBR, SHA-1, RSA-2048 encryption?

Does that router allow me to put John's Fork firmware or other DD-WRT/Tomato custom firmware on it? I thought new model Asus routers have locked firmware.

Do you think that, if I put PFSense on a HP Elitebook 8440p with an i5 Dual core 2.6GHz processor, it would be faster for OpenVPN performance than the RT-AC86U with the 1.8GHz CPU? I have one of these just lying around and I could task it to running PFSense for a firewall and VPN.

Could I just implement a proxy server and IP mask for the whole site to minimize speed loss while masking the IP to prevent infringement notices? I have several different users on the network that I have no control over and I need a way to stop getting infringement notices to the site.
 
Do you really think that an RT-AC86U router with OpenVPN implementation will be able to provide 200Mbps with AES-128-CBR, SHA-1, RSA-2048 encryption?

I actually achieved between 195-205 Mbps when I sent traffic through a tunnel with the server running on an RT-AC86U. As usual, your results may vary based on the type of traffic you send through the tunnel - my test was with a single stream iperf connection.

BTW, you'd want AES-128-CBC, not CBR.

Does that router allow me to put John's Fork firmware or other DD-WRT/Tomato custom firmware on it? I thought new model Asus routers have locked firmware.

The only third party firmware currently in development for that router is mine (still at an alpha stage). No idea what DD-WRT's plans are, and Tomato will most likely never support it (they still don't support even the Broadcom SDK7 platform from last year). John's Fork will also most likely never support it, as it focuses on much older firmware code.

Do you think that, if I put PFSense on a HP Elitebook 8440p with an i5 Dual core 2.6GHz processor, it would be faster for OpenVPN performance than the RT-AC86U with the 1.8GHz CPU? I have one of these just lying around and I could task it to running PFSense for a firewall and VPN.

Definitely. Even at equal clock rate, an Intel i5 is much faster than any ARM CPU out there. It's a much more powerful architecture, and Intel has a very optimized AES-NI implementation. It might be a power guzzler however compared to some of the embedded alternatives discussed here on SNB. One of these low-power alternatives running an i3 might suit you well, at a fairly reasonable price. Try a forum search, I can't remember the brand recently discussed here for those fanless products.

Plus, pfsense might provide you with some interesting bells & whistles if you are trying to protect a site that's more complex than a regular home network.

Could I just implement a proxy server and IP mask for the whole site to minimize speed loss while masking the IP to prevent infringement notices? I have several different users on the network that I have no control over and I need a way to stop getting infringement notices to the site.

I suppose you could always rent a VPS somewhere, and host a proxy there (or an IPSEC/L2TP tunnel). But then the VPS provider might decide to take action if it receives any infringement notice.
 
I re-ran the test several times connecting to alternate servers to find the maximum speeds possible. Without encryption, I get pings in the range of 10 ms. With encryption enabled, I get pings in the range of 90-100 ms. I connect to PIA servers in the USA. The default connection is to the USA Midwest. I also tried USA Chicago, Canada Toronto, Canada Montreal (these all seem to connect to the same server). I tried US East Coast, US Florida, US Texas, and US Silicon Valley. The latter ones give slightly lower transfer rates with longer pings.

I actually saw better pings for some locations when using the PIA Chicago location (closest PIA server to me). Values are based on many (15-20) test runs per location with the best and worst 2 values thrown out.

When I test the transfer speed using a Samsung Galaxy S7 with a 2.1GHz Quad Core Snapdragon CPU connected by 5GHz wireless to an Asus RT-AC68 router, I can get 190Mbps Down and 27Mbps Up without VPN encryption (as measured by the Speedcheck Pro app). After turning on the PIA VPN encryption, I measured 10-17Mbps Down and 15-20Mbps Up (these numbers are highly variable).

On my Moto X3 with a Snapdragon 808 I get around 300 Mbps both ways with no VPN. With the Android PIA VPN app using the default settings listed above I get around 100 Mbps down and 145 up. I'm using the DSLReports speedtest website as I find it to be the most accurate and it automatically chooses the best servers to use based on ping and will use multiple servers in different locations.
 
