RT-AC88U / Open VPN speeds

It’s pretty pointless to compare OpenVPN speeds on the router vs on your PC; your PC CPU is way more powerful and almost guaranteed to have a crypto chip to speed up the encryption, so it’s gonna blow Asus performance out the water most of the time.

What we could investigate further though, is if two routers of the same model (so same CPU), with the same firmware version (so same OpenVPN+OpenSSL version) have different speeds. Then we can be pretty confident that either the config or the VPN provider is causing the slowdown, and it’ll probably be down to which cipher suite the client and server end up using for the tunnel.

This is the reason I tested both the 68u and 88u. Both routers have different CPUs but I'm getting approximately the same speed using the same settings. It makes me think that the CPU isn't the bottleneck in this case.
 

I see your point, and that’s reasonable. Though I wonder if the difference is simply the overhead for doing all the crypto work.

I also have 68U and PIA, I just don’t have it in router mode to easily replicate your configuration.

Edit: maybe compare the OpenVPN logs from Windows vs 68U? Maybe the tunnels are using different cipher suites and we can further tweak the configuration to make them match.
 

Thanks kfp. Appreciate your thoughts.

I'm actually using a higher encryption on the Windows machine running the PIA app (which uses OpenVPN). It's using AES-256/SHA256/4096
 

I don’t remember if it’s possible to force a downgrade from the server side, and the logs would contain a lot more than the cipher suite used.

Edit: the logs will give you a more accurate running state of the tunnels
 
The Windows PIA/OpenVPN client is definitely using the higher encryption standards.
Thu Jul 12 06:48:33 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Jul 12 07:48:34 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Thu Jul 12 07:48:34 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Thu Jul 12 07:48:34 2018 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Thu Jul 12 07:48:34 2018 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Thu Jul 12 07:48:34 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul 12 07:48:34 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jul 12 07:48:34 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul 12 07:48:34 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

Any other ideas or things I could check?

I understand I don't have a lot to work with in terms of internet speed, but I would have thought that a ~40% reduction in speed is pretty excessive between standard traffic and traffic through OpenVPN. Would you agree, or am I being unreasonable and expecting too much from my 88u?
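The log comparison suggested earlier in the thread can be scripted. This is an added example, not part of any poster's message: the Windows lines are taken from the log posted above, while the router lines (syslog prefix, AES-128/SHA1 values) and the function names are constructed for illustration.

```python
import re

# Windows lines are copied from the log in the post above; the router lines are
# constructed for this example (hypothetical syslog prefix and AES-128/SHA1 values).
WINDOWS_LOG = """\
Thu Jul 12 06:48:33 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Jul 12 07:48:34 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Thu Jul 12 07:48:34 2018 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Thu Jul 12 07:48:34 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul 12 07:48:34 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
"""
ROUTER_LOG = """\
Jul 12 07:50:01 ovpn-client1[1234]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 12 07:50:01 ovpn-client1[1234]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 12 07:50:01 ovpn-client1[1234]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
"""

# Values each client reports it actually initialized for the tunnel.
FIELDS = {
    "tls_cipher": re.compile(r"Control Channel: \S+, cipher \S+ (\S+),"),
    "rsa_bits": re.compile(r"(\d+) bit RSA"),
    "data_cipher": re.compile(r"Data Channel Encrypt: Cipher '([^']+)'"),
    "hmac": re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
}
MISMATCH = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")


def summarize(log_text):
    """Return negotiated parameters and option-mismatch warnings from one log."""
    summary = {"mismatches": {}}
    for line in log_text.splitlines():
        for name, pattern in FIELDS.items():
            match = pattern.search(line)
            if match:
                summary[name] = match.group(1)  # last occurrence wins after a renegotiation
        match = MISMATCH.search(line)
        if match:
            option, local, remote = match.groups()
            summary["mismatches"][option] = (local, remote)
    return summary


def diff_tunnels(a, b):
    """Fields whose value differs between two summaries, as (a, b) pairs."""
    return {k: (a.get(k), b.get(k)) for k in FIELDS if a.get(k) != b.get(k)}


if __name__ == "__main__":
    win, router = summarize(WINDOWS_LOG), summarize(ROUTER_LOG)
    print("differences:", diff_tunnels(win, router))
    print("Windows option mismatches:", win["mismatches"])
```
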
 

Like you said, it’s hard to tell with the small pipe you have. And even with Windows you’re also seeing ~15% reduction in speed.

I would still think this is just the overhead of router CPU doing all the crypto work than a configuration issue. Maybe someone with a similar Internet speed can chime in?

PS. Not ding’ing you for small pipe, I’m from Canada so I understand but you guys have it way worse for sure.
 
Wish I had a nickel for every time the "Poor OpenVPN" performance topic comes up. :D I also have an AC88U and experienced the same slow download and upload speeds when using OpenVPN connection to a server half way across the globe. It has to do with the CPU in the AC88U. I was able to fix the issue by converting an old Windows 7 PC to a pfSense router with an Intel i5 CPU that supports AES-NI. You can read about it here: https://x3mtek.com/openvpn-performance/
 
Thanks everyone for your replies. I appreciate your input.

Very interesting post, thanks Xentrk. Very nice and comprehensive article you have written there.

pfSense may be an option I can explore. I have a decent home lab where I could run a pfSense VM which supports AES-NI.

Can you explain your config at a high level? Are you still using your RT-AC88U in a wireless router mode and still using custom scripts/firewall etc? I really like Merlin and the added functionality and security.

I'm just thinking about how this config would look at my end and possible issues.

Hypervisor connected to Asus 88u.
Hypervisor connected to Modem (internet).

Standard ethernet/Wi-Fi clients connect to Asus 88u (internal network)

Asus 88u gateway

pfsense VM (internal facing 88u network)

pfsense VM (outer facing modem network)

modem (internet)

Did you just configure the 88u WAN settings with a static IP and the gateway is the pfsense internal IP?

If I do something like this it will be going through a triple NAT/firewall which adds a fair bit of complexity if there are problems and I'm not around. Anything else to consider?
 
Another interesting point that I have discovered is that I get approximately the same speed on the 88u whether I'm using AES 128/SHA1 or AES 256/SHA256.

If it was the CPU that was the bottleneck you would expect a noticeable difference changing between them.

Likewise when I ran the tests on two different model routers and got similar results. Their CPUs are a fair gap apart so you would also expect to see a difference.
68u - 800 MHz, 2 cores
88u - 1.4 GHz, 2 cores
 
Despite the poor OpenVPN down and up performance of the AC88U, I was still able to stream media from half way across the globe without buffering issues. If I connect to a server near my geo location, then speeds are vastly improved. So distance is a big factor. I have a 200 Mbps fiber line.

I use an AC68U running Asuswrt-Merlin as the AP for the pfSense box.

Two of the AC88Us in my signature are used at sites I support. I am using the third one for some development work and as a test router. It can also be used as a backup router to my pfSense box if I need to. Even though they are different firmware and packages, I have them set up the same for policy rules and OpenVPN clients.

AB-Solution is the ad blocker on Asuswrt-Merlin. pfBlocker can be used as an ad and malware blocker on pfSense. I also use it to create IPv4 lists for my selective routing rules. Snort and Suricata can also be used to secure things similar to what Skynet does.

Others on the forum reported improved OpenVPN performance with the AC86U. I installed one for a friend and did not see the performance improvement others reported. I wish I had more time to experiment with it to understand why.
 
Thanks Xentrk. Appreciate your time. I'm in a similar position, i.e. I can also stream media through my connection pretty reliably. I was just chasing more bandwidth if it was available and looking to rule out any issues at my end. I'll try and set aside some time to have a play with pfSense using that config I described.
 
Chasing the bandwidth was also my main reason for trying it out. There are two additional benefits I also discovered. I am able to configure my selective routing use case using the features of pfBlockerNG to create IPv4 lists and the Firewall rule functionality built in the GUI. On the Asuswrt router, I have to write scripts to do this, which I plan to publish on GitHub soon. There is also support for the unbound DNS resolver built into the GUI that is easy to configure. I configured it so all WAN queries use the DNS of the VPN tunnels. No DNS leaks either.
 
