Slow OpenVPN on AC87r

[jazzy_jeff_81]

Just to update on this. I have Charter Internet and I finally tested the OpenVPN client on a device (phone) and I get slow 3-4 Mbps speeds, so I suspect they throttle the OpenVPN connections, which is too bad.

 

[Xerial]

The RT-AC68U with its 800 MHz dual core CPU should give you around 60 Mbps of OpenVPN throughput (I was doing some development work this weekend on it, so I happen to have some very fresh iperf benchmarks results for it), which should be enough for most. If you do need an extra oomph, the RT-AC87U has a 1 GHz CPU.

May I ask what level of encryption you were running?

 

[Hitman]

May I ask what level of encryption you were running?

If it helps i'm using an AC56U overclocked to 1100 and get ~53mbit/s using AES256 CBC encryption via OpenVPN

 

[Xerial]

If it helps i'm using an AC56U overclocked to 1100 and get ~53mbit/s using AES256 CBC encryption via OpenVPN

That's weird because I have the AC87U running OpenVPN with the exat same encryption and I never get more than 18-19. I have tried running a session on my PC with the same service provider and got like 80 Mbps. Something is amiss!

 

[Hitman]

I found that if I setup the VPN settings manually, then I would get around 8mbit/s, but if I uploaded my providers .ovpn file for the VPN server I wanted to use and slightly changed the VPN settings and custom config to the recommended values for router use, I got the higher speeds, looks like it maybe a small bug in merlins .55 latest build.

 

[Xerial]

Any tips on those slight changes you made? I got bad speeds in both the latest build and the one before that. Haven't tried any other FW:s.

 

[RMerlin]

May I ask what level of encryption you were running?

AES-128-CBC, my certificate was either 1024 or 2048 bit - can't recall for sure.

 

[Xerial]

AES-128-CBC, my certificate was either 1024 or 2048 bit - can't recall for sure.

Ok, then me getting 10-20 Mbps on OpenVPN on a AC87U running AES-256-CBC is normal? Same session but on my PC is running a lot higher.

 

[RMerlin]

Ok, then me getting 10-20 Mbps on OpenVPN on a AC87U running AES-256-CBC is normal? Same session but on my PC is running a lot higher.

Could be, I never benchmarked AES-256-CBC. If you control both endpoints, try downgrading to 128-bit just to see the performance difference.

 

[RMerlin]

Ok, then me getting 10-20 Mbps on OpenVPN on a AC87U running AES-256-CBC is normal? Same session but on my PC is running a lot higher.

Another thing to try is experimenting with the following setting:

"Let the OS manage socket buffers"

Some setups get better performance with it enabled, and for others it's the opposite (which is why I left that option user-configurable).

 

[cosmoxl]

you should get faster than 10-20mbit/s with the AC87. I get something over 35mbit/s with my AC68. max I don't know because my line speed is 35mbit/s.

 

[Hitman]

Any tips on those slight changes you made? I got bad speeds in both the latest build and the one before that. Haven't tried any other FW:s.

I tweaked my custom config by using the router log to verify connections, other than that the usual settings were provided by my VPN provider, this is my final CFG but be aware these are specific for my provider newshosting ....

resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
comp-lzo
verb 3
script-security 3
auth SHA256
keysize 256
tls-cipher DHE-RSA-AES256-SHA
auth-nocache


These are my final VPN settings....



I also added my cert key via Authorisation mode\content modification of keys/certs.

Note: As reported QoS kills the connection speed, so have mine off.

 

[Hitman]

@RMerlin

(off topic) Do you know how to configure policy rules for the VPN as I need to disallow 2 clients on my network from the VPN and to use my ISP instead, could I PM you rather than discuss in thread?

Thanks.

 

[RMerlin]

@RMerlin

(off topic) Do you know how to configure policy rules for the VPN as I need to disallow 2 clients on my network from the VPN and to use my ISP instead, could I PM you rather than discuss in thread?

Thanks.

Enable Policy-based routing, with the following rules:

192.168.1.0/24 through VPN
192.168.1.1 through WAN (so router isn't routed)
192.168.1.xxx through WAN (client1)
192.168.1.yyy through WAN (client2)

All done through the webui, fairly straighforward.

 

[Hitman]

Thanks, I know to do that but it was to do with the destination IP , should this be set to 0.0.0.0 (any IP)?

I test tried 1 IP client set to dest 0.0.0.0 via wan but all my clients are now connecting via the wan and not the VPN anymore, do I need to allocate all my clients into the table?

 

[RMerlin]

Thanks, I know to do that but it was to do with the destination IP , should this be set to 0.0.0.0 (any IP)?

That's correct.

 

[Hitman]

Edit: All sorted!

Thanks.

 

[Xerial]

Another thing to try is experimenting with the following setting:

"Let the OS manage socket buffers"

Some setups get better performance with it enabled, and for others it's the opposite (which is why I left that option user-configurable).

I don't seem to be able to find this settings on the OpenVPN Client page. Is it supposed to be in the GUI?

 

[RMerlin]

I don't seem to be able to find this settings on the OpenVPN Client page. Is it supposed to be in the GUI?

Yes, but only on the server, it's not available for clients, sorry.

 

[Xerial]

Yes, but only on the server, it's not available for clients, sorry.

It's quite alright, thanks for the reply. I disabled QoS and now I get around 30 Mbps. This is with AES-256-CBC enabled. Now I know you suggested me to turn it down to see the result but unfortunately I can't do that. I do think it's reasonable to assume that a twice as light encryption would result in double the speed = 60 Mbps, which is what you got.

Hitman I tried your settings but then the session wouldn't run at all. Thanks for the effort though!