What's new

Speed diff for OpenVPN on RT-AC68U and RT-AC86U?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

BosseSwede

Regular Contributor
Is there a difference in transfer speed between the older RT-AC68U and RT-AC86U when using the built-in OpenVPN client to connect LAN-LAN?
Right now I have this setup:
Home LAN:
- RT-AC86U router on a 250/250 fiber connection
- Port forward to an Ubuntu Server 20.04.3 running the OpenVPN server

Remote LAN:
- RT-AC68U router on a 250/250 fiber connection
- Using router's OpenVPN client towards the Home LAN OpenVPN server
- VPN configured to only transfer LAN-LAN traffic, everything else uses router's gateway

When I check the upload speed on the remote LAN using speedtest I get 106 Mbit/s, which is rather low so I am complaining to the ISP.
On my home LAN the speedtest result is basically 250/250 so it is what I subscribe to.

But when I transfer an actual video file from the remote LAN to the home LAN I get transfer speed of only 13.6 Mbit/s using an NFS share on my home LAN server.

So now I wonder if the bottleneck could be the VPN client in the RT-AC68U router having too low performance? After all it is a number of years older...

In that case my alternative will be to replace it with another RT-AC86U router.
But only provided it has better VPN capacity?

Is there someone here who knows if this is the case?
 
Did you resolve your DNS issue? You never responded to this thread.

I would expect the RT-AC68U to be able to achieve ~50Mbps in ideal conditions and the RT-AC86U ~ 250Mbps. Maybe the Home LAN OpenVPN server is the limiting factor.
 
While processor speed is important for VPN encryption the biggest advantage the AC86 has is that it supports AES-NI.

For consistent Open VPN encryption speeds over 200 Mbps you will probably need at least an I5 processor. Going forward when WireGuard is a fully supported option, higher speeds using the more limited processors typically found in routers will probably be possible.
 
It does have AES capabilities. You could have stated that part too. Tripping over words and labels. Hmmm...

Maybe just gently correct instead of showing/highlighting a mistake?
 
Yes, I too was also one who incorrectly assumed that AES meant/equaled AES-NI a few months (year?) ago. But was more elegantly corrected by far more knowledgeable members.

It costs nothing to be nice. Except maybe, to one's ego.
 
Sorry, I don't use emotions in technology conversations. Nothing personal here. Thank you!
 
Being polite isn't being emotional. It is human. Even on an online forum, it's appreciated.
 
What exactly wasn't polite enough for you??
 
You two underestimate our reading comprehension. No debate you wage will change this. :)

OE
 
Did you resolve your DNS issue? You never responded to this thread.

I would expect the RT-AC68U to be able to achieve ~50Mbps in ideal conditions and the RT-AC86U ~ 250Mbps. Maybe the Home LAN OpenVPN server is the limiting factor.
1) No, I did not resolve the DNS issue so I gave up.
And I did not receive any email notification of that reply or any of the other either.

2) So the difference is there in the router hardware then. Today I bought me an extra RT-AC86U to use on the remote LAN.

3) Concerning the VPN throughput I expected the speed to be somewhat limited but not this much.
OTOH this is the first time I have used a router with built-in OpenVPN client capability, I normally have used VPN clients on devices so the router does not get into play then. But this time I wanted to connect together my home LAN with the remote LAN so I could access NAS devices etc on both LAN sections from any connected device on both LANs.
And using the router as the VPN client solves that problem.
Except I suffer a speed problem, which I have not yet pinpointed.
But it could be the encryption capability of the router...
I can only test this by driving 100 km to the remote site (one way) so it has to wait to be done.
 
No, it doesn't. AES-NI is Intel x86 instruction set.
I am aware of that and perhaps should have been more specific and not generalized, but I was talking both about routers and more powerful devices with Intel chips.

The key point I was trying to make for the OP's benefit is that a router's processor's speed only plays a small part in increasing VPN throughput and AES however it is implemented or simulated is the key to higher Open VPN speeds.
 
I am aware of that and perhaps should have been more specific and not generalized

Dear @CaptainSTX, how are you today?

How are the family members?

I hope everyone is in excellent health and mood!

I'm terribly sorry, if my correction offended you in any way.

Please, accept my sincere apology!

I hope you'll forgive me one day. I really do!

:)
 
I am aware of that and perhaps should have been more specific and not generalized, but I was talking both about routers and more powerful devices with Intel chips.

The key point I was trying to make for the OP's benefit is that a router's processor's speed only plays a small part in increasing VPN throughput and AES however it is implemented or simulated is the key to higher Open VPN speeds.
So what level of AES is used depends on the setting in the ovpn file for the client, right?
Here is parts of the router specific ovpn file:
Code:
client
dev tun
proto udp
remote mydomainname.com 11xx
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-nocache
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 2
mute 20
explicit-exit-notify 1
So it uses AES-256-CBC, is that particularly tough compute-wise?
Could I perhaps lower the level to 128 to make an improvement in speed while sacrificing a bit of security?
 
Use AES-256-GCM instead. Not for better performance, but for better security. Please. :)
 
Or consider using Chacha20, it's less CPU-intensive than AES. That will require running my firmware however (for the newer OpenVPN).

And don't use compression. That increases the CPU load, while actually reducing security. Compression is considered deprecated by OpenVPN devs, and will be removed in a future release (2.6 or 2.7).
 
I have now modified the server side OpenVPN settings in the ccd dir for the router client so it pushes the following to the client on connect:
Code:
iroute 192.168.117.0 255.255.255.0
#Disable compression and push it to the client
comp-lzo no
push "comp-lzo no"
#Set different cipher for the ASUS router client
cipher AES-128-GCM
push "cipher AES-128-GCM"

With this I have clocked about 27 Mbit/s speed when copying a 200 Mbytes video file from local store on the remote LAN to an NFS share on a server at the home LAN. So the above changes did a bit of improvement, but the upload speed on the fiber at that time was about 200 Mbit/s as measured with a speed check utiity.

It was done using the RT-AC68U router at the remote site.
I have not yet been able to install the RT-AC86U router on location to verify if that hardware upgrade will make a difference. Still 200 km to drive round trip...

Regarding the hardware people above have suggested using Intel CPU and whatnot, which is bogus because the thread is specifically about the ASUS routers none of which use such CPU...

Regarding the firmware on the RT-AC86U router here is a screenshot from the router admin interface:
1646289742510.png

Is this the firmware you refer to?
 
Why are you running such old firmware?

Update the firmware, fully reset the router and then minimally and manually configure it.

Then it will be worth the small excursion to put it into play. If the remote location has similarly fast (or faster) ISP speeds as your home location does.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top