Best Router for fastest VPN speeds

[Fontie]

I have a Asus RT-N66u at the moment getting around 10MB/s down and 10Mb/s up using open vpn on the router and Private Internet access. I know the speed of vpn is dependant on the processor speed in the router, what's a router that's going to give me the best speeds for vpn. Would there be a way of having one computer on my network that doesn't connect through the vpn.

Thanks

 

[Sabatus]

Check out Turris Omnia if you are not in a hurry (estimated shipping in April). According to the last update:

"With Turris Omnia, acting as an OpenVPN server with recommended configuration with one client connected, we measured 100 Mbps in one direction. We expect this number to be a bit better in the future as we have still the crypto acceleration turned off."

You can always port-forward OpenVPN to an internal "real" computer that is set up as an OpenVPN server, which will crush practically any router.

 

[Nullity]

Use a device with a full-power PC CPU or possibly an Atom CPU, preferably with AES-NI.

pfSense, IPFire, or any other router-focused, open-source OS is a good choice.

 

[Fontie]

Thanks for the reply's guys, decisions decisions, I have Windows server 2012 running Plex and squeeze box, could I run say pfsense on that would the server be behind the VPN as its running the VPN or is it better to have another server behind the windows 2012 one. Would devices that connect via Wi-Fi be behind the VPN if its on the windows server is it a case of changing the DNS and ip address of my N66u to that of the server running the VPN and entering those numbers on my wireless devices. As you have probably guessed by now my knowledge is limited, is there a idiots guide how to do this. The Turris Omnia looks good ease of setup only downside of it my isp is soon doubling my download speed to 300Mb/s so a server based VPN would get me nearer those speeds.

 

[System Error Message]

You could run openVPN on windows server and also use that as a router. windows server is alright but pfsense is better. Make sure you secure it properly though.

 

[YeOldeStonecat]

What is your budget? Leading with "Best router for fastest VPN speeds"....you can start getting replies for some very high end enterprise grade hardware costing in the tens of thousands of dollars and higher. I'm a fan of Juniper/Pulse VPN appliances....dedicated VPN hardware but your bank account might not like it!

For "speed"....if you don't mind doing a little "built it yourself"....(or you can purchase some pre-installed units)....my favorite *nix router distro for raw speed is PFSense. You can get it pre-installed on some little Netgate appliances for very low cost.

If all out speed is important to you, IPSec VPN (depending on your hardware) is typically faster. OpenVPN has ease of setup and use, but it does come with some overhead which can chew into performance. And some versions do have some quirks like it does its own NAT...which can mess with certain types of traffic going through the tunnel.

I never...ever...run a VPN service on Windows Server..and expose that to the internet.

 

[CaptainSTX]

I have a Asus RT-N66u at the moment getting around 10MB/s down and 10Mb/s up using open vpn on the router and Private Internet access. I know the speed of vpn is dependant on the processor speed in the router, what's a router that's going to give me the best speeds for vpn. Would there be a way of having one computer on my network that doesn't connect through the vpn.

Thanks

Look at the routers that Sabai Technology offers pre configured with their modified Tomato firmware in combination with their VPN accelerator hardware.

I run a N66 with their firmware and a VPN accelerator an I get 95% of my 75/12 connection from Comcast connecting to a server 1,200 miles distant.

Sabai has changed their policy so you may be able to just purchase the firmware for your present N66 and purchase the accelerator.

 

[sfx2000]

If all out speed is important to you, IPSec VPN (depending on your hardware) is typically faster.

In my experience, L2TP/IPSec is always been faster than OpenVPN...

OpenVPN has louse performance compared to Lt2P/PPTP, mainly due to design issues (OpenVPN is userland, so every packet has to go to the kernel, get redirectly by the TUN driver back to OpenVPN, and then back out... sub-optimal perhaps, but it does make it very portable... doesn't help that the TUN driver is single threaded, so multiple cores don't help there...

 

[sfx2000]

In my experience, L2TP/IPSec is always been faster than OpenVPN...

And, while not kicking OpenVPN to the curb, one can get damn near wire speed with L2TP/IPSec...

 

[YeOldeStonecat]

In my experience, L2TP/IPSec is always been faster than OpenVPN...

Yah....while I love the ease of management/deployment of SSL and even OpenVPN....for road warriors and the like...and I don't miss the troubleshooting and needs such as reinstalling troublesome fat IPSec VPN clients......nothing beats the sheer performance advantage of IPSec VPN. And the OP did ask for best performance.

 

[kvic]

Without context e.g. make of router/hw the VPN server runs on, a blanket statement of IPSec/l2tp being faster than openvpn is pretty much meaningless...

 

[Nullity]

After hardware, I would think the choice of encryption cipher would be the most important decision when determining maximum speeds.

If OpenVPN & IPsec both use the same cipher (ex. AES), is IPsec still much faster?
I would expect OpenVPN & IPsec to have very similar maximums, unless different ciphers were used, which is not exactly a fair comparison.

 

[kvic]

Here is a comparison and let the numbers tell a story.

Someone benchmarked IPsec/L2TP on DS1513+ and DS215j:

• DS1513+: dual-core 4-thread 2.13GHz Atom D2700
• DS215j: dual-core 2-thread 800MHz Cortex A9 (Marvell) _with_ hardware crypto engine.
• 60Mbit/s on DS1513+; 30Mbit/s on DS215j.

To put the above numbers into perspective, let's look at OpenVPN throughput on a dual-core 2-thread Cortex-A9 (Broadcom) _without_ hardware crypto engine.

• At stock 800MHz CPU, some people found anywhere between 30 to 50Mbit/s (AES128 or AES256).
• At 1.4GHz CPU (overclocked), I found 70Mbit/s (AES128).

EDIT: worth noting that unknown encryption cipher for the IPSec tests.

 

[YeOldeStonecat]

Without context e.g. make of router/hw the VPN server runs on, a blanket statement of IPSec/l2tp being faster than openvpn is pretty much meaningless...

Err..not really, when many firewalls have a CHOICE of which type of VPN you want to setup. Soooo...setup one type...which is slower, or setup the other type...obviously running on the same "exact" piece of hardware...which is faster.

I have the luxury of seeing real world examples every day....on my clients dime.
As many of the forum members are home enthusiasts here...I'm going to out on a limb here and make a claim that..."they'll want to watch their budget"...and not keep buying a few dozen different hardware platforms to keep experimenting with different firewalls and VPN types on. Many will take some existing/used x86 computer and just install a *nix distro on it..and that's what they got! Hence...being given the advice of one being faster than the other (obviously assuming same hardware)....can be helpful for some members.

 

[Nullity]

Err..not really, when many firewalls have a CHOICE of which type of VPN you want to setup. Soooo...setup one type...which is slower, or setup the other type...obviously running on the same "exact" piece of hardware...which is faster.

I have the luxury of seeing real world examples every day....on my clients dime.
As many of the forum members are home enthusiasts here...I'm going to out on a limb here and make a claim that..."they'll want to watch their budget"...and not keep buying a few dozen different hardware platforms to keep experimenting with different firewalls and VPN types on. Many will take some existing/used x86 computer and just install a *nix distro on it..and that's what they got! Hence...being given the advice of one being faster than the other (obviously assuming same hardware)....can be helpful for some members.

As I mentioned though, is the maximum speed most reliant on the protocol or the encryption cipher(s) the protocol uses?

Though, without delving into the protocol's cipher settings, if one protocol is faster than the other, I understand your point.

 

[kvic]

Err..not really, when many firewalls have a CHOICE of which type of VPN you want to setup. Soooo...setup one type...which is slower, or setup the other type...obviously running on the same "exact" piece of hardware...which is faster.

IPSec/L2TP is better accelerated by hardware in business routers. OpenVPN doesn't enjoy such attention from these vendors. It's the hw acceleration for data encryption that speeds up most in IPSec/L2TP. Being equal class of citizens, IPSec or OpenVPN doesn't insanely outperform each other. I provided the examples..

 

[YeOldeStonecat]

IPSec/L2TP is better accelerated by hardware in business routers. OpenVPN doesn't enjoy such attention from these vendors. It's the hw acceleration for data encryption that speeds up most in IPSec/L2TP. Being equal class of citizens, IPSec or OpenVPN doesn't insanely outperform each other. I provided the examples..

However, we can neutralize that cut 'n paste Google-Fu opinion by taking the same x86 hardware platform (basically a PC...not a special piece of firewall hardware with a decicated IPSec CPU)..and installing various *nix firewall distros on them that run both VPN types.

...which..again, is what I do almost every day for various networks.
IP Phone support guys can't stand OpenVPN tunnels...because of the poor latency due to the built in NAT. . I recently just switched over an agencies wide area network from OpenVPN tunnels to IPSec tunnels...same bandwidth, same hardware, same *nix based firewall, just..different VPN technology. Their phone problems went away. No more garbled voice that sounded like a clock radio submerged in a fish tank. No more dropped calls. Their network share browser and transfer was even snappier and faster.

IP phone support people almost always tell you to stop using OpenVPN for site to site tunnels...once they find out it's being used. I recently went through that yet again with an agency that had multiple locations around my state. OpenVPN typically has its own internal NAT, which slows things down.

uhh...examples....from those that work it in every day....

Here is a thread at Untangles forums...one guy measured 2 megs throughput OpenVPN, 9.6 megs throughput IPSec.
http://forums.untangle.com/openvpn/35143-openvpn-site-site-performance-issues-ut-ng-11-a.html

Over on "enterprise networking" ...an article, and posts, by people who live and breath this every day...
http://www.enterprisenetworkingplan...penVPN-Is-Too-Slow-Time-to-Consider-IPSEC.htm

Forums of tech support guys that work with Astaro/Sophos UTM..."ipsec is faster than open"
https://www.astaro.org/gateway-prod...te-access-sophos-openvpn-client-vs-ipsec.html

The OP here is likely doing a *nix distro on x86 hardware here...not a specific VPN appliance piece of hardware with a second hardware accelerator just for the IPSec handling...like some Cisco appliance.

 

[sfx2000]

After hardware, I would think the choice of encryption cipher would be the most important decision when determining maximum speeds.

If OpenVPN & IPsec both use the same cipher (ex. AES), is IPsec still much faster?
I would expect OpenVPN & IPsec to have very similar maximums, unless different ciphers were used, which is not exactly a fair comparison.

Yes - it's due to design - L2TP/IPSec will always be faster than OpenVPN - OVPN will always use the TUN interface, and between the jumps up and down from User to Kernel space, and the subsequent memory thrashes... and this is with, or without, OpenSSL acceleration that some chips offer..

LT2P, along with PPTP, live in kernel space - they don't have the overhead there...

Folks that do VPN for a living - OpenVPN isn't really an option for B2B connections - the overhead there is just too expensive compared to L2TP/IPSec...

 

[kvic]

However, we can neutralize that cut 'n paste Google-Fu opinion by taking the same x86 hardware platform (basically a PC...not a special piece of firewall hardware with a decicated IPSec CPU)..and installing various *nix firewall distros on them that run both VPN types.

...which..again, is what I do almost every day for various networks.

I have no doubt with your experience and daily observations..

Comparison data is hard to come by...the numbers I provided are the closest I could gather on known hardware for a meaningful inference. The ipsec in Merlin build is broken at the moment or else I can provide first hand data from both sides.

 

[kvic]

Yes - it's due to design - L2TP/IPSec will always be faster than OpenVPN - OVPN will always use the TUN interface, and between the jumps up and down from User to Kernel space, and the subsequent memory thrashes... and this is with, or without, OpenSSL acceleration that some chips offer..

Again, would be good to see numbers..