OpenVPN performance

[repvik]

I've set up two AC68U routers with OpenVPN between them. Both are on fiber internet, with the slow end limited at 80mbit.
However, with OpenVPN I get around 20mbit.

Now, I understand that en/decryption is CPU intensive and that will limit speed. But when I'm getting 20mbit speeds, core 1 is below 50% on both ends (and core 2 does pretty much nothing). So there seems to be something other than bandwidth and CPU that limits the VPN speed.

Anyone got a clue if it's possible to speed it up?

 

[RMerlin]

I've set up two AC68U routers with OpenVPN between them. Both are on fiber internet, with the slow end limited at 80mbit.
However, with OpenVPN I get around 20mbit.

Now, I understand that en/decryption is CPU intensive and that will limit speed. But when I'm getting 20mbit speeds, core 1 is below 50% on both ends (and core 2 does pretty much nothing). So there seems to be something other than bandwidth and CPU that limits the VPN speed.

Anyone got a clue if it's possible to speed it up?

What is your upstream speed at both ends? Your tunnel performance will be limited to the slowest of the two, between down and upstream). If downstream is 80 Mbps but upstream is only 20 Mbps, then the bi-directional performance will be limited to 20 Mbps.

 

[repvik]

What is your upstream speed at both ends? Your tunnel performance will be limited to the slowest of the two, between down and upstream). If downstream is 80 Mbps but upstream is only 20 Mbps, then the bi-directional performance will be limited to 20 Mbps.

At home, 100 down, 200 up (supposed to be 100/100, but I'm not complaining). At remote location (16ms away), speed is 80/80. Bandwidth isn't the issue.

 

[repvik]

I've now specified encryption to be AES-128-CBC, and disabled compression. Everything else is default openvpn settings. iperf gives me 19.7mbps.

 

[cosmoxl]

have you tried both TCP and UDP? with such low latency it probably won't make a difference but doesn't hurt to try.

is the the same when in both directions? Could the ISPs and internet between the two routers be throttling openvpn? it's known to happen because "they" can see it's an openvpn connection with deep packet inspection.

have you tried using mssfix and mtu changes to see if that helps? since you can control both ends mtu changes are within your power.

 

[repvik]

have you tried both TCP and UDP? with such low latency it probably won't make a difference but doesn't hurt to try.

is the the same when in both directions? Could the ISPs and internet between the two routers be throttling openvpn? it's known to happen because "they" can see it's an openvpn connection with deep packet inspection.

have you tried using mssfix and mtu changes to see if that helps? since you can control both ends mtu changes are within your power.

I've tried adjusting MTU without any luck. I'll try mssfix later today.
Throttling by connection type is at best unusual where I live, so I don't suspect that. I'll try from my desktop to a server instead of router to router to see if that makes a difference.

 

[anannra]

really bad perf....

With stock fw, and stock configs, I was getting 20KB/s download speeds...

Using repvik's config, i'm now getting about ~120KB/s download speeds.

I'm connecting to my NAS at home through the vpn, and connecting using openvpn on and iphone 6.

Are these speeds expected ? They seem really really slow.

Thanks

 

[RMerlin]

With stock fw, and stock configs, I was getting 20KB/s download speeds...

Using repvik's config, i'm now getting about ~120KB/s download speeds.

I'm connecting to my NAS at home through the vpn, and connecting using openvpn on and iphone 6.

Are these speeds expected ? They seem really really slow.

Thanks

Your iPhone ain't the best CPU to handle OpenVPN crypto, and it will also be affected by the speed of your iPhone's internet connection. Do your test with an actual computer.

You didn't specify what router you had. MIPS-based routers should be able to hit up to about 20 MB/s with my firmware (somewhat less with stock FW, as Asus didn't optimize OpenSSL), and 50 MB/s with dualcore ARM-based routers.

The speed is also limited by the upstream speed of your Internet connection, which is typically quite slower than the downstream.

 

[repvik]

..., and 50 MB/s with dualcore ARM-based routers.

With what config, if I may ask? The slowest link between my AC68-U and the AC68-U on the other end is 80mbps.

 

[RMerlin]

With what config, if I may ask? The slowest link between my AC68-U and the AC68-U on the other end is 80mbps.

TCP, AES-128-CBC. The server router was sitting within my LAN, so that way I didn't have any WAN-related bottleneck (my LAN being gigabits). I can't remember the other settings, I did that test about a year ago. I was mostly using default settings from what I remember.

 

[anannra]

Your iPhone ain't the best CPU to handle OpenVPN crypto, and it will also be affected by the speed of your iPhone's internet connection. Do your test with an actual computer.

You didn't specify what router you had. MIPS-based routers should be able to hit up to about 20 MB/s with my firmware (somewhat less with stock FW, as Asus didn't optimize OpenSSL), and 50 MB/s with dualcore ARM-based routers.

The speed is also limited by the upstream speed of your Internet connection, which is typically quite slower than the downstream.

Fair enough... yes, iphone CPU ain't the greatest. My iphone lte link is typically at 30mbps down, 5mbps up. I was hoping to at least 1Mbps down with the vpn


Ok... I'm using the AC56U on comcast. I have 50mbps down and average 15mbps up. It's and all GE lan at home.

Connecting from a computer, iperf reports roughly 3mbps transfer speed of 500MB from my remote computer to a computer running the iperf server on the other end of the vpn.

Still seems kind of slow no ?

 

[RMerlin]

Fair enough... yes, iphone CPU ain't the greatest. My iphone lte link is typically at 30mbps down, 5mbps up. I was hoping to at least 1Mbps down with the vpn


Ok... I'm using the AC56U on comcast. I have 50mbps down and average 15mbps up. It's and all GE lan at home.

Connecting from a computer, iperf reports roughly 3mbps transfer speed of 500MB from my remote computer to a computer running the iperf server on the other end of the vpn.

Still seems kind of slow no ?

iperf results can greatly vary based on your iperf settings. Here's my own RT-AC56U results from a bit over a year ago:

[152] local 192.168.1.100 port 1841 connected with 192.168.10.130 port 5001
[ ID] Interval       Transfer     Bandwidth
[152]  0.0-30.0 sec  1.16 GBytes    333 Mbits/sec

My iperf settings were as follow:

iperf -c 192.168.10.130 -M 1400 -N -l 64K -t 30

This was done within my LAN (with computers on both sides of the router, one on LAN and another on WAN).

 

[hytekj]

I have an AC66U and followed the guide at: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

I am trying to route all the traffic on my laptop while its connected to public/work WiFi/4G through my home network.

I am stuck getting ~400kbps down and ~6mbps up. My home internet is 100/10 and my WiFi/4G connection is showing speed tests of about 10mbps both up and down.

Changing to UDP gets me up to 2mbps down and 9mbps up (almost hitting my max on the upload).

Any idea why the VPN is painfully slow on the down link? Pings are much higher on TCP (in the 1000s ms) and lower on UDP (100 or so ms).

Here are my Router settings:
Interface type: TUN
Protocol: UDP
Port: 1194
Firewall: Auto
Authorization Mode: TLS
Username/password auth: No
Extra HMAC authorization: Disable
VPN Subnet/Mask: 10.8.0.0 255.255.255.0
Poll interval: disable (0)
Push Lan to clients: Yes
Direct clients to redirect internet traffic: No (but I have this set in the OpenVPN client)
Responsd to DNS: Yes
Advertise DNS to clients: Yes
Encryption Cipher: AES-128-CBC
Compression: Disabled
TLS Renegotiation time: -1
Manage client-specific options: No

OpenVPN client settings:
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert NN.crt
key NN.key
ns-cert-type server
cipher AES-128-CBC
verb 4
redirect-gateway def1

Also, why is it basically impossible to manage the router while connected via VPN? Takes forever for pages to load and it times out both on PPTP and OpenVPN.

 

[hytekj]

I have an AC66U and followed the guide at: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

I am trying to route all the traffic on my laptop while its connected to public/work WiFi/4G through my home network.

I am stuck getting ~400kbps down and ~6mbps up. My home internet is 100/10 and my WiFi/4G connection is showing speed tests of about 10mbps both up and down.

Changing to UDP gets me up to 2mbps down and 9mbps up (almost hitting my max on the upload).

Any idea why the VPN is painfully slow on the down link? Pings are much higher on TCP (in the 1000s ms) and lower on UDP (100 or so ms).

Here are my Router settings:
Interface type: TUN
Protocol: UDP
Port: 1194
Firewall: Auto
Authorization Mode: TLS
Username/password auth: No
Extra HMAC authorization: Disable
VPN Subnet/Mask: 10.8.0.0 255.255.255.0
Poll interval: disable (0)
Push Lan to clients: Yes
Direct clients to redirect internet traffic: No (but I have this set in the OpenVPN client)
Responsd to DNS: Yes
Advertise DNS to clients: Yes
Encryption Cipher: AES-128-CBC
Compression: Disabled
TLS Renegotiation time: -1
Manage client-specific options: No

OpenVPN client settings:
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert NN.crt
key NN.key
ns-cert-type server
cipher AES-128-CBC
verb 4
redirect-gateway def1

Also, why is it basically impossible to manage the router while connected via VPN? Takes forever for pages to load and it times out both on PPTP and OpenVPN.

Anyone have any ideas? Something to do with compression/mssfix/mtu/fragment/float? Sorry I'm kind of new to this...

 

[cosmoxl]

usually when I see down speed low and up speed higher there is some throttling going on by the ISP.

also, I don't think the AC66 is going to be super good at VPN anyway. The CPU in that model just isn't up to the task of encryption/decryption.

 

[hytekj]

usually when I see down speed low and up speed higher there is some throttling going on by the ISP.

also, I don't think the AC66 is going to be super good at VPN anyway. The CPU in that model just isn't up to the task of encryption/decryption.

hmmm any sure fire wire to figure out if its being throttled?

which asus model do you recommend?

 

[kitsura]

hmmm any sure fire wire to figure out if its being throttled?

which asus model do you recommend?

Run this test.
http://www.measurementlab.net/tools/glasnost

 

[hytekj]

Run this test.
http://www.measurementlab.net/tools/glasnost

I don't see an option to test vpn there...

400kbps (TCP) to 2mbps (UDP) is a pretty big swing. I'm thinking its either a configuration issue or cpu/hardware limitation? But RMerlin said he was able to get some decent speed with the 56 model which is older than my 66..and a senior representative for my ISP says they don't traffic shape a single protocol.

 

[watusi]

Very disappointed with the PrivateTunnel VPN service. I set it up and funded with $20, thinking it ought to out-perform my home router.

No.

On ATT LTE (tested at 50mbps) I get 1mb or less down, 10mbps up.

That is the same strange result somebody reported earlier here. I don't understand the asymmetrical bandwidth, unless it is simply that PrivateTunnel is overloaded, and, of course, most customers are going to be using "down" bandwidth.

I get 2mpbs down with openVPN to my own router, so paying for the service makes no sense for me.

I haven't tried with a proper computer yet, just iPhone 5S. I have to take my Macbook to somewhere off my LAN with a good Internet connection.

 

[cosmoxl]

I don't see an option to test vpn there...

400kbps (TCP) to 2mbps (UDP) is a pretty big swing. I'm thinking its either a configuration issue or cpu/hardware limitation? But RMerlin said he was able to get some decent speed with the 56 model which is older than my 66..and a senior representative for my ISP says they don't traffic shape a single protocol.

age isn't the issue. the CPU architecture is what drives openvpn potential. I think the AC66 is a MIPS architecture, while the AC56 is ARM. am I right?