Regulair WAN traffic slow when using OpenVPN client on router

[miniterror]

New to using OpenVPN and al of its settings.
I can see there are a lot of possible variables but usually the default should be fine.
I am trying to use a Client VPN from a VPN sevice i bought named Windscribe on my AX-86U running Merlin 386.2_4.
On there website i can generate a OpenVPN file wich i have imported in the WebGui from the Asus and it actually connects.
Set it too Policy (Strict) and defined one client in the rules to go to the VPN, all other traffic should still be routed to my regulair ISP and not through the VPN, this all seems to be going well if it est with my Phone and laptop.
My laptop still goes through the regulair WAN and my phone goes through the VPN as set by the policy rule, at this point speeds on my laptop going through WAN are still good.
Using SPDMerlin i can do a speedtest for the VPN Client interface and i see this to be approx 80Mb down, my ISP provides me with 300/30 so i asume the VPN client can never ull the full 300Mbit.
As soon as i start the download of a Ubuntu torrent for example the problems start to happen.
Download speed of the torrent will be less then 1MB and verry slow, this doesnt add up with the 80Mbit of the speedtest in SPDMerlin and the biggest problem.
ALL other clients that are not routed through the tunel are starting to have serious problems, Youtube cant load anymore on the TV for example.
Internet radio stream on my laptop stops and the Phone of the misses Cant do Insta/FB anymore.
Turn off the download on my phone that is routed through the tunnel and all devices turn back to normal again, i can repeat this behaviour by switching the download on/off on my phone that is routed through the tunnel.
I have a second VPN provider (Ivacy) and when i use the OpenVPN files from them and do the above the exact same will happen, funny fact is that both the VPN providers seem to give equal speeds in SPDMerlin.
Not sure how to debug this or where to look for this specific matter, looking at the "network map" section i can see the internet traffic sliders not going over 1MB, with a 300Mbit connection that should be far from the limit.
Also CPU cores do not show100% usage.
Any ideas what might be causing the "outage" when i start downloadingthrough the tunnel.

Edit: My ISP delivers over Coax, the modem is set to bridge mode and i receive the WAN over DHCP on my Asus.
I personally think its a MTU problem but im not sure.


Config pic

 

[sbsnb]

Are you able to connect to the VPN service using TCP instead of UDP? I've been on networks where UDP was rate limited or blocked altogether and it might help to rule out that variable.

 

[Toink]

Why is your destination IP set to 0.0.0.0/0? You can just leave it blank.

 

[miniterror]

Are you able to connect to the VPN service using TCP instead of UDP? I've been on networks where UDP was rate limited or blocked altogether and it might help to rule out that variable.

Yes, they offer TCP too, doing this doesnt change the behaviour, as soon as i start the download all other traffic will "break"

Why is your destination IP set to 0.0.0.0/0? You can just leave it blank.

Does that really matter, you think that is the cause?

Edit: tried without the 0.0.0.0/0 and still the same problem.
You can see when it starts to transmit data PING shoots up to high numbers.
Loking back in my CONMON monitoring towards 1.1.1.1 i can always see it shoot up when i try to push data over the VPN tunnel.
Even saw 19xxMS latency

 

[eibgrad]

Given your initial post, it's my guess this isn't a performance problem so much as a problem of having DNS resolved over the VPN for clients that are otherwise NOT bound to the VPN.

One of the problems that's often under-appreciated is that many sites/servers these days are very sensitive to DNS. Take Netflix or Hulu for example. Even if you specifically configure the router to access these services over the WAN, if DNS for those services is being resolved over the VPN, you'll have all kinds of problems. Those services are able to detect the fact you are using resolved domain names over the VPN.

That's a fundamental flaw of using DNSMasq (a local proxy) w/ a VPN. You can end up having DNS and access based on DNS resolution occurring across different network interfaces. At least in some cases. A lot of these problems go away once you stop using DNSMasq and force all your clients to access public DNS servers directly, because now *all* the client's traffic, DNS or otherwise, uses the same network interface, at all times.

One way to tell for sure if this is the problem is to NOT use policy based routing, but instead route everything over the VPN (putting aside the fact some services won't work over the VPN, like Netflix or Hulu). If everything seems to return to normal (or at least as normal as can be expected given the slower speed of the VPN compared to the ISP), it's likely the problem is this issue of DNS and access based on DNS being across different network interfaces.

 

[miniterror]

Given your initial post, it's my guess this isn't a performance problem so much as a problem of having DNS resolved over the VPN for clients that are otherwise NOT bound to the VPN.

One of the problems that's often under-appreciated is that many sites/servers these days are very sensitive to DNS. Take Netflix or Hulu for example. Even if you specifically configure the router to access these services over the WAN, if DNS for those services is being resolved over the VPN, you'll have all kinds of problems. Those services are able to detect the fact you are using resolved domain names over the VPN.

That's a fundamental flaw of using DNSMasq (a local proxy) w/ a VPN. You can end up having DNS and access based on DNS resolution occurring across different network interfaces. At least in some cases. A lot of these problems go away once you stop using DNSMasq and force all your clients to access public DNS servers directly, because now *all* the client's traffic, DNS or otherwise, uses the same network interface, at all times.

One way to tell for sure if this is the problem is to NOT use policy based routing, but instead route everything over the VPN (putting aside the fact some services won't work over the VPN, like Netflix or Hulu). If everything seems to return to normal (or at least as normal as can be expected given the slower speed of the VPN compared to the ISP), it's likely the problem is this issue of DNS and access based on DNS being across different network interfaces.

Thanks for the detailed reply, hope i understood everything correctly as English isnt my native language.
If it would actually be a problem of client DNS going through the VPN tunnel towards the VPN DNS servers i do not fully understand how the behaviour can be noticable if pinging 8.8.8.8.
As far as i know pinging a specific IP doesnt require DNS, so even if the DNS of my laptop (not in policy rules so using regulair WAN) goes towards the VPN DNS servers it shouldnt affect my ping latency, should it?
Interesting fact though, i will have a look later when i have some time again and no one else is using the net to fiddle with this and see if the DNS of laptop is leaving my WAN interface or not towards 1.1.1.2 or 9.9.9.9 wich i have set under WAN.

My entire intention was, have one specific client going into the tunnel, as the tunnel cant use my full ISP speed i will never bother my other clients that i route outside of the tunnel when i do big downloads.
It wouldnt matter that they take a longer time on that one client.

 

[sbsnb]

It looks to me like a typical buffer bloat problem. If you have adaptive QoS enabled, that can still happen if the maximum speeds are set incorrectly. Are you certain the speeds set in your QoS are no more than 90-95% of the lowest speeds you can test for over your VPN? I wouldn't trust well known speed test sites since unscrupulous providers can optimize that traffic to boost test results. Try downloading something large from several sites and note the maximum speed. Try the same uploading, if possible.

 

[miniterror]

It looks to me like a typical buffer bloat problem. If you have adaptive QoS enabled, that can still happen if the maximum speeds are set incorrectly. Are you certain the speeds set in your QoS are no more than 90-95% of the lowest speeds you can test for over your VPN? I wouldn't trust well known speed test sites since unscrupulous providers can optimize that traffic to boost test results. Try downloading something large from several sites and note the maximum speed. Try the same uploading, if possible.

I have no QoS scripts active, i have tried it one time with my speeds set to 250/25 and used customized setting, highest priority was set to gaming and streaming to second.
This yielded a worse experience in watching youtube then not using it at all.
From my understanding on higher speeds these do not work correctly, and from wat i have read a 300/30 is already overkill for the various scripts so as it seemed to give me worse results i deactivated it again.

 

[miniterror]

For testing purposes i just enabled Cake-QoS and added the CakeQoS-Merlin v2.0.0 script posted by ttgapers, set my speeds to 275down of the 300 i have and 27.5 upload of 30 i have.
Started Ubuntu torrent and within a few seconds my internet radio stutterd, after a few (like 15) seconds late rthe entire stream died.
Something that doesnt happen when not testing it, i could also reproduce this multiple times in a row.
As for DNS, i checked the laptop that is runing the stream, it is connected with client VPN to my work network, DNS lookup is using my work DNS servers, so the router shouldnt see these DNS requests as they are encrypted for the router.
Still no idea wat is causing these problems for me.

Starting the problems its also visible in Connmon as the pings will shoot up, see the spike to 128MS, thats the point were i started the download over the tunnel.

 

[sbsnb]

What about using Flex QoS? Cake disables hardware acceleration. Might or might not be a factor here.

 

[miniterror]

Just installed the FlexQoS from AMTM menu option 3.
Have the speeds set too 275/27.5 from the 300/30 i actually have.
Radio stream dropped again and i lost ping to Google and have the insane high latency again.
With the VPN client disabled on the router and not forcing traffic i have a steady ping of approx 20ms
Also speeds of the Ubuntu torrent wont go over 100kbps wich should be able to fill a 300/30 line.
I have really no idea what is happening here, stopped the torrent download and within seconds my radio stream starts again.

Below a little walk of the ping towards Google.
See the VPN turned on and sending data over the VPN interface, then i stop the download and turn off the VPN Client on the router and ICMP goes back to normal

 

[sbsnb]

Have the speeds set too 275/27.5 from the 300/30 i actually have.

Is 300/30 the speed you actually get over the VPN? The QoS has to be set to 90-95% of the slowest actual speed through the VPN.

Just for testing purposes try setting QoS to something very low, like 5/5 and see what happens.

 

[miniterror]

Is 300/30 the speed you actually get over the VPN? The QoS has to be set to 90-95% of the slowest actual speed through the VPN.

No, the 300/30 is my ISP speeds, the speeds of the VPN are probably way lower.
Never seen anything above 10MB when using the client on my mobile phone, this should equal approx 80Mbit, so is hould have 200+ available for the othr devices in my network.
I have opened a ticket with the VPN provider and they state a higher speed should be possible but my phone isnt capabale enough
Hence im trying to get it running this way and hopefully get faster speeds.
ISP speeds seems steady to me, also have spdmerlin running wich shows the same line.
Sometimes a little bit lower but this could be due to me being in teams meetings at those moments or anything else work related.
I do a speedtest every 30 minutes from spdmerlin.
Small dip at 22:15 from the left adds up to the time yesterday evening i was working for a short period and downloading some stuff for work.
The a steady line during the night and you can see its start to fluctuate a little bit again when my kid woke up this morning and started YT before school at 07:45.
And then during the day my work shizzle, being in team meetings taking a little bit away and downloading other things for work.

Just for testing purposes try setting QoS to something very low, like 5/5 and see what happens.

If i set it too 5/5, that would effect my entire network.
Have to wait till the kids are in bed before i can test that and wait till my workday is over, think i will do 10/10 wich should also be well within my ISP speeds.

 

[sbsnb]

No, the 300/30 is my ISP speeds, the speeds of the VPN are probably way lower.

If all of your traffic is going through the VPN, and you want to keep large downloads from destroying other traffic, you're going to have to set QoS to 90% of that speed, not your ISP speed.

I do a speedtest every 30 minutes from spdmerlin.

Turn that off while testing. I'm pretty sure that speed test bypasses QoS and will mess things up while it's taking place. That's a huge bandwidth hog. On my system it generated about 500 MB of traffic for every test. If you're running every 30 minutes continuously that would be 720 gigabytes per month. That's more than double my total traffic with two kids who are seemingly always Youtubing, Tick Tocking, gaming, Face Timing, and watching Netflix/Disney+.

 

[sbsnb]

Another thing to check, what does your CPU usage look like when your phone is using the VPN?

 

[miniterror]

If all of your traffic is going through the VPN, and you want to keep large downloads from destroying other traffic, you're going to have to set QoS to 90% of that speed, not your ISP speed.

I think we have a misunderstanding coming up, possibly because my native langauge isnt English.
My ISP Speed is 300/30 wich i consistently get doing speedtest and not doing other things with internet, ofcourse if i have a download or teams meeting at the same time it will show a bit lower.
The 300Mbit download speeds should equal 37.5MB/s download speed.
Recently i bought 2 VPN providers (Ivacy and Windscribe) and used the Android application of both applications.
I have been trying some downloads and with both providers maximum download speed i have seen is 10MB/s, using the Android client all my other clients have no problems.
Opened a ticket with the VPN provider as i was expecting faster speeds for the VPN, they told me the hardware of my phone (Oneplus 6) isnt capable enough for faster speeds.
This made me think about the VPN client on the router, with probbaly better hardware for VPN traffic, i use the AX-86U.

So i downloaded the OpenVPN file from the VPN provider and imported this file into the router VPN client section and made a rule that only one device should be routed to the VPN tunnel.
Assumption here, if i get max 10MB/s over the phone application i should atleast get that over the router client, this should leave 27.5MB/s as a leftover for all my other devices that are not being routed into the VPN tunnel but use my regulair ISP as outbound line.

I started the tunnel and routed only my phone to the tunnel interface, started a download and speeds on my phone are less then 1MB/s, most testing attempts its still below 200Kb/s.
As a side result, all other clients in my LAN that are not routed through the VPN interface experience outages as seen on the pictures i posted above.

Maybe my assumptions are wrong, If my phone gets 10MB/s speeds with the application of the VPN provider i should be able to get this 10MB atleast on the router too.
If my total speed of my ISP is 37.5MB/s and i use 10 from the VPN client, all other clienst should still have 27.5MB/s left to use and shouldnt get these outages im seeying now.
Please correct me if my thoughts are wrong.

Another thing to check, what does your CPU usage look like when your phone is using the VPN?

Just did a test and see CPU usage, see below picture, on the yellow spike to 100% i turned on the VPN client.
Then i got my phone, opened the torrent application and started the Ubuntu iso download.
Speed was at 60Kb/s so really low and my music stopped playing again.
Took the snippet bewow right after the music stopped.

Turn that off while testing. I'm pretty sure that speed test bypasses QoS and will mess things up while it's taking place. That's a huge bandwidth hog. On my system it generated about 500 MB of traffic for every test. If you're running every 30 minutes continuously that would be 720 gigabytes per month. That's more than double my total traffic with two kids who are seemingly always Youtubing, Tick Tocking, gaming, Face Timing, and watching Netflix/Disney+.

The speedtests itself from SpdMerlin are being done at every 15th and every 45th minute of the hour.
I can easily do my testing outisde of these 2 frames as the tests itself only take approx a minute, probably even less.
As for bandwith, i do not have a usage cap from my ISP, so it shouldnt matter that i use a lot of traffic every month.



Edit: just tested with QoS set to 10/10 and still my radio dropped.
No difference in behaviour, ping to Google shows mega high latency, radio dropped out again and less then 100KB speeds on the torrent.

 

[Zulgrib]

Can you reproduce the problem by downloading the ubuntu ISO from https instead of torrent ?

If you cannot, I would recommend forcefully limiting upload speed on your torrent client to 1/10 of your speedtest-over-vpn upload score.
I would also limit the number of maximum seed per torrent to 10 to reduce the number of simultaneous open connections.

docsis is a pile of trash when maxing the outgoing bandwidth, which popular torrents will do.
(I assumed you have docsis because of 10 to 1 download versus upload bandwidth, and since you have 300Mbps download, there's very low chances you are en VDSL which cap at 150Mbps at most places)

 

[miniterror]

Sorry for the late reply, reall life caught u pand had some other things going on.
Been able to test a little bit though and the problem only seems to happen on the Ivacy VPN.
I tried this weekend again to download something with the app on my phone and within aminute my oldest son asked me if i turned off WiFi as his Playstation and TV didnt work anymore.
Dit a different test and downloaded the Ubuntu ISO over the Ivacy VPN app and amazingly this didnt seem to affect the network at all, no complaints from my kid.
Havent tested it with the VPN on router active yet.

On this behaviour i decided to change to my other VPN provider (Windwscribe) and started a torrent again, was steady at approx 6MB downloadspeed and all other devices did not seem to be affected.
So its starting to look like there is something in the Ivacy OpenVPN that is causing this, Windscribe app uses WireGuard.
Hope to find some time this week and test some more

 

[sbsnb]

I would suspect that they're using a cipher that is CPU intensive.

 

[miniterror]

I see this coming by when i activate te tunnel on the router itself, would that be considered as to heavy for the CPU of a AX-86U?