Save Asus CPU by letting PCs manage their own tunnels

[paulbates]

Here is something that may help if your OpenVPN is overwhelming your ASUS' CPU. (I use an OpenVPN client on my Asus RT-AC88 to PureVPN. )

I initially routed everything on my LAN but the Roku (Netflix does not work) through the Asus MerlinWrt openvpn client. It works, but the ARM CPU struggles to keep up when there is a lot of activity on many devices, especially since OpenVPN is one of the most demanding vpn protocols.

PureVPN lets me log into 5 non-mobile devices (PCs and Router) at the same time on one subscription. I now route my two windows PCs and Surface around the Asus OpenVPN tunnel and through the ISP. I installed OpenVPN clients on them and they create their own individual OpenVPN tunnels through the ISP to Purevpn.

This allows the PCs and surface to individually use their own processors and chop up the OpenVPN client load easily, keeping things secure while taking the OpenVPN load off of the Asus. Everything else (iot, tablets, phones, etc) use a single Asus Merlin OpenVPN tunnel. The PCs are back close to their original ~70mbs speed, that fell noticeably through the ASUS.

OpenVPN's Windows client reconnects automatically from standby, and if its more than ~10 minutes in standby, it gets a new IP address.. a rotating IP is perfect for my PC use. The OpenVPN client also allows configuration commands like buffering which has proved to help once the tunnel ~> 50mbs.

The OpenVPN windows clients can be a little clunky to get configured and installed for easy startup, but fairly simple to use once its in

Paul

 

[System Error Message]

the whole point of running vpn on the router isnt to save on devices that can access a vpn, rather for specific routing purposes and also for security (such as your own private vpn server if you're roaming or to access local resources without port forwarding or exposing your network).

Although on the ac88U it cant be that slow. OpenVPN can be tricky because it is relatively new with many different implementations.

 

[paulbates]

My requirement is to get through my ISP privately while not losing performance. I only need a VPN client, I no longer open any ports to the internet or require a VPN server into my LAN. I don't disagree with routing all required devices through the single VPN client, but it doesn't lower privacy for individual PCs to use their own tunnels. It does lower the amount of traffic having to be decrypted by that single pipe in the Asus and improve the PCs performance performance using their I5s for their own traffic vs ARM for all.

As for tricky, PureVPN provides their own configuration to me to use with the Asus router via OVPN files. Other that trying their TCP vs UDP OVPN configurations (difficult to enumerate difference between them for me), there weren't other options. All options through the 88 peg out at ~50mbs tops for me with PureVPN. I ran repeated tests to the same PureVPN server... PC -> router-> purevpn, and PC -> purevpn.

I love the 88, but this a case where I found its limits. Its much faster for the desktops to go direct, lower use and few degrees cooler on the router.

 

[System Error Message]

if not needed for routing its better to use vpn on the pc rather than router.

 

[paulbates]

The cases that do need the asus vpn client are the remainder of iot type devices ( harmony hub, sprinkler controller, thermostats, HA controller, Dots, AMI Energy bridge, printer, media servers). Plus any mobile / tablet devices. Those all default through the Asus OpenVPN client and handled well by it.

The Roku (netflix issue with purevpn), the pcs and my work laptop (Junos VPN) all bypass and go straight out

 

[doczenith1]

All options through the 88 peg out at ~50mbs tops for me with PureVPN. I ran repeated tests to the same PureVPN server... PC -> router-> purevpn, and PC -> purevpn.

I was able to get slightly faster speeds on my 3100 using PIA. What level of encryption are you using? Did you have CTF enabled?

AC3100 (1.4 Ghz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
DL :74 Mbps with core 1 at 30%, core 2 at 85% with mods*
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client (i5-2500K) I'm able to attain 250 Mbps down and 350 Mbps up on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

*Adding the following lines to the custom configuration bumped the DL speeds to 74 Mbps.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

 

[paulbates]

I was able to get slightly faster speeds on my 3100 using PIA. What level of encryption are you using? Did you have CTF enabled?

AC3100 (1.4 Ghz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
DL :74 Mbps with core 1 at 30%, core 2 at 85% with mods*
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client (i5-2500K) I'm able to attain 250 Mbps down and 350 Mbps up on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

*Adding the following lines to the custom configuration bumped the DL speeds to 74 Mbps.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

So I did test my iphone a few days ago and got 91.16 mb (WLAN AC). This was through the Asus and its VPN tunnel, and the fastest I've ever seen my comcast, even with no VPN and wired. I have the "Blast Tier" Comcast service, supposed to be 75mbs, but provisioned to 90.75 mbs. Not bad for good old DOCSIS 3

I've done some repetitive testing, typically through the Asus + VPN, 30mbs - 45mbs. The upload speed is 10, provisioned to 12... pretty much 11mbs.... VPN, No VPN.

The using the standalone windows clients routed around the asus vpn, but with OpenVPN client software, 40mbs - 65mbs typically.

AES-256-CBC
LZO Adaptive Compression
TCP (I've had a hard time proving UDP is faster)
SHA1
Not sure what the handshake is
CTF ON

I picked up the ovpn buffering commands from you earlier, thanks again, it does help!

EDIT: Ok, the more I test, the more bizarre it gets. Just re-tested an AC windows client (433mbs to the Asus WLAN/AC, OpenVPN Client) 98.78mbs with a peak to 105! Never saw that non VPN before!