Slow VPN speed - QOS issue ?

[creatine]

I have an AC3100 running asusmerlin 384.10_2 and FreshJR QOS script v8.8. I have a 50\10 DSL internet connection. I have an issue with slow VPN speeds using the built in IPSEC router client.

My testing all done from the same PC (speedtest.net):

Adaptive QOS ON (NO VPN) = Full speed (about 50Mbit)
Adaptive QOS ON (NordVPN client or IPSEC client installed on PC with ovpn file) = Full speed
Adaptive QOS ON (using same ovpn file on router ) = slow speed (about 20Mbit)
Adaptive QOS OFF (using same ovpn file on router ) = Full speed

CPU cores are not being used. Can anyone explain this behavior and any setting I should change to fix it ?

 

[L&LD]

Are you able to pick different (faster) servers on your preferred VPN?

The router is a known weak spot for OpenVPN performance, but it should be able to do better than 20Mbps.

Others may be able to assist you with specific settings that you may need to tweak too.

 

[creatine]

I have tried multiple VPN servers, they display the same behavior (fast when using various software clients on PC) , slow when using VPN client on router with QOS enable. I suspect QOS is the culprit

 

[L&LD]

I have tried multiple VPN servers, they display the same behavior (fast when using various software clients on PC) , slow when using VPN client on router with QOS enable. I suspect QOS is the culprit

How have you configured QoS?

 

[creatine]

I'm using FreshJR (default settings) script with adaptive QOS.

 

[L&LD]

I'm using FreshJR (default settings) script with adaptive QOS.

Did you put the categories in the suggested order? Have you verified that the script installed and is working as expected?

 

[CaptainSTX]

I have an AC3100 running asusmerlin 384.10_2 and FreshJR QOS script v8.8. I have a 50\10 DSL internet connection. I have an issue with slow VPN speeds using the built in IPSEC router client.

You should be able to do a little bit better but the issues are.

1. The processor in this router is only 1.4 Ghz and I don't believe that it supports AES-NI which is built into the chips to support faster encryption.

2. OpenVPN is a process that only runs on a single core. Be sure you are not running it on the same processor that is supporting the router's main functions. I don't know if QOS is a single or dual core process. If it is single core only be sure you have the VPN and QOS on different cores as QOS is also very processor intensive.

3. If you have the option with your VPN provider reduce encryption to AES-128-CBC. Also be sure your ovpn config file is designed to run with the latest version of openVPN which is incorporated in Merlin 10.2.

 

[creatine]

I am convinced there is a "bug" with the combination of QOS and router VPN client. When looking at QoS - WAN/LAN Bandwidth Monitor and connected to VPN download traffic is displayed as upload. Traffic is properly categorized when either QOS or VPN are off.

My QOS setup has been in place for several months and working correctly, I tried adding VPN client functionality to the router today. CPU usage on both cores is below 40% when performing tests.

 

[sone]

Thanks for posting this creatine.. this is very interesting info you've discovered.

 

[FreshJR]

Are your VPN speeds limited to the upload limit defined in QOS.

You said you can achieve 20mbps. This is weird as its higher than the upload limit in the QoS screenshot.

 

[creatine]

As a test, I actually set my qos limits to 50/50, waited 10 min to make sure the script reloads and tested. No change in vpn client performance with qos enabled. Also power cycled router. If it is a hardware/CPU limitation, it is not displayed in CPU usage graphs

 

[sinshiva]

try with vpn traffic unclassified.

 

[FreshJR]

The only change my script makes with reguards to VPN functionality, is that it includes a rule that does NOT subject "download/incomming" VPN traffic to the "upload" QoS limit.

I thought that maybe the fix might be not functioning, but since you tested with limits set to 50/50, it doesn't seem to be the case.
(Merlin has implemented this mentioned VPN fix from the script to be present for all users on recernt RMerlin firwwares. It is present for users that don't have FreshJR_QOS installed)

--

Check the status of

Tools --> SysInfo --> HW Accleration

when the slowdowns happen.

The proper value should be

"Enabled (CTF only)" if HW acceleration is enabled.

--

Maybe retest without the FreshJR qos script, but the script doesn't make any changes with regards to internal traffic routing.

--

Are you using ipv6?? (VPN fix only applied to ipv4 traffic)

 

[creatine]

I am only using IPV4. I will try adaptive QOS without FreshJR script this evening. Attached is what i see for HW acceleration.

I am downloading fron NNTP with QOS\VPN and see the following. Download seen as upload in graph. Though traffic is properly categorized as NNTP and file transfering. The graph issue is not present when VPN client is off

 

[FreshJR]

The meters show QoS results before the fix/modifications.

The FIX puts the “upload” traffic back into “downloads” as expected.

Since you gave ipv6 disabled, I am out of ideas.

 

[creatine]

I uninstalled your script, and rebooted. Disabled QOS and enabled QOS again. This time download speed tests capped out at 9 Mbit when connecting to VPN. Which is what I had set as QOS upload limit. So it seems that ASUS QOS is mixing up VPN download\upload. I then set my QOS limit to 50/50 and hit the 20mbit VPN throughput issue in my original post. So either the router doesn't have the processing power to handle VPN and QOS at the same time or there is an other issue. My next step will be to factory reset and start from scratch.

 

[sinshiva]

You should be able to do a little bit better but the issues are.

1. The processor in this router is only 1.4 Ghz and I don't believe that it supports AES-NI which is built into the chips to support faster encryption.

2. OpenVPN is a process that only runs on a single core. Be sure you are not running it on the same processor that is supporting the router's main functions. I don't know if QOS is a single or dual core process. If it is single core only be sure you have the VPN and QOS on different cores as QOS is also very processor intensive.

3. If you have the option with your VPN provider reduce encryption to AES-128-CBC. Also be sure your ovpn config file is designed to run with the latest version of openVPN which is incorporated in Merlin 10.2.

sorry, this. i should have checked the cpu for that model; you are probably getting all that you can out of it.

Sorry @FreshJR - hope you didn't start tearing hair out; managing QoS can be daunting in itself without somebody sending you on a wild goose chase