
VPN Client Setup - Performance Issues


Ghaperlordan

Hi,

I have an ASUS AC5300 router and am using its OpenVPN client. I've tried using services like PIA, Buffered, and ExpressVPN, but none of them will let me get over 32Mbps in download speeds on a cable connection that I get 134Mbps without VPN. I realize there is some overhead with using VPN, but I think only getting about 1/4 to 1/3 of my purchased throughput is a little high.

I've worked with these companies' tech support and none of them could get any better performance. In fact, I was told that my ASUS router is the bottleneck, that it cannot perform the 'modern day' type processes to get better performance. Since I have over 15 devices at home, I have to stick with a network solution as VPN providers don't allow very many connections.

So, if this router is the issue, what options do I have to move the VPN processing from the client in the router to another piece of hardware, so that I can utilize the bandwidth I am paying for? Are there VPN hardware devices that will allow a much higher Mbps, if this truly is an issue on my end of the connection?

Is my router, which is being used as a client, really the issue?
 
Yes. You will never get anywhere close to 134 Mbps of encryption/decryption out of a 1 GHz router CPU. 30 MB/s is close to the max you can get out of an RT-AC5300 indeed.

To get anything faster out of OpenVPN, you will need a desktop-class CPU.
 
The router can't handle it; the CPUs they use are not as good as desktop PCs :(
I wish one day they will put in a better CPU, but the way I see it, for what they were designed to do they do the job just right.
The only advice I can offer you is to use AES-128-CBC encryption.
You should get 50-60 mb/s; you are probably using 256 encryption, which is why you are down in the 30s.
Also PIA is a very fast provider.
The only way you can get your VPN speeds up there with your ISP is to get a PC to do the routing
running pfSense. Good luck with that :)
 
I see VPN Router/Firewalls from different companies... like ZYWALL, Cisco, Linksys and the like... Can I use one of those to handle the encryption/decryption and feed that into my ASUS WIFI router which would control the LAN? So, <modem> -> <VPN router> -> <AC5300> -> <LAN>. I would like to avoid purchasing another computer to handle this, if there is hardware out there that I can use instead.
 
The ARMs are compute bound - so as RMerlin suggests - that's about the bandwidth you can expect - there's been a fair amount of work on OpenSSL, which solves part of the problem, but it's also the context changes from kernel to userland to kernel that hurt the ARMs, and that the TUN/TAP driver in the Linux kernel is single threaded...

L2TP/IPSec is much faster, as it doesn't do that context switch between user/kernel space, and there's other efficiencies involved with how the kernel handles the encryption - but L2TP does limit options for various VPN providers, and can be a challenge for off-site access (OpenVPN is very nice at hole punching as it is application layer, whereas L2TP is much lower in the stack).
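
Added example, not part of the posts above: the replies in this thread put the router's limit down to cipher work on its CPU and suggest AES-128-CBC over 256-bit. The Python sketch below parses the summary rows printed by `openssl speed -evp <cipher>` and compares the 1024-byte column with the 134 Mbps line rate from the first post; the sample figures are constructed, not measured on an RT-AC5300, and the function names are this example's own.

```python
import re

# Constructed sample of the summary rows printed by `openssl speed -evp <cipher>`.
# The figures are made up for illustration, not measured on any router.
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      11800.00k    13500.00k    14000.00k    14200.00k    14300.00k
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       9400.00k    10400.00k    10800.00k    10900.00k    10950.00k
"""

ROW = re.compile(r"(\S+)\s+((?:[\d.]+k\s*)+)$")


def parse_speed(text):
    """Return {cipher: {block_size_bytes: bytes_per_second}}."""
    sizes, table = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row names the block sizes for the rows that follow.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        m = ROW.match(line)
        if m and sizes:
            # openssl reports thousands of bytes per second ("k" suffix).
            rates = [float(v) * 1000 for v in re.findall(r"([\d.]+)k", m.group(2))]
            table[m.group(1)] = dict(zip(sizes, rates))
    return table


def cipher_ceiling_mbps(table, cipher, block=1024):
    """Raw cipher rate in Mbit/s at a block size close to a tunnel packet."""
    return table[cipher][block] * 8 / 1_000_000


def report(text, line_rate_mbps):
    """List (cipher, ceiling_mbps, cipher_bound) for each cipher found."""
    table = parse_speed(text)
    rows = []
    for cipher in sorted(table):
        ceiling = cipher_ceiling_mbps(table, cipher)
        rows.append((cipher, round(ceiling, 1), ceiling < line_rate_mbps))
    return rows


if __name__ == "__main__":
    for cipher, mbps, bound in report(SAMPLE, line_rate_mbps=134):
        verdict = "below line rate" if bound else "not the limit"
        print(f"{cipher}: {mbps} Mbit/s cipher ceiling, {verdict}")
```

The result is an upper bound on cipher work alone; as the post above notes, user/kernel context switches and the single-threaded TUN/TAP driver keep real OpenVPN throughput below it.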
 
If you are willing to buy additional equipment look at what Sabai Technology offers. Using an ASUS N66 flashed with their modified Tomato software AND their VPN accelerator I get 95% of my ISP's download speed. The VPNA uses an Atom processor so it is a computer where the VPN processing has been off loaded to.
 
So basically they modify the unit and add another CPU just for the VPN?
So they give you a separate unit for the accelerator which works with their Tomato modified OS?
Very interesting.
 
I am excited about this company; it may be a great alternative for everyone that I have seen complaining about speeds not being fast enough in regards to their 3100 or 5300, which are super routers and should give better performance in my opinion.
ASUS and others should just get on the bandwagon and give us desktop-class CPUs; I am sure there are people that would pay the price, me being one of them. Already for under 300 US the ASUS 3100 delivers, but if it had a better class CPU I would pay an extra 100 dollars or more. Besides, the new 6100 U dual core i3 CPUs from Intel are not crazy expensive and one of those babies in an 88U would simply be amazing :)
 
Sabai offers several choices of routers which have been loaded with their Sabai OS. The VPN Accelerator is a separate small box that has an Atom processor (mine is clocked at 1.86 GHz) and 2 Gigs of memory. The VPN accelerator runs the VPN or your TOR connection. It is connected to the router with an Ethernet cable. The router doesn't need to process any encryption. The accelerator handles your choice of OpenVPN, PPTP or TOR. You select which clients are sent using the VPN or your local ISP.

I have twenty networked devices and I route all my traffic over a VPN connection with the exception of video streaming devices when I'm physically in the USA. When traveling in Europe my VPN provider has a server that Netflix hasn't shut down yet so I can stream video from my US account.
 
Excellent :) At least now we have some alternatives to VPN routers.
Do you have to buy their router/VPN box together, or do they offer just the box alone?
It's a bit of a pain if you have an 88U to have to buy a 66U and another box in order to make it work.

Would you mind if I quoted this in the article?

"Sabai offers several choices of routers which have been loaded with their Sabai OS. The VPN Accelerator is a separate small box that has an Atom processor (mine is clocked at 1.86 GHz) and 2 Gigs of memory. The VPN accelerator runs the VPN or your TOR connection. It is connected to the router with an Ethernet cable. The router doesn't need to process any encryption. The accelerator handles your choice of OpenVPN, PPTP or TOR. You select which clients are sent using the VPN or your local ISP"
 
Until Sabai stops violating the GPL and provides sources to their Tomato modifications (something I feel stronger about when the violator is actually running their business off the back of that GPL product), I can't recommend them in any way.
 
That is a good point, but if there are no other alternatives because most manufacturers' routers can't cut it, what other options are available for someone who wants to have a 100mb/s connection do the same on a VPN?
Are there options with Cisco or other higher end routers that can achieve this?
I for one don't care because I have 12/12 mb/s, nowhere near the speeds of 100mb/s; this is purely for the people who keep commenting about this problem.
 
You will have to go with IPSEC and a product that features hardware-based acceleration, or build your own out of a Celeron or Intel i3 with AES-NI support.
 
I was sure that was the answer :)
pfSense doh!!! Good luck with that one :p
 
Sabai's VPN solution requires that you have a router with their firmware (AC68, AC56, Linksys E2500 or a Netgear R7000). The router is where the gateway resides that lets you select which clients route over the VPN. Using the router only you will take the large haircut in speed that all home routers give you when you run a VPN on them. If you own one of the above mentioned routers Sabai will flash their firmware on it for a price.

To get approximately the maximum speed on your VPN you need the accelerator, which only works with a router with the Sabai OS. With the accelerator you should get approximately the same download/upload speeds that you would get if you ran the VPN client software on your PC.

FYI Sabai's hardware/firmware isn't inexpensive but it works and it comes with the best technical support that I have ever had on any product.

Hardware isn't the only issue. Not all VPN providers have sufficient backbone connections to support high upload and download speeds. I had to try several before I could get consistent download speeds of over 70 Mbps.
 
