AC88U/AC-3100 - Setup OpenVPN and non-vpn end points

[AntirisK]

Hi, I'm running on AsusMerlin 380.64_2 on my RT-AC3100 router. I have setup OpenVPN client and things are dandy.

But I am trying to setup the router in a way that only certain IPs go thru VPN while the other IPs can go unencrypted. For e.g. my desktop, NAS, Laptop, Tablets, Home Automation Kit needs to go thru VPN. But Roku/ATV/FTV can go without any encryption.

How do I setup the router to do this? I see there are some Flashrouter options that support this option. But I have not been able to find any articles to set this up.

The alternate option is to use my Comcast Router as the primary and making my RT-AC3100 & RT-N16 as to routers behind and configure them as APs. I'm trying not to complicate things more than it already is.

Any suggestions or pointers?

 

[RMerlin]

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

 

[AntirisK]

Mucha appreciated RMerlin. Got it running with the policies. One additional question, is the throughput significantly impacted when using the OpenVPN client from the router than from the desktop/laptop? I see a big drop in the throughput using the same provider and selecting the same exit point.

Thanks again.

 

[RMerlin]

One additional question, is the throughput significantly impacted when using the OpenVPN client from the router than from the desktop/laptop?

Depends on the speed of your connection, and the CPU of your router model. Router CPUs cannot match the performance of a computer.

 

[AntirisK]

I understand the computational overhead for the AES256. But running on a dual-core 1.4 GHz processor along with coprocessors should be fairly good, right? The upcoming routers are touting the 1.7Ghz dual-core processors. Which means the 1.4 GHz processors are the current cream-of-crop.

Given the current crop of routers and their respective processors, why does anybody bother with setting up routers with OpenVPN? To me this sounds academic. Was I smoking?

 

[RMerlin]

I understand the computational overhead for the AES256. But running on a dual-core 1.4 GHz processor along with coprocessors should be fairly good, right?

What co-processor? The AES calculations are entirely done on the CPU, and since OpenVPN is single threaded, only one core can be used for these calculations.

Given the current crop of routers and their respective processors, why does anybody bother with setting up routers with OpenVPN?

Not everyone has a >100 Mbps Internet connection. An RT-AC88U has no problem keeping up with a 60 Mbps Internet connection with AES-128-CBC, for instance. The average connection speed around here is more around 15-25 Mbps, well below the max speed an RT-AC68U could handle VPN-wise.

 

[AntirisK]

Makes perfect sense. I did not read up on the OpenVPN architecture. Thanks for that.

But I run on Comcast Business with 30Mbps down and 10Mbps up. That's why I'm perplexed as to why the router can't handle that level of throughput. Additionally, I'm not doing a whole lot of transport.

Any given time, there is only one stream going as in Netflix or Youtube or some Torrent download using around 12-15Mpbs. So the router should not have any issues with this load, correct?

I am averaging around 7-8Mbps in speed tests (Ookla). But when I use the VPN client on my machine, I'm averaging 20Mpbs.

Do you think there is something in the advanced settings or the protocol/port combination I should play with? Currently, I used UDP/1194.

 

[RMerlin]

Do you think there is something in the advanced settings or the protocol/port combination I should play with?

You are limited to what the remote end will require you to use. So if they don't offer AES-128-CBC for instance, you will lose nearly 50% of performance by being forced on AES-256-CBC.

The HMAC hash will also have a significant impact if they use a more complex algorithm.