(Asus AC86u / Merlin 384.18) OpenVPN performance improvement

Enrico85

Occasional Visitor
Hi all,
I have 2 AC86U routers with the latest Merlin firmware.
I configured a site-to-site VPN network. I have a gigabit symmetric connection, but the performance is limited to 160/200 Mbit/s.
The CPU usage is under 80%.

cpu.PNG

my configuration:

config.PNG

I found this guide:
Optimizing performance on gigabit networks

Do you have any tips to improve performance?
How can I enable AES-NI acceleration?

I tried to add custom parameters

parameters.PNG
but nothing changes.

Thanks
 

Jack Yaz

Part of the Furniture
200mbits is near the top end of what you can expect on an ac86u.
 

Enrico85

Occasional Visitor
OK, thanks.
Are there better-performing Asus routers?

My CPU is a 1.8 GHz dual-core processor; the best is a 1.8 GHz quad-core processor (GT-AX11000).
I believe the speed is related to the maximum speed of a single core.

Thanks
 

raven-au

Senior Member
> OK, thanks.
> Are there better-performing Asus routers?
>
> My CPU is a 1.8 GHz dual-core processor; the best is a 1.8 GHz quad-core processor (GT-AX11000).
> I believe the speed is related to the maximum speed of a single core.

And OpenVPN is a single threaded application so the number of cores won't make a difference unless you have multiple VPN connections.
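
The single-threaded point above and the "under 80%" CPU figure in the first post can be checked per core rather than in aggregate. The following is an added example, not part of the thread: POSIX shell functions (their names are assumptions, and the two snapshots in `make_sample` are constructed) that compare two `/proc/stat` readings, assuming a shell with `awk` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): per-core CPU load from /proc/stat.

# core_busy BEFORE AFTER -> prints "cpuN PCT" per core for the interval
core_busy() {
    awk '
        /^cpu[0-9]+ / {                 # per-core lines only, not the total
            total = 0
            for (f = 2; f <= 9 && f <= NF; f++) total += $f   # user..steal
            idle = $5 + $6                                     # idle + iowait
            if (FNR == NR) {            # first file: store the baseline
                t0[$1] = total; i0[$1] = idle
            } else {                    # second file: busy share of the delta
                dt = total - t0[$1]; di = idle - i0[$1]
                print $1, (dt > 0 ? int(100 * (dt - di) / dt + 0.5) : 0)
            }
        }' "$1" "$2"
}

# saturated_cores BEFORE AFTER [THRESHOLD] -> cores at or above THRESHOLD %
saturated_cores() {
    core_busy "$1" "$2" | awk -v th="${3:-90}" '$2 + 0 >= th + 0 { print $1 }'
}

# make_sample DIR -> constructed snapshots: one core pegged, one mostly idle
make_sample() {
    cat > "$1/before" <<'EOF'
cpu  1000 0 1000 8000 0 0 0 0 0 0
cpu0 500 0 500 4000 0 0 0 0 0 0
cpu1 500 0 500 4000 0 0 0 0 0 0
EOF
    cat > "$1/after" <<'EOF'
cpu  1350 0 1200 8410 0 0 40 0 0 0
cpu0 800 0 650 4010 0 0 40 0 0 0
cpu1 550 0 550 4400 0 0 0 0 0 0
EOF
}

# sample [SECONDS] -> live per-core measurement on a Linux host
sample() {
    a=$(mktemp); b=$(mktemp)
    cat /proc/stat > "$a"; sleep "${1:-5}"; cat /proc/stat > "$b"
    core_busy "$a" "$b"; rm -f "$a" "$b"
}
```

On the constructed data the aggregate load is 59% while cpu0 sits at 98%, which is how a tunnel limited by one core can show a total well under 100%. Running `sample 10` during a transfer gives the live per-core figures.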
 

RMerlin

Asuswrt-Merlin dev

L&LD

Part of the Furniture
@Enrico85 'you' have a Gbps symmetrical ISP connection, but what about the other site? Your maximum speed will be the weakest of all the links involved. What are the ISP speeds there? Fibre, cable, DSL?

How are you determining what the maximum performance is? Does this vary by the time of day the test is performed?

With a solid ISP connection on both ends (symmetrical Gbps Fibre), the RT-AC86U can hit up to about 250Mbps.

What is the actual RMerlin firmware version you're running? I would suggest testing the latest 384.19 Beta 1.

 

Enrico85

Occasional Visitor
Sorry, I have omitted some details of my connection.
I have an FTTH GPON gigabit connection and the two devices are in the same control unit; in fact, I am only 1 hop away and the ping stands at 5 ms.
The speed with an external FTP connection (outside the VPN) approaches 800/900 Mbit/s.

Doing the speed test, both sites always have maximum speed, 940/940 DL/UL.

The strange thing is that changing parameters like ciphers (AES-128-CBC, AES-192-CBC, AES-256-CBC) or the compression does not change anything; the speed remains at 160/200 Mbps.

I will try the new firmware; my firmware is Merlin 384.18.
 

L&LD

Part of the Furniture
Are you running any scripts via amtm or otherwise? Are you using any other router features besides OpenVPN?

What do you mean by the 'same control unit'? If the two networks are physically that close, why not run a cable between the two instead of going out over the 'net?
 

Enrico85

Occasional Visitor
They are 2 different houses, 3 km away but connected to the same telephone exchange, same PoP (Point of Presence).
No, I have the standard firmware, without any scripts.
 

john9527

Part of the Furniture
Maybe your ISP is throttling VPN traffic? Try a non-standard port for the VPN?
 

eibgrad

Senior Member
> The strange thing is that changing parameters like ciphers (AES-128-CBC, AES-192-CBC, AES-256-CBC) or the compression does not change anything; the speed remains at 160/200 Mbps.

This is well understood. The problem has little to do w/ various OpenVPN settings, even encryption. Ultimately, the CPU dictates/limits your performance. And the reason is that OpenVPN (like most VPNs on these routers) runs in user-space, NOT the kernel. That means there are constant ring changes between user-space and the kernel to manage the tunnel, and that sets an upper limit on performance. All you can do to overcome this limitation is provide more CPU. That's why Merlin suggested the real answer is a desktop-level CPU, and not the relatively crappy processors on these routers. That's why if you're expecting desktop level performance, you're fighting a losing battle. Your best hope is Wireguard, which runs in the kernel.
 

Enrico85

Occasional Visitor
I tried port 5555, no change.

Here is my full configuration:

home 1 (subnet 192.168.2.X)
server_2.png client_2.png

home 2 (subnet 192.168.0.X)
server_0.png client_0.png


@RMerlin @eibgrad
Thanks for the explanation.
 