Best Router for VPN client

[BlueFightingCat]

I am looking for a new WiFi Router. My main criteria is that it should be able to run as a VPN Client (I currently use NordVPN). What are the main specs I should look out for? Do I need a powerful CPU in the router to be able to handle the VPN encryption?

Any recommendations? This are my main criteria:

- Best specs to handle VPN client data traffic
- Best Range
- USB port to handle my 4G/LTE dongle (not essential but preferable)

 

[MichaelCG]

You need high clock rate for high VPN speeds. You need to better define what your speed expectations are. Is 20Mbps enough? 30? 50? Or do you want 100Mbps?

 

[BlueFightingCat]

You need high clock rate for high VPN speeds. You need to better define what your speed expectations are. Is 20Mbps enough? 30? 50? Or do you want 100Mbps?

The max I can achieve at the moment is 50Mbps. I'd be happy with approx. 30Mbps.

 

[BlueFightingCat]

So if I have understood from a VPN point of view, I should get a router with the best cpu possible e.g. quad-core. Or is the speed of the core more important? Is it better to have a dual core with 1.7Ghz or a quad-core with 1 Ghz?

 

[RMerlin]

So if I have understood from a VPN point of view, I should get a router with the best cpu possible e.g. quad-core. Or is the speed of the core more important? Is it better to have a dual core with 1.7Ghz or a quad-core with 1 Ghz?

Clock rate is more important than number of cores, as OpenVPN is single-threaded.

 

[BlueFightingCat]

Clock rate is more important than number of cores, as OpenVPN is single-threaded.

So I guess based on the core clock rate I have two choices:

ROG Rapture Wireless-AC5300 Tri-band Gaming Router
or
Nighthawk X10 Smart Wi-Fi Router

I've heard the synology AC2600 has a bug when working as a VPN client that slows everything dramatically down, that has yet to be resolved.
The Max-Stream AC4000 Tri-Band Wi-Fi Router EA9300 doesn't support openVPN and there is no DD-WRT version of it yet. So VPN on the router is out of the question there.

Am I missing any router that could be a possible candidate?

 

[CaptainSTX]

There is a point of diminish returns with bigger and faster processors. At the present time it doesn't appear that most/all commercial VPN providers can support customers with very fast connections using routers with high speed processors.

It appears that most VPN providers set up their business to run a 100+ customers per server and at that time customers were lucky to have a fast 75/5 connection and a router with 600 Mhz processor. This resulted in most customers not requiring/ able to download at much more than 20 Mbps.

Now with people have faster Internet connections of up to a 1000 Mbps and routers with 1.8 Ghz processor speeds customers can overload the VPN servers processing capabilities and saturate the 1 Gig link that it seems some/many VPN providers have to their hosting services backbone.

I can see this when I connect to my VPN provider in the morning and can get close to 150/22 speeds in the early morning. Later in the day it often drops to 125/22. At the same time if I run a speed test to the same city at the same time with no VPN my speed is consitently 180-170/23. The processor I am using to handle the VPN never shows a load of more than 4% unless I have multiple HD video streams going then it can be as high as 26%. I am confident that my hardware is the bottleneck particularly since even if I turn of all encryption my speeds through the VPN provider is consistently faster than with encryption on.

I put my hypothesis outlined above to a support tech at a VPN provider and he didn't dispute it.

Until some VPN providers are willing to turbo charge their hardware and use faster connections the maximum VPN speed is probably capped at 140 - 180 Mbps regardless of what speed internet connection you have or what processor your router has.

 

[doczenith1]

PIA can achieve speeds higher than 140 - 180 Mbps as noted below.

I did some testing a while back (January 2017) that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN client on two different ASUS routers. Both routers running Asuswrt-Merlin 380.64 firmware. Connecting to PIA VPN servers on port 1198.

AC3100 (1.4 Ghz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
DL :74 Mbps with core 1 at 30%, core 2 at 85% with mods*
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC68U (1.0 Ghz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client (i5-2500K) I'm able to attain 250 Mbps down and 350 Mbps up (450 on some recent tests) on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

*Adding the following lines to the custom configuration bumped the DL speeds to 74 Mbps.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

 

[CaptainSTX]

PIA can achieve speeds higher than 140 - 180 Mbps as noted below.

I did some testing a while back (January 2017) that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN client on two different ASUS routers. Both routers running Asuswrt-Merlin 380.64 firmware. Connecting to PIA VPN servers on port 1198.

AC3100 (1.4 Ghz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
DL :74 Mbps with core 1 at 30%, core 2 at 85% with mods*
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC68U (1.0 Ghz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client (i5-2500K) I'm able to attain 250 Mbps down and 350 Mbps up (450 on some recent tests) on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

*Adding the following lines to the custom configuration bumped the DL speeds to 74 Mbps.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

I have tried adjusting send and receive buffers with two VPN providers and I can't statistically prove it makes any difference and with one provider it actually seemed to slow my connection down. I have tried with various sized buffers up to 1572864. On all my speed tests time of day was the biggest variable.

I don't dispute you are getting great speeds but I think it might be the exception instead of the rule. When I get some time I might give PIA a try just to see what speeds I can get.

I think part of the diminishing returns is a result of more people increasing their demands for VPN speed and they are attempting to take a bigger slice of their VPN provider's pie and the pie isn't getting any bigger and for $3 - $5 a month fee I don't think the VPN providers can afford to give everyone a bigger slice. I used to be able to get 170 Mbps downloads with Astrill running their app on my PC but now speeds typically test in the 125 - 135 Mbps download range. IMHO more demand for bandwidth while the total available isn't getting any larger results in defacto caps on speed.

At the present time speeds of over 100 Mbps are more limited by the VPN provider's bandwidth and the processors used on their end than the speed of your PC or router's processor. Perhaps someone more knowledgeable about network hardware can chime in on how many VPN connections a commercial server can handle and at what speeds.

 

[RMerlin]

ROG Rapture Wireless-AC5300 Tri-band Gaming Router

Spending that much on a router just for OpenVPN is not a good idea IMHO. Personally, I would spend less on the wifi router, and spend some money on an embedded system with a decent CPU to act as my main router. Could run pfsense or any other distro of your choice. The firewall I have at my office is a PC running CentOS + Shorewall + OpenVPN (as a server, not a client tho). You will get far better performance (and flexibility) from it.

Or, look for a much cheaper RT-AC88U - its 1.4 GHz CPU should be able to give you 70 Mbps out of AES-128-CBC OpenVPN.

 

[Xentrk]

I am looking for a new WiFi Router. My main criteria is that it should be able to run as a VPN Client (I currently use NordVPN). What are the main specs I should look out for? Do I need a powerful CPU in the router to be able to handle the VPN encryption?

Any recommendations? This are my main criteria:

- Best specs to handle VPN client data traffic
- Best Range
- USB port to handle my 4G/LTE dongle (not essential but preferable)

If I was in the market right now, I would seriously consider a Protecti or Qotom appliance and install pfsense on it. The CPU may be more powerful than what can be found in a consumer grade router which will help with vpn performance. Some already have pfSense installed. They are available on Amazon. You can take your older router and use is as a WiFi AP with the box or purchase a Ubiquiti Radio AP. May need to buy a switch to have extra ports. If you go this route, make sure the cpu supports AES-NI compatible as this is a future requirement in pfSense 2.5.

 

[psychopomp1]

OP, i'm getting in excess of 100 mbps on my Netgear R9000 (X10) using the Openvpn client protocol on DD-WRT fimrware. My connection is 330/30 FTTP and my vpn provider is vpn.ac. That lovely powerful 1.7ghz quadcore Alpine processor combined with 1GB DDR3 RAM and 512mb flash on the router appears to be making a difference. Previously no router has ever given me more than 30 mbps using Openvpn client. Oh, and the R9000 has superb wifi coverage as well

 

[CaptainSTX]

If I was in the market right now, I would seriously consider a Protecti or Qotom appliance and install pfsense on it. The CPU may be more powerful than what can be found in a consumer grade router which will help with vpn performance. Some already have pfSense installed. They are available on Amazon. You can take your older router and use is as a WiFi AP with the box or purchase a Ubiquiti Radio AP. May need to buy a switch to have extra ports. If you go this route, make sure the cpu supports AES-NI compatible as this is a future requirement in pfSense 2.4

I am using a Qotom box as my VPN appliance using OpenWRT. It has an I7 processor 1.8Ghz with Intel Turbo Boost to 3.5 Ghz. It is AES-NI compatible. It is a great piece of hardware and appears to be well engineered. I have at times gotten 160/22 speeds using a VPN. Normally download speeds are 130-140 connected to my nearest VPN server. This device has more processing power I suspect than many VPN providers have on their end. I haven't experimented/found a VPN provider that can provide speeds matching the 180/23 speed I get from my ISP.

 

[Xentrk]

I am using a Qotom box as my VPN appliance using OpenWRT. It has an I7 processor 1.8Ghz with Intel Turbo Boost to 3.5 Ghz. It is AES-NI compatible. It is a great piece of hardware and appears to be well engineered. I have at times gotten 160/22 speeds using a VPN. Normally download speeds are 130-140 connected to my nearest VPN server. This device has more processing power I suspect than many VPN providers have on their end. I haven't experimented/found a VPN provider that can provide speeds matching the 180/23 speed I get from my ISP.

Thanks for the review @CaptainSTX! I was wondering if anyone on the forum had a Qotom. I am jealous. That is great performance. The online reviews are excellent. What model number do you have and # of cores? It is amazing how many Qotom models there are along with the different configurations. I stumbled upon these the other day when looking at a DIY pfsense solution. But these come with everything I would need and lots of configurations to choose from.

 

[CaptainSTX]

Thanks for the review @CaptainSTX! I was wondering if anyone on the forum had a Qotom. I am jealous. That is great performance. The online reviews are excellent. What model number do you have and # of cores? It is amazing how many Qotom models there are along with the different configurations. I stumbled upon these the other day when looking at a DIY pfsense solution. But these come with everything I would need and lots of configurations to choose from.

I have the Qotom Q370G4. Quad Core I7 4500 CPU Equipped 8G RAM - 16GB Msata SSD. 4 Intel 10/100/1000 Ethernet Ports, 2 USB 2.0, 2 USB 3.0 , HDMI, Video , Mic, Audio Out. Also orderd an additional Msata SSD to I could easily switch OS. Started off with Pfsense which Qotom flashed onto the SSD. Now using OpenWRT.

Over kill for what it is doing but I wanted to be able to repurpose it as mini desktop if it didn't work out as VPN appliance.

Their web site is very confusing. If you need assistance try working with Sunny Lau. His email export05@qotom.com. He was very responsivie and seems to check his e-mail 24/7. Machine shipped from China. Had it in less than four days.

Power efficent just draws five watts when not heavily loaded.

 

[Xentrk]

I have the Qotom Q370G4. Quad Core I7 4500 CPU Equipped 8G RAM - 16GB Msata SSD. 4 Intel 10/100/1000 Ethernet Ports, 2 USB 2.0, 2 USB 3.0 , HDMI, Video , Mic, Audio Out. Also orderd an additional Msata SSD to I could easily switch OS. Started off with Pfsense which Qotom flashed onto the SSD. Now using OpenWRT.

Over kill for what it is doing but I wanted to be able to repurpose it as mini desktop if it didn't work out as VPN appliance.

Their web site is very confusing. If you need assistance try working with Sunny Lau. His email export05@qotom.com. He was very responsivie and seems to check his e-mail 24/7. Machine shipped from China. Had it in less than four days.

Power efficent just draws five watts when not heavily loaded.

Thanks for sharing the info. I have serious router envy. Your VPN speeds are something I can only dream about right now. With my pfSense and AC88U, I can stream media, including 4K and sports without any buffering using AES-128-CBC encryption. So I am completely satisfied. But of course, it would be nice to get closer to my native WAN speed, since I have a 200 Mbps fiber connection.

Out of curiosity, I looked at Aliexpress.com and see they carry them. Shipping to Thailand from Aliexpress is less expensive for me. i7 processor, 8 GB Ram, 30 GB SSD with Wifi is $361.42. Shipping cost via DHL is $28.42. I will wait and pull the trigger on one of these boxes once pfSense 2.4 is released as the CPU in my pfSense does not support AES-NI. I have a quad core Atom D525 1.8 Ghz in my pfSense box. Perhaps in another year or two when it is time to upgrade, Intel will have the next generation of CPU in production.

 

[CaptainSTX]

Thanks for sharing the info. I have serious router envy. Your VPN speeds are something I can only dream about right now. With my pfSense and AC88U, I can stream media, including 4K and sports without any buffering using AES-128-CBC encryption. So I am completely satisfied. But of course, it would be nice to get closer to my native WAN speed, since I have a 200 Mbps fiber connection.

Out of curiosity, I looked at Aliexpress.com and see they carry them. Shipping to Thailand from Aliexpress is less expensive for me. i7 processor, 8 GB Ram, 30 GB SSD with Wifi is $361.42. Shipping cost via DHL is $28.42. I will wait and pull the trigger on one of these boxes once pfSense 2.4 is released as the CPU in my pfSense does not support AES-NI. I have a quad core Atom D525 1.8 Ghz in my pfSense box. Perhaps in another year or two when it is time to upgrade, Intel will have the next generation of CPU in production.

Qotum sells through a store on Aliexpress. Another gotcha fee I got hit with was a $19 transfer fee when paying by PayPal as I don't think Qotom takes VISA, MC or American Express.

 

[MichaelCG]

I will wait and pull the trigger on one of these boxes once pfSense 2.4 is released as the CPU in my pfSense does not support AES-NI. I have a quad core Atom D525 1.8 Ghz in my pfSense box. Perhaps in another year or two when it is time to upgrade, Intel will have the next generation of CPU in production.

I have roughly the same idea/plan as you. Waiting to see where pfSense really takes me since my box as well does not support AES-NI. Mine is a 2.4GHz Core2 E4600 I think...but it meets my current needs and cost me $50.

 

[Xentrk]

More about AES-NI and pfSense support here:

https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html
https://en.wikipedia.org/wiki/AES_instruction_set

 

[sfx2000]

Qotum sells through a store on Aliexpress. Another gotcha fee I got hit with was a $19 transfer fee when paying by PayPal as I don't think Qotom takes VISA, MC or American Express.

Some folks suggest that the reason why those QOTOM boxes are so cheap is that they're built from rejected Intel chips from the major ODM's supporting the big computer vendors - mostly due to stability and thermal issues, as those chips are primarily driven into a specific market segment - and the rejection numbers are a bit high - so there is a surplus of them in the Shenzen spot-market...

Just saying... could be fake news there, I suppose...