Can you help me speed up OPENVPN on N66U?

[Deleted member 27741]

No, no deep inspection software, and not enough knowledge to use it currently anyway.

It is weird that I get better speeds connected directly to the N66U OPENVPN server than port forwarding through the N66U to a Win 7 machine running an OPENVPN server. I will try to run an openvpn server on a different machine and see if I have the same problem and report back. I can't believe that windows is THAT bad at running an OPENVPN server!

 

[L&LD]

How old is that computer? It isn't Windows per se, it is the hardware or your configuration, imo.

 

[netware5]

How old is that computer? It isn't Windows per se, it is the hardware or your configuration, imo.

Any PC capable to run Win 7 is much, much, more powerful than N66U in crypto work.

........I will try to run an openvpn server on a different machine and see if I have the same problem and report back. I can't believe that windows is THAT bad at running an OPENVPN server!

Why not try to change the client PC also?

 

[Deleted member 27741]

I have now tried a windows 7 machine and an xp machine running OPENVPN servers. Both are about the same speed as running OPENVPN on the N66U. Is there any way a QOS rule or something is prohibiting the speed? The QOS is off on the N66U, so that doesn't make sense, but... What about the firewall on the router? Should that be turned off even though I have the OPENVPN ports forwarded to the servers?

The win 7 computer has a i7 3610QM 2.3 GHz processor, the xp computer a core2duo T7500 @ 2.2 GHz. Both should be far more able to encrypt/decrypt than the N66U.

Not sure why the VPN is so slow but it seems to be slow just about no matter how powerful the server processor is?!

 

[L&LD]

Yes, as I thought. The windows computers are not the problem.

Check each link in your network and ensure it isn't the bottleneck.

Have you made any special network tweaks to your test computers?

 

[netware5]

......
Not sure why the VPN is so slow but it seems to be slow just about no matter how powerful the server processor is?!

That's the reason I am suspicious about your client. May be there is something wrong in the client's (your laptop) configuration. The other possibility is the router itself, but you stated that the QoS is turned off, no deep packet inspection, etc.... It is really weird.....

And last option: May be your phone hotspot has some deep packet inspection enabled for security purposes. In such case, the encrypted traffic will be very very slow, as the DPI engine will spent a lot of CPU power in attempt to understand what the hell is going through the tunnel. Or the hotspot has some specific QoS rules for encrypted traffic.

May advice is to explore these two suspects - client and hotspot.

 

[Deleted member 27741]

Thanks for the continued advice! I have tried using different laptops to connect to both the N66U OPENVPN Server and an XP OPENVPN server. They are both slow when connecting through the sprint phone hotspot, so for now I will eliminate the client variable.

When I get a chance, I will connnect from another WAN source and see if it is the phone that is slowing things down and report back.

 

[BitingChaos]

This may not help you on the ASUS device, but you must remember to tweak TCP settings with OpenVPN (tweaks that are not needed when using UDP).

When using OpenVPN with TCP, sndbuf and rcvbuf are supposed to default to 64K. They actually default to 8K on Windows! 8K and even 64K might be way too slow. You could try 256K (262144 bytes).

For example, we have this in our server config for our OpenVPN TCP server:

# tcp tweak: set send & receive buffers.
sndbuf 262144
rcvbuf 262144
push "sndbuf 262144" # send to client
push "rcvbuf 262144" # send to client

# tcp tweak: don't wait to queue packets (setting this on the server will also push it to clients)
tcp-nodelay

Our primary is 1194/UDP, and 443/TCP for backup. "tap" doesn't work with most devices that we've tested (such as iOS, etc), so using "tun" is a must.

 

[Deleted member 27741]

Nice, BitingChaos! Using my phone for WAN, downloads increased to about 1.0 Mb/s and uploads to 3.0 Mb/s (using the windows 7 machine for OPENVPN server). A drastic improvement (used to be 0.3 down/0.3 up)! If you have any more tweaks please post them! I'm actually using tcp and tap, I was never really able to get tun working, probably from a lack of knowledge about pushing routes. Tap suits my needs fine since as all my connections are with windows machines and I get full access to local resources.

 

[netware5]

Nice, BitingChaos! Using my phone for WAN, downloads increased to about 1.0 Mb/s and uploads to 3.0 Mb/s. A drastic improvement! If you have any more tweaks please post them! I actually am using tcp and tap, I was never really able to get tun working, probably from a lack of knowledge about pushing routes.

The above results confirm my considerations about the phone hotspot as these type of tweaks are especially advised for high latency connections like 3G networks. In order to check the real OpenVPN performance of your router you should connect a PC client by wired LAN. I do believe that in such case you may reach up to 22-25 Mbits/s with 128-bit AES encryption.

Concerning TAP vs TUN the TUN will never increase the speed too much. In theory the TAP is slower because it encapsulates a little bit more payload - Ethernet frame vs IP packet and also more broadcast traffic is going through the tunnel. But this is not so big difference.

 

[BitingChaos]

The above results confirm my considerations about the phone hotspot as these type of tweaks are especially advised for high latency connections like 3G networks.

I use those exact tweaks on a very low-latency 100 Mbps Internet connection. The systems are a Windows PC to Windows PC (one is from 2006 and one is from 2008, so they are not very new or speedy). I have not tested my speeds with my RT-AC68U, since my home upload speed is kinda low already.

256KB might be too much for cellular. I'd play with the values. Maybe try 128KB.

For me, 256K worked well. I didn't get an improvement going with larger numbers, but I definitely slowed way down with smaller values.

My average speeds, client to client, on a 100 Mbps Internet connection (OpenVPN is set to use AES256):

No VPN: 105 Mb/sec
OpenVPN UDP: 80 Mb/sec
OpenVPN TCP (defaults): 5 Mb/sec
OpenVPN TCP (256KB): 50 Mb/sec

While TCP is still slower than UDP, I got an immedite 10X boost in performance by setting the send & receive buffers.

 

[netware5]

I use those exact tweaks on a very low-latency 100 Mbps Internet connection. The systems are a Windows PC to Windows PC (one is from 2006 and one is from 2008, so they are not very new or speedy). I have not tested my speeds with my RT-AC68U, since my home upload speed is kinda low already.

May be these tweaks are more related to Windows OpenVPN servers. I've tried them on my configuration - OpenVPN server is RT-N66U, OpenVPN client is Windows XP - no significant changes, the tunnel speed remains about 14 Mbits/s with AES-256 encryption and 50/33 Mbits/s download/upload connection at home.

 

[leszek]

May be these tweaks are more related to Windows OpenVPN servers. I've tried them on my configuration - OpenVPN server is RT-N66U, OpenVPN client is Windows XP - no significant changes, the tunnel speed remains about 14 Mbits/s with AES-256 encryption and 50/33 Mbits/s download/upload connection at home.

On both N66U and AC66U you are limited by the slow single core 600MHz CPU. You need at least an AC68U with its dual core 800MHz CPU or an AC68P with its dual core 1GHz CPU to break 14 Mbits/s barier when running OpenVPN on the router.

 

[netware5]

On both N66U and AC66U you are limited by the slow single core 600MHz CPU. You need at least an AC68U with its dual core 800MHz CPU or an AC68P with its dual core 1GHz CPU to break 14 Mbits/s barier when running OpenVPN on the router.

Yes, I know. You may read my previous posts in this thread (first page of the thread). The above post about using these tweaks was just to confirm this as I never tried them before. BTW the 14 Mbits/s is not the absolute barrier for this router. Changing the encryption to 128-bit AES will allow up to 22-25 Mbits/s without overclocking. Merlin did a tests with different OpenVPN configurations on RT-N66U and posted the results in this forum.

 

[Deleted member 27741]

@netware5 I apologize for my ignorance, but could you explain how to test the OPENVPN with a hard line to the router? Do you mean connect a hard line to the WAN port of the router/a laptop, connect to OPENVPN on the router via the laptop client, then test speed (with what)? How could I do a test like this to test the "best case scenario" OPENVPN speed of a windows 7 machine running OPENVPN?

Thanks for the continued discussion, guys!

 

[netware5]

@netware5 I apologize for my ignorance, but could you explain how to test the OPENVPN with a hard line to the router? Do you mean connect a hard line to the WAN port of the router/a laptop, connect to OPENVPN on the router via the laptop client, then test speed (with what)? How could I do a test like this to test the "best case scenario" OPENVPN speed of a windows 7 machine running OPENVPN?

Thanks for the continued discussion, guys!

There are several options:

1. The most easy way.
Take your laptop to other place (office, home of your buddy, etc.) where LAN internet connection is available. Then plug your laptop to the LAN and test as usual. Please, note that the download/upload speed at this place should be at least the same as at your home or better. For fast estimation you may use some Web site like http://speedtest.net with and without OpenVPN and when the server is running on the router or on the Windows 7 PC. For more reliable test you should install iperf on your router and use its client on your laptop. You may also install the iperf on your Windows 7 PC running OpenVPN server and test and compare both options for OpenVPN server - PC and Router itself.

2. Create a small network on the WAN side of the router. You will need a switch and should configure manually the WAN interface of the router and LAN interface of your laptop with static IP addresses within the same subnet as your laptop. Plug your laptop and the WAN interface of your router in the switch and use iperf to test.

3. Connect directly your router's WAN port to your laptop's LAN port. You should arrange proper static IP addresses on both interfaces. Then test with iperf.

The first option is the best as you will not need to do anything extraordinary.

Second and third options will test the technical limit of your router (or Windows 7 PC) as it eliminates possible influence of all communication lines, routers and switches on the route between this "other" place and your home.

 

[RMerlin]

Here are my (old) benchmark results, reposted from my Evernote notes.

OpenVPN throughput benchmark:
iperf -c 10.16.0.1 -M 1400 -N -l 64K -t 30



=== 3.0.0.4.270.24:
AES-128-CBC [152]    0.0-30.0 sec  69.9 MBytes  19.5 Mbits/sec

=== 3.0.0.4.270.25 (with openvpn + openssl + lzo optim):
AES-128-CBC [152]  0.0-30.0 sec  79.5 MBytes  22.2 Mbits/sec

=== 3.0.0.4.374_32:
AES-128-CBC             0.0-30.0 sec  84.8 MBytes  23.7 Mbits/sec

=== 3.0.0.4.374.33_Alpha2 (with mips32r2)
AES-128-CBC             0.0-30.1 sec  93.8 MBytes  26.1 Mbits/sec

=== 3.0.0.4.367.28 ARM (800 MHz):
AES_128-CBC [156]  0.0-30.0 sec    217 MBytes  60.7 Mbits/sec

As you can see by the versions, those tests are a bit old however, but they should give you a good ballpark as to what to expect. They show nicely the type of improvements I was able to achieve over the months with various openssl/openvpn optimizations at the firmware level.

Someday when I get the time, I'll redo some tests, and compare them to the stock FW to get a clear view as to what type of performance boost I'm bringing with the openssl 1.0.2 backports I've done on top of 1.0.0.

 

[Deleted member 27741]

Wow. Trying to get OPENVPN working on a windows server really sucks. I am very thankful it works so well on the N66U, because whether it will work or not on windows is pretty much a crapshoot.

 

[BitingChaos]

Wow. Trying to get OPENVPN working on a windows server really sucks. I am very thankful it works so well on the N66U, because whether it will work or not on windows is pretty much a crapshoot.

Really? Is this a stand-alone server or is it part of AD?

Because Windows Server 2008 R2 is the primary platform I work with OpenVPN on, and it works like a treat!

Server 2008 R2 already supports RRAS / Routing and Remote Access, so things like NAT are simple, and with just a few clicks I can get a routing VPN server that supports OpenVPN UDP, OpenVPN TCP, L2TP/IPSec and PPTP up and running and fully integrated with an Active Directory authentication setup.

All my scripts and configurations are tested are made on Windows. Clients are mostly Windows, iOS, and OS X users.

What problems are you having?

 

[Deleted member 27741]

My main problem is probably using XP and Windows 7 (I have had unreliable OPENVPN servers sporadically working on both).
Having major problems getting OPENVPN server working reliably on either. One day it connects. Next day it doesn't. Haven't figured it out yet.

Sounds like you have it working, though so I am encouraged that it apparently can be done... just takes more knowledge than I currently have. I will keep working on it and perhaps humbly ask for your help when I get to the banging head on keyboard stage.