ExpressVPN setup (app vs. manual configuration) in Asus routers

Discussion in 'VPN' started by Marin, Apr 27, 2018.

  1. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    762
    Hi,

    I have the ExpressVPN app installed in my Asus RT-AC87U and it performs very well with average download speeds for the server I use at about 30Mbps (ISP ~60 Mbps). The ExpressVPN app is built on a DD-WRT platform but I was curious how some (or all) of its settings could be translated in the same router that uses Merlin’s FW, instead?

    When I try to set up the same server settings on my Asus RT-AC5300 (Merlin’s latest FW installed) I only get about 10Mbps download speeds. I have tweaked some of the settings based on suggestions posted in other threads but have not experienced any improvement in download speeds.

    I understand that apps have their own configurations and may not necessarily perform the same in different routers but is there a way to find out what an app’s settings are to try to somehow replicate them in another router in hopes of getting similar performance results?

    I also just purchased an Asus RT-AC86U and I am wondering if it will truly perform better when connected to VPN. Some of you have suggested this due to hardware-accelerated changes for openvpn settings.

    For those of you who have manually configured ExpressVPN in your routers, would you be willing to share a pic with your current VPN client settings that you are having very good results?

    Thank you!
     
  2. NoelS

    NoelS Regular Contributor

    Joined:
    Apr 4, 2019
    Messages:
    59
    @Marin Were you ever able to figure out the "secret sauce" for ExpressVPN+Merlin=same speed as ExpressVPN Router App?
     
  3. rk8531

    rk8531 Regular Contributor

    Joined:
    Jan 28, 2019
    Messages:
    94
    I am using nordvpn and I get roughly the same speed as if without VPN. To be specific, without VPN I get around 85-90 Mbps and with VPN turned on I get around 80-85 Mbps.
    The settings I use depend upon the server specific OVPN configuration file that you have to download from the expressvpn site. However, you have to change a few settings after uploading the file to VPN client.
    The settings that you need to change are-
    1. Accept DNS configuration- "Strict"
    2. Cipher Negotiation- "Enable with Fallback"
    3. Compression- "LZO Adaptive"
    4. TLS renegotiation time- "-1"
    5. Connection retry attempt- "-1"
    6. Verify Server Certificate- "No"
    7. Redirect Internet Traffic- "All"

    Keep all other settings unchanged.

    Note- Don't use the expressvpn recommended server. Using the recommended server has never worked for me. So, I suggest you the same.

    Last thing, which I also forgot to mention, is that I am getting this VPN speed even after enabling Stubby, AI protection, QOS and diversion.
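
As an added example that is not part of rk8531's post: a small audit of an OpenVPN client profile for the two settings in the list above that bear on tunnel security, server certificate verification and compression. The sample profile is constructed, and the mapping from the router GUI labels to the `comp-lzo`, `remote-cert-tls` and `verify-x509-name` directives is an assumption about how the firmware writes its client config.

```python
import re

# Constructed sample in the style of a provider .ovpn (not ExpressVPN's real file).
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.net 1195
comp-lzo adaptive
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
# Same profile with server authentication pinned and compression removed.
HARDENED_OVPN = SAMPLE_OVPN.replace(
    "comp-lzo adaptive\n",
    "remote-cert-tls server\nverify-x509-name vpn.example.net name\n")

def parse_ovpn(text):
    """Return ({directive: args}, {inline block names}); block bodies are skipped."""
    directives, blocks, in_block = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            in_block = tag.group(1)
            blocks.add(in_block)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives[name.lstrip("-")] = args
    return directives, blocks

def audit(text):
    """Return sorted finding codes for server authentication and compression."""
    d, blocks = parse_ovpn(text)
    findings = []
    if "ca" not in d and "ca" not in blocks:
        findings.append("no-ca")  # server certificate chain cannot be validated
    if d.get("remote-cert-tls") != ["server"] and d.get("ns-cert-type") != ["server"]:
        findings.append("no-remote-cert-tls")  # a client cert from the same CA could pose as the server
    if "verify-x509-name" not in d and "tls-remote" not in d:
        findings.append("no-verify-x509-name")  # server identity is not pinned to a name
    if ("comp-lzo" in d and d["comp-lzo"][:1] != ["no"]) or \
            (d.get("compress") or [""])[0] in ("lzo", "lz4", "lz4-v2"):
        findings.append("compression")  # compression inside the tunnel is enabled
    return sorted(findings)

if __name__ == "__main__":
    for label, cfg in (("as described", SAMPLE_OVPN), ("hardened", HARDENED_OVPN)):
        print(label, audit(cfg))
```

Removing compression on the client only works if the provider's server does not require it, so test the tunnel after changing that setting.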
     
  4. rk8531

    rk8531 Regular Contributor

    Joined:
    Jan 28, 2019
    Messages:
    94
    I can confirm that HW acceleration has no role to play with VPN performance. I am using QOS with VPN and still getting almost same internet speed as without VPN.
     
  5. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,686
    Without specifying which router and ISP speeds you get, that statement means very little on its own. ;)
     
  6. rk8531

    rk8531 Regular Contributor

    Joined:
    Jan 28, 2019
    Messages:
    94
    Router- Asus 86U
    Speed without VPN- 85-90 MBPS on WAN (with QOS enabled)
    Speed with VPN- 80-85 MBPS on WAN (with QOS enabled)
     
    L&LD likes this.
  7. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    762
    No, I have not tried and/or compared. The EVPN app is based on DD-WRT. Plus, you would not be able to tweak it unless you download a Kong's or Brainslayer's DD-WRT version in it. Even then, you would have to research DD-WRT forums to determine what tweaks would be needed to get better speeds. Unfortunately, I did not use this app long enough in my RT-AC87U. I didn't install Merlin in it either to be able to tell the difference. Keep in mind that although custom config settings tweaks help, it is also the type of router, CPU, hardware acceleration that considerably impact VPN speed. Based on my research then I didn't expect AC87U to get better speeds like newer routers such as AC86U and AX88U.
     
  8. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    FWIW, after a lot of testing, I'm convinced the primary reason that these consumer grade routers perform so poorly when it comes to the VPN (just about any VPN) is due to ring changes, NOT the lack of hardware compression, not various buffer sizes, and a million other settings. It's having to constantly jump from user space to the kernel and back (aka ring changes), for the purposes of constructing and managing the tunnel, that's the *primary* culprit, w/ these other issues making marginal differences.

    Why do I say that? Because I've gone so far as to configure a PTP (point to point) OpenVPN tunnel between my router (ASUS RT-AC68U) and a VPS, and even if I disable encryption entirely, just a plain ol', in the clear, tunnel (can't get any simpler), I still get the same crappy performance. But if instead I grab even an old crappy PC circa 2008 to support the OpenVPN client, it blows the pants off the router.

    The reason a more powerful router improves VPN performance is simply raw horsepower. Back in the early 90's, Microsoft had the same problem when it came to the GDI (graphics routines) in Windows 3.x. The PCs of that time were so pathetic (at least relative to today), if Microsoft had left the GDI in user space, it would have taken forever to redraw the screen. So they decided to place the GDI in the kernel, which vastly improved performance. Of course, they paid the price for that decision years later when the internet came along and it became possible to gain remote access of the kernel through flaws in the GDI!

    That's what I believe is happening w/ these VPNs. The ring changes using these relatively crappy processors in the router can't complete the ring changes efficiently. To improve performance, you would have to move OpenVPN to the kernel. And that's why Wireguard has better performance than OpenVPN. It's NOT the simplicity of Wireguard, or the better encryption options, yada yada, as so many claim, but the fact it runs in the kernel! Do the same for OpenVPN, and you'll see a dramatic improvement there as well.

    That's why you're wasting your time trying to fiddle with various OpenVPN options. As long as it has to run in user space, and you mix it w/ a low-end processor, you'll remain disappointed w/ its performance. When users choose to move to a *much* more powerful router (say 1.4GHz or better), *then* you see a significant improvement, but again, simply because of raw horsepower. Of course, at some point it starts to get silly, and you might as well run the OpenVPN client off an old PC. And if I'm serious about getting top performance from the VPN, that's what I do. I don't use the router.

    JMTC
     
    Last edited: Apr 17, 2019
    Grisu, 58chev and L&LD like this.
  9. NoelS

    NoelS Regular Contributor

    Joined:
    Apr 4, 2019
    Messages:
    59
    @eibgrad How does what you say apply to routers with encryption specific SOC CPUs such as the AC86U?
     
  10. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    The point I'm making is that issues like encryption, and a thousand other configuration details we all typically fiddle with to improve VPN performance, are NOT the primary problem. I'm sure the choice of encryption, whether you have hardware acceleration for those purposes, the chipset architecture, etc., all have some impact. But relative to this issue of ring changes, they are trivial in comparison. While you might be able to tweak another 5-10% improvement, I believe ring changes is what's killing it, and what's dropping performance from 100Mbps to 10Mbps. All other tweaks might improve that 10Mbps to say 15Mbps. But it's NOT going to improve that 10Mbps to say 70Mbps. For that to happen, you just need more raw horsepower. And that's what something like the RT-AC86U and its 1.8GHz (!) dual-core processor brings to the table. Just sheer, raw horsepower.
     
    L&LD likes this.
  11. NoelS

    NoelS Regular Contributor

    Joined:
    Apr 4, 2019
    Messages:
    59
    I think you are correct (and lots of good information, THANKS). However, I think you are underestimating/understating the capability of the AES-NI instruction set. The AC86U CPU is about 2 1/4 times as fast as the AC68. But OpenVPN throughput is 5X+.
     
    rk8531 likes this.
  12. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    Perhaps. But the problem in apportioning blame is made more difficult by the fact you have multiple variables that are affecting the performance. That's why I went to the trouble to eliminate as many variables as possible in my testing, by using a super simple PTP tunnel (no encryption, no TLS, etc.). And once those variables were eliminated, there wasn't much, other than ring changes, to explain the vast difference in performance between an OpenVPN client on the router, and an OpenVPN client running on a crappy old PC, when connecting to the same OpenVPN server running on my VPS.

    Again, this isn't to say encryption options, hardware assist, etc., don't have an impact. But it may be that unless you *also* have a powerful CPU, you might not see 5X+ performance w/ AES-NI. IOW, first you need the powerful CPU, *then* you can take advantage of hardware assisted encryption.

    None of this is absolutely definitive. It's just my own, less than perfect, analysis after dealing w/ this issue for many years. And not just with OpenVPN, PPTP too. What really got me convinced that ring changes are the real culprit is the fact the Wireguard developer brags about the increased performance of his VPN, specifically because it runs in the kernel! Then the light bulb lit up! Ahh, that's why nothing gets any better unless you just throw more horsepower at it.

    Now if someone comes along and shows me a low-end router w/ hardware encryption that provides full bandwidth from their ISP and VPN providers, I'm willing to reconsider. But so far, I haven't seen it. What I have seen are linear improvements as the power of the CPU increases. But no magic bullets, like hardware encryption.
     
    Last edited: Apr 19, 2019
  13. NoelS

    NoelS Regular Contributor

    Joined:
    Apr 4, 2019
    Messages:
    59
    Great analysis. I'm learning A LOT about this piece. Thanks!
     
  14. #TY

    #TY Senior Member

    Joined:
    Mar 27, 2019
    Messages:
    228
    If you have Stubby installed, why are you not setting it to "Disabled"? Doesn't "Strict" mean it's still using the ExpressVPN DNS Servers? If so, then what's the point of Stubby? I'm just trying to understand how this all works.