What's new

Gigabit speed possible with VPN on router?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Homelab

New Around Here
I have a 1000/50 connection and I trying to find a VPN on router setup which will allow 1000 Mbps down speed.

My initial plan was to get an Asus RT-AX88U however after reading through the forums it seems this will max out around 200-250 Mbps.

I was then leaning towards a Ubiquiti EdgeRouter 4 however that also seems to lack the processing power.

I am now considering using my own hardware and installing pfSense. It seems this may be the only way since none of the routers on the market have the processing power required.

What CPU would I need to be able to decrypt fast enough for 1000 Mbps down through a VPN?
Can OpenVPN handle 1000 Mbps?
 
What is your goal here? What will be on the other end of this VPN?

I have no idea how high of speeds are possible on modern x86 hardware....I have never tested any of mine with a client that can go over a couple hundred Mbps.

If I get bored enough over the weekend I can try testing from an i7 laptop to my sophosXG and see where it tops out. My guess is well short of 1Gbps....but guessing around 500’ish maybe?

There isn’t a use case for me that needs those kinds of speeds so never really cared.


Sent from my iPhone using Tapatalk
 
What is your goal here? What will be on the other end of this VPN?

I plan to use this router to connect my home devices, laptop for example, to a VPN provider (PIA for example). Since I have a 1Gbps connection I would rather not be bottle necked by the router. If you tell me that providers like PIA can't deliver 1Gbps then I guess my problem is already solved :)

I am looking at the new Zen 2 Ryzen 3 3100, for 99$ these seem like ideal candidates for a router. I don't see any benchmarks out yet but I guess they will outperform the i3s mentioned above.
 
With the overhead of the VPN and the extra routing, even with paid top end VPN service vs free (which is definitely limited) I'd be surprised if you got more than 50-75% of your non-VPN speed.
 
You will be lucky to get 200Mbps out of a standard commercial provider. Some are better than others, but don’t expect miracles for the general affordable plans. You will be on shared infrastructure meant to service hundreds to thousands of other users all consuming the same resources.

I have used Nord, Strong, and a few others and rarely got over 100Mbps. I never really shopped around for speed. I only use VPN when out and about on public WiFi so as long as I get 10Mbps, I am pretty content most days.


Sent from my iPhone using Tapatalk
 
If you want to see what is possible from any particular commercial VPN provider install their app on your most powerful PC, connect the PC directly to your modem and run a series of speed tests to various servers at various times of night and day to find out what is they can do.

As other posters have said if you get 250 Mbps downloads that is about as good as it gets and it will often be much less. Also you will see large variations in speeds from test to test as your speed tests depends both on your ISP and your VPN provider whose server is probably more congested than your ISP's network. If you run the VPN client on your router then you have added more variability.
 
If you want to see what is possible from any particular commercial VPN provider install their app on your most powerful PC, connect the PC directly to your modem and run a series of speed tests to various servers at various times of night and day to find out what is they can do.

As other posters have said if you get 250 Mbps downloads that is about as good as it gets and it will often be much less. Also you will see large variations in speeds from test to test as your speed tests depends both on your ISP and your VPN provider whose server is probably more congested than your ISP's network. If you run the VPN client on your router then you have added more variability.

Great idea, I will give this a shot once I am home.

Let us for a moment ignore the possibility of the VPN provider as the bottleneck, if I were able to get a gigabit VPN provider, what would be the minimum processor needed to decrypt this at full speed?

I found this thread on reddit where some people discuss the same topic:
https://www.reddit.com/r/PFSENSE/comments/96elf4/build_for_gigabit_fiber_vpn/

These guys mention getting 600-750 Mbps with an i3 7350k:
https://www.reddit.com/r/PFSENSE/comments/96elf4/build_for_gigabit_fiber_vpn/e4085xs/

Is there any way to calculate the instructions per second required to decrypt a certain type of encryption at a certain speed? Say the minimum needed to decrypt 128bit AES at 1000 Gbps download speed?
 
A couple of points is if you have the bandwidth you could set it up from work where you could push that much data.

The other point is 128 bit encryption is not secure so why bother.
 
Keep in mind that the VPN provider needs to have an even more powerful processor on their servers to support multiple VPN connections (128 customers per server is a number I have seen ). They would also need to have extremely high bandwidth backbone connections to the Internet. Neither are economically likely when they currently charge $4 - $8 monthly.

Through put increases will be possible using WireGuard vs OpenVPN but I haven't seen any improvement running a WireGuard VPN client on my Windows PC but my testing has been limited by the speed of my ISP connection.
 
The other point is 128 bit encryption is not secure so why bother.
128-bit AES is still secure. Unless you are doing DoD type work or have concerns that span protection requirements past 10-years, 128 is still fine.

The biggest challenge is understanding the entire cipher suite, key exchange, and key generation methods. Having AES-256 encryption is point less if the keys aren’t being generated or protected well.


Sent from my iPhone using Tapatalk
 
My neighbor was doing DoD type work for the Highway department in Texas. They used only 512 and I don't remember the stacks about 4 years ago. We used 256 back almost 30 years ago and 3Des which now is not safe now days. I was government also. This was all Cisco VPN.
 
My neighbor was doing DoD type work for the Highway department in Texas. They used only 512 and I don't remember the stacks about 4 years ago. We used 256 back almost 30 years ago and 3Des which now is not safe now days. I was government also. This was all Cisco VPN.
I think you are inter-mingling a few different variables out of the cipher suites you were using. 3DES has never been anywhere near 256 bit...it is technically 112-bit. Pretty sure you are referring to either your HMAC (MD5, SHA-1, SHA-256, etc) in use or maybe your key lengths. 512 bit RSA keys....yeah, way too easy to break these days. Pretty sure the minimum RSA key length is now 3072 or 4096....can't remember, we have been pushing elliptical curve more lately since it is more efficient using shorter keys.
 
I have slept since then. Maybe 3DES and ipsec. It has been a long time. And computers were pretty slow 30 years ago. I can remember once they were setup and both ends matched they were maintenance free and just worked.

All the big sites were private lines. We only used VPN for remote access. We had a PRI spilt out for ISDN lines which you could dial into also. The ISDN lines were point to point so they did not require VPN but they were only 128K at max. This was decent speed back then.
 
Last edited:
There is a difference between "less secure" and "not secure". Yes, 128-bit AES is less secure than 256-bit AES, for obvious reasons. But it's not considered not secure. Some evaluations of the time required to brute force AES 128 numbers in centuries as of when it was done (2-3 years ago).

So if you are a home or SOHO user, 128-bit AES is still "pretty damn secure" in 2020. When it comes to security, you have to balance needs versus performance.
 
If you want to see what is possible from any particular commercial VPN provider install their app on your most powerful PC, connect the PC directly to your modem and run a series of speed tests to various servers at various times of night and day to find out what is they can do.

As other posters have said if you get 250 Mbps downloads that is about as good as it gets and it will often be much less. Also you will see large variations in speeds from test to test as your speed tests depends both on your ISP and your VPN provider whose server is probably more congested than your ISP's network. If you run the VPN client on your router then you have added more variability.

I connected to my closest PIA VPN server and got the following results with my 2011 Macbook Pro

CPU: i7 2635QM
VPN off/on
Wifi: 250 Mbps/150 Mbps
Wired: 890 Mbps/110 Mbps

Wifi speeds are capped around 300 Mbps since I am on an N wifi adapter (old macbook). Not sure why I got slightly lower VPN speeds on the wired connection...could be test variability since I only did ~5 tests.

My CPU is quite old so I think it may have been the bottle neck in these tests...I will need to give this a go with a more powerful CPU to see if the VPN had more to give. I had 890 Mbps wired with the VPN off so my ISP was not the issue here.

I would like to see how the Broadcom BCM43684 from the RT-AX88U compares to my i7 2635QM. Is there any way to compare Broadcomm processors with intel/AMD processors?

Something like this benchmark site: https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-2635QM+@+2.00GHz&id=874
 
Last edited:
Processor comparison might give you some useful information but SOHO routers have other limitations including but not limited to the fact that running a speed test with a high speed connection places a demand on processor cycles, same with having a higher speed connection, how much memory a router has as well as the firmware installed and how it allocates resources. Merlin's firmware makes it possible to run a VPN client on a core not being used for primary router functions.

In my opinion you have to look at the whole router not just the processor to judge performance. I'm sure other posters may have different opinions but this is my two cents.
 
The closest relevant benchmark one could do IMHO is to run an openssl speed test on both devices, and compare numbers. It will at least give you a decent approximation of the performance difference when dealing with VPN crypto.

Some numbers:

openssl11 speed -elapsed -evp aes-256-cbc

RT-AX56U:
Code:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      22335.47k    26783.38k    28205.74k    28493.40k    28740.27k    28672.00k

RT-AX88U:
Code:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      75435.50k   237646.33k   512273.75k   727184.73k   827804.33k   835786.07k
 
Just gave this a shot with my i7 2635QM:
Code:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      62025.49k    67077.36k    69036.03k    70165.77k    70120.79k

It says "The 'numbers' are in 1000s of bytes per second processed" so it seems that the AX88U is actually processing more bytes per second (better) than my CPU. I guess this makes sense since I read that the AX88U can do 200-250 Mbps over VPN while I am only getting 150 or so.
 
Gigabit to public VPN providers? No chance. I have experience with ExpressVPN and NordVPN. Both are "fast" compared to others. PC with i7/i9/Ryzen CPU... doesn't matter. 180-220Mbps is what you usually get.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top