Latency spikes during OpenVPN key reneg on AC87U (OpenWRT)


gloriousbear

New Around Here
Hello,
my VPN provider requires a key renegotiation every hour. I have OpenWRT installed on an Asus RT-AC87U with openvpn-openssl. I don't really care about high bandwidth, but I do need my latency to be low and stable. However, every time the key is reneged all the packets get buffered for 1.5-2 seconds. From what I understand, normally OpenVPN keeps the data channel open, so there should be no packet loss/latency spikes. However, it looks like I am reaching 100% usage of one core while the key is being reneged.

When connecting with openvpn from my PC (still routed through the same device) the problem disappears.
I tried overclocking the router's CPU to 1200 and 1400 briefly; it booted and worked at both (without load). Booting at 1400 cuts the delay in half (to 700-800 ms), but I don't know if it will be stable (and ideally I would like no delay at all, like on the PC).

I would like to know if there is anything I can do with this setup, or do I just need to buy a new router? Can I enable any kind of crypto acceleration? Can I force OpenVPN to use the second core somehow (or even the unused antenna CPU)? Would installing Merlin or DD-WRT change anything?

details:
18.06.1 openwrt
OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
****
openvpn.conf:
remote XXXXXXX
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
verb 4
CERTS
****
 
If there is any info I forgot to include, please let me know. Or if my question is wrong/naive, please let me know too. I searched the internet pretty hard, but the only guy I found with the same problem solved it by buying a new router :(

I know my device is far from the best, but it is not the worst either as far as I can tell. How do people deal with this issue on devices with even slower CPUs? When talking about VPN and slow router CPUs, virtually all threads focus on getting higher bandwidth (and again, I personally don't mind low bandwidth); does that mean they simply don't notice/care about the regular latency spikes they get when the key is being renegotiated?

Any and all replies welcome.
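A measurement script I would add at this point (not code from the thread or from OpenVPN) to confirm the diagnosis from logs the posted config already produces: it takes the verb 4 client log and a timestamped ping log, measures each renegotiation window from "TLS: soft reset" until both data-channel keys are reinstalled, and marks which RTT spikes land inside a window. The log samples are constructed; the OpenVPN line format is 2.4's, and the ISO timestamp prefix on the ping lines is an assumption about how the ping output was captured.

```python
"""Check whether tunnel latency spikes line up with OpenVPN key renegotiation.

Added example for this thread, not code from the original post or from
OpenVPN. Inputs: an OpenVPN client log at `verb 4` and a ping log with a
local ISO timestamp prepended to each line. Both samples are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of OpenVPN 2.4 verb-4 lines around an hourly renegotiation:
# the soft reset starts a fresh TLS handshake on the control channel, and the
# two "Data Channel" lines mark the point where the new keys are in use.
OPENVPN_LOG = """\
Fri Feb  1 12:00:00 2019 us=101000 TLS: soft reset sec=3600 bytes=123456/-1 pkts=2345/0
Fri Feb  1 12:00:01 2019 us=734000 VERIFY OK: depth=1, CN=ExampleCA
Fri Feb  1 12:00:01 2019 us=812000 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Feb  1 12:00:01 2019 us=830000 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Feb  1 12:00:01 2019 us=831000 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

# Constructed sample of `ping` output through the tunnel, each line prefixed
# with the local time the reply arrived (assumed capture format).
PING_LOG = """\
2019-02-01T11:59:59.000 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=12.1 ms
2019-02-01T12:00:00.000 64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=12.3 ms
2019-02-01T12:00:02.300 64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1790.0 ms
2019-02-01T12:00:03.000 64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=12.0 ms
2019-02-01T12:30:00.000 64 bytes from 10.8.0.1: icmp_seq=1804 ttl=64 time=400.0 ms
"""

OPENVPN_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(\d+) (.*)$")
PING_RE = re.compile(r"^(\S+) .*icmp_seq=(\d+) .*time=([\d.]+) ms")


def parse_openvpn_line(line):
    """Return (timestamp, message) for a verb-4 log line, or None."""
    m = OPENVPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return ts.replace(microsecond=int(m.group(2))), m.group(3)


def rekey_windows(log_text):
    """Find each renegotiation as (start, end, seconds).

    start is the 'TLS: soft reset' line; end is the later of the two
    'Data Channel: Cipher ... initialized' lines, i.e. the moment both
    directions have switched to the new key and buffered traffic can flow.
    """
    windows, start, seen = [], None, set()
    for line in log_text.splitlines():
        parsed = parse_openvpn_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith("TLS: soft reset"):
            start, seen = ts, set()
        elif start is not None and "Data Channel: Cipher" in msg:
            seen.add(msg.split()[0])          # "Outgoing" or "Incoming"
            if seen == {"Outgoing", "Incoming"}:
                windows.append((start, ts, (ts - start).total_seconds()))
                start = None
    return windows


def ping_spikes(ping_text, threshold_ms):
    """Return (reply_time, seq, rtt_ms) for replies slower than threshold_ms."""
    spikes = []
    for line in ping_text.splitlines():
        m = PING_RE.match(line)
        if m and float(m.group(3)) > threshold_ms:
            spikes.append((datetime.fromisoformat(m.group(1)),
                           int(m.group(2)), float(m.group(3))))
    return spikes


def attribute_spikes(windows, spikes, slack_s=1.0):
    """Tag each spike with whether its reply arrived during a rekey window.

    Buffered packets are released when the new keys are installed, so the
    delayed reply lands at or shortly after the window end; slack_s covers that.
    """
    out = []
    for reply_at, seq, rtt in spikes:
        in_rekey = any(start <= reply_at <= end + timedelta(seconds=slack_s)
                       for start, end, _ in windows)
        out.append((seq, rtt, in_rekey))
    return out


if __name__ == "__main__":
    wins = rekey_windows(OPENVPN_LOG)
    for start, end, secs in wins:
        print(f"rekey {start.time()} -> {end.time()}: data path stalled ~{secs:.3f}s")
    for seq, rtt, in_rekey in attribute_spikes(wins, ping_spikes(PING_LOG, 100.0)):
        print(f"icmp_seq={seq} rtt={rtt:.1f}ms", "during rekey" if in_rekey else "unrelated")
```

A spike whose RTT is roughly the window length (here 1.79 s against a 1.73 s window) means packets were held for the whole handshake, which is the 1.5-2 s stall described above; spikes outside any window point at something other than renegotiation.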
 
Welcome to the forum. Here is my feedback.

1. Key negotiation

Try setting reneg-sec to 0 (reneg-sec 0). From the OpenVPN 2.4 man page:
--reneg-sec n
Renegotiate data channel key after n seconds (default=3600).

When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.

Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.


2. My advice on Firmware choices
  • I think Asuswrt-Merlin is more user friendly and the snbforum can provide good support for the firmware. Since you have an Asus router, you should consider trying it. OpenWRT is considered a lighter weight firmware when compared to others. Some might think it is a little more bare bones. I think Asuswrt-Merlin is a better fit for the Asus router than DD-WRT. DD-WRT can be more challenging to flash.
  • The firmware will have no impact on OpenVPN performance. It is primarily the CPU that impacts performance and the cipher you use. geo-distance to the Server is another factor.
3. OpenVPN Hacks
  • With Asuswrt-Merlin, you can pin the OpenVPN client to a CPU. The even number clients get pinned to one CPU and the odd number clients get pinned to the other.
  • CBC cipher used to be the go-to for speed and performance. GCM has not replaced it. You can see the results of my experiment here.
  • You will not be able to achieve very fast OpenVPN performance with the RT-AC87U. There is no option to accelerate encryption. The HND routers RT-AC86U and RT-AX88U are now the go-to routers for the Asus customers who want to chase improved OpenVPN performance and bandwidth. There are many posts on the topic in the threads you can search on. I was not able to duplicate the success others reported with an RT-AC86U in the short time I had my hands on one. Or, you can do what I did and convert an old PC to a pfSense appliance that has a CPU that supports AES-NI. Or purchase an appliance from Netgate.
Hope that helps!
 
Hello and thank you so much for your reply!

1. Key negotiation


Try setting reneg-sec it to 0 (reneg-sec 0).

That's the first thing I tried; sadly, my provider forces the reneg server-side every hour.


I think Asuswrt-Merlin is more user friendly and the snbforum can provide good support for the firmware. Since you have an Asus router, you should consider trying it. OpenWRT is considered a lighter weight firmware when compared to others. Some might think it is a little more bare bones. I think Asuswrt-Merlin is a better fit for the Asus router than DD-WRT. DD-WRT can be more challenging to flash.

I picked OpenWRT because it can be run pretty bare-bones. It does not support wireless on this device, but since latency is important to me I'm wired in.


I tried both Merlin and DD-WRT to see if I could squeeze any extra performance that way. For whatever reason, on DD-WRT the latency spikes are on average 15% shorter. I didn't bother investigating too much as this is not a big enough difference for me and I disliked everything else about it. It would also not boot overclocked, while OpenWRT happily boots and works under the max load I can throw at it with a 1400 MHz clock, which in itself makes up for the 15% I would gain from having DD-WRT installed. Overall it just felt like a less advanced OpenWRT version.


I tried Merlin too; performance-wise it's similar to OpenWRT, but it's just not for me, as (at least from what I could tell) there is no way to fine-tune the firewall, no easy way to disable some features and no way to disable the closed-source components. I only played with it for a couple of hours though, as I found it to be too similar to stock, so it's possible I missed something obvious - please let me know if I did! I understand why you would recommend it to people though.


The firmware will have no impact on OpenVPN performance. It is primarily the CPU that impacts performance and the cipher you use.

I didn't run any extensive tests, but I am pretty sure the key renegotiation is at least 10% shorter on DD-WRT than on the other two firmwares, for whatever reason. If I decide to flash it again I will provide some hard numbers to (dis)prove it.


geo-distance to the Server is another factor.
I find this part very surprising! How exactly does the distance factor into it? I understand that the latency should be higher for the whole duration of the connection purely due to distance/number of hops, but does the key renegotiation process specifically suffer from a greater distance even more somehow?


With Asuswrt-Merlin, you can pin the OpenVPN client to a CPU. The even number clients get pinned to one CPU and the odd number clients get pinned to the other.

That sadly doesn't help since the system load is next to none most of the time, with both cores free - only on key reneg OpenVPN will use 100% of one of the cores, and it doesn't really matter which one as far as I can tell.


CBC cipher used to be the go to for speed and performance. GCM has not replaced it. You can see the results of my experiment here.

Did you mean to say "GCM has NOW replaced it" or "NOT replaced it"? According to your website GCM performs a bit better.

Do you know if picking a different cipher has an effect on the key regen process as well? Sorry if that is a dumb question, cryptography is not my strong suit. I will try different ones and see if it helps when I have free time, but I thought you might know already. If the only difference is bandwidth then I would rather pick a cipher that is "best" for privacy.

You will not be able to achieve very fast OpenVPN performance with the RT-AC87U. There is no option to accelerate encryption. The HND routers RT-AC86U and RT-AX88U are now the go to routers for the Asus customers who want to chase improved OpenVPN performance and bandwidth. There are many posts on the topic in the threads you can search on. I was not able to duplicate the success others reported with an RT-AC86U in the short time I had my hands on one. Or, you can do what I did and convert an old PC to a pfSense appliance that has a CPU that supports AES-NI. Or purchase an appliance from Netgate.


I have a couple of PCs running 24/7 already and would rather avoid having another one just to route. A newer router with hardware crypto acceleration seems like the best choice at the moment.


However, and this might sound dumb, but I am not a big fan of cryptography done on hardware. So that brings me to my last questions:


- if I chose to build a PC as a vpn router, what kind of CPU speed would I need for it to be able to handle OpenVPN without choking (no HW accel)? I will try to test this one myself with a VM later, but maybe somebody already did


- if I understand correctly, OpenVPN uses OpenSSL (or alternatives) to handle crypto operations; OpenSSL in turn can offload those operations to a third party using one of its "engines" (https://github.com/openssl/openssl/blob/master/README.ENGINE ; this is how it can use AES-NI instructions, for example); what I am wondering is what exactly stops me from writing my own, purely software-based crypto engine? As long as the code is not super inefficient and can utilize multiple cores, it should end up being faster (without touching OpenSSL/OpenVPN code at all...)? I feel like I am missing something very obvious, otherwise I would expect something like that to already exist...

I will admit that this is more about me being stubborn than any practical reasons ;) but maybe somebody else already went down that route and can share some experiences. In the end I will probably just end up buying AES-NI capable router to save me some headaches. For now though I am still looking for workaround (having two vpn connections open at once and routing through one that has rekeyed recently is probably the easiest one to do) while keeping an eye on openVPN 3.0 development and alternatives (https://github.com/znuh/frivpn).

If you reached here I want to thank you for reading and again all and any input is welcome (just linking related technical reading material is absolutely fine if you don't feel like explaining)!
 
One limitation is the architecture of OpenVPN. It is single core threaded. So, if you have a multi core CPU, it will only use one core.

The reneg setting and cipher are two separate configurations. So changing cipher should not have an impact on renegotiation.

Regarding geo distance, yes, less hops. For example, if I live in San Francisco and connect to a server in LA, I will get better speed compared to connecting to a server in Hong Kong. This is the Latency metric you see on speed test sites. So, when you see someone posting awesome VPN speed, you also need to consider geo distance to the server they are connected to. If they were to connect to a server half way across the globe, the speeds will be lower.

I meant the GCM cipher has replaced CBC as the go-to cipher for speed and performance. That is one of the main takeaways from the metrics I gathered for the blog post.

I'm not in a position to read the link about the GitHub solution right now but will read it tomorrow. But the RT-AC87U is end of life and it sounds like you have tried to max it out with firmware choices and settings with little improvement. As my friend Steve once told me, "you can't polish a turd". The RT-AC86U may be worth a consideration. They go on sale periodically. My understanding is acceleration has to do with the CPU. When researching pfSense appliances last year, the first thing I looked at is the CPU. You can usually then find a CPU benchmark report or data sheet that tells you if the CPU supports acceleration. For Intel, this is AES-NI.

Other than Netgate, other sources for high-end boxes with CPUs that support AES-NI are
https://www.aaeon.com/en/
http://www.lannerinc.com/

With these devices, you will need to use pfSense or OpnSense firmware.

Are you married to your VPN provider? :D May be time to break up with them. There are many other providers available. Many have a seven day trial period. Try one or two and compare. It may also allow you to validate that the issue is really the renegotiate setting and not something else.
 
Thank you for taking your time to reply again! Unfortunately I think I did not make myself clear; I am not a native speaker nor a network professional, so I am probably misusing some terms. I will try to rephrase my questions:

Regarding geo distance, yes, less hops. For example, if I live in San Francisco and connect to a server in LA, I will get better speed compared to connecting to a server in Hong Kong. This is the Latency metric you see on speed test sites. So, when you see someone posting awesome VPN speed, you also need to consider geo distance to the server they are connected to. If they were to connect to a server half way across the globe, the speeds will be lower.
When you say "speed" I feel like you mean bandwidth, which again, I couldn't care less about. I understand this is the most important metric for most people, but personally I can live with a couple of megabits (for this particular connection). I also understand that communicating with any server far away (using any protocol) has to be slower (as in latency) than communicating with a server that is close by, simply because we are bound by the speed of light (but also because we are jumping through more hops).
What I am trying to clarify is whether the process of renegotiating the key itself is going to take longer with a server that is far away (and if so, why?). So in my scenario (with bogus numbers):

- I connect to a server that is 1000 km away. The connection can do 100 Mbit/s and has 50 ms latency. On my slow device the renegotiation of the key takes 1000 ms.
- I connect to a server that is 5000 km away. The connection can do 50 Mbit/s and has 250 ms latency. Will the renegotiation of the key take more than 1000 ms (using the same device), and if so, why?

The only answer I can think of is the key reneg process is basically a full handshake (and not just symmetrically encrypted UDP data flow) and so while the client has to wait for the server to answer (and vice versa) before proceeding the latency will accumulate? Is this correct?

My understanding is acceleration has to do with the CPU.
It surely is the case with AES-NI, but things like hardware crypto acceleration cards exist and OpenSSL can take advantage of those too; what I am trying to understand is what makes it impossible for somebody to code an emulated crypto card that's multi-threaded and use that for encrypting/decrypting. I will try to explain it better below:

One limitation is the architecture of OpenVPN. It is single core threaded. So, if you have a multi core CPU, it will only use one core.
I accept that OpenVPN itself is a single-threaded program; I don't mean to mess with this situation at all. What I am saying is that the program OpenVPN is offloading its crypto operations to does NOT need to be single-threaded as well, unless I am misunderstanding how things work to a comical degree. Let me expose my ignorance with some pseudo "code":

[... we have an established connection and we get some data to send from the client ...]
in OpenVPN client (all happening in the same thread):

encryptData(data, cipher, key)
{
    return libOpenSSL(data, cipher, key)
    [... CPU jumps into the OpenSSL library ...]
    {
        cryptEngine = pickEncryptionEngine(cipher);
        // OpenSSL tries to pick the fastest way to handle the encryption

        [here is the interesting part; if we are using no acceleration (or a built-in one like AES-NI) the CPU just jumps to the appropriate library and does the calculations; if we are using a HW card it will make a call to the driver; either way we are still staying in the same thread as far as OpenVPN is concerned, it will just wait/sleep till something returns data]
        [the only difference from the program's perspective is how fast the data gets returned]
        return cryptEngine->encrypt(data, cipher, key);
    }
}


So what I thought could be done is writing a purely software encryption engine, either as part of OpenSSL or if that proves to be impossible/impractical, as an emulated system device (e.g. a pure software module for http://cryptodev-linux.org/) that can execute instructions independent of OpenVPN's state. I am not saying this would be fast enough, but it should be much faster than what is available now.


Please bear in mind that this is a purely theoretical discussion for me at this point. I have been known to be dumb, but I ain't nearly dumb enough to write my own crypto :') I just want to understand why it hasn't been done before, as it seems like an obvious solution without implementation and in my experience when I encounter those it's usually because I misunderstood a concept at its core. If this is a wrong forum to discuss ideas like this please let me know.


But the RT-Ac87U is end of life and it sounds like you have tried to max it out with firmware choices and settings with little improvement.
That is true, however, the limitations seem to be purely software based. There is one more core that's idling, so the resources are there. There are other devices on the market that have 4 cores and no hardware acceleration, that's 3/4th of the resources idling. Feels very wasteful to me to just give up on them. Personally I *will* just get a better router with HW acceleration because I am a lazy person, but I disagree about those devices reaching their maximum potential.


The pfSense looks really neat, I have been playing with it since yesterday in VMs. Overkill for my needs, but I am going to learn it anyway just for the sake of it.


Are you marrried to your VPN provider? :D May be time to break up with them. There are many other providers available. Many have a seven day trial period. Try one or two and compare. It may also allow you to validate that the issue is really the renegotiate setting and not something else.
My subscription with them runs out in 2 months or so and I do not mind switching. I picked them partially because of their focus on privacy and commitment to open source solutions, but the most important reason (I have used them for a while so maybe things have changed) is that they were the best I was able to find when it comes to low jitter - I get sub-1 ms jitter when connecting to the servers close to me and only 2-3 ms with servers further away (this is under minimal loads of course). If you know other VPN services like that please feel free to recommend some! Most recommendations that I was able to find (that were not pure advertisements/referral spam) focus on irrelevant (to me) stuff like ease of setup or bandwidth or geolocator bypass etc.

However, even if I did find another good VPN provider, how does that solve the problem of my core maxing out? The key renegotiation process is there to ensure Perfect Forward Secrecy, if I understand correctly. I would be worried that a provider that does not enforce privacy measures doesn't really care about the privacy at all.

Once again thanks for taking the time out of your day to read this/reply!
 
So here is a picture of what I am talking about. I live in The Land of Smiles. I connect to a VPN server south of me in the same country.

[screenshot: speed test result for the in-country server]


I then connect to a server in Los Angeles:

[screenshot: speed test result for the Los Angeles server]


Note the speed and latency differences. That is my point about the impact of geo distance to server from your physical location. If someone reports awesome vpn performance, you need to also consider how far away geographically they are from the server.

My recommendation on VPN provider is in my blog post Why I use Torguard

There is a discount code in the article. The monthly cost goes way down with an annual or bi-annual subscription.

There are some good guides on the internet on how to configure pfSense and pfBlockerNG. Eventually, I plan to write my own guide and show how to implement selective routing.

I've been around the block many times on the topic of VPN performance. I think I've read about every forum post on the topic when I first got into it. I stand by my statement about the CPU being the primary limiting factor. You can find others on the forum who I highly respect stating the same. It is a topic that comes up often on the forum. The Asus HND CPU supported routers have acceleration built in. But I was not successful in getting the performance out of the AC86U that others reported. Unfortunately, I just did not have it in my hands long enough to see if there was anything else I could have done.

I recommend that you try the performance test benchmark listed in the article https://x3mtek.com/openvpn-performance/ and compare the results with your router. If you post the results, I'll add them to the article. Try it with the AES-128-CBC and AES-128-GCM ciphers to see the performance difference.

The thread mentioned below is an excellent read too:
However, as snbforums.com member @sfx2000 noted in this thread, OpenSSL is only one part of OpenVPN performance, it doesn’t take into account the OpenVPN application, or the HMAC, which is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. According to @sfx2000, these metrics are more relevant for real-world expectations of what an end-point can do; it is up to one’s internet connection after that. So, for comparing OpenVPN performance, the following benchmark test should be used instead.
 
I forgot that there is another option for you. If you want to keep your existing router and improve VPN speeds, you may want to look at the VPN accelerator option from Sabai Technologies. I have a brief overview on my blog post about it and explain why it will help. So, I won't get into the details here.
 
I appreciate your willingness to help me, but at this point I am beginning to believe that you either do not read my posts carefully or simply do not understand the issue I am trying to solve.


Note the speed and latency differences. That is my point about the impact of geo distance to server from your physical location. If someone reports awesome vpn performance, you need to also consider how far away geographically they are from the server.

So, bandwidth and average latency. Things I stated multiple times I do not care about. I am going to assume the geo distance has exactly 0 influence on the duration of the key renegotiation process (it would be insane if it did, to be fair) unless somebody posts/links a technical explanation of why it does.


My recommendation on VPN provider is in my blog post Why I use Torguard


There is a discount code in the article. The monthly costs goes way down with an annual or by-annual subscription.

That post is a literal advertisement. With the referral links and all :/ None of the features are special or unique. There are at least a few other reputable providers that offer such services while not operating from the god damn United States. Using a VPN that's based in US jurisdiction is just a terrible idea for any US citizen/resident or anybody that is planning on using US based services (so only like 70% of the internet...) - unless you don't care about privacy AT ALL.


To be absolutely fair, this particular VPN does allow setting "reneg-sec" to 0, which would "help" with my problem, but that is a TERRIBLE "solution", ESPECIALLY for VPN connections made by routers that are supposed to be working 24/7 for days - unless, again, you don't care about your privacy at all. Anybody else reading who is interested in why that is should read this wiki article at the very least: https://en.wikipedia.org/wiki/Forward_secrecy


This is like suggesting somebody who wants to squeeze more performance to use weak, insecure ciphers - sure, it will "work", but at a great implied cost - at some point you have to ask yourself why even bother using VPN if you don't care about losing privacy...


I stand by my statement about the CPU being the primary limiting factor.

And it obviously is? I never said it wasn't? The whole point of my posts is to figure out a workaround/ways to utilize the CPU better?


Of course, when you say performance, you mean how many mbits/s you can squeeze through, which again and I am not sure how can I be clearer about this, THE BANDWIDTH IS NOT AND NEVER WAS AND NEVER WILL BE AN ISSUE IN THIS PARTICULAR CASE. I am *only* trying to get rid of the data channel flow interruptions that ONLY happen during a very specific operation (key renegotiation) and ONLY because of the "bad" implementation (as there are unused hardware resources on the system that could be utilized).


I recommend that you try the performance test benchmark listed in the article https://x3mtek.com/openvpn-performance/ and compare the results with your router. If you post the results, I'll add them to the article. Try it with the AES-128-CBC and AES-128-GCM ciphers to see the performance difference.

The router is physically secured in a way that makes the access to it a bit tedious, but I will be testing some workarounds next week and while doing so I will run the test for you (even though they are completely irrelevant to the matter at hand, but somebody might find the numbers useful).


I forgot that there is another option for you If you want to keep your existing router and improve VPN speeds, you may want to look at the VPN accelerator option from Sabai Technologies. I have a brief overview on my blog post about it and explain why it will help. So, I won't get into the details here.

Nothing in this post explains why it would help, actually nothing in this post explains what it even is... This is just another torguard ad, with straight up dishonest implications ("One of the many reasons I prefer TorGuard to other VPN providers, is their support for a wide range of router firmware." implies that other providers can be somehow incompatible with some firmwares, which is just BS, as long as they run openvpn servers and your firmware has an openvpn client it HAS to work???)


From what I quickly gathered, this device is basically a $450 router with a CPU that supports AES-NI? You can buy a bleeding edge, top shelf consumer device for much less than that and it will have 5 times more features even on stock firmware (10 Gbps+ AX routers are ~$350 atm)... Oh, and the manufacturer states this cannot function as a router on its own; you actually need yet another router to route your home network, which is just bizarre and I can't imagine a technical reason for this except for the firmware being very primitive.


Why would you ever buy this or recommend this to anybody??
 
I appreciate your willingness to help me, but at this point I am beginning to believe that you either do not read my posts carefully or simply do not understand the issue I am trying to solve.




So, bandwidth and average latency. Things I stated multiple times I do not care about. I am going to assume the geo distance has exactly 0 influence on the duration of the key renegotiation process (it would be insane if it did to be fair) unless I somebody posts/links a technical explanation of why it does.




That post is a literal advertisement. With the referral links and all :/ None of the features are special or unique. There are at least few other reputable providers that offer such services while not operating from the god damn United States. Using a vpn that's based in US jurisdiction is just a terrible idea for any US citizen/resident or anybody that is planning on using US based services (so only like 70% of the internet...) - unless you don't care about the privacy AT ALL.


To be absolutely fair this particular VPN does allow setting "reneg-sec" to 0 which would "help" with my problem but that is a TERRIBLE "solution" ESPECIALLY for vpn connections made by routers that are supposed to be working 24/7 for days - unless, again, you don't care about your privacy at all. Anybody else reading that's interested why is that should read this wiki article at the very least: https://en.wikipedia.org/wiki/Forward_secrecy


This is like suggesting somebody who wants to squeeze more performance to use weak, insecure ciphers - sure, it will "work", but at a great implied cost - at some point you have to ask yourself why even bother using VPN if you don't care about losing privacy...




And it obviously is? I never said it wasn't? The whole point of my posts are to figure out a workaround/ways to utilize CPU better?


Of course, when you say performance, you mean how many mbits/s you can squeeze through, which again and I am not sure how can I be clearer about this, THE BANDWIDTH IS NOT AND NEVER WAS AND NEVER WILL BE AN ISSUE IN THIS PARTICULAR CASE. I am *only* trying to get rid of the data channel flow interruptions that ONLY happen during a very specific operation (key renegotiation) and ONLY because of the "bad" implementation (as there are unused hardware resources on the system that could be utilized).




The router is physically secured in a way that makes the access to it a bit tedious, but I will be testing some workarounds next week and while doing so I will run the test for you (even though they are completely irrelevant to the matter at hand, but somebody might find the numbers useful).




Nothing in this post explains why it would help, actually nothing in this post explains what it even is... This is just another torguard ad, with straight up dishonest implications ("One of the many reasons I prefer TorGuard to other VPN providers, is their support for a wide range of router firmware." implies that other providers can be somehow incompatible with some firmwares, which is just BS, as long as they run openvpn servers and your firmware has an openvpn client it HAS to work???)


From what I quickly gathered, this device is basically a $450 router with a CPU that supports AES-NI? You can buy a bleeding edge top shelf consumer device for much less than that and it will have 5 times more features even on stock firmware (10gbps+ AX routers are ~$350 atm)... Oh and the manufacturer states this cannot function as a router on its own, you actually need yet another router to route your home network, which is just bizarre and I can't imagine a technical reason for this except for the firmware being very primitive.


Why would you ever buy this or recommend this to anybody??
@Xentrk has tried to help you. It would seem that you only want to complain. Don't come here to complain, the people here post problems and the community tries ways to fix it. That is all. @RMerlin does not work for Asus, no one here does. If you don't like the help, the router, then I think you already know what to do. No need to Troll.:rolleyes::rolleyes::rolleyes::rolleyes::rolleyes:
 
Thank you for your contributions :') if you have some spare time feel free to educate me as to how should I respond to somebody replying with irrelevant information over and over so I don't hurt anybody's feelings.

If anybody else has any technical suggestions that don't involve me clicking on your referral links I am all ears. As I am currently finding out, even 5 GHz Intel CPUs with AES-NI are not fast enough to avoid a latency spike (although it is an extremely short one, e.g. if you ICMP flood a device only one packet will lag for 50-100ms, still not ideal for online gaming and such), at this point the only viable option seems to be having multiple VPN sessions with dynamic route switching between the key renegotiations...
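Added example, not code from the thread: a small Python script that correlates OpenVPN renegotiation log lines with `ping -D` samples to measure how much jitter each reneg introduces. The OpenVPN and ping lines are constructed; the script assumes the OpenVPN log clock is UTC (adjust if the router logs in local time).

```python
import re
import statistics
from datetime import datetime, timezone

# Constructed sample data (not from the thread). OpenVPN prefixes lines with
# "Www Mmm dd HH:MM:SS yyyy" at verb>=3 and logs "TLS: soft reset" when the
# reneg-sec timer fires. Ping lines mimic `ping -D`, whose bracketed prefix
# is the epoch time the reply arrived.
OPENVPN_LOG = """\
Mon Feb 11 14:00:00 2019 TLS: soft reset sec=3600/3600 bytes=0/-1 pkts=0/0
Mon Feb 11 14:00:01 2019 VERIFY OK: depth=1, CN=ExampleCA
Mon Feb 11 15:00:00 2019 TLS: soft reset sec=3600/3600 bytes=0/-1 pkts=0/0
"""
PING_LOG = """\
[1549893597.000000] 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=12.1 ms
[1549893598.000000] 64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=12.4 ms
[1549893599.000000] 64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=11.9 ms
[1549893600.000000] 64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=12.2 ms
[1549893601.000000] 64 bytes from 10.8.0.1: icmp_seq=5 ttl=64 time=1840.0 ms
[1549893602.000000] 64 bytes from 10.8.0.1: icmp_seq=6 ttl=64 time=760.0 ms
[1549893603.000000] 64 bytes from 10.8.0.1: icmp_seq=7 ttl=64 time=12.3 ms
[1549893604.000000] 64 bytes from 10.8.0.1: icmp_seq=8 ttl=64 time=12.0 ms
"""

RENEG_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) TLS: soft reset")
PING_RE = re.compile(r"^\[(\d+\.\d+)\] .*icmp_seq=(\d+) .*time=([\d.]+) ms")

def reneg_times(log: str) -> list[float]:
    """Epoch seconds of each renegotiation; assumes the log clock is UTC."""
    out = []
    for line in log.splitlines():
        m = RENEG_RE.match(line)
        if m:
            dt = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            out.append(dt.replace(tzinfo=timezone.utc).timestamp())
    return out

def ping_samples(log: str) -> list[tuple[float, int, float]]:
    """(reply_epoch, icmp_seq, rtt_ms) for every echo reply line."""
    return [(float(m.group(1)), int(m.group(2)), float(m.group(3)))
            for m in map(PING_RE.match, log.splitlines()) if m]

def reneg_spikes(pings, renegs, after=3.0, jitter_ms=100.0):
    """Per reneg: baseline RTT (median outside reneg windows), max RTT inside
    the [reneg, reneg+after) window, and the seqs exceeding baseline+jitter."""
    outside = [rtt for ts, _, rtt in pings if not any(r <= ts < r + after for r in renegs)]
    baseline = statistics.median(outside) if outside else None
    report = []
    for r in renegs:
        window = [(seq, rtt) for ts, seq, rtt in pings if r <= ts < r + after]
        spiked = [seq for seq, rtt in window if baseline is not None and rtt - baseline > jitter_ms]
        report.append({"reneg_at": r, "baseline_ms": baseline,
                       "max_rtt_ms": max((rtt for _, rtt in window), default=None),
                       "spiked_seqs": spiked})
    return report
```

Run a real `ping -D` against the far end of the tunnel for a couple of hours alongside the OpenVPN log to see whether every reneg coincides with a spike, or only some.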
 
Limiting the way someone can help you, is going to limit your ability to be helped. If a link and some self education is needed, I don't see a problem with that. Your issue demands more research. Keep reporting back with helpful information. The first place to look would be to install stock firmware and see if the issue can be replicated.
 
Maybe, just maybe with your AC87U you are trying to make a silk purse from a sow's ear. While OpenWRT is good it can't fix problems with hardware that others have reported multiple issues with on stock and custom firmware. And there are many of us who would love to have the bandwidth rate you have reported! And if you are using VPN to hide your illegal browsing habits...
Suggestion: Buy a Netgear Orbi... then you will have something to complain about!
 
Maybe, just maybe with your AC87U
Ok so if I actually go out and drop $400 on the router and come back here and show you that it still hiccups on key regen (which it almost certainly will since even my 8086K needs ~50ms to reauthenticate) will my question be valid then? This is NOT a device specific issue. Anybody (that cares about forward secrecy) using OpenVPN is subject to this, it's just that most of the users do not notice or care. I run a few applications that work best with minimal jitter (that does not mean low latency, but the lack of variation in latency [no spikes]) so I absolutely do notice and care. I came upon this forum while looking for other people that also might've noticed and cared, and hopefully found some workarounds. It looked like the right place for it, emphasis on past tense.

And If you are using VPN to hide your illegal browsing habits...
I use it for anti-ddos but thanks for your concern.
 
I had not noticed your post while replying, sorry!

I am really not trying to limit anybody. With all due respect, since you are all senior members here, but people sometimes do give out... misguided advice, let's call it that. If all you care about is that your netflix works and you can download torrents fast at the same time, then more power to you and buying a newish router will certainly help you accomplish this. This is NOT what I am after and I tried to be very clear about it so I went into much detail just to hear the same thing over and over...

It's the same thing as if I went on a medical forum and asked about the rash that keeps popping up in a very specific place under very specific conditions, and somebody (who I am sure means well) keeps telling me what I should do to treat flu symptoms... Just to eventually recommend me some "essential oils" that they just so happen to be selling... And I'm a troll here? I really do not get it.
 
Folks. No one is trying to troll here. So let's not get personal and stay focused on the question.
 
my VPN provider requires a key renegotiation every hour. I have OpenWRT installed on asus rt-ac87u with openVPN-openssl. I don't really care about high bandwidth, but I do need to have my latency low and stable. However every time the key is reneged all the packets get buffered for 1,5-2 seconds. From what I understand, normally openvpn keeps the data channel open and so there should be no packet loss/latency spikes. However it looks like I am reaching 100% of one core usage when the key is being reneged.

The RT-AC87U is "kind of" supported on OpenWRT as a derivative of the RT-68U with the QTN 5GHz side, so it's a bit odd...

Maybe roll back to AsusWRT-RMerlin, and discuss there.
 
I apologize for my response to @gloriousbear. I really like helping people on the forum. I was trying my best to help you and obviously failed to give you the answers you were looking for, which probably caused you to be frustrated with me. I interpreted your replies as a critical attack of advice I felt was helpful, yet not appreciated despite my taking time out of my day to try and help. I could have responded differently and will try to do better next time.

Overall, we have a good community here on the forum. In fact, one of the best I have seen from many of the Network centrist forums on the net. I hope you will not be discouraged from seeking help on the forum in the future and that you find a resolution to your issue.
 