Max VPN client speed

[cipo80]

Hi all, I'm planning to buy a GT-AX6000, I want to know the maximum VPN client throughput of this model running a popular service like NordVPN or expressVPN.
I've a real 940/480 Mbs fiber an the purpose will be Torrenting by my NAS using Merlin and VPN director.

Thanks in advance

 

[RMerlin]

In theory it should be around 250 Mbps. But that will vary based on the server configuration.

 

[Tech Junky]

First off you should run the VPN on the device that has the best CPU. Router's don't do well with this unless you build your own or go higher end SMB/Enterprise. With a gig connection running a whole network VPN / wireguard with Nord I was able to hit line speeds beyond gig by bonding 2 ports together and unlocking the additional bandwidth to the tune of about 1.3-1.4gbps vs a single connection topping out ~980mbps.

OVPN tops out at ~600mbps with even the best HW.

So, you can either go with the Asus and chop your ISP plan speed / plan
you could build your own device and keep the higher speeds with proper HW.
you can do split tunneling / "director" and only put the NAS traffic into the VPN
put the VPN client on the NAS itself and possibly get better speeds depending on the NAS.

 

[JoeBee]

First off you should run the VPN on the device that has the best CPU. Router's don't do well with this unless you build your own or go higher end SMB/Enterprise. With a gig connection running a whole network VPN / wireguard with Nord I was able to hit line speeds beyond gig by bonding 2 ports together and unlocking the additional bandwidth to the tune of about 1.3-1.4gbps vs a single connection topping out ~980mbps.

OVPN tops out at ~600mbps with even the best HW.

So, you can either go with the Asus and chop your ISP plan speed / plan
you could build your own device and keep the higher speeds with proper HW.
you can do split tunneling / "director" and only put the NAS traffic into the VPN
put the VPN client on the NAS itself and possibly get better speeds depending on the NAS.

Very good advice reminds me when someone mentioned its better just to install VPN client software per device.

But I wonder Is there anything on the market that is as easy and simple as merlins awesome firmware, that could be installed on a mini pc something for basic network/computer skills users could do themselves?

I find pfsense and similar others too advanced.

 

[Tech Junky]

that could be installed on a mini pc something for basic network/computer skills users could do themselves?

I use Ubuntu on a larger PC to accomplish this and other functions tied into the same box.

If you want performance you're not going to find a cheap & easy option that performs.

If you have a knack for figuring things out w/ some guidance then you can do it your way fairly easily. When tech changes you can swap out the AP with the newer version cheaper, if you upgrade to 2.5 or 5gbps internet you can swap the NIC vs spending another $500-$1000 on a new router.

 

[nmos]

Openwrt has an x86 version. I've had good luck installing it to a usb drive and running as a router it on Dell Optiplex mini-towers with multiple NICs. Alternatively putting your vpn software on a pc inside the network is possible.

 

[JoeBee]

I use Ubuntu on a larger PC to accomplish this and other functions tied into the same box.

If you want performance you're not going to find a cheap & easy option that performs.

If you have a knack for figuring things out w/ some guidance then you can do it your way fairly easily. When tech changes you can swap out the AP with the newer version cheaper, if you upgrade to 2.5 or 5gbps internet you can swap the NIC vs spending another $500-$1000 on a new router.

Alternatively putting your vpn software on a pc inside the network is possible.

Trying to get my limiting network head around that, so get a PC with decent specs (3ghz+ AES quad, 2-4 ethernet card) put ubuntu or openwrt x86 etc and install the VPN software on that be it WG for example and let that box do all the hard work to get the full WG or Openvpn speeds.

Then use the 2nd ethernet port on that PC back to the Asus router WAN and let it do all the device routing with VPN director so some devices can use ISP IP clear net and others WG VPN?

 

[Tech Junky]

VPN director

That's not needed because you can have everything at full speed through the PC using wireguard through say Nord. You can get quad port gigabit/2.5/5 NIC for it and then assign one port to the wan and the others to the lan.

For instance I out a quad 5ge nic in mine for faster speeds on the LAN. One port to the AP for 2.5ge speed which allows my laptop to hit 1.5gbps over wifi to the PC which also acts as a NAS. Before I switched ISPs I bonded two ports together for higher than gigabit speed for the same plan price.

Depending on your needs / wants you can make it do whatever you want with the option to change the performance on your whims for a lower cost than having to buy a new all in one router.

5GE - $200
2.5GE - $150
1GE - $50

So, if you're happy with gig speeds across the network you can keep it cheap for 4 ports. If you want a little more performance then bump it up to the next levels but, the price difference makes more sense to jump to a 5GE card than the middle ground.

There are different OS options that are either generic like Ubuntu or more specific like pFsense. They both do the same thing but, one's more geared towards keeping things simple like a router GUI or a little more nuanced in the setup but opens the door to other options to be rolled into the PC setup. OpenWRT is an option as well that gives you that "router" feeling as well.

If you put a little effort into it though you get a much more performant system than something that comes in a box from BB or walmart. No router off the shelf from a retailer will hit line speed above 500mbps for VPN in either mode. I tested OVPN on my system when shopping around for options when my subscription came up for renewal and it didn't matter which provider I was testing. None of them broke any speed records unless using WG. WG testing though did show some of them being slower than others. Some of them required some security bypasses to get them to launch post reboot w/o manually logging into the system to get to the desktop to launch the app to engage the VPN connection.

 

[nmos]

Trying to get my limiting network head around that, so get a PC with decent specs (3ghz+ AES quad, 2-4 ethernet card) put ubuntu or openwrt x86 etc and install the VPN software on that be it WG for example and let that box do all the hard work to get the full WG or Openvpn speeds.

Then use the 2nd ethernet port on that PC back to the Asus router WAN and let it do all the device routing with VPN director so some devices can use ISP IP clear net and others WG VPN?

I haven't tried this exact scenario but I've done similar to connect remote offices so maybe someone will poke a hole in it but I think it should work.. Put a PC with Openwrt and a single NIC on your lan. Set up Openvpn on it, set it's default route to go through your main router. On your main router DHCP server have it push the PC's lan IP as the default gw to all clients (or just the specific ones that you want to go through vpn). Use SNAT on the PC to redirect all traffic from your LAN out over the VPN connection. If that works then to increase speed just swap your switch and the NIC in the PC for ones that can do 2.5G or better.

 

[Tech Junky]

@nmos

That's one way. I have some sites that tend to be a real pain to deal with when an IP is marked as a VPN source. I just add routes to bypass to those site subnets. For instance Amazon prime is annoyingly anti VPN for content and sometimes it works and most of the time it doesn't. A couple of banks just flat out block VPN origination and I sued to just switch to known good servers but did the same route approach on them as well.

Putting in firewall snat's is just another approach but, it gets to be clutter when scaling up the number of them. Putting them in a container though would work as well using ipset.

 

[cipo80]

Very Thank you guys for the suggestions and for the alternative ways.
I know the VPN is a CPU hungry task, I’m a network administrator here in Italy (emm..sorry for the bad English ) and after 20 years spent to “fight with devices and with the users” I‘m trying to keep my house as simple as possible regarding devices, but sometimes isn’t easy to resist at temptation!
I totally agree also in a pc acting a router/firewall and the concept to upgrade only the obsolete peripherals and not the all-in-one device, but as I write before I want to keep all easy and spend less time as possible in networking at home.
Another aspect is the power consumption, actually In the EU we’re “frustrated” regarding power cost, last month I payed 0.68€/KWh vs 0.20 of the last 10 years; devices active H24 need more attention.

At the end I’ll go ahead with the AX6000, 250Mbs are enough for torrenting in my case, probably in the future with WG support will perform better.
My actual router a Fritz box 7530AX on IPSec perform 10/10Mbs and on WG 150Mbs.

 

[cipo80]

In theory it should be around 250 Mbps. But that will vary based on the server configuration

Thank you “god” of Merlin to answer , are 250 in both direction at the same time?
Probably depends also if and how many other tasks the router need to manage during VPN, torrenting with hundreds of sources not help, anyway I can get from Amazon and try.

 

[RMerlin]

Thank you “god” of Merlin to answer , are 250 in both direction at the same time?

No, one direction. This is a CPU bottleneck.