New to VPNs on Routers..

EdCaffreyMS

Occasional Visitor
Morning!

I'm new to the forums, but have relied on SNB for years when I needed knowledge on most of my networking questions. Today I find myself in a somewhat new situation, and needing input/advice. I've played around, off and on, with VPNs for about a year now, and recently decided to get serious about it. I got a screaming deal over the holidays for a subscription to SurfShark VPN. I've found it very good at what it does, and their support/help is some of the best I've encountered.

My Network: Three T-Mobile hot spot devices, all have been converted to AC68U, and have DD-WRT firmware installed. One is the "main" router, connected directly to the Spectrum Cable Modem/100Mbps connection, and the other two are further down the line in the network, and are there as switches and wireless APs where the main router doesn't reach on my property.

Situation: I chose to install/run the VPN on the main router, mainly because it seems my ISP can still make certain conclusions about my network if I run it on individual machines. I have seen the connection speed on my network plummet from my typical 90-100Mbps to a maximum of 35Mbps when the VPN is enabled. (It is VERY noticeable when doing just about anything on the net.) After talking with SurfShark support, they say that the router (the T-Mobile converted to AC68U) isn't "robust" enough to handle the VPN, and recommended something more powerful. I've looked around, and located a great deal on an Asus RT-AC88U (one of the routers SurfShark recommended), which has considerably better specs than the converted AC68U routers I currently run. IF I go the AC88U route, I'd likely upgrade it to Merlin firmware, and deploy it as the main router on my network.

The Questions:
1. Any thoughts as to IF I replaced the main router with the AC88U.... do you think it would yield any higher connection speeds than what I am now seeing/getting with the converted AC68U router?
2. Any significant advantages to the Merlin firmware over stock, or DD-WRT?

Would also be more than happy to hear anything related to this type of situation and its surrounding circumstances!
 

eibgrad

Part of the Furniture
1). I can tell you from having the RT-AC68U myself, 30-35Mbps is all you're going to get w/ OpenVPN. However, I have seen as high as 111Mbps w/ Wireguard (specifically from KeepSolid VPN, aka VPNUnlimited) and DD-WRT. So the router is capable of better performance provided the VPN runs in the kernel (the fact OpenVPN runs in user-space is what really limits that router). A router like the RT-AC88U, or even better, the RT-AX86U (which seems to be the current favorite around the SNB forums), will improve performance. In my own case, I moved my OpenVPN client to a small form-factor PC made from some old x86 parts and running DD-WRT, rather than invest more money in a new router, esp. when the RT-AC68U is otherwise working perfectly in all other respects.

2). Installing Merlin to a converted TM-AC1900 is considered illegal, and can NOT be discussed on these forums. Sorry.
 

heysoundude

Part of the Furniture
If you're considering a new router, getting an AX86 seems to be the way to go for the foreseeable future, and it will run WireGuard effortlessly, possibly replacing your 3 current router/APs with one machine for simplicity/energy savings/future-proofness: the AC88 might not be supported for much longer
 

EdCaffreyMS

Occasional Visitor
> 1). I can tell you from having the RT-AC68U myself, 30-35Mbps is all you're going to get w/ OpenVPN. However, I have seen as high as 111Mbps w/ Wireguard (specifically from KeepSolid VPN, aka VPNUnlimited) and DD-WRT. So the router is capable of better performance provided the VPN runs in the kernel (the fact OpenVPN runs in user-space is what really limits that router). A router like the RT-AC88U, or even better, the RT-AX86U (which seems to be the current favorite around the SNB forums), will improve performance. In my own case, I moved my OpenVPN client to a small form-factor PC made from some old x86 parts and running DD-WRT, rather than invest more money in a new router, esp. when the RT-AC68U is otherwise working perfectly in all other respects.
>
> 2). Installing Merlin to a converted TM-AC1900 is considered illegal, and can NOT be discussed on these forums. Sorry.

Thanks! It's funny you mentioned VPN Unlimited! That's what started this entire journey. I own VPN Unlimited, but was having issues with it leaking my IP and DNS. I was pulling speeds such as those you mentioned too, on Wireguard, but again, it was NOT secure. I also had a number of other issues with VPN Unlimited. I tried for a long time to get any support/customer service, but never got a reply to any attempt at contact. So based on my experiences, I would never recommend VPN Unlimited. There's a very good reason you can get "lifetime" deals on that specific VPN service. ;)
That is what drove me to search for another VPN, and I ended up with SurfShark, not only from reviews, but they had a screaming deal over the holidays. It's been rock solid from a security standpoint, but the speed is not very good. They currently only operate with the OpenVPN protocol for routers, but I've been told they will be including Wireguard later this year. Based on my very limited experience with VPNs, it seems you can either have speed, OR security, but not both.

Now, with all that aside, and since I have become interested in Merlin, I suppose I will start looking for a router. Yesterday I ordered a "renewed" AC88U for less than $100. I will also be looking into the AX86. Thanks for your great information!!
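
A routing check for the IP and DNS leaks mentioned in the post above, as an added example that is not part of the thread: it reads Linux `ip route get` output and flags any destination, resolver or otherwise, that would leave through an interface other than the tunnel. The interface names `tun0` and `eth0`, the addresses and the sample lines are constructed assumptions; it checks routing only, not what a browser or application resolver does on its own.

```shell
#!/bin/sh
# Added example (not from the thread). Input is `ip route get <addr>` output,
# one result per line; tun0/eth0 and all addresses below are constructed.

# Tunnel is up, but one resolver is still routed out the WAN port.
SAMPLE_LEAKY='198.51.100.7 dev tun0 src 10.8.0.2 uid 0
10.8.0.1 dev tun0 src 10.8.0.2 uid 0
203.0.113.53 via 192.168.100.1 dev eth0 src 192.168.100.20 uid 0'

# Everything leaves through the tunnel.
SAMPLE_CLEAN='198.51.100.7 dev tun0 src 10.8.0.2 uid 0
10.8.0.1 dev tun0 src 10.8.0.2 uid 0'

# check_egress TUNNEL_IF < route-get-lines
# Prints "LEAK <dst> <dev>" for each destination that does not egress via the
# tunnel and returns 1 if there was any; a line with no dev is flagged too
# (fail closed). A loopback resolver is reported as LOCAL: it is a forwarder
# whose upstream servers must be checked instead.
check_egress() {
    awk -v tun="$1" '
        BEGIN { bad = 0 }
        NF == 0 { next }
        {
            # Lines may start with a route type such as "local".
            dst = ($1 ~ /[.:]/) ? $1 : $2
            dev = "unknown"
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == "lo") print "LOCAL", dst, dev
            else if (dev != tun) { print "LEAK", dst, dev; bad = 1 }
        }
        END { exit bad }
    '
}

# resolvers < resolv.conf text: print the nameserver addresses to test.
resolvers() { awk '$1 == "nameserver" { print $2 }'; }

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_LEAKY" | check_egress tun0 || echo "leak detected"

# Live use on a Linux host (the extra address stands for any public host):
#   { resolvers < /etc/resolv.conf; echo 198.51.100.7; } |
#       while read -r a; do ip route get "$a"; done | check_egress tun0
```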

EdCaffreyMS

Occasional Visitor
> If you're considering a new router, getting an AX86 seems to be the way to go for the foreseeable future, and it will run WireGuard effortlessly, possibly replacing your 3 current router/APs with one machine for simplicity/energy savings/future-proofness: the AC88 might not be supported for much longer

Thanks for that input! As I said in another reply, I did order the AC88..... but it may just get returned, based not only on your words, but also the extra research that posting on these forums has led me to. :) And replaced with the AX86.

This seems as good a place as any to pose the following and seek input/ideas

It's been several years since implementing the current converted AC68U devices/building my current network, so now I'm in the planning stages to update the network, and if I'm doing that, I might as well modernize for the future.

One of the possible solutions I've come up with is..... Get the AX86 as my primary router, likely upgrade to the Merlin firmware, and install SurfShark onto it.... so I'd need sufficient hardware to run the VPN for as much connection speed as it allows, and all the networked devices.
I'd love to cut down the number of devices (routers) in my network, but doubt it will allow me to forgo other routers/APs around the place..... just too much distance and obstructions. The closest shop, where the 2nd router resides via Ethernet connection to the main router, is approx. 300 ft (straight line) from the main router, which is in the basement of the house. From there, and through a gigabit switch, it goes to another shop/steel building, that is 400ft from the main router (in a straight line, and it has the steel bldg to contend with). The PCs in both the shops run Ethernet connections, but I also run 20 of the Wyze security cameras around the property, which all require a wifi connection, as well as a number of other wifi connected devices that I often forget are there. So..... for the "satellite" routers I was thinking of a couple cheaper TP-Link models such as the AX10 or AX21.

The thought had occurred to just go all hardwired/Ethernet with switches....but I must have the wifi for the security cameras and other wireless devices throughout the property. Happy to hear any/all inputs!

heysoundude

Part of the Furniture
A few followup thoughts/comments:
1- I'm increasingly getting as many of my network clients as possible off wifi and hardwired to routers/switches, and encouraging people to do the same for theirs. In your case, because of the distances between the various locations, trying to accomplish your desired setup with consumer SOHO hardware might not be the best approach. You might want to get a local networking professional to advise on your setup - the differing electrical ground potentials between buildings may be a concern that needs mitigation for electrical code compliance/safety/speeds.
2- If your ISP supports Native IPv6, use it for your network. It will make subnetting outlier APs and what connects to them easier. You can go get the knowledge you need at ipv6.he.net/certification.
3- WireGuard (https://www.wireguard.com/) isn't supported by all VPN providers, so check with yours that they do if you choose to stick with Asus machines
 

EdCaffreyMS

Occasional Visitor
I am learning more about VPNs, along with some growing suspicions. That being, does a VPN really do what it claims? Since I live in a smaller area, we are very limited to any high speed internet service..... and in ONE choice.... so most use this ISP. Recently a friend of mine was visiting, and told me that he got on his PC last Saturday morning, and opened his browser..... and was met with a full screen popup: "A computer at this location has been identified as downloading copyright materials. Any further violations of this nature will result in termination of your internet services, and possible prosecution" He said the computer was locked on that screen, he had to hit an "I understand and acknowledge" button in order to do anything.

He runs SurfShark VPN on his PC, and said it is always active, with the "kill switch" enabled full time.

So.... this leads me to.... Does a VPN actually do what it's advertised to? As in, does it provide security/anonymity on the web? Obviously in this case, it did not. Have ISPs found a way around VPNs? Are we wasting our money on VPN subscriptions??

I have sent a couple of support requests into my VPN provider, asking those very questions, and they never answer the questions directly.... always deflecting to another subject. This just adds to my suspicions. Thoughts anyone?
 

Tech Junky

Very Senior Member
I have been using Nord for several years after getting some of those nasty ISP popups and haven't had any nastigrams since. Not all providers are the same when it comes to protecting you from snooping from the ISP. Out of the hundreds of providers there's only a handful I would trust / pay for. Even less when using them in Linux with WireGuard. I tested a few last summer when I was up for renewal and they all had their own issues in hitting the bar that Nord had put in place for performance.

If you're collecting DMCA notices or seeing anything odd in your PC performance, that should be an indicator something isn't working 100%.
 

L&LD

Part of the Furniture
Yes, paid-for VPNs do what they're supposed to do. Generate money for the company involved.

Other than making it seem you're browsing from another part of the country/world, no.
 

EdCaffreyMS

Occasional Visitor
> I have been using Nord for several years after getting some of those nasty ISP popups and haven't had any nastigrams since. Not all providers are the same when it comes to protecting you from snooping from the ISP. Out of the hundreds of providers there's only a handful I would trust / pay for. Even less when using them in Linux with WireGuard. I tested a few last summer when I was up for renewal and they all had their own issues in hitting the bar that Nord had put in place for performance.
>
> If you're collecting DMCA notices or seeing anything odd in your PC performance, that should be an indicator something isn't working 100%.

I've only been with SurfShark since the holidays..... so still feeling them out. I did get a blog entry/notice that Nord and SurfShark have "merged", which I suspect means Nord bought them out. My biggest point in the post is that it just seems to me that running a VPN on a single device.... that be a PC or other device that uses the net, then the ISP can track to a physical location/address, and only that individual piece of hardware is obscured?
Would that also be true if the VPN were installed on the network's main router? Or would it only indicate to the ISP, the DNS server it is connected to?

When I first started using SurfShark on my main router, I noticed that my internet service would drop every morning at exactly 10:10am, and the only way I could get it back was to stop the VPN on the router, then reset the modem and router. The location was the "nearest" as recommended by SurfShark. Once I noticed that, I switched to another location, and since, have had no more issues.

Very interesting conversation.....makes me see VPNs in a whole new light. Thanks!
 

EdCaffreyMS

Occasional Visitor
> Yes, paid-for VPNs do what they're supposed to do. Generate money for the company involved.
>
> Other than making it seem you're browsing from another part of the country/world, no.

That gives me a great insight into all those "extras" that SurfShark offers! :) Thanks!
 

Tech Junky

Very Senior Member
> Nord and SurfShark have "merged"

Financially yes, but SS is still a separate product / network.

ISP will only see encapsulated traffic and not the actual data inside those packets. i.e. not able to sell based on metrics

Rest of the world sees your IP as the VPN and multiple users using the same server to originate traffic from.

IP trolls base their complaints off the HASH for the file / IP from which is connecting to download / upload the associated file.

> would drop every morning at exactly 10:10am

Sounds like a 24-hour key cycle not renewing the keys and thus dropping / kill switch being activated. Switching to another location, though, shouldn't resolve that issue; it might have been associated with that single server you were being connected to, though.
 