New to VPNs on Routers..

EdCaffreyMS

Occasional Visitor
Morning!

I'm new to the forums, but have relied on SNB for years when I needed knowledge on most of my networking questions. Today I find myself in a somewhat new situation, and needing input/advice. I've played around, off and on, with VPNs for about a year now, and recently decided to get serious about it. I got a screaming deal over the holidays for a subscription to SurfShark VPN. I've found it very good at what it does, and their support/help is some of the best I've encountered.

My Network: Three T-Mobile hot spot devices, all have been converted to AC68U, and have DD-WRT firmware installed. One is the "main" router, connected directly to the Spectrum Cable Modem/100Mbps connection, and the other two are further down the line in the network, and are there as switches and wireless APs where the main router doesn't reach on my property.

Situation: I chose to install/run the VPN on the main router, mainly because it seems my ISP can still make certain conclusions about my network if I run it on individual machines. I have seen the connection speed on my network plummet from my typical 90-100Mbps to a maximum of 35Mbps when the VPN is enabled. (It is VERY noticeable when doing just about anything on the net.) After talking with SurfShark support, they say that the router (the T-Mobile converted to AC68U) isn't "robust" enough to handle the VPN, and recommended something more powerful. I've looked around, and located a great deal on an Asus RT-AC88U (one of the routers SurfShark recommended), which has considerably better specs than the converted AC68U routers I currently run. IF I go the AC88U route, I'd likely upgrade it to Merlin firmware, and deploy it as the main router on my network.

The Questions:
1. Any thoughts as to IF I replaced the main router with the AC88U.... do you think it would yield any higher connection speeds than what I am now seeing/getting with the converted AC68U router?
2. Any significant advantages to the Merlin firmware over stock, or DD-WRT?

Would also be more than happy to hear anything related to this type of situation and its surrounding circumstances!
 

eibgrad

Part of the Furniture
1). I can tell you from having the RT-AC68U myself, 30-35Mbps is all you're going to get w/ OpenVPN. However, I have seen as high as 111Mbps w/ Wireguard (specifically from KeepSolid VPN, aka VPNUnlimited) and DD-WRT. So the router is capable of better performance provided the VPN runs in the kernel (the fact OpenVPN runs in user-space is what really limits that router). A router like the RT-AC88U, or even better, the RT-AX86U (which seems to be the current favorite around the SNB forums), will improve performance. In my own case, I moved my OpenVPN client to a small form-factor PC made from some old x86 parts and running DD-WRT, rather than invest more money in a new router, esp. when the RT-AC68U is otherwise working perfectly in all other respects.

2). Installing Merlin to a converted TM-AC1900 is considered illegal, and can NOT be discussed on these forums. Sorry.
 

heysoundude

Very Senior Member
If you're considering a new router, getting an AX86 seems to be the way to go for the foreseeable future, and it will run WireGuard effortlessly, possibly replacing your 3 current router/APs with one machine for simplicity/energy savings/future-proofness: the AC88 might not be supported for much longer
 

EdCaffreyMS

Occasional Visitor
> 1). I can tell you from having the RT-AC68U myself, 30-35Mbps is all you're going to get w/ OpenVPN. However, I have seen as high as 111Mbps w/ Wireguard (specifically from KeepSolid VPN, aka VPNUnlimited) and DD-WRT. So the router is capable of better performance provided the VPN runs in the kernel (the fact OpenVPN runs in user-space is what really limits that router). A router like the RT-AC88U, or even better, the RT-AX86U (which seems to be the current favorite around the SNB forums), will improve performance. In my own case, I moved my OpenVPN client to a small form-factor PC made from some old x86 parts and running DD-WRT, rather than invest more money in a new router, esp. when the RT-AC68U is otherwise working perfectly in all other respects.
>
> 2). Installing Merlin to a converted TM-AC1900 is considered illegal, and can NOT be discussed on these forums. Sorry.

Thanks! It's funny you mentioned VPN Unlimited! That's what started this entire journey. I own VPN Unlimited, but was having issues with it leaking my IP and DNS. I was pulling speeds such as those you mentioned too, on Wireguard, but again, it was NOT secure. I also had a number of other issues with VPN Unlimited. I tried for a long time to get any support/customer service, but never got a reply to any attempt at contact. So based on my experiences, I would never recommend VPN Unlimited. There's a very good reason you can get "lifetime" deals on that specific VPN service. ;)
That is what drove me to search for another VPN, and I ended up with SurfShark, not only from reviews, but they had a screaming deal over the holidays. It's been rock solid from a security standpoint, but the speed is not very good. They currently only operate with the OpenVPN protocol for routers, but I've been told they will be including Wireguard later this year. Based on my very limited experience with VPNs, it seems you can either have speed, OR security, but not both.

Now, with all that aside, and since I have become interested in Merlin, I suppose I will start looking for a router. Yesterday I ordered a "renewed" AC88U for less than $100. I will also be looking into the AX86. Thanks for your great information!!
 

EdCaffreyMS

Occasional Visitor
> If you're considering a new router, getting an AX86 seems to be the way to go for the foreseeable future, and it will run WireGuard effortlessly, possibly replacing your 3 current router/APs with one machine for simplicity/energy savings/future-proofness: the AC88 might not be supported for much longer

Thanks for that input! As I said in another reply, I did order the AC88..... but it may just get returned, based not only on your words, but also the extra research that posting on these forums has led me to. :) And replaced with the AX86.

This seems as good a place as any to pose the following and seek input/ideas:

It's been several years since implementing the current converted AC68U devices/building my current network, so now I'm in the planning stages to update the network, and if I'm doing that, I might as well modernize for the future.

One of the possible solutions I've come up with is..... Get the AX86 as my primary router, likely upgrade to the Merlin firmware, and install SurfShark onto it.... so I'd need sufficient hardware to run the VPN for as much connection speed as it allows, and all the networked devices.
I'd love to cut down the number of devices (routers) in my network, but doubt it will allow me to forgo other routers/APs around the place..... just too much distance and obstructions. The closest shop, where the 2nd router resides via Ethernet connection to the main router, is approx. 300 ft (straight line) from the main router, which is in the basement of the house. From there, and through a gigabit switch, it goes to another shop/steel building, that is 400 ft from the main router (in a straight line, and it has the steel bldg to contend with). The PCs in both the shops run Ethernet connections, but I also run 20 of the Wyze security cameras around the property, which all require a wifi connection, as well as a number of other wifi connected devices that I often forget are there. So..... for the "satellite" routers I was thinking of a couple cheaper TP-Link models such as the AX10 or AX21.

The thought had occurred to just go all hardwired/Ethernet with switches....but I must have the wifi for the security cameras and other wireless devices throughout the property. Happy to hear any/all inputs!
 

heysoundude

Very Senior Member
A few followup thoughts/comments:
1- I'm increasingly getting as many of my network clients as possible off wifi and hardwired to routers/switches, and encouraging people to do the same for theirs. In your case, because of the distances between the various locations, trying to accomplish your desired setup with consumer SOHO hardware might not be the best approach. You might want to get a local networking professional to advise on your setup - the differing electrical ground potentials between buildings may be a concern that needs mitigation for electrical code compliance/safety/speeds.
2- If your ISP supports Native IPv6, use it for your network. It will make subnetting outlier APs and what connects to them easier. You can go get the knowledge you need at ipv6.he.net/certification.
3- WireGuard (https://www.wireguard.com/) isn't supported by all VPN providers, so check with yours that they do if you choose to stick with Asus machines.
 
