OpenVPN client speed - Merlin 384.19 vs 386.1

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

bukso

Occasional Visitor
Hi all,
originally I posted it here, but since it is probably quite specific problem, I decided to create new thread.

I am using RT-AC86U router with ExpessVPN subscription. When running firmware 384.19,
I am getting download speeds through OpenVPN client around 220 - 240 Mbps.

But when I update firmware to 386.1 (while using same ExpressVPN config and server), I suddenly get only around
130 - 140 Mbps download speeds. Everything else looks normal, works great, but I have this
VPN speed drop which I cannot explain.
If I disconnect the router from VPN, I get 250 Mbps, which is my maximum speed from ISP.

Just for reference, when on 386.1 and connected to VPN, the CPU cores are not maxed out while
I measure internet speed and CPU temperature is around 86°C - I don't think that CPU throttling is the
cause for VPN speed drop.
Also wiping the router and reapplying saved settings did not change the measured VPN speed on 386.1.
Speedtest results remain in range 130 - 140 Mbps no matter if I test from wired or wireless client, Windows or iOS,
computer or mobile device.
If I go back to 384.19 firmware, I immediately get the 220 - 240 Mbps VPN speedtest results.

OpenVPN advanced parameters I use are copied from ExpressVPN website and are meant for Merlin firmware:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

Anyone else using VPN client noticed speed difference between these firmware versions?
If yes, anyone managed to fix it?
Any suggestions what else could I try to get to my usual VPN speeds on 386.1 firmware?

Thank you.
 

eibgrad

Very Senior Member
You are/were getting 220-240Mbps w/ ExpressVPN? Wow. 90% of time I'm lucky to get 80-85Mbps (using USA servers, near and far), w/ occasional spikes to 110-120Mbps. And I know my OpenVPN client is plenty capable beyond that since it's running on a PC (dd-wrt x86). Mind telling us which server(s) you're using (lol, probably not)?

I have to say that I find it a bit out of the ordinary that your prior setup was giving you as much as 96% of your ISP's bandwidth over the VPN. Can't help but wonder if when you tested the prior setup if perhaps you weren't actually using the VPN! I know, I know, seems hard to believe this could happen, but still, given all my own experiences w/ ExpressVPN, 110-120Mbps seems much more reasonable.
 

bukso

Occasional Visitor
No problem, I am using ExpressVPN servers in Germany, Czech Republik, Slovakia and Austria. I live in this region and these servers are "near". And yes, the speeds are real, measured with Speedtest app for iOS and Windows. I am sure I am connected to VPN while measuring, among others you can see it in Speedtest app because it shows your current provider :) But router shows the information as well and various websites confirm it.
Even when I had 600 Mbps connection, my ExpressVPN tests were showing same results and so I conclude that the range of 220 - 240 Mbps is maximum what I can get from ExpressVPN in this region.
The only problem is that on 386.1 firmware the speed mysteriously decreases and it is constant decrease.

Here are results from few minutes ago, OpenVPN client running on RT-AC86U 384.19.

Screenshot 2021-02-07 200627.png


Screenshot 2021-02-07 200724.png
 

Viktor Jaep

Regular Contributor
I am using RT-AC86U router with ExpessVPN subscription. While running firmware 384.18 and 384.19,
I am getting download speeds through OpenVPN client around 220 - 240 Mbps.

But when I update firmware to 386.1 and with same ExpressVPN config, I suddenly get only around
130 - 140 Mbps download speeds. Everything looks normal, everything works great, but I have this
VPN speed drop which I cannot explain.
If I disconnect the router from VPN, I get 250 Mbps, which is my maximum speed from ISP.

ExpressVPN user here as well, @bukso ... and have never been able to get my speeds above 130-140Mbps... I always thought it was a limitation of the AES processing power on the AC86U, and a the distance factor between your location and the VPN endpoint... And this is on both 384.19 and 386.1... I have seen no change. I've got a 300Mbps Xfinity connection, and can achieve 300+Mbps rates while not on the VPN... here's the config I use:

#!/bin/sh
#Location: /jffs/scripts/openvpnclient1.postconf
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "fast-io" $CONFIG
pc_append "server-poll-timeout 10" $CONFIG
pc_append "remote-random" $CONFIG
pc_append "remote usa-newyork-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-sanfrancisco-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-chicago-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-washingtondc-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-dallas-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-miami-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-3-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-newjersey-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-newjersey-3-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-seattle-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-miami-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-denver-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-saltlakecity-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-tampa-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote us-new-york-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-dallas-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-atlanta-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles5-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "pull" $CONFIG
pc_append "tls-client" $CONFIG
pc_append "verify-x509-name Server name-prefix" $CONFIG
pc_append "remote-cert-tls server" $CONFIG
pc_append "route-method exe" $CONFIG
pc_append "route-delay 2" $CONFIG
pc_append "tun-mtu 1500" $CONFIG
pc_append "fragment 1300" $CONFIG
pc_append "mssfix 1450" $CONFIG
pc_append "sndbuf 524288" $CONFIG
pc_append "rcvbuf 524288" $CONFIG
pc_append "comp-lzo no" $CONFIG
pc_append "push \"comp-lzo no\"" $CONFIG
pc_append "auth-nocache" $CONFIG
 

RMerlin

Asuswrt-Merlin dev
I just tested the OpenVPN server itself within my LAN, it's still reaching the usual 230-250 Mbps I have always gotten from it, and which is about the max you can expect out of that router's CPU.

I haven't gone through the trouble of setting up a complete client-server setup within my network, but a simple test with NordVPN is giving me 175 Mbps, which seems about normal to me for a commercial VPN provider.
 

Perr23

New Around Here
Hi all,
originally I posted it here, but since it is probably quite specific problem, I decided to create new thread.

I am using RT-AC86U router with ExpessVPN subscription. When running firmware 384.19,
I am getting download speeds through OpenVPN client around 220 - 240 Mbps.

But when I update firmware to 386.1 (while using same ExpressVPN config and server), I suddenly get only around
130 - 140 Mbps download speeds. Everything else looks normal, works great, but I have this
VPN speed drop which I cannot explain.
If I disconnect the router from VPN, I get 250 Mbps, which is my maximum speed from ISP.

Just for reference, when on 386.1 and connected to VPN, the CPU cores are not maxed out while
I measure internet speed and CPU temperature is around 86°C - I don't think that CPU throttling is the
cause for VPN speed drop.
Also wiping the router and reapplying saved settings did not change the measured VPN speed on 386.1.
Speedtest results remain in range 130 - 140 Mbps no matter if I test from wired or wireless client, Windows or iOS,
computer or mobile device.
If I go back to 384.19 firmware, I immediately get the 220 - 240 Mbps VPN speedtest results.

OpenVPN advanced parameters I use are copied from ExpressVPN website and are meant for Merlin firmware:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

Anyone else using VPN client noticed speed difference between these firmware versions?
If yes, anyone managed to fix it?
Any suggestions what else could I try to get to my usual VPN speeds on 386.1 firmware?

Thank you.
Same problem for me. With 384.19 in AC86U, i got 220Mps, but now with 368.1 I get 168Mbps without changing config. I tried dirty and clean update, and same result.
 

RMerlin

Asuswrt-Merlin dev
And client mode tested - also getting the expected 250 Mbps. Client on the RT-AX86U, server on my Linux VM.

Code:
Connecting to host 10.18.0.1, port 5201
[  5] local 10.18.0.2 port 33081 connected to 10.18.0.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  30.0 MBytes   252 Mbits/sec    4   1.30 MBytes       
[  5]   1.00-2.00   sec  28.8 MBytes   241 Mbits/sec   46   1.07 MBytes       
[  5]   2.00-3.00   sec  28.8 MBytes   241 Mbits/sec    0   1.16 MBytes       
[  5]   3.00-4.00   sec  30.0 MBytes   252 Mbits/sec    0   1.24 MBytes       
[  5]   4.00-5.00   sec  28.8 MBytes   241 Mbits/sec    0   1.29 MBytes       
[  5]   5.00-6.00   sec  28.8 MBytes   241 Mbits/sec    1    984 KBytes       
[  5]   6.00-7.00   sec  30.0 MBytes   252 Mbits/sec    0   1.02 MBytes       
[  5]   7.00-8.00   sec  30.0 MBytes   252 Mbits/sec    0   1.06 MBytes       
[  5]   8.00-9.00   sec  30.0 MBytes   252 Mbits/sec    0   1.08 MBytes       
[  5]   9.00-10.00  sec  28.8 MBytes   241 Mbits/sec    0   1.10 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   294 MBytes   246 Mbits/sec   51             sender
[  5]   0.00-10.07  sec   292 MBytes   243 Mbits/sec                  receiver
 

bukso

Occasional Visitor
@Viktor Jaep - Let's assume there is something in firmware 386.1, what limits ExpressVPN speed to around 140 Mbps.
And now there is a ExpressVPN user, who can get maximum 130 Mbps for various non-router related reasons.
If that user would upgrade his router from 384.19 to 386.1, he would probably not notice anything.

FYI here is my router's CPU usage while doing Speedtest:
Screenshot 2021-02-07 223224.png

@RMerlin , thank you for testing. I am am puzzled why I get lower VPN speeds with 386.1 and whenever I downgrade back to 384.19, I get the higher speeds.
Maybe when I will find some time, I will try to wipe the router, upgrade to 386.1 and manually set up everything from scratch (if someone else does not suggest some smarter fix in this thread). But it is hard to find the right moment if whole family is in lockdown and using internet for work at home, school and entertainment :)
 

bukso

Occasional Visitor
@Perr23 - looks like you have similar issue. Are you also using ExpressVPN, or some other provider?

@RMerlin - maybe it is combination of specific parameters, like RT-AC86U and firmware 386.1 and ExpressVPN client.
 

Perr23

New Around Here
@Viktor Jaep - Let's assume there is something in firmware 386.1, what limits ExpressVPN speed to around 140 Mbps.
And now there is a ExpressVPN user, who can get maximum 130 Mbps for various non-router related reasons.
If that user would upgrade his router from 384.19 to 386.1, he would probably not notice anything.

FYI here is my router's CPU usage while doing Speedtest:
View attachment 30473

@RMerlin , thank you for testing. I am am puzzled why I get lower VPN speeds with 386.1 and whenever I downgrade back to 384.19, I get the higher speeds.
Maybe when I will find some time, I will try to wipe the router, upgrade to 386.1 and manually set up everything from scratch (if someone else does not suggest some smarter fix in this thread). But it is hard to find the right moment if whole family is in lockdown and using internet for work at home, school and entertainment :)
I tried with a fresh update and config again all the settings including VPN Client and same result...I'm using Nordvpn
@Perr23 - looks like you have similar issue. Are you also using ExpressVPN, or some other provider?

@RMerlin - maybe it is combination of specific parameters, like RT-AC86U and firmware 386.1 and ExpressVPN client.
 

Sobster88

Occasional Visitor
FFA383E0-2636-4FD5-A892-9311D3231F4A.png

I use ExpressVPN and usually get between 160-180 connected to Dallas. I dirty flashed from 384.19 to 386.1 a week ago and saw no change. Here is a 30 day history from spdMerlin.
 

RMerlin

Asuswrt-Merlin dev
It's more likely to be a config difference. Some providers have broken implementations that don't work too well with OpenVPN 2.5.0. It's possible that some users are ending up using a different cipher, or a different MTU for instance. People should increase the verbosity level to 6, and compare the configured parameters between both - there's a good chance that something would be different in what is being negociated between the client and the server.

In any case, I don't consider this to be a bug at the firmware level, since testing both client and server is able to get expected performance results when both ends are being controlled.
 

CaptainSTX

Part of the Furniture
My results have shown a similar reduction in download speeds on VPN clients either using PIA-New or Strong VPN.

While on my AC86 running 384.19 I would often get VPN download speeds of over 200 Mbps now on connecting to the nearest server my typical speeds are around 160 Mbps when on 386.1.

WAN speeds still fine at 460/23 Mbps.

Hopefully VPN providers will improve their OVPN configurations soon.

P.S.
I contacted StrongVPN yesterday and they had no updated files even in beta that could be loaded on a router to optimize OpenVPN 2.4.
 
Last edited:

maxbraketorque

Very Senior Member
It's more likely to be a config difference. Some providers have broken implementations that don't work too well with OpenVPN 2.5.0. It's possible that some users are ending up using a different cipher, or a different MTU for instance. People should increase the verbosity level to 6, and compare the configured parameters between both - there's a good chance that something would be different in what is being negociated between the client and the server.

In any case, I don't consider this to be a bug at the firmware level, since testing both client and server is able to get expected performance results when both ends are being controlled.

My first thought was different cipher, especially since the OP's OVPN config does not specify a cipher.
 

bukso

Occasional Visitor
n any case, I don't consider this to be a bug at the firmware level, since testing both client and server is able to get expected performance results when both ends are being controlled.

@RMerlin Thank you for testing and confirming that the problem is not with the OpenVPN client 2.5.0 implementation.

So the theory is that current configuration in ovpn files (created by VPN providers) should be adjusted to work better with OpenVPN client 2.5.0 and/or VPN servers should be updated/modified in such a way that they work better with OpenVPN client 2.5.0.
If I find some time, I will experiment with VPN client setting for ExpressVPN.

In the meantime anyone who encounters this problem please contact your VPN provider and open a ticket with them. VPN is a paid service and VPN providers should test OpenVPN client 2.5.0 performance in their network and should provide updated instructions or ovpn files, or any other relevant solution.

I have opened ticket with ExpressVPN asking them to look into OpenVPN client 2.5.0 performance when connecting to their servers.

If someone runs into this problem or finds a solution or gets back something from his/her VPN provider, please update this thread.
 

bukso

Occasional Visitor
ExpressVPN support came back to me with this:

"At this moment, we have already filed a feature request for this specific OpenVPN version for your Merlin UI. For now, what we can only suggest is for you to stick with the old version of the firmware as that one seems to provide you a better speed."

So now ExpessVPN is aware of this problem, let's see if/how/when they tackle it.
 

ajp2k14

Regular Contributor
Contacted WeVPN support and they suggested I try the clients on a computer and compare 2.5 and 2.4 which I did. I've never used it on my Windows laptop before so I don't know which speeds to expect but 2.4 and 2.5 were about the same with max 120-130Mbps. Using WeVPN on my AC86U with 384.19 gave me 200Mbps+ but with 386.1 it's more like the windows speeds 120Mpbs max.

Logs from the 2.5-clients have warnings about mtu, no warnings in the 2.4-log. EDIT: Sorry, warnings appear in the 2.4-log too, I just missed it.

2021-02-09 14:53:30 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 36049'
2021-02-09 14:53:30 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 36000'

UPDATE: I get this in both the 2.4 and 2.5-logs. Now I'm confused... (this is on a PC)

2021-02-09 14:53:30 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-09 14:53:30 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-02-09 14:53:30 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-09 14:53:30 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
 
Last edited:

maxbraketorque

Very Senior Member
Contacted WeVPN support and they suggested I try the clients on a computer and compare 2.5 and 2.4 which I did. I've never used it on my Windows laptop before so I don't know which speeds to expect but 2.4 and 2.5 were about the same with max 120-130Mbps. Using WeVPN on my AC86U with 384.19 gave me 200Mbps+ but with 386.1 it's more like the windows speeds 120Mpbs max.

Logs from the 2.5-clients have warnings about mtu, no warnings in the 2.4-log. EDIT: Sorry, warnings appear in the 2.4-log too, I just missed it.

2021-02-09 14:53:30 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 36049'
2021-02-09 14:53:30 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 36000'

UPDATE: I get this in both the 2.4 and 2.5-logs. Now I'm confused... (this is on a PC)

2021-02-09 14:53:30 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-09 14:53:30 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-02-09 14:53:30 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-09 14:53:30 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

I had similar issues when dealing with an OVPN 2.5.0 client (one ASUS router) talking to a OVPN 2.4.9 server (another ASUS router). I found that I had to adjust the cipher configurations. My notes are here:


Since you are connecting to a commercial VPN service, you don't have any control over their server side config, but you can try asking WeVPN to see if they'll show you their server config, in particular the cipher settings. You'll probably want to ask what version of OVPN WeVPN is using.
 
I have noticed a similar drop in speed from 170-210 Mbits to around 120-130 on my two VPN tunnels with Getflix.
No config changed after firmware update. ISP did bump all customers from 500/500 Mbit to 1G/1G during this period, but I have not had less that 900 Mbit on WAN tests, so it should not be a line issue.
Running AES-256-CBC on RT-AC86U

IMG_1338.jpg

IMG_1339.jpg
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top