OpenVPN n00b - Things to consider?

M@rco

Guest
I'm considering subscribing to ProtonVPN services. I've already searched their documentation on how to set things up, I searched the forum (note to self - found some useful info here) and went through the OpenVPN chapters in the wiki, but still have some questions I can't easily seem to find any answers to. Maybe they're silly questions, but I'd rather know for sure beforehand. I once had a VPN subscription with StrongVPN on a single Mac using their desktop client but that was prior to getting into Asuswrt-Merlin, and frankly, easy as pie, so I barely have any prior experience with or knowledge of VPNs.

There are most likely more questions to come, but to start with: will I still be able to use AB-Solution, pixelserv-tls, Skynet and dnscrypt on my RT-AC68U? The latter seems less relevant as ProtonVPN apparently offers encrypted DNS out of the box, although it would definitely be great if I could keep using it.

I want to direct all traffic from my LAN through the VPN, would that be a dealbreaker considering I would preferably like to keep using the applications and scripts I mentioned before?

Are there other things (besides the choice for which VPN service provider) that I should take into consideration?

Your assistance is highly appreciated.

Marco
 
Two things to consider if you run all LAN connections through a VPN using your present router:

1. Your download and upload speeds will be reduced by as much as 50% using an AC68. The only ASUS router that has the processor to handle download speeds at up to 200 Mbps is the N86.
2. If you stream Netflix they are very good at blocking many VPN servers. Some VPN providers offer some servers that are not blocked presently.
 
I use AB-Solution, pixelserv-tls and Skynet on my ac86u and they work fine. I don't use dnscrypt as I use ProtonVPN's dns 10.8.8.1. I use ProtonVPN's plus servers VA 3-4 to get Netflix. Most of their US plus servers work with Netflix, if not all. But I haven't had any success with Amazon Prime Video, it's blocked when using ProtonVPN from a router. If you want to view Amazon Prime Videos on your PC then you have to use the APP.
 
Your download and upload speeds will be reduced by as much as 50% using an AC68.
Thanks for your reply. Although speed is not my main concern, is there any estimate to give what (under optimal circumstances) the maximum achievable speed would be on a RT-AC68U? I've read that ProtonVPN uses AES256 for encrypting data, I assume that's relevant as it impacts the CPU load?
 
Search this forum. VPN speeds have been discussed hundreds of times including what speeds you might expect.
As a rough demonstration of what the slowdown might be, based on my 180/24 speeds using a wired connection: when I connect to Wi-Fi on my 5G radio using NO VPN, my download speed is 167 Mbps on an iPhone. With the VPN ON the speed dropped to 15.5 Mbps.

My router used in this test is an AC1900P, which has a 1400 MHz processor and is in fact an AC68 model. If you have an earlier AC68 with a slower processor you can expect your speeds to be even less, but search the site, as it is possible that someone will have had better results, but 25 Mbps might be the upper limit.
 
Search this forum.

I'll see what I can find. Unfortunately vpn is too short and well, speed way too common. But the numbers you just mentioned make me wonder whether I wouldn't be better off installing desktop and/or mobile clients on a paid plan for 6 devices and the rest on a free plan. Would it be technically possible to direct only part of my LAN through the (free) tunnel set up from the router itself and have the desktop and/or mobile clients set up a VPN connection directly, without losing that much of my bandwidth?
 
Using Merlin's firmware, and depending on your router, you can have up to five VPN clients running at the same time on your router. Merlin's firmware supports policy routing, which means that by device you can select which VPN a client uses, or select that a device connects using the WAN.

Running a VPN app on most devices is going to be faster than running it on a router as the device probably has a faster processor and the processor may support AES-NI which is necessary for fast encryption.
 
ProtonVPN was kind enough to provide 3 .ovpn config files for their Plus servers, so I'm able to test ProtonVPN from my router during the 7-day trial they offer for their Plus package. All three of them are located in The Netherlands, where I live (at roughly 30 km, to be exact).
With all three of them I'm able to achieve 25~30 Mbit downstream (on a 200 Mbit connection, which - without VPN - provides around 220 Mbit). I monitored CPU usage on the router, it doesn't get over 50 percent when actively streaming, so it doesn't seem like my router is the bottleneck here. I tested both wireless from my iPhone as well as from a wired laptop with a Gigabit ethernet adapter.

I tried LZ4 compression (default is no compression) to see if it would improve performance, but it doesn't really matter that much (it seems, give or take, 2~3 Mbit faster).
I'm aware that ProtonVPN is not the fastest out there, but speed is not my main concern. However, being able to utilize only 1/8 of the bandwidth provided by my ISP seems very slow.

Any suggestions on how to improve performance?
 
It'll just be a limitation of your router CPU. You could try overclocking (my 87U pushed to 1.4 GHz could get 40-45 with NordVPN), but my AC86U (which has hardware encryption support) gets my full 70 Mbps (the router can get up to 200 without a sweat, IIRC).

You could try dropping cipher strength to 128 in place of 256/higher if not already as well
 
Oh, wow... Wasn't aware speed was about to drop so far. Overclocking isn't really my thing, I'd rather leave some headroom instead of pushing it to its limits. It's also still within 2-years warranty, so I'd rather not fiddle that deep under the hood...

Regarding lowering the cipher strength: which setting would I need to change? I tried changing Legacy/fallback cipher to 128, but in syslog it still showed 256 after I restarted the OpenVPN client:

Code:
Sep 16 21:28:11 ovpn-client5[12220]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 16 21:28:11 ovpn-client5[12220]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 16 21:28:11 ovpn-client5[12220]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Is that the right setting or am I looking in the wrong place?

My current config:

1vC0All.png


Thanks in advance.

Marco
 
You'd need to remove 256 ciphers from negotiable as well. Back up the cipher list before doing so - ProtonVPN may not support lower than 256. Do this at a time when network activity can be disrupted, as the VPN tunnel may fail to connect until the full cipher list is restored!
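
A way to confirm which data-channel cipher the tunnel really negotiated after changing the cipher settings discussed above, as an added example that is not part of any post in this thread. The function names and the expected value AES-128-GCM are assumptions; the sample input is the three syslog lines quoted earlier.

```shell
#!/bin/sh
# Added example (not from the thread): read OpenVPN client syslog lines on
# stdin and report which data-channel cipher was actually negotiated.
# Function names and the expected cipher below are assumptions.

# Constructed sample: the three syslog lines quoted in the thread.
SAMPLE_LOG="Sep 16 21:28:11 ovpn-client5[12220]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 16 21:28:11 ovpn-client5[12220]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 16 21:28:11 ovpn-client5[12220]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA"

# negotiated_data_ciphers CLIENT_TAG
# Prints "Incoming <cipher>" / "Outgoing <cipher>" from the latest matching lines.
negotiated_data_ciphers() {
    awk -v tag="$1[" '
        index($0, tag) && / Data Channel: Cipher / {
            n = split($0, q, "\047")        # cipher name sits between single quotes
            if (n < 3) next                 # malformed line: skip it
            dir = ($0 ~ /Outgoing Data Channel/) ? "Outgoing" : "Incoming"
            last[dir] = q[2]                # later lines overwrite earlier ones
        }
        END {
            if ("Incoming" in last) print "Incoming", last["Incoming"]
            if ("Outgoing" in last) print "Outgoing", last["Outgoing"]
        }'
}

# check_cipher CLIENT_TAG EXPECTED_CIPHER
# Exit status: 0 both directions match, 1 mismatch, 2 no data-channel lines seen.
check_cipher() {
    found=$(negotiated_data_ciphers "$1")
    [ -n "$found" ] || { echo "no data-channel lines for $1"; return 2; }
    status=0
    while read -r dir cipher; do
        if [ "$cipher" != "$2" ]; then
            echo "MISMATCH $dir: negotiated $cipher, expected $2"
            status=1
        fi
    done <<EOF
$found
EOF
    return $status
}

# Expecting a 128-bit cipher (assumed AES-128-GCM) while the log shows 256:
printf '%s\n' "$SAMPLE_LOG" | check_cipher ovpn-client5 AES-128-GCM || true
```

Feed it the router's syslog instead of the sample after each settings change; a mismatch means the server and client still agreed on a cipher from the negotiable list rather than the fallback one.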
 
