1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

OpenVPN performance of the RT-AC86U

Discussion in 'VPN' started by RMerlin, Sep 14, 2017.

  1. Sting

    Sting New Around Here

    Joined:
    Aug 31, 2018
    Messages:
    4
    Also saw a new one, is that any better for gaming or Open Vpn speeds ?
    GT-AX11000
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,410
    Location:
    Canada
    Nobody can tell since the product isn't out yet.
     
    Sting likes this.
  3. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,748
    Location:
    The Land of Smiles
    If OpenVPN speed is the primary use case and if you can afford it, you should look at the Netgate SG-5100. CPU is Quad Core Intel® Atom™ C3558 2.2 GHz, with AES-NI and Intel QuickAssist acceleration. There are good benchmark reports on the CPU for OpenSSL performance. It will satisfy the requirements you posted and exceed them. You can use an Asus router as a WiFi Access Point.
     
    JoeBee and nodnarb91 like this.
  4. Sting

    Sting New Around Here

    Joined:
    Aug 31, 2018
    Messages:
    4
    Cannot afford that mate :(
     
  5. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,748
    Location:
    The Land of Smiles
    I converted an old Windows 7 PC with an i5 Intel CPU to a pfSense appliance. Just look for an Intel CPU with AES-NI. Maybe able to purchase a used one from a friend who had an old PC sitting in a closet. I just had to purchased another NIC for around $15.
     
    JoeBee and nodnarb91 like this.
  6. Sting

    Sting New Around Here

    Joined:
    Aug 31, 2018
    Messages:
    4
    Sounds cool ?

    * Where would this PC go ? connect to the main Fibre box ? then into a router (AC88u) to be shared by the house ?

    * I would need to get a pc with Intel CPU with AES-NI (win 10 OK ?)

    * Then install PF sense software ?
     
  7. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,748
    Location:
    The Land of Smiles
    Here is my network layout.
    Code:
    Fiber--->ISP Supplied Modem/Router-->pfSense (WAN Port)
    pfSense (LAN Port) --> 8 port Switch --> Asuswrt-Merlin Router for WIFI Access Point
    ......................................-> out to streaming media devices
    ......................................-> Raspberry PI
    
    One NIC is used for WAN and the other for LAN. Connect the LAN cable to a switch. I had to call the ISP to configure the ISP Supplied Modem/Router to Bridge Mode. I used to be able to do this myself. One phone call and 10 minutes later it's done.

    The ISP supplied modem/routers are required for the fiber port connection. Bridge modem turns them into a modem which passes thru the connection to the main router.

    I have done the same at other sites I support. But use Asus routers connected to the ISP supplied modem/router.
     
    Last edited: Sep 2, 2018
  8. Rpony

    Rpony Occasional Visitor

    Joined:
    Jan 20, 2015
    Messages:
    25
  9. Rpony

    Rpony Occasional Visitor

    Joined:
    Jan 20, 2015
    Messages:
    25
    Update, I got the above running but it's killing my download speed. It's down from 100down to 25down.
    Does anyone have a better config they can share? I'm with PIA.
     
  10. Rpony

    Rpony Occasional Visitor

    Joined:
    Jan 20, 2015
    Messages:
    25
    Does nobody have this setup currently?
    Merlin, how did you speed test with this arrangement?
     
  11. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,391
    Here are the settings I am using on PIA. I am running it on an AC1900 so I don't get nearly the speed you would expect on an 86U

    Here is how I would go about setting it up:

    Download OVPN files from PIA.

    Unzip the file for the server you want to use.

    In the VPN client that you want to run this file on, upload the ovpn file. (1,3 or 5 recommended so the VPN runs on a core not being used for other router functions.)

    Add your user name and password

    Add the last three lines in my custom file to your custom settings if necessary

    Check your other settings to see if they match up with mine. The last two in advanced settings our your choice depending on what you want to accomplish.

    Note that the further your VPN server is from your actual location the slower your VPN speed. PIA offers decent speed. I run another instance of PIA on a VPN server running on a mini PC with an I7 processor and when connected to a VPN server within 500 miles I regularly get download speeds of 275/285 Mbps.

    Hope this helps you get better speeds.

    upload_2018-9-6_15-14-19.png



    tls-client
    remote-cert-tls server
    auth-nocache
    disable-occ
    pull-filter ignore "auth-token"
    pull-filter ignore "ipconfig-ipv6"
    pull-filter ignore "route-ipv6"
    explicit-exit-notify 2
    ifconfig-nowarn
    persist-key
    fast-io
    sndbuf 524288
    rcvbuf 524288
     
  12. pusb87

    pusb87 Regular Contributor

    Joined:
    Dec 15, 2016
    Messages:
    67
    as per @CaptainSTX follow his guidelines
    I have an RT AC86U and use PIA as my vpn provider
    here are my settings
    Capture.JPG
    and my custome config is very similar

    resolv-retry infinite
    tls-client
    remote-cert-tls server
    disable-occ
    mute-replay-warnings
    pull-filter ignore "auth-token"
    pull-filter ignore "ifconfig-ipv6"
    pull-filter ignore "route-ipv6"
    sndbuf 524288
    rcvbuf 524288


    My ISP is 200 down 12 up and with these settings i get more or less the full speed.

    Capture2.JPG
     
    JoeBee and nodnarb91 like this.
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,410
    Location:
    Canada
    Iperf, with both client and server within my LAN.


    Sent from my Nexus 5X using Tapatalk
     
  14. ludnell

    ludnell New Around Here

    Joined:
    Oct 5, 2018
    Messages:
    3
    Hello everyone.

    I'm getting 250/250 fiber connection to my apartment next week and have been looking into getting VPN straight into the AC86U.

    Where do I start? I assume getting an OpenVPN subscription and the router itself would be the first step but whats the second here. Can I set it up using the factory firmware or do I need the Merlin (or any other firmware) software installed on the router to get the results that been presented in this thread?

    First post btw. Currently studying CCNA courses so hopefully I'll be able to set this up properly.

    Edit: Are there any tests done with the AC88U? You guys know how it stands compared to AC86U? I dont mind getting a more expensive one.
     
  15. pusb87

    pusb87 Regular Contributor

    Joined:
    Dec 15, 2016
    Messages:
    67
    Yes, you will need a VPN provider and the router. Most seem to reccomend the AC 86U as having better performance over the AC88U.

    Most are probably using Merlins firmware as it gives additional useful features over and above the stock Asus firmware.
     
    Last edited: Oct 6, 2018
  16. doczenith1

    doczenith1 Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    636
    Location:
    MI
    I used to own the AC88U's little brother the AC3100. (same router as 88U minus 4 ethernet ports). My vpn results are below. All tests using AES-128-CBC.

    AC3100 (1.4 Ghz dual core)
    CTF (Cut Through Forwarding NAT Acceleration)
    DL: 61 Mbps with core 1 at 25%, core 2 at 75%
    UL: 84 Mbps with core 1 at 35%, core 2 at 100%

    AC86U (1.8 Ghz dual core)
    Flow Cache enabled
    DL: 223 Mbps with core 1 at 35%, core 2 at 70%
    UL: 233 Mbps with core 1 at 55%, core 2 at 90%

    Note that despite the numbering scheme the 86U is a newer and more power router than the 88U.
     
    Last edited: Oct 11, 2018
    JoeBee likes this.
  17. doczenith1

    doczenith1 Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    636
    Location:
    MI
    Set a new speed record tonight on my 86U (384.7). I updated my PIA config to use the AES-128-GCM cipher. I wasn't sure what to set Auth digest to with GCM so I set it to default. Compression is set to none but I think I remember from another post that the server sets it anyway and most likely to none. I also have fast-io in my custom config. My best download speed was 242 Mbps.

    [​IMG]
     
    JoeBee likes this.
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,410
    Location:
    Canada
    With GCM ciphers the digest is not used.
     
  19. doczenith1

    doczenith1 Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    636
    Location:
    MI
    That was my understanding. I just wasn't sure if default or none would be the best choice.
     
  20. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    377
    @RMerlin

    Openvpn 2.5 will support Chacha20-Poly1305 in data channel.

    https://github.com/OpenVPN/openvpn/...3e94b68#diff-cd48a9282e5d5c787dacbd9d65e68ea8

    Code:
    @RT-AC86U-69B8:/tmp/mnt/opt/entware# /opt/sbin/openvpn --version
    OpenVPN 2.5_git aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
    library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
    Originally developed by James Yonan
    Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
    
    Code:
    @RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher chacha20-poly1305
    Mon Oct 15 23:36:40 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    real    0m 11.36s
    user    0m 11.33s
    sys     0m 0.00s
    @RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
    Mon Oct 15 23:37:00 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    real    0m 10.55s
    user    0m 10.50s
    sys     0m 0.01s
    @RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
    Mon Oct 15 23:37:14 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    real    0m 10.62s
    user    0m 10.58s
    sys     0m 0.01s
    
    I tested on RT-AC86U, its speed didn't above aes-gcm since AC86U support aes acceleration.
    But I think other supported models will earn better speed from chacha20-poly1305.
    Is there no way to work around limitation of built-in openssl 1.0.2, really?