OpenVPN performance of the RT-AC86U


RMerlin

Asuswrt-Merlin dev
Also saw a new one, is that any better for gaming or Open Vpn speeds ?
GT-AX11000
Nobody can tell since the product isn't out yet.
 

Xentrk

Part of the Furniture
Hi
Contemplating buying the RT-AC86U

I am on Fibre to premises. Dload 100mbps Uload 40mbps, I get up to 97mbps down from US to Aus

I got ExpressVPN. (for US Netflix hulu etc)

I got an AC88U, but 'open VPN' from Aus to US is tragic, between 6 to 24mbps down. (With L2TP i get 30 to 70mbps down)

I also got an Asus tm-ac1900, but sadly bought the incorrect router as it is not AI Mesh compatible (not very tech savvy so the fancy conversions to the 66U was not possible for me)

My main requirements are:

1) Faster 'Open VPN' speeds from US to AUS (prefer between 50 to 90mbps)

2) VPN Tunneling (As I want to have 'Open VPN' for US Netflix & Local Aus Servers for gaming, as pings with VPN are around 300ms) Both at the same time.
Would prefer ASUS standard firmware if possible.

3) AI mesh with 86U as primary, and 88U as secondary AI Mesh router

Thanks
If OpenVPN speed is the primary use case and if you can afford it, you should look at the Netgate SG-5100. CPU is Quad Core Intel® Atom™ C3558 2.2 GHz, with AES-NI and Intel QuickAssist acceleration. There are good benchmark reports on the CPU for OpenSSL performance. It will satisfy the requirements you posted and exceed them. You can use an Asus router as a WiFi Access Point.
 

Sting

Occasional Visitor
If OpenVPN speed is the primary use case and if you can afford it, you should look at the Netgate SG-5100. CPU is Quad Core Intel® Atom™ C3558 2.2 GHz, with AES-NI and Intel QuickAssist acceleration. There are good benchmark reports on the CPU for OpenSSL performance. It will satisfy the requirements you posted and exceed them. You can use an Asus router as a WiFi Access Point.
Cannot afford that mate :(
 

Xentrk

Part of the Furniture
Cannot afford that mate :(
I converted an old Windows 7 PC with an i5 Intel CPU to a pfSense appliance. Just look for an Intel CPU with AES-NI. You may be able to purchase a used one from a friend who has an old PC sitting in a closet. I just had to purchase another NIC for around $15.
 

Sting

Occasional Visitor
Sounds cool ?

* Where would this PC go ? connect to the main Fibre box ? then into a router (AC88u) to be shared by the house ?

* I would need to get a pc with Intel CPU with AES-NI (win 10 OK ?)

* Then install PF sense software ?
 

Xentrk

Part of the Furniture
Sounds cool ?

* Where would this PC go ? connect to the main Fibre box ? then into a router (AC88u) to be shared by the house ?

* I would need to get a pc with Intel CPU with AES-NI (win 10 OK ?)

* Then install PF sense software ?
Here is my network layout.
Code:
Fiber--->ISP Supplied Modem/Router-->pfSense (WAN Port)
pfSense (LAN Port) --> 8 port Switch --> Asuswrt-Merlin Router for WIFI Access Point
......................................-> out to streaming media devices
......................................-> Raspberry PI
One NIC is used for WAN and the other for LAN. Connect the LAN cable to a switch. I had to call the ISP to configure the ISP Supplied Modem/Router to Bridge Mode. I used to be able to do this myself. One phone call and 10 minutes later it's done.

The ISP supplied modem/routers are required for the fiber port connection. Bridge mode turns them into a modem which passes thru the connection to the main router.

I have done the same at other sites I support. But use Asus routers connected to the ISP supplied modem/router.
 

Rpony

Occasional Visitor
Update, I got the above running but it's killing my download speed. It's down from 100down to 25down.
Does anyone have a better config they can share? I'm with PIA.
 

Rpony

Occasional Visitor
Does nobody have this setup currently?
Merlin, how did you speed test with this arrangement?
 

CaptainSTX

Part of the Furniture
Here are the settings I am using on PIA. I am running it on an AC1900 so I don't get nearly the speed you would expect on an 86U

Here is how I would go about setting it up:

Download OVPN files from PIA.

Unzip the file for the server you want to use.

In the VPN client that you want to run this file on, upload the ovpn file. (1,3 or 5 recommended so the VPN runs on a core not being used for other router functions.)

Add your user name and password

Add the last three lines in my custom file to your custom settings if necessary

Check your other settings to see if they match up with mine. The last two in advanced settings are your choice depending on what you want to accomplish.

Note that the further your VPN server is from your actual location the slower your VPN speed. PIA offers decent speed. I run another instance of PIA on a VPN server running on a mini PC with an I7 processor and when connected to a VPN server within 500 miles I regularly get download speeds of 275/285 Mbps.

Hope this helps you get better speeds.

upload_2018-9-6_15-14-19.png




tls-client
remote-cert-tls server
auth-nocache
disable-occ
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 2
ifconfig-nowarn
persist-key
fast-io
sndbuf 524288
rcvbuf 524288
 

pusb87

Regular Contributor
as per @CaptainSTX follow his guidelines
I have an RT AC86U and use PIA as my vpn provider
here are my settings
Capture.JPG

and my custom config is very similar

resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
mute-replay-warnings
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
sndbuf 524288
rcvbuf 524288


My ISP is 200 down 12 up and with these settings i get more or less the full speed.

Capture2.JPG
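
The two custom configs above differ in small ways that are easy to miss by eye, so here is an added example (not from any poster in this thread) that audits a client config for the two hardening directives discussed here and for `pull-filter` entries that can never match. The `PUSHABLE` list is an assumed, non-exhaustive subset of pushable options, both samples are constructed, and the script sees only the text it is given, not whatever the firmware GUI writes on its own.

```python
import shlex

# Hardening directives to require, with the risk when each is absent.
REQUIRED = {
    "remote-cert-tls": "server certificate key usage is not verified",
    "auth-nocache": "username/password stay cached in process memory",
}
# Assumption: non-exhaustive subset of options an OpenVPN server can push.
PUSHABLE = {"auth-token", "ifconfig", "ifconfig-ipv6", "route", "route-ipv6",
            "route-gateway", "redirect-gateway", "dhcp-option", "compress",
            "comp-lzo", "ping", "ping-restart", "topology", "block-outside-dns"}

def parse(text):
    """Yield (directive, argument string) pairs, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            yield name, args.strip()

def audit(text):
    """Return a list of findings for one client config."""
    directives = list(parse(text))
    present = {name for name, _ in directives}
    findings = [f"missing {d}: {why}" for d, why in REQUIRED.items()
                if d not in present]
    for name, args in directives:
        if name != "pull-filter":
            continue
        parts = shlex.split(args)
        if len(parts) != 2 or not parts[1].strip():
            findings.append(f"malformed pull-filter: {args}")
            continue
        # pull-filter matches pushed options by prefix, so a misspelled name
        # silently matches nothing and the pushed option is still applied.
        if not any(opt.startswith(parts[1].split()[0]) for opt in PUSHABLE):
            findings.append(f"pull-filter '{parts[1]}' matches no known pushed option")
    return findings

# Constructed samples modelled on the custom configs in this thread.
SAMPLE_A = (
    'remote-cert-tls server\nauth-nocache\n'
    'pull-filter ignore "auth-token"\npull-filter ignore "ipconfig-ipv6"\n')
SAMPLE_B = 'remote-cert-tls server\npull-filter ignore "ifconfig-ipv6"\n'

if __name__ == "__main__":
    for label, cfg in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, audit(cfg) or "ok")
```

A filter that matches nothing matters here because the IPv6 filters exist to keep pushed IPv6 settings off the tunnel; if one is misspelled, the client accepts the pushed option without any warning.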
 

RMerlin

Asuswrt-Merlin dev
Does nobody have this setup currently?
Merlin, how did you speed test with this arrangement?
Iperf, with both client and server within my LAN.


 

ludnell

New Around Here
Hello everyone.

I'm getting 250/250 fiber connection to my apartment next week and have been looking into getting VPN straight into the AC86U.

Where do I start? I assume getting an OpenVPN subscription and the router itself would be the first step but what's the second here. Can I set it up using the factory firmware or do I need the Merlin (or any other firmware) software installed on the router to get the results that have been presented in this thread?

First post btw. Currently studying CCNA courses so hopefully I'll be able to set this up properly.

Edit: Are there any tests done with the AC88U? You guys know how it stands compared to AC86U? I don't mind getting a more expensive one.
 

pusb87

Regular Contributor
Hello everyone.

I'm getting 250/250 fiber connection to my apartment next week and have been looking into getting VPN straight into the AC86U.

Where do I start? I assume getting an OpenVPN subscription and the router itself would be the first step but what's the second here. Can I set it up using the factory firmware or do I need the Merlin (or any other firmware) software installed on the router to get the results that have been presented in this thread?

First post btw. Currently studying CCNA courses so hopefully I'll be able to set this up properly.

Edit: Are there any tests done with the AC88U? You guys know how it stands compared to AC86U? I don't mind getting a more expensive one.
Yes, you will need a VPN provider and the router. Most seem to recommend the AC86U as having better performance over the AC88U.

Most are probably using Merlin's firmware as it gives additional useful features over and above the stock Asus firmware.
 

doczenith1

Very Senior Member
Edit: Are there any tests done with the AC88U? You guys know how it stands compared to AC86U? I don't mind getting a more expensive one.
I used to own the AC88U's little brother the AC3100. (same router as 88U minus 4 ethernet ports). My vpn results are below. All tests using AES-128-CBC.

AC3100 (1.4 Ghz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC86U (1.8 Ghz dual core)
Flow Cache enabled
DL: 223 Mbps with core 1 at 35%, core 2 at 70%
UL: 233 Mbps with core 1 at 55%, core 2 at 90%

Note that despite the numbering scheme the 86U is a newer and more powerful router than the 88U.
 

doczenith1

Very Senior Member
Set a new speed record tonight on my 86U (384.7). I updated my PIA config to use the AES-128-GCM cipher. I wasn't sure what to set Auth digest to with GCM so I set it to default. Compression is set to none but I think I remember from another post that the server sets it anyway and most likely to none. I also have fast-io in my custom config. My best download speed was 242 Mbps.

 

RMerlin

Asuswrt-Merlin dev

doczenith1

Very Senior Member
That was my understanding. I just wasn't sure if default or none would be the best choice.
 

Odkrys

Senior Member
@RMerlin

Openvpn 2.5 will support Chacha20-Poly1305 in data channel.

https://github.com/OpenVPN/openvpn/...3e94b68#diff-cd48a9282e5d5c787dacbd9d65e68ea8

Code:
@RT-AC86U-69B8:/tmp/mnt/opt/entware# /opt/sbin/openvpn --version
OpenVPN 2.5_git aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Code:
@RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher chacha20-poly1305
Mon Oct 15 23:36:40 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 11.36s
user    0m 11.33s
sys     0m 0.00s
@RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Mon Oct 15 23:37:00 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 10.55s
user    0m 10.50s
sys     0m 0.01s
@RT-AC86U-69B8:/tmp/mnt/opt/entware# taskset -c 1 time /opt/sbin/openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
Mon Oct 15 23:37:14 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 10.62s
user    0m 10.58s
sys     0m 0.01s
I tested on the RT-AC86U; its speed didn't exceed aes-gcm since the AC86U supports AES acceleration.
But I think other supported models will get better speed from chacha20-poly1305.
Is there really no way to work around the limitation of the built-in openssl 1.0.2?
 
