OpenVPN performance of the RT-AC86U

JoeBee

Regular Contributor
Sabai Technology offers preconfigured mini PCs (VPN Accelerator). Not inexpensive but if you don't want to be bothered setting up a system on your own it is a possibility. You probably can expect to get up to 95% of your line speed using a VPN appliance. Never tested my VPN appliance with a full gig connection but I have no problems getting close to 700 Mbps on a VPN client on my network.

Thanks, that does sound ideal. Trying to get my head around this Sabai VPN accelerator Z device, so it's basically a mini PC with Sabai OS similar to Merlin or Tomato, with policy routing, kill switch, OpenVPN support?

I see the VPN accelerator has only 2 Ethernet ports, one for the router/modem ISP connection I guess and the other for OpenVPN; could a switch be used to hook up other devices, PC, consoles, TV?

Glad you are getting 700Mbps at least, at least it's possible to have good speeds given the issues with VPN providers, OpenVPN, WG, single-core OpenVPN etc.
 

CaptainSTX

Part of the Furniture
It's a credit card accelerator - $620 with VPN Pre-Configuration. :)
Yes, as I mentioned, not inexpensive, but if you go the roll-your-own approach, PCs such as Qotoms from China with an i5 processor and four Ethernet ports are also expensive these days. Using a full-size PC will be more power hungry. A Qotom with a laptop processor uses 14 watts.

Everyone has to decide what their ability level is and what their time is worth. pfSense or another OS is going to have a learning curve. To some people saving $100 - $200 isn't worth the hassle, so a preconfigured option is worth it to them.

In the end if you want VPN speed it comes with a price.
 

sfx2000

Part of the Furniture
It's a credit card accelerator - $620 with VPN Pre-Configuration.

That is a lot of mark-up for what is basically a Zotac Zbox CI329 - one can pick up a barebones box on Amazon for $210 (US), drop in a 4GB DDR stick, along with a 128GB SSD - install Ubuntu on it, and Bob is your uncle - should be a fairly performant box, whether it is OpenVPN or WireGuard...

(oh, BTW - OpenWRT is available for x86/amd64, might be a good place to start)
 

CaptainSTX

Part of the Furniture
Thanks, that does sound ideal. Trying to get my head around this Sabai VPN accelerator Z device, so it's basically a mini PC with Sabai OS similar to Merlin or Tomato, with policy routing, kill switch, OpenVPN support?

I see the VPN accelerator has only 2 Ethernet ports, one for the router/modem ISP connection I guess and the other for OpenVPN; could a switch be used to hook up other devices, PC, consoles, TV?

Glad you are getting 700Mbps at least, at least it's possible to have good speeds given the issues with VPN providers, OpenVPN, WG, single-core OpenVPN etc.
With a powerful enough processor it is possible to get that speed either with WireGuard or OpenVPN. Some VPN providers may not be able to support higher speeds and as always your distance from the server will impact the speed.

If you are interested I suggest that you contact Sabai as their pre and post sale technical support is A+ superior. No script kiddies just very knowledgeable individuals. Ruth Petty can make anything and everything work and if you want assistance she will dial into your system and tweak anything and everything.
 

JoeBee

Regular Contributor
That is a lot of mark-up for what is basically a Zotac Zbox CI329 - one can pick up a barebones box on Amazon for $210 (US), drop in a 4GB DDR stick, along with a 128GB SSD - install Ubuntu on it, and Bob is your uncle - should be a fairly performant box, whether it is OpenVPN or WireGuard...

(oh, BTW - OpenWRT is available for x86/amd64, might be a good place to start)

Thanks, that was one I missed with OpenWRT on x86/amd PC. Had a quick check but it feels similar to pfSense and others so requires a bit of a learning curve; I was more looking for something user friendly and plug and play like Merlin's firmware is.

I have used pfSense off a mini PC but it's a steep learning curve for myself, especially when you factor in policy routing and kill switch and making sure it's rock solid also. Lots of VPN providers have pfSense guides, but they are either outdated, not as secure or miss policy routing etc.
 

JoeBee

Regular Contributor
With a powerful enough processor it is possible to get that speed either with WireGuard or OpenVPN. Some VPN providers may not be able to support higher speeds and as always your distance from the server will impact the speed.

If you are interested I suggest that you contact Sabai as their pre and post sale technical support is A+ superior. No script kiddies just very knowledgeable individuals. Ruth Petty can make anything and everything work and if you want assistance she will dial into your system and tweak anything and everything.

Thanks, I will ask their support my questions and see how it goes. As long as Sabai OS is similar to Asuswrt-Merlin and plug and play with easy policy routing and kill switch, it's probably going to be the best solution for me.
 

JoeBee

Regular Contributor
It's a credit card accelerator - $620 with VPN Pre-Configuration. :)

Thinking about this a bit more, you and sfx have a good point; sounds like this VPN accelerator is just a mini PC box with an OpenVPN client running, which one might be able to do with a much cheaper 2nd hand mini PC or NUC.

I think this accelerator might sit between the ISP router and the Asus 86U, so basically it pumps out full OpenVPN performance since the 86U won't be doing that any longer; maybe then the 86U can just do the policy routing and kill switch business.

Not as network savvy so might be off on that bit.

I think I will try some experimenting and see what I can come up with; at least I know I can simply set my PC or another device to WAN (clear net) and use my client software with Mullvad to get full VPN speeds of 350Mbps+.
 

JoeBee

Regular Contributor
No. It has to be done on the box. I don't know what the software they offer is capable of.

Basically they said the VPN accelerator has 2 Ethernet ports:
Left network port (WAN) connects to the ISP router/modem
Right network port (LAN) connects to the Asus router

All the VPN accelerator does is run OpenVPN; the rest of the firewall and routing stuff, they said, is handled by the Asus 86U, so I think that means the policy routing, kill switch and rest of features.

They quoted $400 for just the software, but this comes with no support or guarantee it would work on any PC, hardware or router setup, so it's pretty much easier to buy the entire accelerator unit.
 

Tech9

Part of the Furniture
so I think that means the policy routing, kill switch and rest of features.

No. You can’t have policy based routing. Your router won’t know you are running VPN. What’s the general idea with this VPN?
 

JoeBee

Regular Contributor
No. You can’t have policy based routing. Your router won’t know you are running VPN. What’s the general idea with this VPN?

OK, that was where I was getting confused; their tech team were a bit vague when I asked them directly if the Asus still does the policy routing and kill switch alongside the VPN accelerator, since that was my main buying point.

General idea with my VPN setup was just to try and get my full bandwidth speeds with OpenVPN, losing a good 35-40% speeds in general. I prefer the Asus router handling the VPN workload with its kill switch, but sure, I can set my PC to WAN (clear net) and simply use the client software to get max speeds. I think that is the easiest and cheapest option.
 

Tech9

Part of the Furniture
I don't run VPN client on my firewall. VPN is used when needed and on-device. My advice to you is to do the same.
 

PR3MIUM

Regular Contributor
Got upgraded to 350Mbps free from my ISP today; Asus AC86U still only getting 186Mbps while under Mullvad VPN OpenVPN though. If I go with normal internet connection WAN and Mullvad software I hit 340Mbps though, so the server appears fine.

I take it there is not much I can do and I am limited by the Asus AC86U processor here?

Have tried 384.19, 386.3, 386.4 beta firmwares also, QoS and AI switched off also.

SIP and DOCSIS, users without VPN are coming first (called burning the wire/line).
For me 150Mbits over VPN max. with a 250Mbits without.
 

BosseSwede

Regular Contributor
Picking up this thread I just found...
I have two locations (home and cottage) where I have had fiber at home for 8 years and just got fiber at the cottage.
At home I use an ASUS RT-AC86U (the topic of this thread) and at the cottage I have set up an ASUS RT-AC68U.
The cottage LAN and the home LAN use different network IP ranges (192.168.117.x and 192.168.119.x).
The cottage router connects to my home OpenVPN server (an Ubuntu Server 20.04.3) in order to connect the cottage LAN to the home LAN for all devices there.
And I have a ccd directive that issues an iroute when the cottage LAN connects in order for the home LAN devices to be able to access the cottage LAN devices.
Finally I have a route entry on my home router to direct the 192.168.117.x traffic via the OpenVPN server.
The VPN connection is only for the home LAN so all other traffic on the cottage LAN will travel through the router gateway to the Internet.

This works well in principle but transfers are a bit slow...

This is what I have done in the server side conf regarding cipher and routing etc after reading posts on page 2 of this thread:

Code:
cipher AES-256-CBC
#Disable compression and push this to the client
comp-lzo no
push "comp-lzo no"
client-config-dir /etc/openvpn/ccdl
route 192.168.117.0 255.255.255.0
client-to-client
push "route 192.168.117.0 255.255.255.0"

Additionally I have this in the ccd directive for the cottage router client where I have changed the cipher according to page 2 of this thread:

Code:
iroute 192.168.117.0 255.255.255.0
#Disable compression and push it to the client
comp-lzo no
push "comp-lzo no"
#Set different cipher for the ASUS router client
cipher AES-128-GCM
push "cipher AES-128-GCM"

And finally I have this in the client ovpn file:
Code:
cipher AES-256-CBC
comp-lzo

The client ovpn file was installed in the router before I was aware of the transfer speed problems, that is why I have now changed it on the server side so it pushes the new cipher and comp settings on connection.

And this raises the question:
How can I check that this works?
The cottage is 100 km away and was set up with the fiber installation on Feb 9th, so now I have only LAN-LAN connectivity to it...

If I stop the VPN server service then the connection will obviously stop working, but I think that the client keeps on running for reconnection asap and I don't know if it will re-read the ovpn file content when it does.
Nor do I know if the server side will regard the reconnection as a new connection and push the new settings according to the ccd settings...

Any suggestions on how to proceed to get this working with the faster cipher?
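
One way to check remotely whether the pushed settings took effect, as an added example that is not part of the original post: read the OpenVPN server log for the options sent in the client's PUSH_REPLY and for the data channel cipher its session actually initialised. The log lines below are constructed in OpenVPN 2.4 `verb 3` style; the client names `cottage` and `laptop`, the addresses and the helper names `session_state` and `check` are assumptions.

```python
import re

# Constructed server log lines (OpenVPN 2.4 style); names and addresses are made up.
SAMPLE_LOG = """\
Sat Feb 12 10:14:59 2022 laptop/198.51.100.7:40112 SENT CONTROL [laptop]: 'PUSH_REPLY,comp-lzo no,peer-id 1' (status=1)
Sat Feb 12 10:14:59 2022 laptop/198.51.100.7:40112 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Feb 12 10:15:00 2022 cottage/203.0.113.10:51234 SENT CONTROL [cottage]: 'PUSH_REPLY,comp-lzo no,cipher AES-128-GCM,peer-id 0' (status=1)
Sat Feb 12 10:15:00 2022 cottage/203.0.113.10:51234 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sat Feb 12 10:15:00 2022 cottage/203.0.113.10:51234 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
"""

PUSH_RE = re.compile(r"SENT CONTROL \[(?P<cn>[^\]]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")
CIPHER_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ (?:Outgoing|Incoming) Data Channel: Cipher '(?P<cipher>[^']+)'"
)

def session_state(log_text):
    """Return {client: {"pushed": {...}, "cipher": str}} from the latest lines per client."""
    state = {}
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            pushed = {}
            for opt in m["opts"].split(","):
                key, _, value = opt.partition(" ")  # "comp-lzo no" -> ("comp-lzo", "no")
                pushed[key] = value
            state.setdefault(m["cn"], {"pushed": {}, "cipher": None})["pushed"] = pushed
            continue
        m = CIPHER_RE.search(line)
        if m:
            state.setdefault(m["cn"], {"pushed": {}, "cipher": None})["cipher"] = m["cipher"]
    return state

def check(log_text, client, want_cipher, want_comp="no"):
    """Return a list of problems for one client; an empty list means the settings applied."""
    s = session_state(log_text).get(client)
    if s is None:
        return [f"{client}: no session found in log"]
    problems = []
    if s["cipher"] != want_cipher:
        problems.append(f"{client}: data channel cipher is {s['cipher']}, wanted {want_cipher}")
    if s["pushed"].get("comp-lzo") != want_comp:
        problems.append(f"{client}: comp-lzo {want_comp!r} was not pushed")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_LOG, "cottage", "AES-128-GCM") or "cottage: OK")
```

Against a real server, pass the contents of the OpenVPN log (or the unit's journal output) instead of `SAMPLE_LOG`; only the message part of each line is matched, so a different timestamp prefix does not matter.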
 

doczenith1

Very Senior Member
I'm no expert here so hopefully the smart folks will chime in and correct any erroneous statements that I may make.

In my limited research it seems as if the ChaCha20-Poly1305 cipher performs better on non-AES-NI capable routers (AC68U) than the GCM ciphers which perform better on AES-NI capable routers (AC86U). It may be worth a few minutes of your time to test the ChaCha20-Poly1305 cipher and see if you get any performance gains.

I also on occasion use my old 68U to connect to my 86U via a VPN and if my memory serves me correctly (it's been a while since I tested) the ChaCha20-Poly1305 cipher had similar speeds downloading from the 86 to the 68 but uploads were quite a bit faster.
 

L&LD

Part of the Furniture
Small correction. It's just 'AES', AES-NI is for Intel CPUs.
 
