OpenVPN performance of the RT-AC86U

cloudbuster

Occasional Visitor
Merlin question
For the killswitch
Would I have to add the IP and the Subnet mask?
IP starts with 192..
Subnet with 255...

or would the IP cover everything?

Thanks.
 

RMerlin

Asuswrt-Merlin dev
I don't understand what you mean - the killswitch is just an enable/disable toggle, there's no IP configuration involved.
 

RMerlin

Asuswrt-Merlin dev
That's not for the killswitch specifically, but rather to determine which clients you want routed through the tunnel.

If you only want to route one specific client, then you can just enter its IP, no need for a netmask.
 

cloudbuster

Occasional Visitor
Thanks,

Oh I see, so doing it that way, that’s when everything would be connected using the VPN?

Step 3 makes it sound that if not enabled it won’t work:
“Block routed clients if tunnel goes down”
So if no IPs are specified would it still block them from the internet?


Just enable on step 2 and save exit?
 

JJQuin

Regular Contributor
As I understand it, the Kill Switch can only be activated if you turn on Policy Rules or Policy Rules (Strict). The Kill Switch only affects the devices whose IP addresses are set in the Policy Rules below it to use the VPN (Iface = VPN). If you want one specific device to use the VPN, then just enter its IP address under source IP, leave the destination IP blank and set the Iface to VPN. If you want all your devices to use the VPN, then enter 192.168.50.1/24 or your network's IP address if it is different.

If you want all but a few devices to use the VPN, then first set up your whole network (again 192.168.50.1/24 or your IP range), then make exception rules for the devices to bypass it and set their Iface = VPN.

I have mine set up as follows:

Description - Source IP - Destination IP - Iface
Whole network - 192.68.50.1/24 - (destination blank) - VPN
Exceptions - 192.168.50.1/28 - (destination blank) - WAN

All devices between addresses 1 and 15 will bypass the WAN. I use this for testing purposes: if I run into an issue with a website, I can set my PC's IP address to one of the addresses, then test without the VPN without having to turn the VPN off.
 

RMerlin

Asuswrt-Merlin dev
So if no IPs are specified would it still block them from the internet?
If no IP is specified, then both policy routing and the killswitch will have no effect - default policy is to use the WAN.
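
The policy-rule behaviour described in the posts above, as an added example that is not part of the thread and not Asuswrt-Merlin's own code. It assumes that the narrowest matching source rule wins and that a VPN-routed client falls back to the WAN when the tunnel is down and the killswitch is off; `RULES` and `route_for` are hypothetical names.

```python
import ipaddress

# Rules in the shape JJQuin describes: (description, source IP, Iface).
# Destination is left blank in the thread, so it is omitted here.
RULES = [
    ("Whole network", "192.168.50.1/24", "VPN"),
    ("Exceptions", "192.168.50.1/28", "WAN"),
]

def route_for(client_ip, rules, tunnel_up=True, killswitch=True):
    """Return 'VPN', 'WAN' or 'BLOCKED' for one LAN client."""
    addr = ipaddress.ip_address(client_ip)
    matches = []
    for _desc, source, iface in rules:
        # strict=False accepts networks written with host bits set
        # (192.168.50.1/24); a bare IP with no netmask becomes a /32.
        net = ipaddress.ip_network(source, strict=False)
        if addr in net:
            matches.append((net.prefixlen, iface))
    if not matches:
        # No rule covers this client: default policy is the WAN, and the
        # killswitch has no effect on it.
        return "WAN"
    # ASSUMPTION: the narrowest (longest-prefix) rule decides.
    _prefix, iface = max(matches, key=lambda m: m[0])
    if iface == "VPN" and not tunnel_up:
        # "Block routed clients if tunnel goes down" only applies to
        # clients that a rule sends through the VPN.
        # ASSUMPTION: with the option off, the client reverts to the WAN.
        return "BLOCKED" if killswitch else "WAN"
    return iface

if __name__ == "__main__":
    for ip in ("192.168.50.10", "192.168.50.100"):
        for up in (True, False):
            print(ip, "tunnel_up=%s" % up, "->", route_for(ip, RULES, tunnel_up=up))
```
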
 

maxbraketorque

Very Senior Member
When using the AC86U as a VPN server with the latest ASUS firmware (384.20308), data rates from my home network to the remote device (Macbook Pro running OpenVPN) are highly variable from moment to moment. I see about 2-4 seconds of data coming in at the full outbound speed of my home network connection to the internet, and then all flow stops or slows down greatly for 1-2 seconds, and then speeds jump back up. In comparison, if I transfer data via a VNC connection that uses 128 bit encryption, I get non-stop full saturation of the outbound speed of my home network connection to the internet. The OpenVPN server settings on my AC86U are AES-128-CBC, SHA1, and 2048 bits. It's not particularly heavy duty settings by current secure standards, so I was hoping that VPN performance would be good, but maybe I'm wrong on this? One thing I have noticed is that 20308 is significantly better than 10007, but still far from what I see over VNC. Any thoughts as to what can be changed to improve the speeds?
 

Xentrk

Part of the Furniture
I can't help with your specific situation. But I noticed a similar speed issue with VPN over WiFi when compared to using an ethernet connection.

I recently converted an old PC into a pfSense router that has a CPU that supports AES-NI. My VPN speeds are near line speeds when using Ethernet. But the improvement over WiFi is not as noticeable. My theory is that the WiFi is encrypting the packets that are already encrypted by the VPN, and this slows things down. Just a theory. Kind of similar to being connected to a VPN server, then opening up another tunnel to a second site - VPN within a VPN. The performance to the second site will not be as responsive and will be sluggish.
 

RMerlin

Asuswrt-Merlin dev
And for the sake of comparing, here are the benchmark results of the RT-AC86U running IPSEC:

Code:
P:\Tools>iperf -c 192.168.1.51 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 192.168.1.51, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[292] local 10.10.10.1 port 2754 connected with 192.168.1.51 port 5001
[ ID] Interval       Transfer     Bandwidth
[292]  0.0-30.0 sec  1.07 GBytes    307 Mbits/sec
The endpoints were my i7 desktop running the client + iperf client, and my laptop was running the iperf server. IPSEC server was on the RT-AC86U between the two.

That's using a fairly straightforward aarch64 build of OpenSSL:

Code:
compiler: /opt/toolchains/crosstools-aarch64-gcc-5.3-linux-4.1-glibc-2.22-binutils-2.25/usr/bin/aarch64-buildroot-linux-gnu-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -DL_ENDIAN -O3 -march=armv8-a -fomit-frame-pointer -mabi=lp64 -ffixed-r8 -D__ARM_ARCH_8A__ -ffunction-sections -fdata-sections -O3 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
Might be interesting next to retest it with cryptodev + bcmspu (the Broadcom crypto engine driver) to see if it brings a more positive impact than it did with OpenVPN (where bcmspu reduced performance). I suspect results won't be any better due to the cryptodev overhead.
 

iamlee2002

New Around Here
Hi, I've had this router now for over a month. At first, after it was configured, the speeds used to max my cable connection (200 down), however now I'm only getting half of this. I have tried different VPN providers, still the same. I have restored it and updated it, still the same. Can anyone suggest the optimum settings to increase the speed? I'm with privateinternetaccess and have followed their setup etc.; it does not improve anything. In the Custom config part I have the following:

tls-client
remote-cert-tls server
disable-occ
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

Shall I remove / add anything to this? I have now upgraded my speed to a 350mb line and it achieves almost 400 without VPN.

Thanks in advance for any help, much appreciated
 

RMerlin

Asuswrt-Merlin dev
Remove those buffer tweaks, and make sure you use Client 1, 3 or 5 for best CPU allocation. Clients 2 and 4 will share CPU time with other network services.
 

CaptainSTX

Part of the Furniture
You can try adding the following:

fast-io

I also have the following which Merlin suggested you remove:

sndbuf 524288
rcvbuf 524288


Because of the variability in VPN connections it is difficult to determine which changes to a configuration really make a difference in the wild.

Merlin is running his tests on an internal network, so his recommendations are probably more valid than others' recommendations.
 

doczenith1

Very Senior Member
Your values look very close to mine. I have TLS Renegotiation Time set to 0 and Connection Retry set to -1. I am using the settings that I imported for an openvpn config file downloaded from the link below. The fast-io option gave me about a ten percent boost in speed.

I just ran some tests on the closest PIA to my physical location. I got 180 Mbps down and 285 up. On a server clear across the country I got 90 Mbps down and 94 up. Have you tried different PIA servers? And not all speedtest.net (for example) servers are created equal either. Some are much faster than others. I just tried a different speedtest.net server and got 58 Mbps down and 22 up.

https://helpdesk.privateinternetacc...een-the-OpenVPN-config-files-on-your-website-
 

sfx2000

Part of the Furniture
I can't help with your specific situation. But I noticed a similar speed issue with VPN over WiFi when compared to using an ethernet connection.
Wifi is half-duplex, and there's no jumbo frames like on the wire...
 

jasonho

Occasional Visitor
I run an OpenVPN server on the AC86U with Merlin 384.4; my PC is connected to the router by cable. When I test the speed with speedtest.com
the speed is 936.21 Mbps / 933.61 Mbps,
but when I set the PC as a VPN client of the router, the speed drops to 93.8 Mbps / 135.2 Mbps. It can't reach 200M.
 

CaptainSTX

Part of the Furniture
When you run a VPN server on your router and connect to it using a VPN client on your PC your connection speed is going to be some percentage of your NON VPN upload speed.

You listed your download speed, but I am not clear on what your upload speed is. Is it 933.61 Mbps?

If it is that high I'm not sure if anyone else on this forum has an upload speed that high and can tell you if your speed is good or bad.

The 200 Mbps you mention is the benchmark best speed certain users on this forum have been getting running a VPN client on their AC86U and connecting to PIA.
 

jasonho

Occasional Visitor
Test 1: PC cable to AC86U
firefox in pc to http://speedtest3.ofca.gov.hk/peedtest.php?lang=en


Test 2: PC (OpenVPN client) - cable -> AC86U (OpenVPN server)
firefox test to http://speedtest3.ofca.gov.hk/speedtest.php?lang=en

With OpenVPN connected, speed is less than 100M, compared to over 900M without VPN.
 