
OpenVPN performance of the RT-AC86U

Discussion in 'VPN' started by RMerlin, Sep 14, 2017.

  1. cloudbuster

    cloudbuster Occasional Visitor

    Joined:
    Jan 26, 2012
    Messages:
    40
    Merlin question
    For the killswitch
    Would I have to add the IP and the Subnet mask?
    IP starts with 192..
    Subnet with 255...

    or would the IP cover everything?

    Thanks.
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    I don't understand what you mean - the killswitch is just an enable/disable toggle, there's no IP configuration involved.
     
  3. cloudbuster

    cloudbuster Occasional Visitor

    Joined:
    Jan 26, 2012
    Messages:
    40
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    That's not for the killswitch specifically, but rather to determine which clients you want routed through the tunnel.

    If you only want to route one specific client, then you can just enter its IP, no need for a netmask.
     
  5. cloudbuster

    cloudbuster Occasional Visitor

    Joined:
    Jan 26, 2012
    Messages:
    40
    Thanks,

    Oh I see, so doing it that way, that’s when everything would be connected using the VPN?

    Step 3 makes it sound that if not enabled it won’t work:
    “Block routed clients if tunnel goes down”
    So if no IPs are specified would it still block them from the internet?


    Just enable on step 2 and save exit?
     
  6. JJQuin

    JJQuin Regular Contributor

    Joined:
    Jan 10, 2018
    Messages:
    54
    Location:
    USA
    As I understand it, the Kill Switch can only be activated if you turn on Policy Rules or Policy Rules (Strict). The Kill Switch only affects the devices whose IP addresses are set in the Policy Rules below it to use the VPN (Iface = VPN). If you want one specific device to use the VPN then just enter its IP address under source IP, leave the destination IP blank and set the Iface to VPN. If you want all your devices to use the VPN then enter 192.168.50.1/24 or your network's IP address if it is different.

    If you want all but a few devices to use the VPN then first setup your whole network (again 192.168.50.1/24 or your IP range), then make exception rules for the devices to bypass it and set their Iface = VPN.

    I have mine setup as follows

    Description - Source IP - Destination IP - Iface
    Whole network - 192.68.50.1/24 - (destination blank) - VPN
    Exceptions - 192.168.50.1/28 - (destination blank) - WAN

    All devices between addresses 1 and 15 will bypass the WAN. I use this for testing purposes: if I run into an issue with a website, I can set my PC's IP address to one of the addresses, then test without the VPN without having to turn the VPN off.
     
    JoeBee likes this.
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    If no IP is specified, then both policy routing and the killswitch will have no effect - default policy is to use the WAN.
     
    JoeBee likes this.
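
An added example (not code from any poster or from the firmware) that models the policy rules discussed in the two posts above, so you can check which clients end up on the VPN, on the WAN, or blocked by the killswitch. The function names, the sample client list, and the precedence model (a matching WAN rule overrides a matching VPN rule; with the killswitch off, routed clients fall back to the WAN when the tunnel drops) are assumptions made for illustration.

```python
import ipaddress

# Rules as (description, source, iface), using the values from the posts above.
RULES = [
    ("Whole network", "192.168.50.1/24", "VPN"),
    ("Exceptions", "192.168.50.1/28", "WAN"),
]

# Constructed sample clients for the audit below.
CLIENTS = ["192.168.50.5", "192.168.50.15", "192.168.50.16", "192.168.50.200"]


def parse_rules(rules):
    """Convert source strings to networks. strict=False accepts a host address
    with a prefix (192.168.50.1/24 -> 192.168.50.0/24); a bare IP becomes /32."""
    return [(d, ipaddress.ip_network(s, strict=False), i) for d, s, i in rules]


def route_for(client, rules, tunnel_up=True, killswitch=True):
    """Return 'VPN', 'WAN' or 'BLOCKED' for one client IP.

    Assumption: a matching WAN rule wins over a matching VPN rule.
    A client matched by no rule uses the WAN, and the killswitch never
    applies to it.
    """
    ip = ipaddress.ip_address(client)
    matches = [iface for _, net, iface in parse_rules(rules) if ip in net]
    if "WAN" in matches or not matches:
        return "WAN"
    if tunnel_up:
        return "VPN"
    # Assumption: without the killswitch, routed clients fall back to the WAN.
    return "BLOCKED" if killswitch else "WAN"


def unprotected(clients, rules):
    """Clients that still reach the internet over the WAN while the tunnel is
    down, even with the killswitch enabled."""
    return [c for c in clients if route_for(c, rules, tunnel_up=False) == "WAN"]


if __name__ == "__main__":
    for c in CLIENTS:
        print(c, route_for(c, RULES), route_for(c, RULES, tunnel_up=False))
    print("not covered by killswitch:", unprotected(CLIENTS, RULES))
```
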
  8. maxbraketorque

    maxbraketorque Very Senior Member

    Joined:
    Dec 6, 2015
    Messages:
    692
    When using the AC86U as a VPN server with the latest ASUS firmware (384.20308), data rates from my home network to the remote device (MacBook Pro running OpenVPN) are highly variable from moment to moment. I see about 2-4 seconds of data coming in at the full outbound speed of my home network connection to the internet, and then all flow stops or slows down greatly for 1-2 seconds, and then speeds jump back up. In comparison, if I transfer data via a VNC connection that uses 128 bit encryption, I get non-stop full saturation of the outbound speed of my home network connection to the internet. The OpenVPN server settings on my AC86U are AES-128-CBC, SHA1, and 2048 bits. It's not particularly heavy duty settings by current secure standards, so I was hoping that VPN performance would be good, but maybe I'm wrong on this? One thing I have noticed is that 20308 is significantly better than 10007, but still far from what I see over VNC. Any thoughts as to what can be changed to improve the speeds?
     
  9. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,748
    Location:
    The Land of Smiles
    I can't help with your specific situation. But I noticed a similar speed issue with VPN over WiFi when compared to using an ethernet connection.

    I recently converted an old PC into a pfSense router that has a CPU that supports AES-NI. My VPN speeds are near line speeds when using Ethernet. But the improvement over WiFi is not as noticeable. My theory is that the WiFi is encrypting the packets that are already encrypted by the VPN, and this slows things down. Just a theory. Kind of similar to being connected to a VPN server, then opening up another tunnel to a second site - VPN within a VPN. The performance to the second site will not be as responsive and will be sluggish.
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    And for the sake of comparing, here are the benchmark results of the RT-AC86U running IPSEC:

    Code:
    P:\Tools>iperf -c 192.168.1.51 -M 1400 -N -t 30
    ------------------------------------------------------------
    Client connecting to 192.168.1.51, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [292] local 10.10.10.1 port 2754 connected with 192.168.1.51 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [292]  0.0-30.0 sec  1.07 GBytes    307 Mbits/sec
    
    The endpoints were my i7 desktop running the client + iperf client, and my laptop was running the iperf server. IPSEC server was on the RT-AC86U between the two.

    That's using a fairly straightforward aarch64 build of OpenSSL:

    Code:
    compiler: /opt/toolchains/crosstools-aarch64-gcc-5.3-linux-4.1-glibc-2.22-binutils-2.25/usr/bin/aarch64-buildroot-linux-gnu-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -DL_ENDIAN -O3 -march=armv8-a -fomit-frame-pointer -mabi=lp64 -ffixed-r8 -D__ARM_ARCH_8A__ -ffunction-sections -fdata-sections -O3 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
    
    Might be interesting next to retest it with cryptodev + bcmspu (the Broadcom crypto engine driver) to see if it brings a more positive impact than it did with OpenVPN (where bcmspu reduced performance). I suspect results won't be any better due to the cryptodev overhead.
     
    Last edited: Feb 21, 2018
    JoeBee and Xentrk like this.
  11. iamlee2002

    iamlee2002 New Around Here

    Joined:
    Feb 21, 2018
    Messages:
    3
    Hi, I've had this router now for over a month. At first, after it was configured, the speeds used to max my cable connection (200 down); however, now I'm only getting half of this. Have tried different VPN providers, still the same. I have restored it and updated it, still the same. Can anyone suggest the optimum settings to increase the speed? I'm with privateinternetaccess, have followed their setup etc., does not improve anything. In the Custom config part I have the following:

    tls-client
    remote-cert-tls server
    disable-occ
    auth-nocache
    sndbuf 524288
    rcvbuf 524288
    push "sndbuf 524288"
    push "rcvbuf 524288"

    Shall I remove / add anything to this? I have now upgraded my speed to a 350mb line and it achieves almost 400 without VPN.

    Thanks in advance for any help, much appreciated
     
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    Remove those buffer tweaks, and make sure you use Client 1, 3 or 5 for best CPU allocation. Clients 2 and 4 will share CPU time with other network services.
     
    JoeBee likes this.
  13. iamlee2002

    iamlee2002 New Around Here

    Joined:
    Feb 21, 2018
    Messages:
    3
    [​IMG]
    [​IMG]
    [​IMG]

    does that all look good to you
     
    Marin likes this.
  14. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,391
    You can try adding the following:

    fast-io

    I also have the following which Merlin suggested you remove:

    sndbuf 524288
    rcvbuf 524288


    Because of the variability in VPN connections it is difficult to determine which changes to a configuration really make a difference in the wild.

    Merlin is running his tests on an internal network so his recommendations are probably more valid than others' recommendations.
     
  15. iamlee2002

    iamlee2002 New Around Here

    Joined:
    Feb 21, 2018
    Messages:
    3
    Ok, many thanks both for the reply, I will give these a try :)
     
  16. doczenith1

    doczenith1 Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    636
    Location:
    MI
    Your values look very close to mine. I have TLS Renegotiation Time set to 0 and Connection Retry set to -1. I am using the settings that I imported for an openvpn config file downloaded from the link below. The fast-io option gave me about a ten percent boost in speed.

    I just ran some tests on the closest PIA to my physical location. I got 180 Mbps down and 285 up. On a server clear across the country I got 90 Mbps down and 94 up. Have you tried different PIA servers? And not all speedtest.net (for example) servers are created equal either. Some are much faster than others. I just tried a different speedtest.net server and got 58 Mbps down and 22 up.

    https://helpdesk.privateinternetacc...een-the-OpenVPN-config-files-on-your-website-
     
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Wifi is half-duplex, and there's no jumbo frames like on the wire...
     
    Xentrk likes this.
  18. jasonho

    jasonho Occasional Visitor

    Joined:
    Jan 23, 2018
    Messages:
    43
    I run an OpenVPN server on the AC86U with Merlin 384.4; my PC is cable-linked to the router. When I test the speed with speedtest.com
    the speed is 936.21 Mbps / 933.61 Mbps,
    but when I set the PC as a VPN client of the router, the speed drops to 93.8 Mbps / 135.2 Mbps. It can't reach 200M.
     
  19. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,391
    When you run a VPN server on your router and connect to it using a VPN client on your PC your connection speed is going to be some percentage of your NON VPN upload speed.

    You listed your download speed, but I am not clear on what your upload speed is. Is it 933.61 Mbps?

    If it is that high I'm not sure if anyone else on this forum has an upload speed that high and can tell you if your speed is good or bad.

    The 200 Mbps you mention is the benchmark best speed certain users on this forum have been getting running a VPN client on their AC86U and connecting to PIA.
     
  20. jasonho

    jasonho Occasional Visitor

    Joined:
    Jan 23, 2018
    Messages:
    43

    Test 1: PC cable to AC86U
    Firefox on PC to http://speedtest3.ofca.gov.hk/peedtest.php?lang=en

    Selection_020.png Selection_021.png
    Test 2: PC (OpenVPN client) - cable -> AC86U (OpenVPN server)
    Firefox test to http://speedtest3.ofca.gov.hk/speedtest.php?lang=en

    With OpenVPN connected, speed is less than 100M, compared to over 900M without VPN.
     
    Last edited: Feb 26, 2018