OpenVPN performance question.

[henrikk]

I have access to a private OpenVPN server. When I connect to the server directly from a Mac I get 50Mbps download speeds (the limit of Internet connection). When I configure my RT-N66U to be a client of the same OpenVPN server the download speed is about 10Mbps. Unless I am doing something wrong, the RT-N66U seems to be limited (cpu wise?) to 10Mbps or so.

Are other people seeing similar speeds or better?

Have people experimented with different ciphers to see if they get better speeds?

- Henrik

 

[RMerlin]

Best raw throughput I can get with OpenVPN is 22 Mbits. The router's CPU can't do more than this - I have already optimized as much as I could (original throughput was around 17 MBits).

 

[CaptainSTX]

I have access to a private OpenVPN server. When I connect to the server directly from a Mac I get 50Mbps download speeds (the limit of Internet connection). When I configure my RT-N66U to be a client of the same OpenVPN server the download speed is about 10Mbps. Unless I am doing something wrong, the RT-N66U seems to be limited (cpu wise?) to 10Mbps or so.

Are other people seeing similar speeds or better?

Have people experimented with different ciphers to see if they get better speeds?

- Henrik

The RT-N66U has a fast processor for a router and a fair amount of memory however compared to a newer PC they aren't much. OpenVPN requires a fair amount of proessing so you might want to try PPTP (not very secure but more than adequate if you are just trying to avoid geo blocking ) as it is less processor intensive.

The best solution is to move the VPN processing off your router. Sabai Technology sells a VPN accelerator that attaches to your router and handles the VPN processing. The accelerator has two gigabytes of memory.

I have an accelerator and it works well. I use it attached to an E3000 router setup as an AP behind my N66U. The accelerator is not an inexpensive device at $299 but it does get the job done. The accelerator only works with a VPN router from Sabai running their customized firmware.

Sabai sells the N66U configured with their modified Tomato VPN dual gateway firmware as well as some other router models. The N66U is their top of the line solution.

I needed maximum throughput in my network as not only do I need to run a VPN the nearest server VPN to my location is 1,200 miles which further reduces download speeds.

 

[henrikk]

Best raw throughput I can get with OpenVPN is 22 Mbits. The router's CPU can't do more than this - I have already optimized as much as I could (original throughput was around 17 MBits).

Darn. What then (I ask rhetorically) am I doing wrong? Even turning off encryption ond LZO compression I cannot get much more then 10 to 12 Mbps when I use my RT unit to connect to a fast VPN server.

Are your 22 Mbps when testing the RT as a server or as a client? Or both?

- Henrik

 

[henrikk]

The best solution is to move the VPN processing off your router. Sabai Technology sells a VPN accelerator that attaches to your router and handles the VPN processing. The accelerator has two gigabytes of memory.

Thanks for the suggestion. An accelerator is certainly an option. I have the option of moving my OpenVPN server on to a fast Linux box if I need OpenVPN server performance.... and an hardware accelerator is another option.

In any case, part of my question is testing to see at what point I need to find alternative solutions.

- Henrik

 

[RMerlin]

Darn. What then (I ask rhetorically) am I doing wrong? Even turning off encryption ond LZO compression I cannot get much more then 10 to 12 Mbps when I use my RT unit to connect to a fast VPN server.

Are your 22 Mbps when testing the RT as a server or as a client? Or both?

- Henrik

Could be that your provider uses a stronger key than in my tests. I used either a 512 bits or 1024 bits key, I don't remember. The router was acting as a server.

Your provider could also be the one limiting bandwidth.

 

[henrikk]

Could be that your provider uses a stronger key than in my tests. I used either a 512 bits or 1024 bits key, I don't remember. The router was acting as a server.

Your provider could also be the one limiting bandwidth.

I control the OpenVPN server (the provider). When I use OpenVPN from a laptop "client" connected to the OpenVPN server my speeds are 50 Mbps+. When I use the router as OpenVPN client connected to the same OpenVPN server my speeds are 10 or 12 Mbps+. I can turn off encryption and compression on both ends and the speeds do not change much. When I observe the CPU activity inside the router while this is happening I do not see the CPU maxed out, so I do not think my bandwidth is limited by CPU. I would expect the CPU to be the limiting factor when I hit 20 Mbps+.

I have not tested the throughput if I use my RT unit as an OpenVPN server. I may need to do this to see if I see the speeds you observe when the RT unit is a server.

Have you tested throughput using the RT as an OpenVPN client to a fast external OpenVPN server?

- Henrik

 

[somms]

FWIW: Shibby's Tomato firmware for the RT-N66U doesn't provide any better OpenVPN throughput than Merlin's...



Normal (bypassing OpenVPN tunnel) WAN throughput




Connected thru OpenVPN tunnel

 

[henrikk]

FWIW: Shibby's Tomato firmware for the RT-N66U doesn't provide any better OpenVPN throughput than Merlin's...

This helps a lot! Still do not quite understand why the performance is this poor, but it good to know I am not the exceptions.

Thanks somms for these numbers.

- Henrik

 

[netware5]

I control the OpenVPN server (the provider). When I use OpenVPN from a laptop "client" connected to the OpenVPN server my speeds are 50 Mbps+. When I use the router as OpenVPN client connected to the same OpenVPN server my speeds are 10 or 12 Mbps+. I can turn off encryption and compression on both ends and the speeds do not change much. When I observe the CPU activity inside the router while this is happening I do not see the CPU maxed out, so I do not think my bandwidth is limited by CPU. I would expect the CPU to be the limiting factor when I hit 20 Mbps+.

I have not tested the throughput if I use my RT unit as an OpenVPN server. I may need to do this to see if I see the speeds you observe when the RT unit is a server.

Have you tested throughput using the RT as an OpenVPN client to a fast external OpenVPN server?

- Henrik

As other people already said you should move the OpenVPN processing out from the router. If you have some important reason to run the client on router (i.e. if you want all your internal network devices including handheld ones to access the OpenVPN server) you should use Sabai device or similar. If the above is not so important it is strongly advised to use your PC or laptop as OpenVPN client. There is no SOHO router device that is comparable to any modern x86 CPU performing crypto tasks.

 

[CaptainSTX]

Test VPN Processing Power

If you want to do some simple experiments on your own see the effect of faster router processors and more RAM take a Linksys 54G running DD-WRT and set the clock speed as low as it will go (183Mhz) and then set it up to handle PPTP VPN. With a 54's 16Mb of ram this will be slow. Slowly ratchet the clock speed up to either 233 or 250Mhz one step at a time and you will see some improvement.

Then test a PPTP connection on a router with a faster processor and more RAM. You should be able to see the difference processor speed and memory make. Unfortunately not enough to be as fast as what you can do running VPN on your PC.

I recommend that anyone that wants to test use PPTP as it is simple to install. OPenVPN takes even more processing power so the results will be even slower for all processor speeds.

 

[henrikk]

As other people already said you should move the OpenVPN processing out from the router. If you have some important reason to run the client on router (i.e. if you want all your internal network devices including handheld ones to access the OpenVPN server) you should use Sabai device or similar. If the above is not so important it is strongly advised to use your PC or laptop as OpenVPN client. There is no SOHO router device that is comparable to any modern x86 CPU performing crypto tasks.

I agree with you. If I want performance I need to move this off the SOHO device. Nonetheless, I do not understand the performance I am seeing --- especially when I disable encryption on the VPN tunnel and (based on admittedly casual observation) the CPU is not the bottleneck.

- Henrik

 

[RMerlin]

FWIW: Shibby's Tomato firmware for the RT-N66U doesn't provide any better OpenVPN throughput than Merlin's...

It shouldn't either - we use the same code, and Shibby also implemented the same optimizations that I implemented in Asuswrt-Merlin (OpenSSL asm backport, compiler optimization to OpenSSL and OpenVN, etc...), so we should have nearly the same performance with OpenVPN.

 

[RMerlin]

I control the OpenVPN server (the provider). When I use OpenVPN from a laptop "client" connected to the OpenVPN server my speeds are 50 Mbps+. When I use the router as OpenVPN client connected to the same OpenVPN server my speeds are 10 or 12 Mbps+. I can turn off encryption and compression on both ends and the speeds do not change much. When I observe the CPU activity inside the router while this is happening I do not see the CPU maxed out, so I do not think my bandwidth is limited by CPU. I would expect the CPU to be the limiting factor when I hit 20 Mbps+.

I have not tested the throughput if I use my RT unit as an OpenVPN server. I may need to do this to see if I see the speeds you observe when the RT unit is a server.

Have you tested throughput using the RT as an OpenVPN client to a fast external OpenVPN server?

- Henrik

It's not just the CPU. Bus bandwidth, RAM speed, etc...

I used a 1024 bits key if I recall. You might try using a smaller key and see if it has any impact.

I never really tested it as a client.

 

[somms]

It shouldn't either - we use the same code, and Shibby also implemented the same optimizations that I implemented in Asuswrt-Merlin (OpenSSL asm backport, compiler optimization to OpenSSL and OpenVN, etc...), so we should have nearly the same performance with OpenVPN.

Thanks for the conformation that there should be no difference in OpenVPN performance between your firmware and Shibby's!

BTW: I am fine with the OpenVPN tunnel 10Mb/s symmetrical throughput since I'm usually connecting remotely via 3G back to the OpenVPN server running on my RT-N66U for wireless security purposes, file sharing on my home PC, remote desktop, ect...

 

[Mistermoonlight]

OpenVPN 10Mb/sec is good for my setup also. I didn't benchmark it as a server, but this speed is actually faster than my ISP speed

Thanks Merlin for this nice feature!

 

[henrikk]

It's not just the CPU. Bus bandwidth, RAM speed, etc...

I used a 1024 bits key if I recall. You might try using a smaller key and see if it has any impact.

It will be interesting to know what the bottleneck actually is.

Thanks for putting the OpenVPN server/client into the firmware. Overall a fantastic job.

-Henrik

 

[wiz561]

Thanks for bringing this up. I unfortunately just discovered this tonight. I understand it's not a software issue and just a limitation of the hardware.

Is it possible to offload the openvpn processing to a linux box? I haven't seen anything like this before until the one user posted something about Sabai's solution. I'm not exactly sure how this works...the only thing I can think of is that the accelerator sites in front of the router and the router just pushes the configs to the accelerator.

Thanks!

 

[RMerlin]

Thanks for bringing this up. I unfortunately just discovered this tonight. I understand it's not a software issue and just a limitation of the hardware.

Is it possible to offload the openvpn processing to a linux box? I haven't seen anything like this before until the one user posted something about Sabai's solution. I'm not exactly sure how this works...the only thing I can think of is that the accelerator sites in front of the router and the router just pushes the configs to the accelerator.

Thanks!

You could run the OpenVPN server on the Linux (or Windows) box itself if you really need better performance.

The new Asus routers coming in the next few weeks also have much better OpenVPN throughput.

 

[somms]

Update: Now able to achieve @30Mb/s TAP UDP OpenVPN tunnel throughput using Shibby's tomato-R7000-ARM-119-VPN-64K flashed onto the Netgear R7000 functioning as OpenVPN server!