What's new

OpenVPN performance

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I had a weird idea last night and found a couple of CTF drivers in the firmware repository. What if playing a mix&match..? Boom, indeed one set is better!

I come to realise turning off HW NAT is really not a cool thing regardless how you may think it's not absolutely necessary. Now, I don't have to.

Would you be able share with us which CTF driver is working with OpenVPN properly? Maybe this option can be included in the next Merlin release?

EDIT: Just discovered that on a AC68U, using the OpenVPN server with the TAP device (instead of TUN) is valid workaround for the low performance with NAT acceleration enabled. Just remember to set the valid IP range for the OpenVPN server as the DHCP option didn't work for me.
 
Last edited:
Would you be able share with us which CTF driver is working with OpenVPN properly? Maybe this option can be included in the next Merlin release?

EDIT: Just discovered that on a AC68U, using the OpenVPN server with the TAP device (instead of TUN) is valid workaround for the low performance with NAT acceleration enabled. Just remember to set the valid IP range for the OpenVPN server as the DHCP option didn't work for me.

Using TAP is indeed another workaround on NAT slowing down throughput. TAP is less 'efficient' though and also not supported on iOS which is bigger problem for many users.

What Asus router do you run OpenVPN server..AC68U? Do you intend to compile your own firmware..?
 
Using TAP is indeed another workaround on NAT slowing down throughput. TAP is less 'efficient' though and also not supported on iOS which is bigger problem for many users.

What Asus router do you run OpenVPN server..AC68U? Do you intend to compile your own firmware..?

Yes, it is a AC68U. I haven't compiled custom asuswrt firmware before, but I don't have a problem with doing so.
 
Yes, it is a AC68U. I haven't compiled custom asuswrt firmware before, but I don't have a problem with doing so.

Try setting CTF_PPTP_L2TP=n in "src-rt-6.x.4708/target.mak". Rename
"src-rt-6.x.4708/router/ctf_arm/bcm6x" to bcm6. Then rebuilt the firmware.

It worked very well for me in 378.55 before I switched to IPsec VPN..
 
With Asus? How??

Yes, indeed. I was told we need Strongswan in user space to manage keys, and a custom kernel (with an important piece of bug fix) to run the actual IPsec tunnel.

But the guy is not happy with a growing number of folks on this forum violating GPL and waiting for justice be done before sharing this functionality with the broader community.

At the moment the guy only shared with me, and I'm running IPsec VPN in my custom build of 378.55..
 
Yes, indeed. I was told we need Strongswan in user space to manage keys, and a custom kernel (with an important piece of bug fix) to run the actual IPsec tunnel.

But the guy is not happy with a growing number of folks on this forum violating GPL and waiting for justice be done before sharing this functionality with the broader community.

At the moment the guy only shared with me, and I'm running IPsec VPN in my custom build of 378.55..

Note that I stopped compiling the ARM kernel with IPSEC support because it caused symbol versions issues. That was preventing the Trend Micro DPI engine from loading. So any solution that involves kernel modules will have some less-than-ideal drawbacks...
 
Note that I stopped compiling the ARM kernel with IPSEC support because it caused symbol versions issues. That was preventing the Trend Micro DPI engine from loading. So any solution that involves kernel modules will have some less-than-ideal drawbacks...

One of the better ways to resolve symbol issues is here.. I believe you could build a sound case to Asus. Adding another key feature to their firmware too. A win-win situation for all parties. :rolleyes:
 
One of the better ways to resolve symbol issues is here.. I believe you could build a sound case to Asus. Adding another key feature to their firmware too. A win-win situation for all parties. :rolleyes:

Tell that to Trend Micro, not Asus.
 
Tell that to Trend Micro, not Asus.

One thing outsiders aren't sure is if Asus knows what they're getting for the price they paid. Asus may have chosen this way so that they get better control over their firmware. After all I believe GPL is an obligation for them not community service...
 
Thanks guys, another reason to go pfsense..

I've been thinking of this for a long time. pfSense 3.0 will be very exciting! Right time to make a move...if you're a power user and like tinkering..

Myself I'll see how long I can survive with my little AC56U. Besides I can't decide pfsense, ubnt or mikrokit or something else. LOL
 
Myself I'll see how long I can survive with my little AC56U. Besides I can't decide pfsense, ubnt or mikrokit or something else. LOL
Will switch to a Netgate rackmount appliance soon. Asus is playing foolish now, charging 300$ for new routers with crappy cpus and made of plastic, considering you can buy a T100Chi with that money. They're using outdated version of the linux kernel, same GUI since 2011 (I think), and thanks to Merlin and hggomes for making their firmwares waaaay better (including the GUI!!).
Sorry but when I spend good money I want to make sure it's going into a good product.
 
To be fair to Asus, the old kernel is decided by broadcom's SDK. Every vendor using broadcom chipset is on the same boat. Newer SDK might come with a new kernel. People could reasonably expect a newer kernel (perhaps 3.2.x series) for the new 64bit chipset.

Once a platform is chosen (hw+sdk), vendors usually won't upgrade SDK in the middle of production. There is zero stream of revenue in service of consumer routers..

I encourage ppl in favour of power and 'tinkerbility' to move to better platforms. Share with us your journey of pfSense, perhaps on another sub-forum, once you get it, @DomFel :)
 
Try setting CTF_PPTP_L2TP=n in "src-rt-6.x.4708/target.mak". Rename
"src-rt-6.x.4708/router/ctf_arm/bcm6x" to bcm6. Then rebuilt the firmware.

It worked very well for me in 378.55 before I switched to IPsec VPN..

I am trying to follow your changes but I don't see a "bcm6x" directory in the latest asuswrt-merlin repo.
 
You don't need to change the CTF binary blobs or the kernel configuration anymore due to the commit I posted.
Nice. Thanks for your replies.
Does this mean we should see OpenVPN improvements with CTF enabled (NAT acceleration) in future builds?
I've managed to get a build with latest code, I might try it on my AC87U.
 
Nice. Thanks for your replies.
Does this mean we should see OpenVPN improvements with CTF enabled (NAT acceleration) in future builds?
I've managed to get a build with latest code, I might try it on my AC87U.

CTF is closed source, and completely out of my control. I don't even know how it works exactly, only Broadcom does.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top