OpenVPN slow on ASUS Quad-Core CPU

Ola Malmstrom

Regular Contributor
I get 10 Mbps (yes, 10 Mbps) between two NASes when running an OpenVPN server on my AX88U router. The NASes are connected with fiber 250 Mbps both directions. The remote NAS is a client to the OpenVPN server.

When I open a port on the remote router and skip the VPN, I get 220-230 Mbps.

If I use my old AC3200 router I get more or less exactly the same results.
  1. How can I verify that the AES-NI on the AX88U works correctly?
  2. Does AES-NI need to be started in some way?
  3. Should I replace the ncp_ciphers line in the configuration both for the VPN server and the VPN client with this line: "ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC" ?
  4. Do I have a HW fault in the AX88U? Does it need to be replaced? Everything else works well...
 

RMerlin

Asuswrt-Merlin dev
How can I verify that the AES-NI on the AX88U works correctly?
It's not a feature to be enabled or checked, it's simply an inherent feature of the CPU. Code compiled for that CPU will use the feature.
 

Ola Malmstrom

Regular Contributor
OK thanks.....But.... my AX88U delivers more or less the same speed over OpenVPN as my old AC3200. I probably need something more to be able to convince the dealer to take it back and give me a new one.....

Would you consider 10 Mbps as a normal speed with OpenVPN when I get 220-230 Mbps without?

If you were working in the place where I got this router, would you accept my conclusion that AES-NI doesn't work and that it should be replaced due to HW fault? If not, what more evidence would you ask for?

Background: I want to be able to back up data between my NAS and a second NAS I have placed at my brother-in-law's place. Unfortunately I consider some of the data as highly confidential......
 

L&LD

Part of the Furniture
What settings are you initiating on your VPN connections to slow them down that much?
 

CaptainSTX

Part of the Furniture
If you want to test if AES-NI is the issue, sign up for a trial with a commercial VPN service and then activate one of the VPN clients on your AX88. With most big name VPN providers, given your location, if you connect to one of their VPN servers in either Sweden, Oslo, or Helsinki, you should get download speeds of over 200 Mbps. Can't say what you will get for uploads as I don't have a symmetrical connection, but if you get the 200+ Mbps download speed then your AES-NI is functional and your problem lies elsewhere.
 

RMerlin

Asuswrt-Merlin dev
Would you consider 10 Mbps as a normal speed with OpenVPN when I get 220-230 Mbps without?
Depends on your configuration. I was able to hit over 200 Mbps in my tests using AES-128-GCM.

If you were working in the place where I got this router, would you accept my conclusion that AES-NI doesn't work and that it should be replaced due to HW fault?
No. As I said, AES acceleration is not a particular feature, it's inherent to the CPU. If the CPU were defective, then your router wouldn't even boot at all.
 

Ola Malmstrom

Regular Contributor
Great, thanks very much to all of you for your patience!! There seems to be something fundamental here that I don't get.

@RMerlin - Thanks!! Conclusion - no HW failure.

What I do currently is:
  • Start an OpenVPN server on my router with port 1194 open.
  • Import the .ovpn file into the OpenVPN client on NAS01 (the NAS in my brother-in-law's place). I can't use his router as OpenVPN client if that would be needed. It is an Apple router with very limited functionality.
  • Connect from NAS02 in my environment to NAS01 using the IP address 10.16.0.2. Seems to work but very low speed.
  • I have played around with settings (hard coded the IP address in the .ovpn file, changed the cipher/cipher negotiation setting, changed the DNS server used by NAS01 - one change at a time) to no avail.
I am using the standard ASUS/Merlin configuration with one change only: The cipher negotiation has been disabled.

The .ovpn file looks like this:

client
dev tun
proto udp
remote *****.asuscomm.com 1194
float
cipher AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
*****
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

If I use an external VPN supplier such as ExpressVPN, I believe I need to do the following:
  • Establish 2 OpenVPN client configuration files.
    • One for my router (or for NAS02 in my place??)
    • One for NAS01 at my brother-in-law's place
    • Start both clients
    • Test the connection between NAS02 and NAS01
  • Is this the correct way of doing it?
 

L&LD

Part of the Furniture
@Ola Malmstrom, it seems you're testing correctly. But, what model NAS is the 'NAS01' your brother-in-law has? :)

We know your router's capabilities, we know the weakest ISP is your brother-in-law's which is half of yours at 250Mbps up/down. The weakest part of the chain now seems to be his NAS, logically.

Give us the NAS' specs to prove or disprove this logical conclusion from this end. :)
 

RMerlin

Asuswrt-Merlin dev
Check your QoS setting, test with it disabled if it was enabled.

Keep in mind that many home NAS have very weak CPUs. If his NAS only has an Atom for instance, then it will be much slower than your router.
 

Ola Malmstrom

Regular Contributor
NAS01 is my old NAS used for backup purposes. A QNAP TS-219PII. Marvell, 2 cores 1 GHz, 512 MB RAM if I remember correctly. I moved it to his place in order to keep backup data in a separate place. He has 250/250 Mb/s ISP speed.

NAS02 is my new NAS. A QNAP TS-231P2. 4 cores ARM 32 bit 1.7 GHz, 8 GB RAM. 500/500 Mb/s ISP speed. If I understand correctly it should have HW supported encryption.

QoS has been disabled all the time on both my routers, both the AX88U and the AC3200.

Based on your comments I start to see where I may have the problem: Too weak CPU on NAS01. Possibly also on NAS02... When copying data or anything else the poor CPU is probably maxed out. I checked NAS02 and my router but not that carefully. They seemed to be quite OK but I didn't really document it. I didn't check NAS01 though......

Unfortunately I have lost the connection to my ISP. A DHCP problem. Due to the Covid-19 situation they don't have any support until Monday morning...... I'm writing this with my telephone as the modem just so that you know what's happening here.

I will document more carefully what happens on both NASes once the connection comes back. I can use Putty to log in to both NASes. Exactly what should I check for? What processes?

If the NAS01 CPU is a bottleneck I will probably change strategy. Instead of backing up to my old NAS, I will back up to his new NAS (a Synology with similar specs as my NAS02). Instead of using my old NAS, I can connect a 4 TB USB3 disk to his new NAS. 4 TB should be enough for my needs. Possibly also forget about the VPN and keep the most sensitive data at home.
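
Added example (editorial, not written by any poster in this thread): a shell check to run over SSH on each tunnel endpoint, reporting whether the CPU advertises AES instructions and how fast one core runs the tunnel cipher according to `openssl speed`. The function names, the `--live` switch and the sample numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: is the CPU, rather than the link, the ceiling for the tunnel?

# cpu_has_aes FILE: succeed if a cpuinfo-style FILE lists an "aes" CPU
# feature ("flags" line on x86, "Features" line on ARM).
cpu_has_aes() {
    awk -F: 'tolower($1) ~ /^(flags|features)/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
             }
             END { exit !found }' "$1"
}

# speed_to_mbps CIPHER: read `openssl speed -evp CIPHER` output on stdin and
# print the 1024-byte-block throughput in Mbit/s. The result columns are in
# thousands of bytes per second for 16, 64, 256, 1024, ... byte blocks, so
# field 5 is the one closest to a full-size tunnel packet.
speed_to_mbps() {
    awk -v want="$1" 'tolower($1) == tolower(want) && $5 ~ /k$/ {
        sub(/k$/, "", $5)
        printf "%d\n", $5 * 8 / 1000
        exit
    }'
}

if [ "${1:-}" = "--live" ]; then
    cipher=${2:-aes-128-cbc}    # cipher named in the .ovpn file in the thread
    if cpu_has_aes /proc/cpuinfo; then
        echo "CPU AES instructions: yes"
    else
        echo "CPU AES instructions: not reported"
    fi
    mbps=$(openssl speed -evp "$cipher" 2>/dev/null | speed_to_mbps "$cipher")
    echo "$cipher, 1024-byte blocks, one core: ${mbps:-unknown} Mbit/s"
else
    # Constructed sample line (not a measurement from this thread).
    printf 'aes-128-cbc 20000.00k 24000.00k 25000.00k 25500.00k 25600.00k 25600.00k\n' |
        speed_to_mbps aes-128-cbc
fi
```

The figure is an upper bound: OpenVPN's data channel runs on a single core and also has to authenticate and copy every packet, so the tunnel will be slower than the raw cipher number, and the slower endpoint sets the limit.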
 

CaptainSTX

Part of the Furniture
NAS01 is probably the biggest part of the problem.

You might be able to work around it if you took the VPN function off the NAS01 and installed a router at that location that supported AES-NI. Even without replacing the AC3200 and running the VPN on it instead of the NAS you probably could double your throughput.
 

Ola Malmstrom

Regular Contributor
Data transfer speed. OpenVPN client on NAS01 at remote location and OpenVPN server on router AX88U with NAS02 locally:

NAS01 is too weak for the OpenVPN client. It is constantly at 100% CPU utilization. It might be better if the remote router could run the VPN client instead. However this might lead to saturation on NAS02 as well.

So without really knowing, I suspect that more powerful CPUs on both sides, possibly with AES-NI support, would be recommended.
 

RMerlin

Asuswrt-Merlin dev
I have a Marvell-based NAS that I use for storing backups, and its CPU isn't even fast enough to handle rsync at full Gigabit speed within my own LAN. The best it can achieve with rsync is about 70-75 MB/s.

Those NAS have very weak CPUs, only meant for very basic NAS usage.
 

Ola Malmstrom

Regular Contributor
Which ASUS routers support AES-NI? I know AX88U and AC-86U do but not the AX58U. I have searched but it is not easily found and I may have missed something.

Background: My brother-in-law will eventually get a new router to replace his old Apple router. I have shown him the benefits of Merlin FW and he is genuinely interested.
 

L&LD

Part of the Furniture
Afaik, only the RT-AC86U and the RT-AX88U support AES-NI (while also supported by RMerlin firmware too).
 

RMerlin

Asuswrt-Merlin dev
Which ASUS routers support AES-NI? I know AX88U and AC-86U do but not the AX58U. I have searched but it is not easily found and I may have missed something.
You need a router with a BCM4906 or BCM4908 CPU. You can look them up on a Wikidevi mirror. Basically that's RT-AC86U, RT-AX88U, RT-AX92U, GT-AC5300, GT-AX11000.
 
