R7000 vs. AC68 for OpenVPN

[flowrider]

So bear with me if you will.

I'm trying to decide between these 2 routers (R7000 and AC68U) which I will use DD-WRT or Merlin to connect to my Private Internet Access VPN service so that I can access other region Netflix and of course surf anonymously. I think this may be the easiest solution for me for right now. I am moving to a new house in a couple of months that is completely wired with Cat5e and may end up rebuilding my pfSense box to serve the entire house but I don't know how that will work with video and DVR surveillance system that is included with the house. So that's up in the air.

This is why I'm thinking of going the OpenVPN on the router way. Anyway to my question. Which one of these will have better OpenVPN performance? General wireless performance? Is trying to service a 3500 sq. ft. house with 2 floors and a basement asking too much of any router? Looking for maximum uptime with as few reboots as possible although if can be scheduled that's okay too.

Any suggestions or even something else I haven't thought of would be appreciated.

 

[flowrider]

Thought I'd add what devices will be on the network
NAS
AC phones (iPhone 6 and new Samsung soon)
2 Mac laptops. Would like to be able to use Time Machine with these with the router but not a deal breaker as I will likely back up to NAS.
iPads
Desktop - wired
Security system with 3 cameras and DVR (pretty sure wired with ethernet)
PS3
2 Apple TV's (hence the reason for using PIA)

 

[Trip]

For OpenVPN, I think you'll find 25-40Mb/s to be the max for the units you highlighted. If that's good enough, then either one would probably suit you well. If you're intent on pushing well beyond that, then I'd look to multi-core x86, PPC or Tile-based solutions (ie. pfSense on an Intel x86 box, higher-end EdgeRouter model, or MikroTik CCR).

For wifi, you might be able to pull it off with a single all-in-one, well-placed in a central location, but since the new house will be wired with Cat5e, multiple access points will probably work better. If you keep them the same brand/model, then you could use WDS for seamless handoff. Either another AC a-i-o set into AP mode, or a pair or more of purpose-built APs like EnGenius. For mesh/managed solutions, look at UniFi, Open-Mesh and/or Meraki.

 

[flowrider]

Thanks for the reply Trip.
My internet is 25mbps down and 5mbps up right now but I do know that there is overhead with using a VPN like PIA. Even running the PIA client on my MacMini results in a 5mbps loss in speed but I'd consider that acceptable.

WDS is what I thinking about before but couldn't verbalize it!! To do that would it be as simple as having the same SSID on the different access points? Would I still be able to have one running OpenVPN connected to PIA and the others just distributing unfiltered internet or am I just asking for trouble?

Another thought was for me to have separate routers. One running the PIA access and the other regular internet. Each of course with separate SSID's on different channels.

 

[sfx2000]

I would definitely consider running the VPN end-point on the pfSense box rather than on the routers... much better performance there, and you'll have more flexibility with your routing rulesets...

The dual-core ARM Cortex-A9 chipset has miserable memory bandwidth, and since OpenVPN runs in user space, it thrashes the heck out of memory, and this will impact all use of the router..

 

[flowrider]

Thanks for your suggestion. I guess I'll try and resurrect my pfSense box. It's kind of sat by the wayside when my service provided updated the modem's firmware and locked out bridging. I only just got bridging back by asking for a newer modem (Actiontec T1200H) but now I'm having issues reconfiguring pfSense. Mind you I didn't find it particularly easy to set up in the first place!!

 

[sfx2000]

I think you'll be happier with the pfSense box doing the heavy lifting... it doesn't have to be the primary router, just being the VPN end-point, and then port forward it out for Tx/Rx connections... and consider alternatives like L2TP - OpenVPN, while very portable (living in UserLand) beats the hell out of the client/host CPU's - other VPN's like L2TP are pretty much included in the network stacks of most common operating systems....

Note 2 - TimeMachine backups - might want to reconsider this, and keep things on a local attached drive perhaps, sparsebundles on network mounts can be pretty spooky, and can fail suddenly - Apple doesn't document how it works, so it's very dependent on reverse engineering and experimentation...

 

[flowrider]

Thanks for the help. I've resurrected my pfSense box and am happily motoring along now. I've gone from 25mbps to about 18mbps so I still have some tweaking to do but the throughput seems to be okay. Point taken about the TimeMachine backups but it's much more convenient for the 2 laptops to back up this way. My Synology has TimeMachine support so perhaps thats more reliable? I also have an earlier gen. Airport Extreme that I can use as well.