RT-AC86U OpenVPN Fast Download, Extremely Slow Upload


eponymous

New Around Here
Hi all,

I’ve spent the last several weeks setting up a secure home network through OpenVPN on my router. I’m having a persistent issue with slow upload speeds that I can't seem to resolve, so I’m asking for your advice. I’ve spent many hours reading through these forums as well as other websites, but I haven’t yet found a solution, nor a description of this exact issue. Apologies if this is solved elsewhere.

I started out with an older RT-AC68U, flashed to the latest Merlin firmware (RT-AC68U_386.1_2), set up an OpenVPN client using the ovpn file from my provider for the closest server, and connected just fine. My only complaint was the relatively slow download speeds (I was getting 10-15Mbps download), much slower than my Comcast bandwidth (200 Mbps down, 5Mbps up). After reading through these forums, I saw that the likely issue was the processing speed of the router hardware, and several people reported that specific versions of ASUS routers enabled higher OpenVPN speeds with hardware acceleration. After evaluating the available models, I decided to buy a brand new RT-AC86U (ASUS AC2900), with the AES acceleration, as described on these threads/websites:


My new router arrived and I flashed to Merlin (RT-AC86U_386.1_2), installed the VPN configuration for the closest server, and connected. My first website was Speedtest, where I was pleased to see that the download speed was now much faster than what it was with the RT-AC68U. Over several tests, I saw that download speeds ranged from ~40Mbps to 80Mbps, pretty good given that I normally saw ~100Mbps without using a VPN. However, there was something odd - the upload speed was painfully, excruciatingly slow. When the upload part of the test started, the needle would jump to about 1-2 Mbps for a fraction of a second, then drop to about 0.5 Mbps and stay there for the rest of the test. I did this repeatedly, and always the same result. Upload Mbps averages around 0.5 Mbps, never once has it averaged above 1 Mbps in any of my tests while connected to VPN using the RT-AC86U. I tested multiple VPN servers all over the country - download speed tended to vary with distance from the server (but usually fell in the range of 30-80 Mbps), but upload speed always averaged about 0.5 Mbps.

So I thought - perhaps my OpenVPN provider has really slow upload speeds, or maybe Comcast just throttles OpenVPN uploads somehow. To test this, I connected to the OpenVPN using my laptop (Tunnelblick) with the router VPN turned off. Download speed was a little faster with Tunnelblick (50 - 100 Mbps), but upload speed was much faster, maxing out at 5-6 Mbps, which is the limit of my upload bandwidth. I ran this test multiple times, at different times of day, to multiple servers. So clearly my VPN provider can handle it, and Comcast doesn’t appear to be doing any OpenVPN upload throttling.

Thinking Merlin might be the issue, or some setting that I had changed, I reset my router back to factory settings, and tried setting up the VPN using the standard ASUS firmware without making any other changes. Upload speeds still 0.5 Mbps.

As another test, I actually upgraded my Comcast service, increasing it to 10 Mbps upload bandwidth. After rebooting the router, etc, I confirmed that non-VPN uploads were now at 10-12 Mbps, as expected. Connecting to OpenVPN using Tunnelblick on my laptop gives me upload speeds of 10-12 Mbps, virtually no difference from non-VPN. But running the VPN directly through the RT-AC86U ASUS router gives me 0.5 Mbps, just as before, across multiple tests. Download speeds are still in the range of 40-80 Mbps.

Then I had an idea that I thought must be the solution. My VPN provider provides different ovpn files for different configurations (e.g. specific for Tunnelblick, specific for ASUS firmware, specific for Merlin). They provide ASUS-Merlin specific ovpn config files, presumably using lower encryption standards to better support the hardware (e.g. 128-CBC). I set up the OpenVPN on my router using the config files intended for Tunnelblick, the exact same file that currently gives me 10-12 Mbps upload speed over OpenVPN using Tunnelblick on my laptop. Using the RT-AC86U ASUS router, VPN upload speeds are at 0.5 Mbps, download speeds 40-50 Mbps.

So at this point I am completely stumped. The hardware on the RT-AC86U can clearly handle high speed transfers over OpenVPN. But something is keeping my upload speed at 0.5 Mbps, and I don’t know what else to try. I had a thought that OpenVPN could be somehow asymmetric, and the hardware has to work harder to send/encrypt packets over a tunnel than to receive/decrypt them. But the CPU doesn’t max out during upload speed tests, in fact it barely even seems to notice. And it seems there are many testimonials all over this website reporting upload speeds of 10-30 Mbps using this exact same device. The hardware should be capable of handling upload speeds better than 0.5Mbps.

Any ideas?
 

ColinTaylor

Part of the Furniture
There seems to be a contradiction here. Ignoring the VPN issue for the moment you said "my Comcast bandwidth (200 Mbps down, 5Mbps up)". But then you said "...pretty good given that I normally saw ~100Mbps without using a VPN".

So you have a 200Mbps service but only get ~100Mbps out of it?
 

eponymous

New Around Here
There seems to be a contradiction here. Ignoring the VPN issue for the moment you said "my Comcast bandwidth (200 Mbps down, 5Mbps up)". But then you said "...pretty good given that I normally saw ~100Mbps without using a VPN".

So you have a 200Mbps service but only get ~100Mbps out of it?

Yes, the advertised download bandwidth by Comcast was 200 Mbps down/5 Mbps up (600 Mbps down / 10 Mbps up after I upgraded), but I don't actually see those download speeds. I just ran a speed test (not connected to VPN) and got 85.49 Mbps down and 11.88 Mbps up. I've seen it go as high as 140 Mbps down without a VPN, but not higher than this, even with my 'upgraded' 600 Mbps service.
 

ColinTaylor

Part of the Furniture
Yes, the advertised download bandwidth by Comcast was 200 Mbps down/5 Mbps up (600 Mbps down / 10 Mbps up after I upgraded), but I don't actually see those download speeds. I just ran a speed test (not connected to VPN) and got 85.49 Mbps down and 11.88 Mbps up. I've seen it go as high as 140 Mbps down without a VPN, but not higher than this, even with my 'upgraded' 600 Mbps service.
With such a massive discrepancy between the advertised and actual speed, and a 40% variation I wouldn't be surprised if that isn't contributing to the VPN problems. What type of internet service do you have, cable, satellite, etc?

VPNs tend to use UDP by default, which can be very sensitive to poor line quality. Try changing to a TCP VPN profile and see if that improves things. But ultimately I think your priority should be sorting out the problem with your internet service.
 

eponymous

New Around Here
With such a massive discrepancy between the advertised and actual speed, and a 40% variation I wouldn't be surprised if that isn't contributing to the VPN problems. What type of internet service do you have, cable, satellite, etc?

VPNs tend to use UDP by default, which can be very sensitive to poor line quality. Try changing to a TCP VPN profile and see if that improves things. But ultimately I think your priority should be sorting out the problem with your internet service.
Thanks for the suggestions. I have cable Internet service.

I went ahead and set up a TCP VPN profile, as you suggested. This did make a difference - now my download speed is only 11.5 Mbps, but my upload speed jumped to 13.25 Mbps. That feels like progress.

I logged into the Cable modem and the signal to noise ratio, power, etc., seem to be within the standard ranges, but perhaps there is something that Comcast can do to improve the signal. I will contact them to see if something else can be done.
 

ColinTaylor

Part of the Furniture
I logged into the Cable modem and the signal to noise ratio, power, etc., seem to be within the standard ranges, but perhaps there is something that Comcast can do to improve the signal. I will contact them to see if something else can be done.
Good idea. At the very least if you're paying for 600 Mbps and getting less than 100 Mbps that's unacceptable. Is your cable modem supplied by your ISP or do you have to buy your own?
 

eponymous

New Around Here
I have supplied my own modem. After checking the capacity of my current modem I found that it was not powerful enough to support the advertised bandwidth, so I upgraded to a 1 Gbps model. Now my non-VPN download speed is reliably ~480 Mbps down and 12-13 Mbps up, so considerably faster than it was before, and much closer to the advertised bandwidth limit of 600 Mbps down / 10 Mbps up.

When I connect to the VPN server via Tunnelblick on my laptop (OpenVPN), I got a download speed of ~140 Mbps down and 11-12 Mbps up. The download speed is improved and the upload speed is still roughly maxing out my advertised upload bandwidth.

To this same server, I connected to VPN using ASUS RT-AC86U running the latest Merlin firmware, using the identical OpenVPN configuration. Over more than 10 speed tests I see a reliable 120-140 Mbps down and ~1.5-2.5 Mbps up. My download speed on the ASUS RT-AC86U is about as fast as what I get using my laptop over Tunnelblick. The upload speed is still lagging behind, but this is a substantial improvement over what it was before.

I admit I still don't understand why it is the case that download speeds over OpenVPN on the RT-AC86U are about the same as with Tunnelblick while upload speeds are about 20-25% as fast.

Thanks for your help so far, it had not occurred to me that the Cable modem would be a major factor in this.
 

ColinTaylor

Part of the Furniture
I'm at a loss as to why your VPN upload speed is so low compared to the Windows client. By comparison (on my 660/44 line) my old RT-AC68U does ~200/35 using the Windows client and ~55/35 using the router's client. So I can't think why your router couldn't easily get 10Mbps on the upload when mine is getting 35Mbps. This is with NordVPN.
 

eponymous

New Around Here
Ok, I figured it out, though I can't exactly explain the technical reasons why. I was tweaking different OpenVPN settings in my ovpn file: mssfix, tun-mtu, tun-mtu-extra, cipher, etc. Nothing made a difference. Since lots of people use NordVPN and have success with it (I happen to not use NordVPN), I signed up for a single month to test it out.

I got a NordVPN OpenVPN config file in my city, connected via ASUS RT-AC86U, and boom, started uploading at 11 Mbps and downloading at 130 Mbps on the first try. So now I know it's not my router, it must be a configuration option that is somehow slowing the router but not slowing Tunnelblick on my laptop. No idea what that would be though.

I went through each config file line by line and compared them. I noticed a line in the NordVPN config that wasn't in my provider's config: fast-io.

Here is the description of this option from a website I found: Optimizing OpenVPN Throughput

fast-io

This little flag which is supported in non-windows systems, improves your CPU usage when dealing with UDP packets by using non-blocking write operations. It only applies to UDP tunnels.

So I thought, why not? I added it to my VPN provider config, right before the cipher specification, and now I'm getting 140+ Mbps down and 11 Mbps up. I guess something about non-blocking write operations makes a difference on the RT-AC86U hardware.
 
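An added example, not part of the original thread: the line-by-line comparison described in the post above, done by directive instead of by eye. It parses two OpenVPN client configs, skips comments and inline `<ca>`-style blocks, and reports which directives appear in only one file or carry different arguments (a cipher difference shows up the same way as a missing `fast-io`). The two sample configs, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample configs for illustration; not real provider files.
CA = "<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n"
MINE = """client
dev tun
proto udp
remote vpn-a.example.net 1194
# tuning attempts
mssfix 1450
cipher AES-128-CBC
""" + CA
OTHER = """client
dev tun
proto udp
remote vpn-b.example.net 1194
mssfix 1450
fast-io
cipher AES-256-CBC
""" + CA

def parse_ovpn(text):
    """Map directive name -> set of argument strings; skip comments and inline blocks."""
    directives, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                      # inside <ca>...</ca> etc.: ignore key material
            if line == f"</{block}>":
                block = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            block = tag.group(1)
            directives.setdefault(block, set()).add("[inline]")
        elif line and line[0] not in "#;":
            name, *args = line.split(None, 1)
            directives.setdefault(name.lstrip("-"), set()).add(args[0] if args else "")
    return directives

def diff_configs(a_text, b_text):
    """Directives present in only one file, and those whose arguments differ."""
    a, b = parse_ovpn(a_text), parse_ovpn(b_text)
    changed = {k: (sorted(a[k]), sorted(b[k])) for k in a.keys() & b.keys() if a[k] != b[k]}
    return {"only_a": sorted(a.keys() - b.keys()), "only_b": sorted(b.keys() - a.keys()), "changed": changed}

def fast_io_applies(text):
    """fast-io only affects UDP tunnels; OpenVPN uses UDP when no proto is given."""
    d = parse_ovpn(text)
    return "fast-io" in d and all(p.startswith("udp") for p in d.get("proto", {"udp"}))

if __name__ == "__main__":
    print(diff_configs(MINE, OTHER))
    print(fast_io_applies(OTHER))
```

`fast_io_applies` only looks at the `proto` directive; a protocol given as the third argument of a `remote` line is not considered.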

CaptainSTX

Part of the Furniture
I went through each config file line by line and compared them. I noticed a line in the NordVPN config that wasn't in my provider's config: fast-io.

I have tried using "fast-io" with PIA, StrongVPN and Astrill. Never seemed to make a difference I could quantify.
 

CaptainSTX

Part of the Furniture
That's interesting. I wonder if it depends on a combination of what router you are using and the VPN provider. What is your router model?
Currently running StrongVPN on one client and PIA on another. Both on an AC86 with the latest Merlin firmware. In the past I have also experimented with custom settings on an AC1900P and even on my old trusty N66.

Never could satisfy myself at the 95% confidence level that fast IO made any difference. Part of the problem is the speed on VPN tunnels is much more variable during the day than the speed you get from your ISP meaning two standard deviations is a big number.
 
