
RT-AC86U - Slow OpenVPN Server


fryrpc

I have a new RT-AC86U which is sat on a FTTP 250mbps / 30mbps connection.
Upgraded firmware to latest 3.0.0.4.382.16466 - even flashed it again just in case this would fix it.
Locally everything is working OK and full speed access to the internet is not a problem.

I have configured the OpenVPN Server and can connect to it remotely OK from both a fast 4G phone and an external fast internet connected PC.
The problem is that from these devices the router's web interface is painfully slow and when I configure the OpenVPN server to send all client traffic down the OpenVPN tunnel, to be sent on the router's fiber connection, that is also very slow - confirmed by speed testing at 0.5mbps / 6mbps. I understand that the up and down figures would be reversed as data is tunneling through the router i.e. max 30/250 at the client end.

I have tested using aes256/sha256/adaptive compression and aes128/sha1/disabled compression - both with no real difference in client connected speed, which is what I was expecting as CPU at both ends, PC and Router, were just idling. I tested with AI / QOS / Traffic Monitoring off and again no difference to when they are on.

Looking for advice / pointers to try and resolve this.
Thanks
Richard
 
Update - case logged with Asus who asked for it to be tested from factory reset - same issue - still awaiting further information.

In the meantime I found that adding the following to the Custom Configuration box helped a little on the default UDP OpenVPN Server - sometimes 10 Mbps down and up.
sndbuf 0
rcvbuf 0
Switching to TCP instead helped a lot - not on ping ms but on down/up speed.

Still hoping for Asus to advise on optimum configuration / firmware fix as this should work better than this out of the box. But in the meantime I have something that is at least usable. It's not great or speed predictable but when it is working it can be 25 Mbps down and 25 Mbps up.

Something is still not quite right as UDP should be faster than TCP and even at these speeds the CPU is only around 50% used on one core.
 
Update on UDP configuration
Using the following extra configuration in the Asus OpenVPN Server provided 26 Mbps down and up over UDP - don't think the fast-io added much tbh.

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
fast-io
 
I would experiment with MTU settings on the OpenVPN server, in case you are suffering from fragmentation. This might especially be important for 4G.
 
Hi fryrpc,

Thank you very much for sharing this thread.
It seems you have the same router as me and the same VPN server issue.

I have followed what you shared and now my speed is 60 mbps / 60 mbps. Very satisfied now :)
It seems that the process cannot handle more bandwidth because it goes to 80 % CPU during speed test.

What speed do you get now, after the entries are added?

Did Asus support tell you to add these entries into the OpenVPN server config?
Do you know what it means?
Can we increase sndbuf 524288 and rcvbuf 524288 to 1000000 for example?

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
fast-io
 
Sometimes when I run a speed test and the upload is very low, in the log file of the OpenVPN client I get:

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #89899 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Oct 25 16:46:43 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #89900 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Oct 25 16:46:43 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #89901 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Oct 25 16:46:43 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #89902 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Oct 25 16:46:43 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #89903 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
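
Added example (not part of the original thread, and not OpenVPN's source code): the warning above comes from OpenVPN's replay protection, which on UDP accepts out-of-order packets only inside a sliding window of recent packet IDs, sized by `--replay-window` (documented default: 64 packets). This simplified Python model shows a delayed burst being dropped by the default window, accepted by a wider one, and a true duplicate still being dropped, which is why widening the window is the safer response than `--no-replay`. The class, function and arrival sequences are hypothetical and constructed for illustration.

```python
# Simplified model of a sliding-window replay check. Illustration only:
# not OpenVPN's source, and it ignores the time limit that --replay-window
# also takes as its second argument.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size      # window width in packets (OpenVPN's documented default is 64)
        self.highest = 0      # highest packet ID accepted so far
        self.seen = set()     # accepted IDs that are still inside the window

    def accept(self, pid):
        """Return True if the packet ID is acceptable, False if it must be dropped."""
        floor = self.highest - self.size
        if pid > self.highest:                 # new highest ID: slide the window forward
            self.highest = pid
            self.seen = {p for p in self.seen if p > pid - self.size}
            self.seen.add(pid)
            return True
        if pid <= floor:                       # fell behind the window: cannot be verified as new
            return False
        if pid in self.seen:                   # duplicate inside the window: a replay
            return False
        self.seen.add(pid)                     # late, but inside the window and not seen before
        return True


def rejected(arrivals, size):
    """Return the packet IDs a window of the given size would drop, in arrival order."""
    window = ReplayWindow(size)
    return [pid for pid in arrivals if not window.accept(pid)]


# Constructed arrival order: IDs 101-105 are delayed and arrive after 106-300.
REORDERED = list(range(1, 101)) + list(range(106, 301)) + list(range(101, 106))
# Same traffic followed by a second copy of ID 250 (an actual replay).
REPLAYED = REORDERED + [250]

if __name__ == "__main__":
    print("window  64, reordered:", rejected(REORDERED, 64))
    print("window 256, reordered:", rejected(REORDERED, 256))
    print("window 256, replayed: ", rejected(REPLAYED, 256))
```

The rejected IDs in the log excerpt above (#89899 to #89903) are consecutive and each appears once, the same shape as the reordered case in this model.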
 

I now get 26Mbps down and up from my cloud based Windows desktop using OpenVPN client. I tested it last night from my phone connected to someone else's 250/30 service and got 43Mbps down and 29Mbps up. So I am quite pleased and probably at the limit of my testing client connection. Good to hear you can get 60/60Mbps from your 200/120 internet service.

Asus support has not provided any information about additional settings to use. I was just looking at things I could test whilst I await an official response from them. I think if settings like these are a requirement then they should be built into the firmware, either by default or as selectable options.

I have not tested setting values above these as I have not found anything on the internet to suggest that higher values either work or are advisable - some clients might not like using more than 512k buffers, the default appears to be 64k. It sounds like you are getting close to CPU limit anyway.
 
Sorry - I have not seen anything like this.
 
I completely agree with you: if these sndbuf and rcvbuf settings are requirements, they should be built into the firmware for sure. Probably the next firmware release will fix that, who knows.

Do you have any trouble accessing network storage through the VPN? For some reason I can ping the NAS device, but I cannot connect to it.

I accessed the router with SSH and added the following rules:

iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


It is still not possible to access the NAS via the VPN.
 
I do not have any problem accessing my NAS, either the web interface or the file shares, over the VPN - I did not do anything extra in SSH / iptables. It just worked - I access them by IP not name.
My Router and NAS are both in the 192.168.192.x network and my VPN connection is in the default 10.8.0.x network.
 
My setup is the same: the NAS is on the 192.168.1.0 network and the router is on the same network, but I am not able to access files on the NAS.
I am able to ping the IP address of the NAS via VPN but not to access files, which is strange.

Do you have any port forwarding setup in WAN section or any firewall settings in the firewall section of the router?
 
When you are connected with the VPN client, do you see any address assigned to IPv4 Default Gateway in the TAP adapter in Windows?


 
No port forwarding or firewall configuration - standard factory configuration on mine. I would only touch these if I wanted access from the internet without using an inbound VPN
 
Thank you, fryrpc.

I just found what the issue is.

I had to SSH into the router and then add the following NAT routes:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE


As soon as I entered this I got access to the NAS via the VPN tunnel.
It seems that when all the traffic is routed via the VPN, additional NAT routes are necessary.

I face one issue: when the router is rebooted, the config is lost. Any idea how to permanently save the firewall settings?
 
That is strange - I have not had to do anything like that and my OpenVPN Server is set to route all traffic too - clutching at straws - a firewall on your NAS perhaps. I assume you are testing from a remote internet connection and not from a client on your LAN.
 

Is openvpn still a single core process like all previous routers?

That has always been the bottleneck for openvpn on these routers.

I asked Merlin before and purchased the 1900p 1.4 dual core but it still ran on single core.
It improved a bit on speed due to higher GHz but it is still stuck on single core.
 
Is openvpn still a single core process like all previous routers?

Yes. The original plan for the OpenVPN devs was for multi-threading to get implemented in OpenVPN 3.x. No idea where the OpenVPN 3.x development has gone since that initial roadmap, it hasn't been updated for a couple of years now.
 
