VPN makes internet slow

[Aaron_A]

Hello,

I am running an openvpn client on my ASUS AC5300 router running the latest Merlin firmware.
Without the openvpn client, ookla consistently shows that I get 45mb/s download.
With the openvpn client running, ookla consistently shows that I only get 10mb/s download.

I am aware that VPNs slow the connection, however mine is being reduced in speed by 75%, which is not normal or acceptable.

What can I do to speed up the connection without lowering the encryption of the VPN?

Thanks in advance.

 

[Marin]

Well there could be a variety of reasons for this. But first can you give us some more info about what VPN are you using? Would you be willing to share a screenshot of VPN setup screen?

 

[Aaron_A]

I am using Cyberghost VPN. Connected to one of the Melbourne servers. I live just out of Melbourne.
I've attached screenshots of the openvpn client configuration page.
This is what I have in the "Custom Configuration" section:

resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
comp-lzo
auth-nocache

 

[Marin]

Does your VPN provider recommend that you use a 443 port for their servers? If not can you research what ports they recommend for this setup? Could you try 1194 or 1195? For example, NordVPN recommends 1194.ovpn files for Asus router setups and best speeds.

 

[Aaron_A]

Yes, Cyberghost says I should use port 443. Do you think I should experiment using port 1194 for the VPN client?

 

[Marin]

give it a try and see if it makes a difference

 

[Aaron_A]

I tried ports 1194 and 1195, however the openvpn client could not connect. Seems it only works with port 443.

 

[RMerlin]

cipher AES-256-CBC
auth SHA256

These two settings are both performance killers on a low-powered CPU as what your router has.

You will have to see if your provider offers alternate servers with different parameters.

 

[Aaron_A]

These two settings are both performance killers on a low-powered CPU as what your router has.

You will have to see if your provider offers alternate servers with different parameters.

Will just deleting these inputs from the "custom configuration" section have any unwanted impact on the security of my connection? As far as I am aware, this is consistent on all servers that CyberGhost offers.

 

[Marin]

Did the inputs in Custom Config section come from setup instructions for DDWRT configured routers by any chance? Did the ones (which are automatically loaded in Merlin's OpenVPN page) not work for you when you first set up your VPN client page? Could you redo your OpenVPN setup by just leaving Merlin's custom config input there and see if this makes a difference?

 

[Marin]

I am assuming you looked at this...

https://support.cyberghostvpn.com/h...-configure-OpenVPN-for-TomatoUSB-Merlin-Build

 

[Aaron_A]

I did indeed look at that page Marin.

 

[RMerlin]

Will just deleting these inputs from the "custom configuration" section have any unwanted impact on the security of my connection? As far as I am aware, this is consistent on all servers that CyberGhost offers.

Read the second line of my answer. You cannot just delete them, your provider server must be able to work with a different cipher and a different HMAC.

 

[Aaron_A]

Did you read the second line of my answer? This is consistent on all servers that CyberGhost offers. I'm fairly sure it's consistent among most VPN providers. SHA256 is secure, which is why it is the standard choice. Hopefully soon there will be a firmware update to merlin.

 

[kfp]

Did you read the second line of my answer? This is consistent on all servers that CyberGhost offers. I'm fairly sure it's consistent among most VPN providers. SHA256 is secure, which is why it is the standard choice. Hopefully soon there will be a firmware update to merlin.

Updates for what though? SHA1/2 and AES are pretty mature and heavily optimized in openssl, I doubt you can squeeze out much more performance without tinkering with the toolchain that Asus provides.

And needless to say, a firmware update is not going to produce a hardware crypto offload chip out of thin air either.

 

[coxhaus]

To make VPN worthwhile you need a certain level of encryption which keeps getting higher and higher as computer become more powerful. To use less just means they can read your traffic on the fly so there is no reason to use VPN and take the slowdown hit.

 

[ColinTaylor]

To use less just means they can read your traffic on the fly so there is no reason to use VPN and take the slowdown hit.

That depends on why someone wants to use a VPN and who "they" are. I suspect that in the majority of cases a VPN isn't being used to thwart government surveillance but to bypass geo-blocking of video streaming and download illegal torrents (so encryption is largely irrelevant because you just want to hide the protocol from your ISP and obfuscate your IP address).

 

[coxhaus]

My answers are all from the US perspective. It is what I know. But I see your point if you are outside the US.

 

[sfx2000]

That depends on why someone wants to use a VPN and who "they" are. I suspect that in the majority of cases a VPN isn't being used to thwart government surveillance but to bypass geo-blocking of video streaming and download illegal torrents (so encryption is largely irrelevant because you just want to hide the protocol from your ISP and obfuscate your IP address).

Exactly - and there are many places in the world where VPN is a plus - many assume Geo-Unlocking of content, and that's fair, but having been there/done that with the GFW of China, there is a valid reason why some would want VPN full-time...

VPN is going to incur some overhead - even on the fastest processor, compared to a non-VPN type of connection - so the best approach is to scale/size the ciphers to match - @RMerlin noted that with this router/AP, choose carefully the cipher and auth combo's

 

[Xentrk]

From the testing and bench marking some of us did earlier this year, I consider AES-GCM-128 cipher as the best for speed and performance. OpenVPN Performance