
VPN Speed problems: Merlin vs Advanced Tomato


Also make sure you are using AES-128-CBC with compression disabled and take out comp-lzo in custom configurations if you put it there. That will make a difference in your speed as well.
At least for me, PIA has been pushing a 'comp-lzo no' directive during connect for some time now. Don't know if that's a region-specific change.
 
I stopped using comp-lzo since last year :)
Everything is compressed, why compress again?
 

True, compression happens from the web server to the client.

But does this setting mean compression from client to web server?
 

A typical client request is maybe 20-50 bytes long, there's not much to compress there. Plus, it can't be compressed if it's sent over HTTPS (encrypted data is too random to be compressible).
 

I tried disabling compression, but then I had no internet access. The system logs reported "write to TUN/TAP : Invalid argument (code=22)", which on googling led me to understand that my VPN provider is pushing for lzo-compression from the server. So the client has to accept compression as well. Setting compression to adaptive solved the issue.

Is there a way to force this to a disabled state if I can get better performance from the router?
 

It must be disabled on both sides. If your provider enables it, then you also must do so.
 
If you put the option to none instead of disable, it will work.
The provider uses compression, but if you say none you are not using any.
Disabling it stops the tunnel for some reason, but none works fine and you are not using compression.
 
Are you with PIA? You can put none with PIA, not sure with other companies.
Does your VPN work when you enable compression?

No, I am not. It seems my VPN provider has a tight grip on matters. They even override the DNS settings configured on the router with their own DNS server.

I think I will change the VPN provider on expiry of the service.

I don't mind PIA - they are cheap as well. But the only problem I am facing is a way to update my VPN IP to OpenDNS to enforce parental controls across the house.
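
Added example, not part of any post in this thread: a small Python check that reads the `PUSH_REPLY` line an OpenVPN client logs on connect and compares the pushed `comp-lzo` and `dhcp-option DNS` values with the local client directives, which is how to confirm what the provider is pushing for compression and DNS. The config fragment, log line, addresses and function names are constructed for illustration; per the OpenVPN 2.3 manual, a client needs at least one `comp-lzo` directive of its own before a pushed compression mode can take effect.

```python
import re

# Constructed sample data (not taken from the thread): a client config fragment
# and one OpenVPN client log line carrying the server's PUSH_REPLY.
LOCAL_CONFIG = """\
cipher AES-128-CBC
dhcp-option DNS 208.67.222.222
"""
SAMPLE_LOG = (
    "openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1,dhcp-option DNS 10.8.0.1,comp-lzo yes,"
    "route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'\n"
)

def pushed_options(log_text):
    """Options from the most recent PUSH_REPLY in the log, or [] if none."""
    replies = re.findall(r"PUSH_REPLY,([^']*)'", log_text)
    return [o.strip() for o in replies[-1].split(",")] if replies else []

def values(options, prefix):
    """Arguments of every option that starts with prefix, e.g. 'dhcp-option DNS'."""
    want = prefix.split()
    return [" ".join(o.split()[len(want):]) for o in options
            if o.split()[:len(want)] == want]

def audit(config_text, log_text):
    """Compare local directives with what the server pushed (hypothetical helper)."""
    local = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith(("#", ";"))]
    pushed = pushed_options(log_text)
    findings = []
    # A client with no comp-lzo line at all cannot accept a pushed compression mode.
    if values(pushed, "comp-lzo") and not values(local, "comp-lzo"):
        findings.append("compression: server pushes comp-lzo %s, client has no comp-lzo directive"
                        % values(pushed, "comp-lzo")[-1])
    local_dns, pushed_dns = values(local, "dhcp-option DNS"), values(pushed, "dhcp-option DNS")
    if pushed_dns and set(pushed_dns) != set(local_dns):
        findings.append("DNS: server pushes %s, local config has %s"
                        % (", ".join(pushed_dns), ", ".join(local_dns) or "none"))
    return findings

if __name__ == "__main__":
    for finding in audit(LOCAL_CONFIG, SAMPLE_LOG):
        print(finding)
```
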
 
I think you are a bit confused. It is normal for the DNS to be that of the VPN. If you use OpenDNS for your DNS when on VPN, it's leaking DNS, which defeats the purpose of a VPN. What you should do is set up your VPN with policy rules ("selective routing").
Put all traffic to VPN except devices such as your children's, and then use DNSFiltering and assign OpenDNS DNS to those devices.
This way you will be sure they are using the proper DNS.

Use this as an example; it explains policy rules and DNSFiltering:

http://www.snbforums.com/threads/ho...y-step-how-to-guide-ver-380-58-updated.30851/
 
Hi, had done all those things perfectly. Everything was working fine until a few days ago.

As I suspected. On contacting my VPN provider they mentioned that they did some migrations that wouldn't allow DNS to leak upstream. On my request they set my VPN to OpenDNS in their settings.
 
Hi
I am not understanding one thing. Why do you need to use a VPN?
The majority of people do it for downloading movies and geometric locations and to have an anonymous IP so that they can surf a little more securely.
When you have a VPN the IP address and DNS are supposed to be the same. This is normal, in order to set up a secure line from the server to the client.
This way, anytime your browser calls for an address, the DNS from the VPN will work and not OpenDNS. If you download movies from Pirate Bay or other torrents, they will know right away who you are, because OpenDNS is public. So why would you want to have OpenDNS for all devices?
Wouldn't you want to control which devices have VPN and which don't, and control their DNS as well?
You can easily do it via selective routing: use Policy Rules in the VPN client, also enable "if tunnel goes down drop connections", and put the following:
192.168.1.0/24 source IP 0.0.0.0 destination IP and Iface VPN. This will force all traffic to the VPN.
Then you can put all the devices that you don't want using the VPN,
for example your kid's iPad: 192.168.1.75 source IP 0.0.0.0 destination and Iface WAN. This will use your local internet service provider.
You can easily assign a static IP for each device as I used in the example and have devices that you don't want using the VPN.
Then you can go to DNSFiltering and point OpenDNS to the IP addresses that you didn't want to be on the VPN.
Now any device that is not on the WAN rule, and its traffic, will use the VPN and its DNS, which is secure.
And all the devices that are on the local internet ISP will be surfing with OpenDNS for kids or whatever you choose, because when you use DNSFiltering you can put up to 3 DNS, so your kids can have OpenDNS and you can have OpenDNS for adults or Google etc.
You can even do it where you add specific addresses to use the VPN and automatically every other device will go through your local ISP, and you can set up DNSFiltering for the devices that you want to use OpenDNS.
It's all explained here:
http://www.snbforums.com/threads/ho...y-step-how-to-guide-ver-380-58-updated.30851/
Think about what you did. You really don't need a VPN if you are going about it the way you are.
Good luck :)
 
@yorgi
Lastly, use VPN client 1 which uses the second core leaving the first core for routing and the second for compression.

The setup you are showing in the link you posted is using "client 2" o_O
 
You are right, with the new firmware Merlin changed the client order and in the article it is correct, I just made an error in this thread.
Thanks for pointing that out.
I just corrected it :)
 
Hi @yorgi,

You have been a great help in my initial setup, but I am stuck at a point. I followed your guide for OpenVPN, but while using my VPN provider PureVPN I am not getting the speed on Merlin firmware. It ranges from 2M/bs to 5 M/bs; ISP speed is 30 M/bs.

My router is an ASUS AC66U and I tried both UDP and TCP for PureVPN. I want OpenVPN to get the routing table in place. Using firmware version 380.58; PureVPN needs aes-256-cbc encryption. Below is the custom script. Tried all the servers and the best speed is 5 M/bs. NAT disabled, compression none, TCP port 80 and UDP is 53.

mute 20
route-method exe
route-delay 2
auth-retry interact
auth-nocache
tls-client
remote-cert-tls server

Any other help will be great.
 
The readings you are getting are normal because the router's CPU is not strong enough to do the job, because it's a single-core CPU and slow in comparison to the newer generation routers from ASUS.
I would suggest you use AES-128-CBC instead of AES-256-CBC; that will definitely help, and I would also make sure to enable block routed clients if tunnel goes down.
When you change to AES-128 the max you will get is 8-10 Mbps, no more than that.
If you want to get better results you should upgrade to a 68U; then you will get 30 Mbps as your ISP.
 
PureVPN does not allow AES-128 encryption, so the only option left is to buy a new box. This is the third router I have bought. Being in the UAE, first you don't get the right hardware. If you do, they are expensive, or shipping cost from abroad increases the cost. I will look for some resale deal. Is there any chart or site for router hardware and firmware options?
 
Why buy more hardware if you don't need it right away? Just get rid of PureVPN and get on PIA.
40 USD a year and you're rocking. Your router will at least give you 10 Mbps on VPN with 128 AES, which is plenty if you want to stream or download a movie or browse.
If you get the RT-AC68U, it's a dual-core CPU and it will easily do your 30 Mbps, and I would suggest you put Merlin firmware on it to get the full advantage of your router.
If you get anything cheaper than the 68U you will be wasting your money. I don't know of any other routers that give you the features that ASUS does for the money you pay for them.
Just remember VPN takes a lot of CPU power in order to work properly, so you need at least a dual-core CPU with Merlin firmware so you can take it to the next level :)
 
