VPN speeds with RT-AC87U

madfusker

Regular Contributor
I searched this forum for some threads on RT-AC87U VPN speeds and didn't really find any. I am looking for encryption performance data to make sure I am getting what I should be from the device. Is anyone getting more than 20M down when using AES-128-CBC? To my surprise, even with AES-256-CBC I still get a solid 20M and I thought it would slow it more with higher encryption. But I did notice the router CPU is only about 40% when pulling a solid 20M stream down, so seems like it could do more with some configuration. Here are my test sets on 384.4_2 firmware, solid 135M down cable connection, and using speedtest.net and speedtest.xfinity.com:

PC using torguard client (87U is not doing any VPN at all, and just routing):
- I get ~130M down on both AES-128 and AES-256.
- This is using a powerful PC to do the encryption and so I get full speed.
- Shows my VPN is capable of giving me speeds of my cable modem connection spec 135M/8M.

Asus RT-87U router connected to either PIA or Torguard:
- 20M down regardless of AES-128 or AES-256 (I can confirm the connection encryption in the logs)
Code:
Apr 27 10:07:04 ovpn-client1[11215]: VERIFY EKU OK
Apr 27 10:07:04 ovpn-client1[11215]: VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Apr 27 10:07:04 ovpn-client1[11215]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'
Apr 27 10:07:04 ovpn-client1[11215]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Apr 27 10:07:04 ovpn-client1[11215]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 27 10:07:04 ovpn-client1[11215]: [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]69.12.94.138:1912
Apr 27 10:07:05 ovpn-client1[11215]: SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
Apr 27 10:07:05 ovpn-client1[11215]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.35.0.14 10.35.0.13,peer-id 2'
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: route options modified
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: peer-id set
Apr 27 10:07:05 ovpn-client1[11215]: OPTIONS IMPORT: adjusting link_mtu to 1657
Apr 27 10:07:05 ovpn-client1[11215]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 27 10:07:05 ovpn-client1[11215]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 27 10:07:05 ovpn-client1[11215]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 27 10:07:05 ovpn-client1[11215]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
So what I really want to know, is there anyone with RT-87U getting higher speeds over VPN, and if so can you share settings on how you did it?
 

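An added example, not part of the original posts: a small Python parser for the kind of OpenVPN client log shown above. It separates the control-channel TLS suite from the data-channel cipher and HMAC (the lines that describe what protects, and costs CPU on, the tunnel traffic) and records the option mismatches from the WARNING lines. Function names are this example's own; the sample input reuses lines from the log in the post.

```python
import re

# Sample input: lines taken from the OpenVPN client log in the post above.
SAMPLE_LOG = """\
Apr 27 10:07:04 ovpn-client1[11215]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'
Apr 27 10:07:04 ovpn-client1[11215]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Apr 27 10:07:04 ovpn-client1[11215]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 27 10:07:05 ovpn-client1[11215]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 27 10:07:05 ovpn-client1[11215]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 27 10:07:05 ovpn-client1[11215]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 27 10:07:05 ovpn-client1[11215]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

CONTROL = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,\s]+), (\d+) bit (\w+)")
CIPHER = re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized with (\d+) bit key")
HMAC = re.compile(r"(Outgoing|Incoming) Data Channel: Using \d+ bit message hash '([^']+)'")
MISMATCH = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, "
                      r"local='\S+ (\d+)', remote='\S+ (\d+)'")

def _slot(out, direction):
    # hmac stays None when no HMAC line is logged (AEAD ciphers such as AES-128-GCM)
    return out["data"].setdefault(direction, {"cipher": None, "key_bits": None, "hmac": None})

def summarize(log_text):
    """Return what was negotiated on each channel plus any option mismatches."""
    out = {"control": None, "data": {}, "mismatch": {}}
    for line in log_text.splitlines():
        if m := CONTROL.search(line):
            out["control"] = {"tls": m[1], "suite": m[2], "key": f"{m[4]}-{m[3]}"}
        elif m := CIPHER.search(line):
            _slot(out, m[1]).update(cipher=m[2], key_bits=int(m[3]))
        elif m := HMAC.search(line):
            _slot(out, m[1])["hmac"] = m[2]
        elif m := MISMATCH.search(line):
            local, remote = int(m[2]), int(m[3])
            out["mismatch"][m[1]] = {"local": local, "remote": remote, "delta": local - remote}
    return out

def data_channel_ciphers(summary):
    """Set of data-channel ciphers in use; more than one means the directions disagree."""
    return {d["cipher"] for d in summary["data"].values()}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["control"], s["data"], s["mismatch"], sep="\n")
```

On the sample, the control channel reports an AES256-GCM TLS suite while both data-channel directions use AES-128-CBC with SHA256 HMAC, and both mismatched MTU options differ from the server's value by 32.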
Thanks skeal. That did help some and now I'm showing a consistent slight increase to 25M!

My initial post got botched so see above for context. I upgraded from AC68U to get better CPU for VPN, but seems like I should be able to get more out of the 87U.

Here are my custom settings:
Code:
remote-cert-tls server
setenv CLIENT_CERT 0
tls-version-min 1.2
tun-mtu-extra 32
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
 
Those stats are great for your model. Mine is the same and I have an AC3100. The real VPN performance is the AC86U; it has a crypto chip and just flies.
 
My best result with my RT-AC87U is 9.11MB = 72.88Mbit
Client with my computer 21.3MB = 170.4Mbit
Tested with wget downloading a 100MB file in 11sec and 4.9sec with client in computer
Running OVPN AES-256-CBC
Try switching to TCP (port 443) instead of UDP if possible; it made a lot of difference for me
 
Cool! Looking at the specs on your AC3100, the only difference between it and 88U is LAC. Can anyone comment what the 88U gets? I assume this is the upgrade from the 87U.

Anyone have any stats they can share on AC86U? Might not be worth it for me to upgrade if I only get about 40-50M, however if I could get 80-100M or closer to my true connection speed, it would be.
 
I can saturate my 100/40 connection using my Astrill VPN account with an AC86U, from memory I've seen people say they can get in excess of 200Mbit
 
- Command: $ wget https://github.com/MythTV/mythtv/archive/v29.1.tar.gz
- When going through the router and "VPN off", I have put that machine's IP in the rules list for NOT running its traffic through the VPN tunnel, even though the router VPN is on (policy exception list). Linux PC is an older Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz.

Windows 10 PC going through the AC87U/UDP/Port 1912/AES-128:
#1) 87U VPN on: v29.1.tar.gz 100%[===========================================>] 100.72M 1.94MB/s in 51s
#2) 87U VPN off: v29.1.tar.gz 100%[===========================================>] 100.72M 15.7MB/s in 6.7s

Linux PC going through the AC87U/TCP/Port 443/AES-128
#3) 87U VPN on: v29.1.tar.gz 100%[============================================>] 100.72M 4.40MB/s in 31s
#4) 87U VPN off:v29.1.tar.gz 100%[============================================>] 100.72M 15.7MB/s in 7.2s

Now with the downloaded client on the PC:
Linux PC not using router at all/UDP/Port 1912/AES-128 (using linux torguard client directly on the Linux PC and no router)
#5) TG Client VPN on v29.1.tar.gz 100%[========================================>] 100.72M 9.62MB/s in 17s
#6) TG Client VPN off v29.1.tar.gz 100%[========================================>] 100.72M 15.7MB/s in 6.8s

- I believe it's clear there are no issues with the VPN services and I get the same results on PIA as well as Torguard.
- Tests #2, #4, #6 show that with no VPN I can grab that file in about 7 seconds.
- Tests #1, #3 show I can grab it in 51 seconds with UDP, and 31 seconds with TCP 443 (thanks Zastoff for the TCP tip, though I thought UDP was supposed to be better!)
- Test #5 shows I can grab in 6.8 sec when using the client on the Linux PC. The Windows PC shows the same high speed. This shows when using VPN client on the PC it's still fast. Points to the 87U being the bottleneck.

In summary, when using the Torguard or PIA client I can saturate my connection and get a full 100M+, but anything through the 87U gets me 20M. Zastoff, let me know if my config is any different from yours (attached).

@Adamm, looks like AC86U is the machine to have for full speed! If I could just get the ~70M that Zastoff has I'd probably call it good.

 
Hmm, doesn't look that different.
TLS control channel security: outgoing auth (1) on mine.
Legacy/fallback cipher: AES-256-CBC
TLS Renegotiation Time: 432000
Poll Interval: 0 (change it to 30 now) o_O
Some ISPs lower speeds on traffic they can't recognize, so that's why TCP (port 443) works better sometimes.
Remember reading somewhere about disabling NAT acceleration under LAN/Switch Control; you only need that on if you have higher speeds than 300Mbit (mine is set to off).
 
Just to update everyone, I purchased an AC86U yesterday and now I get my full connection speed on my 200M cable modem. Router is the shiz when it comes to VPN speeds.
 
Thanks for the update madfusker. If ever using a vpn + fast ISP, guess I'll have to change gear too.

For the time being, no vpn and blazing fast 15Mb connection, still long and prosper life for my 87U =P

Cheers!
 
I posted some metrics a few months back. In a nutshell, I found AES-128-GCM to be the best go-to cipher for performance, replacing AES-128-CBC.
 
I'd love to see that post if you can link me.

Now I need to sell both of my 87U, one used, and one unused spare. Does this forum have a for-sale section? Or does anyone know a good place to sell outside of the obvious like ebay? I guess I'm looking for the swappa.com (phones) equivalent if anyone knows of anything like that.
 
I never got more than 50 megabit on my 87.

More realistic was 40-45.

AES-128-CBC

200 or so on my 86.
 
I upgraded from an RT-AC88U to an RT-AC86U because I wanted more VPN Speed.
Since the RT-AC88U CPU is missing AES-NI, it's slower when it comes to an OpenVPN connection. The same applies to the RT-AC87U.
See my test published.
 
I did some testing a while back (January 2017) that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN client on three different ASUS routers. All routers running Asuswrt-Merlin 380 branch firmware. Connecting to PIA VPN servers on port 1198 via UDP.

AC3100 (1.4 GHz dual core)
CTF (Cut Through Forwarding NAT Acceleration)
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
DL: 74 Mbps with core 1 at 30%, core 2 at 85% with mods*
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC68U (1.0 GHz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%


AC86U (1.8 GHz dual core) (tested 12/20/17)
Flow Cache enabled
DL: 223 Mbps with core 1 at 35%, core 2 at 70%
UL: 233 Mbps with core 1 at 55%, core 2 at 90%

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

*Adding the following lines to the custom configuration bumped the DL speeds to 74 Mbps.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

I also got a little speed increase by adding:
fast-io
 
