VPN Throughput loss

[Uthall]

Hello,

I have a 50Mb link, and find that enabling an OpeNVPN session on the router generally loses me 50% of my download bandwidth.

For example, a speedtest to a site giveS me 21Mb down without VPN, and then 9Mb down with VPN.

Uploads dont seem anywhere as badly affected.

Is the 68U just not powerful enough for VPN?

 

[netware5]

Hello,

I have a 50Mb link, and find that enabling an OpeNVPN session on the router generally loses me 50% of my download bandwidth.

For example, a speedtest to a site giveS me 21Mb down without VPN, and then 9Mb down with VPN.

Uploads dont seem anywhere as badly affected.

Is the 68U just not powerful enough for VPN?

This is normal. You cannot expect a consumer-grade router to have sufficient CPU power to perform OpenVPN encryption/decryption. Do some search in this forum to see typical OpenVPN speeds of Asus routers. It also depends on encryption settings, compression settings, type of OpenVPN tunnel (TCP or UDP) and OpenVPN version.

 

[Uthall]

OK no worries,

Any chance you could point me to the relevant thread?

Id be keen to know the best setting to ensure fastest throughput

 

[netware5]

Just a couple of questions:
1. As I understood you want to run OpenVPN client on the router in order to tunnel whole traffic of your LAN devices to the OpenVPN server of your OpenVPN service provider. Isn't it?
2. If this is the case, what are the requirements or supported options of your OpenVPN service provider? Cipher (AES256, AES 128, or any other)? Compression (lzo, lz4, or none)? Version of OpenVPN (2.3.x or 2.4.x)? What is the tunnel speed that your OpenVPN provider declares to guarantee? What is the upload speed provided by your ISP?
3. Do you have any other CPU consuming services running on you router (Samba, DLNA, Torrent client, etc.)? Do you use the router as a NAS?

 

[Uthall]

Yes to that, although i may be selective with traffic at some point.

Im using PIA or ExpressVPN, so whatever their normal specs are.

My internet speeds are 50Mb down and 20Mb up.

 

[netware5]

I am not familiar with PIA or ExpressVPN. I am using my router in opposite way - as a private OpenVPN server in order to connect to it from outside. I am a road warrior

In theory and in practice your router should be about twice faster than mine. In theory my router should reach about 25 Mbps with AES-128 encryption according to some old Merlin's tests. In practice I am using OpenVPN 2.4.x with AES-256-GCM encryption and lz4 compression. I am able to reach 12-14 Mbps under these conditions. My ISP speed is 50 Mbps download and 30 Mbps upload.

I am asking for your OpenVPN provider requirements, because you shall follow them and you have no control over them. While I am able to change the tunnel parameters according to my needs, because I have control over my OpenVPN server.

Simply speaking:

1. AES-256 is slower than AES-128
2. AES GCM is faster that AES CBC
3. lz4 is faster than lzo
4. it is better to avoid lzo - use lz4 (if both client and server are OpenVPN 2.4.x) or use "none" if one of the peers is OpenVPN 2.3.x.
5. UDP tunnel is faster than TCP tunnel

In any case you should be able to reach about 25 Mbps with your router and even more. If you are not able, then your OpenVPN provider is the bottleneck or your router is overloaded by other services.

 

[Uthall]

Thanks

There must be a limitation on my RT-AC68U then, as regardless of config, im going from 45Mb without VPN to 15Mb with.....

Ive tried 3 separate VPN providers all giving around the same result.......

Curious, does QOS or NAT acceleration have an affect?

 

[netware5]

Thanks

There must be a limitation on my RT-AC68U then, as regardless of config, im going from 45Mb without VPN to 15Mb with.....

Ive tried 3 separate VPN providers all giving around the same result.......

Curious, does QOS or NAT acceleration have an affect?

Yes, both may affect. Do some experiments with/without. How your PC used to do speedtest is connected to the router - LAN or Wi-Fi?

 

[Alfsu]

My openvpn client (UDP with AES-128) in an AC68P clocked @ 1 GHz, is connected to my own openvpn server (Odroid C2 - quad core @ 2 GHz) across the Atlantic with FTTH on both ends, and I can almost get the entire bandwidth of the client's ISP (50 Mbps).
Some days are better than others, probably due to the limitations of the bandwidth of the ISP plus the country's censorship servers (the router is located in the middle east).
So it is possible to get decent speeds from an AC68U, check if yours is running @ 800 MHz and clock it to 1000 MHz to see if there is any improvement.

Good luck!

 

[doczenith1]

I did some testing a while back (January 2017) that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN client running Asuswrt-Merlin 380.64 firmware. Connecting to PIA VPN servers on port 1198.

AC68U (1.0 Ghz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128-CBC
Data authentication: SHA1
Handshake: RSA-2048

Curious, does QOS or NAT acceleration have an affect?

I don't think I tried any speed tests with NAT acceleration off. I not sure that having it on would help. In my experience when not using the VPN core 1 seems to max out when running speed test and having NAT acceleration on brings the cpu usage down. Core 2 usage is negligible during the speed tests. Looking at the results above using the VPN it appears that the VPN is powered by core 2 so the NAT reducing core 1 might not have that big of an effect. I have no idea about QOS.