What would be the best possible NordVPN bandwidth for RT-AC5300?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Elrendhel

New Around Here
Good afternoon folks!

I just set up NordVPN on my RT-AC5300, and worked with their support folks on tweaking some aspects of the configuration, and finally got everything working except the bandwidth. I am very lucky to have access to 1G Fiber, so I usually get 930Mbit Down & 900Mbit Up under normal circumstances (non-VPN). Originally I was told that I could expect a 30% drop in bandwidth, and I'm fine with that. But in reality, with VPN enabled I'm getting 67Mbit Down and 60Mbit Up.

I got bounced around a lot towards the end of the support chat, but the guy that I worked with last seemed like he really didn't want to be bothered to dig-in and provide any real support. After confirming I was set to UDP and had already changed the VPN Server IP once before, he quickly threw-up the white flag. He even had a prepared response that he just copy/pasted on me:

The downside to OpenVPN is that in its current architecture, it is not scalable. It runs as a monolithic process and cannot run multi-threaded. This means that if you have a beefy processor with 8 cores and each of the core has 8 threads, OpenVPN will use only a single thread in one of the available cores. Regarding routers - they do not have powerful CPUs, thus encrypting and decrypting OpenVPN traffic is a real challenge for them. For that reason, the speed can drop by a large amount. You could try increasing your speed by connecting to a few different servers (preferably to the ones in yours or neighbouring country) or changing between TCP and UDP. If these changes do not help and you are getting better speeds while connected to the same servers with our software on your computer, then, unfortunately, your router's hardware cannot encrypt the internet traffic fast enough and this is the reason for speed drop. In this case, there is nothing that I can suggest you, unfortunately.

I have no doubt that OpenVPN is not very efficient, but I was expecting that I would at least be able to get about 300-650Mbit out of the connection with VPN enabled, especially with the more heavy-duty RT-AC5300 in my corner. I asked him why then does my CPU only show 3 to 5% utilization? He never replied back after that. So just out of curiosity:

1.) Is he being lazy, or does anyone think that 67Mbit Up & Down the probably the best I can hope for with an RT-AC5300 and NordVPN?

2.) What is the best bandwidth speed you could obtain on what ASUS/Merlin router via NordVPN?

I'd really appreciate anyone who could take a few minutes to post their thoughts or contribute their findings along this line. Thank you ALL.

-Elrendhel
 

eibgrad

Very Senior Member
Honestly, much of his response is correct, *except* the reason performance is so poor w/ these consumer routers is NOT due primarily to encryption. Yes, having AES-NI assist helps, but its effects are relatively marginal (ppl routinely overstate its impact). Assisted encryption might improve matters 5-15% (hard to be exact), but the real culprit is the fact that OpenVPN has to run in user-space and NOT the kernel! As such, it's subject to constant ring changes to manage the tunnel. That's why you can take the exact same hardware, install firmware w/ Wireguard support (which does run in the kernel), and get triple the performance, AES-NI or no AES-NI. Just ask dd-wrt users.

The only solution for OpenVPN on the router is just more raw horsepower. I always tell ppl at least 1.4GHz (which according to wikidevi is the case for your RT-AC5300), but more is always better.

This is one of the reasons I moved my own OpenVPN client off the router (RT-AC68U, 800MHz, so even worse) and over to a small form-factor PC running dd-wrt x86. Even though the specs are pitiful for a PC by today's standards (circa 2013), it blows the pants off even the best, modern consumer router. And that's because the PC architecture, even the old stuff, can handle the ring changes with relative ease.

P.S. Although out of favor these days (and for good reason), PPTP suffers from the same problems as OpenVPN.
 

joe scian

Very Senior Member
Good afternoon folks!

I just set up NordVPN on my RT-AC5300, and worked with their support folks on tweaking some aspects of the configuration, and finally got everything working except the bandwidth. I am very lucky to have access to 1G Fiber, so I usually get 930Mbit Down & 900Mbit Up under normal circumstances (non-VPN). Originally I was told that I could expect a 30% drop in bandwidth, and I'm fine with that. But in reality, with VPN enabled I'm getting 67Mbit Down and 60Mbit Up.

I got bounced around a lot towards the end of the support chat, but the guy that I worked with last seemed like he really didn't want to be bothered to dig-in and provide any real support. After confirming I was set to UDP and had already changed the VPN Server IP once before, he quickly threw-up the white flag. He even had a prepared response that he just copy/pasted on me:



I have no doubt that OpenVPN is not very efficient, but I was expecting that I would at least be able to get about 300-650Mbit out of the connection with VPN enabled, especially with the more heavy-duty RT-AC5300 in my corner. I asked him why then does my CPU only show 3 to 5% utilization? He never replied back after that. So just out of curiosity:

1.) Is he being lazy, or does anyone think that 67Mbit Up & Down the probably the best I can hope for with an RT-AC5300 and NordVPN?

2.) What is the best bandwidth speed you could obtain on what ASUS/Merlin router via NordVPN?

I'd really appreciate anyone who could take a few minutes to post their thoughts or contribute their findings along this line. Thank you ALL.

-Elrendhel
I got much better OVPN Server performance when I upgraded the RT-AC5300 to the RT-AC86U and my RT-AX86U is even better performance.
 
Last edited:

Elrendhel

New Around Here
but the real culprit is the fact that OpenVPN has to run in user-space and NOT the kernel! As such, it's subject to constant ring changes to manage the tunnel. That's why you can take the exact same hardware, install firmware w/ Wireguard support (which does run in the kernel), and get triple the performance, AES-NI or no AES-NI. Just ask dd-wrt users.
Thank you for the response eibgrad!

Is there any hope for using Merlin to get that Wireguard support, or is it limited to firmware like DD-WRT only?

If not, then I might be more inclined to follow your example and just build a separate PC Server to host the VPN. In that case, would Wireguard be the preferred software to use, and is NordVPN compatible with it?
 

Viktor Jaep

Regular Contributor
I'd really appreciate anyone who could take a few minutes to post their thoughts or contribute their findings along this line. Thank you ALL.

-Elrendhel

I can't speak for NordVPN, but as an ExpressVPN user was experiencing some of the same issues that you may have been facing. I used to run an RT-AC3100, and was lucky if I could get 15Mbps down and 5Mbps up... I upgraded to the AC86U with a dedicated AES processor, and it jumped up to a max around 140-150Mbps down/20Mbps up. I'm on a 300Mbps Xfinity cable connection, and get that or slightly higher outside of the vpn. Of course, speeds are variable depending on how far away you choose your endpoint to be, so mileage may vary (no pun intended). ;)
 

Elrendhel

New Around Here
I can't speak for NordVPN, but as an ExpressVPN user was experiencing some of the same issues that you may have been facing. I used to run an RT-AC3100, and was lucky if I could get 15Mbps down and 5Mbps up... I upgraded to the AC86U with a dedicated AES processor, and it jumped up to a max around 140-150Mbps down/20Mbps up.
Thank you Viktor! Very much appreciated!

Now that I have the RT-AC5300 and two RT-AC88U's set up, I have great coverage and am leaning away from the purchase of further router/mesh hardware for the sake of improving the VPN connection speed. It would seem more appropriate to just build a PC-based VPN server like eibgrad above.

Thank you again for your thoughts!
 

eibgrad

Very Senior Member
@Elrendhel

Is there any hope for using Merlin to get that Wireguard support, or is it limited to firmware like DD-WRT only?

Merlin is a bit unique when it comes to third-party firmware. Much of what he supports is dictated by what ASUS is willing to support in their own OEM firmware. So I have no idea if and when Wireguard support might come to ASUS and/or Merlin. What support you might find is among the script writers (a common avenue of attack when the firmware won't budge), but even so, I suspect Wireguard might only be available for execution in user-space, negating much of its performance benefits.

Of course, if you go w/ dd-wrt, then you lose all the other benefits of Merlin, and for many, that's not acceptable.

If not, then I might be more inclined to follow your example and just build a separate PC Server to host the VPN. In that case, would Wireguard be the preferred software to use, and is NordVPN compatible with it?

We could spend hours debating the pluses and minuses of OpenVPN vs. Wireguard, or any other VPN. But let me whittle it down to the essentials from the narrow perspective of these consumer routers.

The *biggest* difference between Wireguard and any other VPN is that (afaik) it's the only one that runs in the kernel. That's like being given a 10 lap headstart @ Indy! No other VPN can compete, at least when measured on performance alone. Given the same router (i.e., all other things being equal), and performance being your *only* criteria, you'd be crazy NOT to use Wireguard. That is until your router is so ridiculously overpowered for a small embedded device (like my PC), that the performance differences finally begin to diminish, and the advantages/disadvantages of Wireguard vs. some other VPN become more nuanced (e.g., some users may gravitate to Wireguard because of its simplicity, while others, concerned about its security implications due to running in the kernel, gravitate to OpenVPN).

So would *I* chose to use Wireguard on my PC? NO! OpenVPN works flawlessly, has a long history of features and proven success, does NOT run in the kernel (relieving my security concerns), and offers features Wireguard does NOT (e.g., OpenVPN supports both routed and bridged tunnels, whereas Wireguard only supports the former).

In a nutshell, I don't need/want what Wireguard is offering given I'm no longer handcuffed by a low-powered, consumer router to support my VPN.
As far as NordVPN, OpenVPN is a standard, so the PC will support any OpenVPN provider I want. FWIW, I'm using ExpressVPN at the moment.

P.S. I just realized you were probably concerned about Wireguard support w/ NordVPN. I have no idea. Ask them. I know some VPN providers support it, but sometimes only via their own client app (e.g., ExpressVPN, they call it Lightway).
 
Last edited:

ColinTaylor

Part of the Furniture
Yes, having AES-NI assist helps, but its effects are relatively marginal (ppl routinely overstate its impact). Assisted encryption might improve matters 5-15% (hard to be exact), but the real culprit is the fact that OpenVPN has to run in user-space and NOT the kernel!
This is not entirely true. Whilst OpenVPN on the router does indeed have many issues, like being single threaded, having AES-NI does have a significant impact. There are numerous posts and threads (like this one) where people are typically getting 200Mbps on an RT-AC86U using OpenVPN. By your calculation they should only be getting about 95Mbps based on its 28% faster CPU compared to the RT-AC5300.

However, any comparisons between OpenVPN and Wireguard are academic if you're using NordVPN. To use Wireguard with NordVPN you must use their app which (AFAIK) is not available for Asus routers.
 

eibgrad

Very Senior Member
This is not entirely true. Whilst OpenVPN on the router does indeed have many issues, like being single threaded, having AES-NI does have a significant impact. There are numerous posts and threads (like this one) where people are typically getting 200Mbps on an RT-AC86U using OpenVPN. By your calculation they should only be getting about 95Mbps based on its 28% faster CPU compared to the RT-AC5300.

Encryption might very well have a bigger impact w/ higher end routers, but you have to get there first!

When it comes to the more modest routers (which is what I'm talking about) that struggle to get any decent performance w/ OpenVPN, the benefits of AES-NI, in relative terms, doesn't matter all that much. That's NOT what's causing the problem for *those* routers. That's my point.

I've done extensive testing in this regard, including configuring my own VPS w/ OpenVPN server, testing both PTMP (point to multipoint) and PTP (point-to-point) OpenVPN configurations. In the latter case, I even disabled encryption entirely! Just an unencrypted, in the clear, plain ol' tunnel. It doesn't get any simpler or less demanding. Yet, no matter the OpenVPN configuration, the results were always pretty much the same, regardless of third-party firmware. They might have differed ever so slightly due to encryption, but at 25-30Mbps w/ my RT-AC68U, 5-15% does mean all that much. It certainly isn't the difference maker when it comes to *those* routers. Again, that's my point.

Once you have a high-end router and get beyond this issue, all bets are off.
 
Last edited:

ColinTaylor

Part of the Furniture
But that's not a valid comparison because a) the RT-AC68U does not have AES-NI so there's no way to test it, and b) this thread is not talking about the RT-AC68U it's talking about the RT-AC5300 which is more comparable to the RT-AC86U. So to make a blanket statement that AES-NI only offers a 5-15% improvement is simply no true.
 

octopus

Very Senior Member
With my old RT-AC68U I get 25-35 Mbps with 128-GCM chiper.
On my RT-AX86U with CHACHA20-POLY1305 I can reach ~200Mbps with AES-NI it's 85% faster.
 

eibgrad

Very Senior Member

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top