Will a high-end consumer router have enough processing power to function as 1000 Mbps+ Wireguard VPN client?

MustacheSwe

Occasional Visitor
QUESTION:
Will a modern high-end consumer router such as Asus RT-AXE7800 have enough processing horsepower to function as 1000 Mbps+ Wireguard VPN client?

BACKGROUND:
I currently have a 1 Gbps (1000 Mbps) fiber broadband connection to my home. With my current Asus RT-AC86U router, my wifi will reach maximum 650 Mbps speeds. When I activate the OpenVPN client in the router (for several different reasons, I must use a VPN), the speeds go down to 200-250 Mbps. This is not disastrous, but with three teens and friends streaming and gaming practically 24/7, and two parents videoconferencing for work, I would gladly pay for more bandwidth. All stationary devices such as gaming desktops, NAS units etc in the household are wired, but we still run out of bandwidth once in a while.

My understanding has been that it is the slower OpenVPN protocol itself that is the major and unavoidable factor in losing throughput (possibly further limited by the weak processing power of an entry-level consumer router?).

A few years ago, I looked into the possibility of using the faster Wireguard VPN protocol, which my VPN provider also offers. My Asus router can indeed use the more advanced Merlin firmware to get Wireguard VPN functionality, but I decided not to go that route since I did not feel comfortable replacing the router firmware, and potentially introducing more complexity and higher need for maintenance. I want my router to be something more "set and forget", with basically zero maintenance and downtime, once it is set up.

Recently, my broadband provider started offering reasonably priced 10 Gbps (10 000 Mbps) capacity. That made me look at my setup again. I discovered that higher-end consumer routers such as the Wifi 6E Asus RT-AXE7800 (or even the cheaper Wifi 6 Asus RT-AX86U?) now offer Wireguard VPN functionality out of the box. They also offer a 2,5 Gbps WAN port. And they offer the Wifi 6 and Wifi 6E wifi protocol. (We currently have few clients in the household that can use Wifi 6E, but most do support Wifi 6 today.)

Am I wrong in thinking that, if I upgrade my broadband to 10 Gbps, and upgrade my router to something like Asus RT-AXE7800, I should be able to reach wifi (with Wireguard VPN) speeds of up to maybe 1000-1200 Mbps? It seems like the limiting factor will still be the VPN client speed of the router? (In fact, upgrading the broadband may not be necessary, since the wifi throughput and the VPN will probably cap bandwidth at around 1000 Mbps anyway?)
 
I discovered that higher-end consumer routers such as the Wifi 6E Asus RT-AXE7800 (or even the cheaper Wifi 6 Asus RT-AX86U?) now offer Wireguard VPN functionality out of the box.

You failed to discover that RT-AXE7800 is not a high-end router. It has a weaker CPU than RT-AX86U and is slower on OpenVPN than your old RT-AC86U. It also has weak 2x2 2.4GHz and 6GHz radios. Forget about Gigabit VPN on consumer routers and don't even dream about 10Gbps. Why is your gaming, streaming and videoconferencing going through VPN is another question you perhaps have no good answer to. Your Wi-Fi speeds - limited by client capabilities. If you want close to Gigabit on Wi-Fi you have to upgrade your Wi-Fi clients as well. The router only is not enough.
 
Wireguard works differently from ovpn in that it scales and spawns more instances of the process as demand increases for bandwidth. It's lightweight in terms of demand of the CPU. Using a diy setup I could get line speed through WG and ovpn would top out at 600mbps.

Consumer gear though might get you there but, if you want whole house VPN I would invest in something more substantial than something off the shelf at your local store.
 
I have a 1.2 gig connection and I run a Wireguard VPN client on my VPN appliance which has an I7 processor, and my download speeds are normally around 650 - 750 Mbps with an occasional peak speed up to 850 Mbps. While commercial VPN providers seemed to have increased their bandwidth in recent years, I doubt that many are willing and able to support connection speeds in excess of 1,000 Mbps.
 
You failed to discover that RT-AXE7800 is not a high-end router. It has a weaker CPU than RT-AX86U and is slower on OpenVPN than your old RT-AC86U. It also has weak 2x2 2.4GHz and 6GHz radios. Forget about Gigabit VPN on consumer routers and don't even dream about 10Gbps. Why is your gaming, streaming and videoconferencing going through VPN is another question you perhaps have no good answer to. Your Wi-Fi speeds - limited by client capabilities. If you want close to Gigabit on Wi-Fi you have to upgrade your Wi-Fi clients as well. The router only is not enough.
Thanks for your valid comments!

Regarding CPU: I saw that the RT-AXE7800 has a quad core processor, and since my understanding of Wireguard is that it (in contrast to OpenVPN) is multi-threaded, I simply assumed that performance would be higher if I would use Wireguard on a quad core CPU, rather than OpenVPN on my current dual core CPU?..

Regarding what to tunnel through VPN, you do have a point that it may seem unnecessary to have for example gaming go through the VPN. But as far as I have understood, VPN policies can "only" be applied to IP addresses and/or MAC addresses? The problem is that both my teens and my wife and me use the same computers for both streaming/videoconferencing and for web surfing etc. Therefore, I would not want to exclude entire computers from the VPN tunnel. I could theoretically exclude from the VPN certain IP addresses of for example streaming services such as Youtube, Netflix, Teams calls, etc. But that would become quite a long list to set up, maintain and update as new services are used... Or am I missing some other way of channeling traffic inside/outside the VPN tunnel?
 
Nord does consistently.
I have a 1.2 gig connection and I run a Wireguard VPN client on my VPN appliance which has an I7 processor, and my download speeds are normally around 650 - 750 Mbps with an occasional peak speed up to 850 Mbps. While commercial VPN providers seemed to have increased their bandwidth in recent years, I doubt that many are willing and able to support connection speeds in excess of 1,000 Mbps.
Thanks @Tech Junky and @CaptainSTX ! Really good insights! But also a little disappointing that even a powerful i7-processor cannot give 1Gbps+ VPN throughput with Wireguard... :-( I clearly was over-optimistic to believe that modern consumer routers were now powerful enough for this...
 
Thanks @Tech Junky and @CaptainSTX ! Really good insights! But also a little disappointing that even a powerful i7-processor cannot give 1Gbps+ VPN throughput with Wireguard... :-( I clearly was over-optimistic to believe that modern consumer routers were now powerful enough for this...
I'm not sure how much is processor and how much is the commercial VPN provider's server. Also your distance from the server is a contributing factor.
 
I tested a few when I was up for renewal to maybe shave a few dollars off the total but, they all had niche things to activate on boot or overall just slower. Distance didn't really play into performance for me at least. Distance might affect first hop out of the ISP latency / ping. What's more important is their backhaul and subscriber saturation. Then the location of their registration for incorporation for spying on your data by the government. The whole point is to keep your data private from outside entities.
 
Recently, my broadband provider started offering reasonably priced 10 Gbps (10 000 Mbps) capacity.
o_O
With comcrap prices for 1G-up 40-down, I can barely keep food on the table.

EDIT: I would pay slightly more, if the UL speed would match the DL speed!
Recently put OVPN and WG on my router, and I am pleased with how well the two work together.
 
o_O
With comcrap prices for 1G-up 40-down, I can barely keep food on the table.
Then you'd have real food issues with their pro 2ge fiber at $300/mo. Not sure if that's current pricing as I haven't looked lately. At least it's symmetrical speeds and no data cap. You should look into FWA as both TMO and VZW are quite cheaper and higher upload. Your cell phone should give you an idea of what speeds to expect.
 
Draytek Vigor 3910:

The Vigor 3910 allows you to have up to 500 simultaneous VPN tunnels to remote offices or teleworkers, with over 3Gbps of VPN throughput.

 
o_O
With comcrap prices for 1G-up 40-down, I can barely keep food on the table.

EDIT: I would pay slightly more, if the UL speed would match the DL speed!
Recently put OVPN and WG on my router, and I am pleased with how well the two work together.
Haha, sorry to hear that!! 😜 This is in Sweden, and 10 Gbps (symmetric) will cost me about 45 USD/month, including the modem (or whatever you call it? Between the fiber connection and your own switch or wifi router). The 1 Gbps (symmetric) I have currently costs 25 USD/mth.

Edit: no data caps. 👍🤩
 
The problem is that both my teens and my wife and me use the same computers for both streaming/videoconferencing and for web surfing etc.
Why is your streaming/videoconferencing and web surfing etc. going through VPN?
The Vigor 3910 allows you to have up to 500 simultaneous VPN tunnels to remote offices or teleworkers, with over 3Gbps of VPN throughput.
Not for OpenVPN/Wireguard ;)
Max. Concurrent OpenVPN + SSL VPN: 200
IPsec VPN Performance: 3.3 Gbps*
SSL VPN Performance: 1.6 Gbps*
*LAN-LAN routing mode.
The throughput figures are maximum, based on DrayTek internal testing with optimal conditions. The actual performance may vary depending on the different network conditions and applications activated.
 
From previous discussions here, wireguard on Asus is still single threaded (unless potentially you set up multiple tunnels, but not sure if even that helps). Top of the line Asus router, maybe 500 mbit (and until the upcoming flow cache bypass is put in, that's maxing out the CPU and nothing else can run). IPSEC and Wireguard in server mode can approach 1G but that's not what you need.

For what you're looking for, the most price effective solution will probably be an x86 based mini PC, they can be found for under $150 on amazon but you may need a higher end one to hit 1G. Over 1G plan on spending a nice chunk of change, and your VPN provider probably won't support that speed anyway.
 
Thanks! This is *very* valuable information about the limitations of Asus routers — gives me something to start searching for more knowledge about! 👌😊

Also thanks for recommendation of mini PC. You are probably right. (I am, however, a little surprised that a beefier mini PC (i5-i7) for this purpose is fairly expensive…)
 
Why is your streaming/videoconferencing and web surfing etc. going through VPN?
Regarding what to tunnel through VPN, you do have a point that it may seem unnecessary to have for example gaming go through the VPN. But as far as I have understood, VPN policies can "only" be applied to IP addresses and/or MAC addresses? The problem is that both my teens and my wife and me use the same computers for both streaming/videoconferencing and for web surfing etc. Therefore, I would not want to exclude entire computers from the VPN tunnel. I could theoretically exclude from the VPN certain IP addresses of for example streaming services such as Youtube, Netflix, Teams calls, etc. But that would become quite a long list to set up, maintain and update as new services are used... Or am I missing some other way of channeling traffic inside/outside the VPN tunnel?
 
channeling traffic inside/outside the VPN tunnel?
I run mine on a PC+Linux and for things I want to bypass like banks I add routes that push traffic out the wan instead. It takes a bit of detective work for some and others a quick nslookup of the domain gives the IPs needed. There are some curated lists out there though for things like Netflix or Amazon that make it easy to gather info on if needed. Apps to monitor traffic like ntopng or netwatch can make it easy to spot the traffic destination.
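
Added example, not part of any post in this thread: a dry-run sketch of the "nslookup, then add routes out the WAN" approach described in the reply above, for a Linux box acting as the VPN gateway. The interface name `eth0`, the gateway `192.0.2.1`, the domain `bank.example` and the resolver output are all constructed placeholders; the script only prints the `ip route` commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Assumed values (placeholders from documentation address ranges).
WAN_IF="eth0"        # physical WAN interface, not the WireGuard one
WAN_GW="192.0.2.1"   # ISP-side default gateway

# Constructed sample of `nslookup bank.example` output; not real data.
sample_nslookup() {
cat <<'EOF'
Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
Name:	bank.example
Address: 198.51.100.10
Name:	bank.example
Address: 198.51.100.11
Name:	bank.example
Address: 2001:db8::10
EOF
}

# Keep only IPv4 answers. The resolver's own "Address:" line appears
# before the answer section, so it is ignored until an answer starts.
extract_ipv4() {
    awk '/^Non-authoritative answer|^Name:/ { ans = 1 }
         ans && $1 == "Address:" &&
         $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' | sort -u
}

# Emit one /32 host route per address. A host route is more specific
# than the tunnel's default route, so it wins the route lookup.
# IPv6 answers are skipped here; they would need `ip -6 route` and an
# IPv6 gateway, otherwise that traffic still follows the tunnel.
bypass_routes() {
    extract_ipv4 | while read -r ip; do
        echo "ip route replace $ip/32 via $WAN_GW dev $WAN_IF"
    done
}

sample_nslookup | bypass_routes
```

Services behind CDNs rotate addresses, so a list built this way has to be regenerated periodically, which is the maintenance burden raised earlier in the thread.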
 