Jump to content
Not connected, Your IP: 100.24.122.228
batanun

Decent routers for streaming? And possible to disable encryption?

Recommended Posts

Hi,

 

I have tried this service a little bit now, and it seems to work fine for my needs. However I now have two obstacles that I can't seem to overcome with my current setup:

 

1. All supported vpn-clients seem to require admin privileges (Windows) each time I connect to AirVPN, but for my work laptop I need to request admin privileges each and every time (and say why I need them), so it is not feasible in the long run.

 

2. Even if I have my phone or laptop connected to VPN, when I try streaming to my TV using Chromecast (1st gen) it doesn't work, because Chromecast actually performs the http requests itself (ie outside the VPN).

 

The only proper solution to these two problems, as far as understand it, is to have a router with the VPN connection, and then connect both my laptop and Chromecast to this router (using wifi). However, when browsing the forum, many people talk about most standard routers out there having too little CPU power for this. But having a dedicated server for this is out of the question for me, since I need a simple and easy setup, suitable for travel. On the other hand, I don't need "amazing" speed. My current internet connection is 10/1 Mbps, and I think if it drops down to 4-8 Mbps when using a standard DD WRT router setup I still can watch Netflix and similar at decent quality. Anything faster then that would of course be nice, but nothing I am prepared to pay extra for, or spend extra time setting up (unless we talk like 30 minutes extra).

 

So, can someone recommend a decent router that could handle this? Would I need something like Netgear Nighthawk R7000, or can I get away with something cheaper?

 

Preconfigured routers from an online shop is not an option for me, since I am in Thailand at the moment and don't trust the postal service here, also I basically want to find something that I can start using like today or tomorrow. So a list of recommended routers would be really helpful, then I can go to some local IT shop and check what they have and compare to that list.

 

Also, I see that the main reason for the VPN putting so much strain on the router CPU is the encryption and decryption of the data. But is there no way to disable this encryption when not needed? What would be the reason for encrypting my Netflix traffic, for example? I know that the "main" feature of an VPN usually is considered to be privacy of some sort, but in cases when it really isn't needed there should be a way to optimize for speed, right? Because, if encryption could be disabled, surely a much cheaper router would work, and still give good speeds, I am sure...

 

Regards

/Jimi

Share this post


Link to post

For the speeds you're talking about, any recent model router that you can flash with dd-wrt should work fine.  When I first started with AirVPN I was picking up used dlink DIR-615 routers and flashing them.  They worked fine except they could only sustain 7-8 Mbps when connected to the vpn.  This wasn't acceptable for me, but sounds like it would be for you.  So really any flashable router made in the last few years should be fine.  I ended up building myself a pfsense box, which can easily sustain the full speed of my connection (and well beyond).

 

If you want Netflix from another locale then you must route through the vpn and the vpn is always an encrypted connection.  You can't connect to a vpn and have that link not be encrypted, simply not an option.  If you don't want Netflix to be encrypted then you must route such traffic directly through your ISP instead of the through the vpn.  But if you want access to US Netflix, for example, then you must go through the vpn and vpn traffic is always encrypted.

Share this post


Link to post

For the speeds you're talking about, any recent model router that you can flash with dd-wrt should work fine.  When I first started with AirVPN I was picking up used dlink DIR-615 routers and flashing them.  They worked fine except they could only sustain 7-8 Mbps when connected to the vpn.  This wasn't acceptable for me, but sounds like it would be for you.  So really any flashable router made in the last few years should be fine.  I ended up building myself a pfsense box, which can easily sustain the full speed of my connection (and well beyond).

 

If you want Netflix from another locale then you must route through the vpn and the vpn is always an encrypted connection.  You can't connect to a vpn and have that link not be encrypted, simply not an option.  If you don't want Netflix to be encrypted then you must route such traffic directly through your ISP instead of the through the vpn.  But if you want access to US Netflix, for example, then you must go through the vpn and vpn traffic is always encrypted.

 

not 100% true.  I've seen VPN providers that had options to connect with openvpn but with no data channel cipher so that, in theory, routers could run faster for situations where encryption isn't really needed but just a "proxy".

Share this post


Link to post

Interesting.  AirVPN definitely won't provide such a connection, all of their connections are encrypted.  Seems to me that if you don't get an encrypted vpn service then you might just as well jump on any random proxy server and save yourself the money.  The traffic on any vpn tunnel that isn't encrypted can easily be identified by your ISP, the government, etc.  Although I guess if it's just for bypassing Netflix geoblocking then it may not be a big deal.  But then again, if all you're doing is Nexflix rerouting then a dns service is probably a lot less complicated to setup (and more feature rich for the Netflix specific use case).

Share this post


Link to post

I'm not sure about the Netgear routers but if you have an asus router flashed with Merlin and you know a little about scripting you can set up two WiFi networks of which one has vpn connection and the other not. So all you have to do is switch network on the device you don't need vpn on and all other devices are still protected.

 

Without scripting you can set-up rules in the vpn client. Which device goes directly to and wan which device will always go through vpn. This is without scripting but then again you will always need to login on the router.

 

As the router is slower with handling a vpn then a laptop or desktop I would recommend to have the laptop or desktop not connected to the vpn in the router but with the client itself.

 

Good luck

Share this post


Link to post

I'm not sure about the Netgear routers but if you have an asus router flashed with Merlin and you know a little about scripting you can set up two WiFi networks of which one has vpn connection and the other not. So all you have to do is switch network on the device you don't need vpn on and all other devices are still protected.

 

Without scripting you can set-up rules in the vpn client. Which device goes directly to and wan which device will always go through vpn. This is without scripting but then again you will always need to login on the router.

 

As the router is slower with handling a vpn then a laptop or desktop I would recommend to have the laptop or desktop not connected to the vpn in the router but with the client itself.

 

Good luck

 

you don't need scripting to do this with asus merlin firmware.  he's got policy routing for openvpn built into the gui now.  in the openvpn client choose policy routing for the redirect internet traffic option.  read about how to use policy routing in the firmware documentation. 

Share this post


Link to post

 

I'm not sure about the Netgear routers but if you have an asus router flashed with Merlin and you know a little about scripting you can set up two WiFi networks of which one has vpn connection and the other not. So all you have to do is switch network on the device you don't need vpn on and all other devices are still protected.

 

Without scripting you can set-up rules in the vpn client. Which device goes directly to and wan which device will always go through vpn. This is without scripting but then again you will always need to login on the router.

 

As the router is slower with handling a vpn then a laptop or desktop I would recommend to have the laptop or desktop not connected to the vpn in the router but with the client itself.

 

Good luck

 

you don't need scripting to do this with asus merlin firmware.  he's got policy routing for openvpn built into the gui now.  in the openvpn client choose policy routing for the redirect internet traffic option.  read about how to use policy routing in the firmware documentation. 

Didn't know it was implemented for separate SSID's (one for ISP and one for VPN) now.

Share this post


Link to post

 

 

I'm not sure about the Netgear routers but if you have an asus router flashed with Merlin and you know a little about scripting you can set up two WiFi networks of which one has vpn connection and the other not. So all you have to do is switch network on the device you don't need vpn on and all other devices are still protected.

 

Without scripting you can set-up rules in the vpn client. Which device goes directly to and wan which device will always go through vpn. This is without scripting but then again you will always need to login on the router.

 

As the router is slower with handling a vpn then a laptop or desktop I would recommend to have the laptop or desktop not connected to the vpn in the router but with the client itself.

 

Good luck

 

you don't need scripting to do this with asus merlin firmware.  he's got policy routing for openvpn built into the gui now.  in the openvpn client choose policy routing for the redirect internet traffic option.  read about how to use policy routing in the firmware documentation. 

Didn't know it was implemented for separate SSID's (one for ISP and one for VPN) now.

 

no need to worry about separate SSID's.  just set rules for each IP address or a rule to apply to your whole local network.

Share this post


Link to post

 

quotes

 

no need to worry about separate SSID's.  just set rules for each IP address or a rule to apply to your whole local network.

separate SSID's make the switching between VPN or nonVPN switching easier for everyone in your household that doesn't have or isn't allowed acces to the router

Share this post


Link to post

Would this box be fast enough to build my own router with Linux?

 

https://www.zotac.com/nl/product/mini_pcs/zbox-ci323-nano#spec

 

It's got an Intel N3150 quad-core 1.6GHz, up to 2.08GHz, max 8GB DDR3L, M2 SSD & 2.5" SATA slot. Dual Gigabit, 5Ghz wifi. And it's pretty cheap too. Looks like the ideal box to me, but is it fast enough for up to a 100mbit vpn connection?

 

that processor has AES-NI so it can definitely do 100mbit/s openvpn, as long as the cipher is AES.

Share this post


Link to post

Cool.

 

And to be clear, the line in the config file for airvpn that says "cipher AES-256-CBC" is all that matters for this, or do the certificates have a play in this as well?

 

Thanks!

Share this post


Link to post

Cool.

 

And to be clear, the line in the config file for airvpn that says "cipher AES-256-CBC" is all that matters for this, or do the certificates have a play in this as well?

 

Thanks!

 

the high majority of the computations are required for the bulk or payload cipher which is AES-256-CBC.

Share this post


Link to post

Would this box be fast enough to build my own router with Linux?

 

https://www.zotac.com/nl/product/mini_pcs/zbox-ci323-nano#spec

 

It's got an Intel N3150 quad-core 1.6GHz, up to 2.08GHz, max 8GB DDR3L, M2 SSD & 2.5" SATA slot. Dual Gigabit, 5Ghz wifi. And it's pretty cheap too. Looks like the ideal box to me, but is it fast enough for up to a 100mbit vpn connection?

 

I tested  the Zotac ci323 using pfSense on a 160 Mb/s connection and got a max of 126 Mb/s through Airvpn. In comparison I get max 152 Mb/s through Airvpn with an Athlon 5350.

 

My test result was in line (as far as my simple test goes) with mrz comments in this thread

http://forum.mikrotik.com/viewtopic.php?t=103673

 

As it is slow for OpenVPN I will probably use it as a TV box, which it seemed ok at, although it did freeze a couple of time under Ubuntu

Share this post


Link to post

I just bought a CI323 and run pfsense on it with Air.  My internet is only 55mbps down/10mbps up but the CI323 barely breaks a sweat running that speed over OpenVPN.  The CPU on this box supports AES-NI h/w acceleration for crypto and AES-CBC-256 is one of the ciphers it accelerates.  With AES-NI enabled, the CI323 barely hits 5% CPU while sustaining 55mbps.  I don't see why the CI323 couldn't easily do 250Mbs (or more) over OpenVPN with AES-NI enabled.  As always, YMMV (and I've only tested it @ 55mbps).

Share this post


Link to post

Hi SirJohnEh

 

I think pfSense uses AES-NI by default now.

 

Anyway I can't turn it off. I tried swapping 

 

/System/Advance/Miscellaneous/Cryptographic Hardware  from "AES-NI Cpu based Acceleration (aesni)"  to "None"

 

And 

 

/VPN/OpenVPN/Client/Hardware Crypto from "BSD cryptodev engine RSA, DSA, DH" to "No hardware crypto acceleration"

 

Without any effect.

 

I'm not sure what you mean by 5% CPU. 

 

When I ssh into pfsense and use top I see an openvpn process using 70% of WCPU at 126Mb/s. It is possible it gets to 100% and is time averaged down as my download is short.

 

So 126Mb/s  appears to be the real life limit for AES-256-CBC openvpn on the CI232. Confirmed by other testers in the thread I linked to.

 

If you could show me that I'm wrong I would be very grateful as it would mean I could use the CI323 as I intended rather than as an anemic toy.

Share this post


Link to post

I'm really enjoing my Netgear Nighthawk R7000 flashed with Tomato. The dual-core 1GHz processor doesn't falter when doing the encryption and I can get the full speed of my 20/4 connection and the processor isn't even working that hard. I've never used more powerful hardware or pfsense, but I do like the easy of configuration of Tomato, especially on the latest builds.

Share this post


Link to post

@Ernst89

 

I guess I had my numbers mixed up.  Just did some testing now and at 55mbps it's more like 25-30% CPU and uploading at 10mpbs sustained was ~5% CPU.  So your findings are in line with what I'm seeing.  So yeah, I guess these boxes are limited to ~120mbps.

 

But Zotac does make boxes with Intel i5 or even i7 (I think) in them so if you really want a tiny form factor for your router, I think there are Zotacs that can still be had that will be able to handle your inet speed.

Share this post


Link to post

So 126Mb/s  appears to be the real life limit for AES-256-CBC openvpn on the CI232. Confirmed by other testers in the thread I linked to.

 

You are probably wrong with this assumption. Without going much into details, if your CPU is AES-NI capable, you can get at least 250Mb/s with

AES-256-CBC on a local network.

The number can be much higher, in fact, but the 250Mbit is usually what an average recent i5 CPU can do.

 

You should check your speed on a local network and eliminate ISP issues and latency.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

 

So 126Mb/s  appears to be the real life limit for AES-256-CBC openvpn on the CI232. Confirmed by other testers in the thread I linked to.

 

You are probably wrong with this assumption. Without going much into details, if your CPU is AES-NI capable, you can get at least 250Mb/s with

AES-256-CBC on a local network.

The number can be much higher, in fact, but the 250Mbit is usually what an average recent i5 CPU can do.

 

You should check your speed on a local network and eliminate ISP issues and latency.

 

I agree. I just built my own pfsense router based on Gigabyte GA-n3150n-D3V motherboard. Unfortunately I'm waiting to expand my ISP throughput from 40Mbps to 128Mbps, cannot say for sure what is the upper limit. However it seems that 126Mbps limit may apply to this processor without AES-NI support enabled.

 

As an example:

 

My old Asus RT-AC87U router was capable of providing ~40Mbps with following openssl results:

 

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-256-cbc      23002.51k    25947.38k    26494.71k    27123.03k    27271.17k

 

My pfSense router with Celeron N3150 and AES-NI enabled:

 

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-256-cbc      40691.94k   164077.18k  1016619.75k  2500160.95k 42008576.00k

 

load 0,2

 

this is (for 8K blocks) like *1500 times* faster than decent asus router, doing well with 40Mbps of VPN. You read it right - 1500 times faster encryption on N3150 than on 2 core 1,4 Ghz ARM in Asus.

 

For sake of comparison, Celeron N3150 WITHOUT AES-NI:

 

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-256 cbc      23200.16k    28882.77k    29854.05k    75342.85k    76390.40k

 

load 0,6

 

As You can see Celeron N3150 is more or less 3 times faster than quite decent asus RT-AC87U capable of doing at least 40Mbps. This basically sums up to 120Mbps. 

 

I guess that this 126Mbps limit is without AES-NI support. 

Share this post


Link to post

 

So 126Mb/s  appears to be the real life limit for AES-256-CBC openvpn on the CI232. Confirmed by other testers in the thread I linked to.

 

You are probably wrong with this assumption. Without going much into details, if your CPU is AES-NI capable, you can get at least 250Mb/s with

AES-256-CBC on a local network.

The number can be much higher, in fact, but the 250Mbit is usually what an average recent i5 CPU can do.

 

You should check your speed on a local network and eliminate ISP issues and latency.

 

Note I mistakenly called it the CI232 in this quote when it should be CI323.

 

In order to avoid further confusion  can you clarify your response. I have performed a test on this actual hardware which whilst not rigorous was relatively consistent. It also concurs with other testers which I cited. I would have liked to confirmed further by turning AES-NI off but could not work out how to do this in pfSense.

 

Before investing time testing further I would like an indication of your level of confidence that I'm wrong.

 

For instance do you understand that the CI323 uses the intel low power 6W Braswell chip N3150. I would expect this chip to be at least twice as slow as a standard i5 CPU.

 

One of the reasons I posted my findings is to help other people buying hardware. If after further reflection you think your comments might be unhelpful could you correct them so as not to confuse other readers. If you don't think they are wrong could you elaborate on why they are correct.

Share this post


Link to post

You are probably wrong with this assumption. Without going much into details, if your CPU is AES-NI capable, you can get at least 250Mb/s with

 

For instance do you understand that the CI323 uses the intel low power 6W Braswell chip N3150. I would expect this chip to be at least twice as slow as a standard i5 CPU.

 

One of the reasons I posted my findings is to help other people buying hardware. If after further reflection you think your comments might be unhelpful could you correct them so as not to confuse other readers. If you don't think they are wrong could you elaborate on why they are correct.

 

When it comes to AES acceleration, there is no such a big difference between different processors. Sure encryption is not the only thing that should be taken into account, but very important. For sure even low end Atom processors can achieve ~100 - 120 Mbps withouth AES-NI acceleration over OpenVPN (like low end pfSense boxes).

 

I suspect that AES NI support may be disabled in You case. Can You log into Your box and provide output of:

 

(if You use linux)

$ lsmod | grep aes

 

(if You use pfSense/freebsd):

 

$ kldstat | grep aes

 

and also can You check output of. Just curious:

 

$ openssl speed -evp aes-256-cbc

Share this post


Link to post

[2.2.6-RELEASE][root@router.home.lan]/root: kldstat|grep aes
 2    1 0xffffffff82611000 54e5     aesni.ko
[2.2.6-RELEASE][root@router.home.lan]/root: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 688137 aes-256-cbc's in 0.33s
Doing aes-256-cbc for 3s on 64 size blocks: 666199 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 256 size blocks: 527944 aes-256-cbc's in 0.27s
Doing aes-256-cbc for 3s on 1024 size blocks: 306611 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 8192 size blocks: 61542 aes-256-cbc's in 0.03s
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      33554.87k   133109.81k   508813.79k  2511757.31k 16132866.05k

 

That's the output for my CI323 running pfSense 2.2.6.

 

Share this post


Link to post

[2.2.6-RELEASE][root@router.home.lan]/root: kldstat|grep aes

 2    1 0xffffffff82611000 54e5     aesni.ko

[2.2.6-RELEASE][root@router.home.lan]/root: openssl speed -evp aes-256-cbc

Doing aes-256-cbc for 3s on 16 size blocks: 688137 aes-256-cbc's in 0.33s

Doing aes-256-cbc for 3s on 64 size blocks: 666199 aes-256-cbc's in 0.32s

Doing aes-256-cbc for 3s on 256 size blocks: 527944 aes-256-cbc's in 0.27s

Doing aes-256-cbc for 3s on 1024 size blocks: 306611 aes-256-cbc's in 0.13s

Doing aes-256-cbc for 3s on 8192 size blocks: 61542 aes-256-cbc's in 0.03s

OpenSSL 1.0.1l-freebsd 15 Jan 2015

built on: date not available

options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)

compiler: clang

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-256-cbc      33554.87k   133109.81k   508813.79k  2511757.31k 16132866.05k

 

That's the output for my CI323 running pfSense 2.2.6.

 

So I was wrong. You definitely have AES-NI enabled. One more thing: have You enabled it in pfSense System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration? and in OpenVPN Client config for AIR (Hardware Crypto - cryptodev in client configuration)?

 

You may also try to temporarily disable PowerD in System > Advanced > Miscellaneous in Power Savings. Because my N3150 gives 2-4 times better results in openssl speed test (however, even Your result should be enough).

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...