Jump to content
Not connected, Your IP: 44.200.169.91

Recommended Posts

Hi there.

 

After some research i spend a lot of money and bought an asus ac87u especially for using the vpn client. regarding to some tests elsewhere and posts here in the forum the router has enough power to do the en/decryption.

I'm on a 50 MBit line and i have this speed without vpn. After connecting to airvpn the speeds drops to something around 10-20 MBit/s. This is when i connect to nl.vpn.airdns.org. Every other server in countrys around me (single servers or other country entry urls) gave me less than that. The server near my location are slower than the nl servers. I tried different protocols,ports and the real ips of the server to get dns out of the equation, to no avail)

While downloading or during a speedtest the cpu never goes about 50% usage.

To me it looks like the only thing that can be the reason for the slow speed must be the airvpn servers.

 

Does anyone have some advice what i can do to get more bandwidth from the vpn?

 

Thanks in advance.

 

Justin

 

Share this post


Link to post

Hello,

 

you have reached the limit due to the processing power of your router CPU to encrypt/decrypt an AES-256 flow.

 

Kind regards

Share this post


Link to post

Hi.

 

Beg your pardon but as i said the router never goes about 50% CPU Usage.

And for example here is stated that more bandwidth than that is no problem: https://airvpn.org/topic/16636-download-capped-on-asuswrt-router/?do=findComment&comment=36909

There someone has 40-50% Speed from 100Mbit. That is a lot more bandwidth compared to what i can get with the same router.

 

Don't get me wrong.I don't want to blame someone or be offensive in any way. I just want understand why to blame the router when there is a lot of horsepower left and others achieve twice the speed with the same router. I may not understand what's going on but i want to learn. Can someone explain please?

 

Regards,

 

Justin

Share this post


Link to post

Hi.

 

Beg your pardon but as i said the router never goes about 50% CPU Usage.

 

 

OpenVPN does not scale (no multithreading etc.) on multicore processors. That 50% load may well mean that, in a dual core processor, one core has near-to-0 idle time for example.

 

 

And for example here is stated that more bandwidth than that is no problem: https://airvpn.org/topic/16636-download-capped-on-asuswrt-router/?do=findComment&comment=36909

There someone has 40-50% Speed from 100Mbit. That is a lot more bandwidth compared to what i can get with the same router.

 

But that also depends on other tasks of the CPU. It's not ascertained that your routers are having the exactly identical tasks.

 

Anyway, if you can get more than 20 Mbit/s from your router, let us know. You can quickly discern whether the bottleneck is in the router CPU or not by connecting your computer directly to the same VPN server (disable OpenVPN on the router) and comparing performance under similar conditions.

 

Kind regards

Share this post


Link to post

Hi

 

I have the same router (provided I upgraded Asus-Merlin firmware). I have 3 simultaneous clients at once (no tweaking, just vanilla ovpn configs from vpn providers: PIA, Air and blackVPN, all AES-256-CBC). Additionally I run lighthttpd on it. For every client I can max my ISP connection (minus some minor drop because of encryption: ~3-5%). My ISP pipe is 40 Mb/s. This is *not* the problem with router for sure. Never ever seen problem with processing power of this router.

 

Air happens to be crowdy in peak hours. Check Your connection when there are less than 8500 users online

 

Try Asus-Merlin. You should install it anyway.

Share this post


Link to post

all of you are wrong and need to do some research on what routers are capable of.  the AC87 should be able to do more than 50mbit/s.  my AC68 can do 50 and the AC87 has a faster processor.

 

to the OP, check out http://www.snbforums.com/forums/asuswrt-merlin.42/  if your'e not using merlin firmware yet, I recommend it.  You can also get help in there for any performance problems.

Share this post


Link to post

The router CPU is the bottleneck. I just did the following test at speedtest.net with Ancha server in NL :

 

Test using my ASUS router with VPN client, exact processor unknown : just over 5 Mbps download.

 

Test using Eddie client on Windows 7 machine with Intel i3-6320 @ 3.9 GHz : 97 Mbps download.

 

Hello,

 

on the other hand this is excessive. Check the OpenVPN sockets buffers sizes in the router (you can see them in OpenVPN logs). If they are smaller than about 260000 bytes, set them to 262144 bytes with directives:

 

sndbuf 262144

rcvbuf 262144

 

Kind regards

Share this post


Link to post

all of you are wrong and need to do some research on what routers are capable of.  the AC87 should be able to do more than 50mbit/s.  my AC68 can do 50 and the AC87 has a faster processor.

 

 

@karaznie as well

 

Hello,

 

what does this have to do with the issue? Your measurements do not imply that the original poster router has not reached the maximum processing power on the core running OpenVPN.

 

Look at the load of the CPU of the original poster in a dual core processor.

 

Kind regards

Share this post


Link to post

 

all of you are wrong and need to do some research on what routers are capable of.  the AC87 should be able to do more than 50mbit/s.  my AC68 can do 50 and the AC87 has a faster processor.

 

 

@karaznie as well

 

Hello,

 

what does this have to do with the issue? Your measurements do not imply that the original poster router has not reached the maximum processing power on the core running OpenVPN.

 

Look at the load of the CPU of the original poster in a dual core processor.

 

Kind regards

 

the default GUI of asus routers shows the usage of each core as a separate plot.  if the core running openvpn was only reaching 50% then it would make sense only 20mbit/s is achieved.

 

The OP using merlin firmware will help with some quirks.  if the OP doesn't want to change firmware, I suggest turning off hardware acceleration (in the LAN section) and using openvpn client 2 as client 1 may use the same core as the other kernel processes run on.

Share this post


Link to post

Hi everyone.

 

OP here.

 

thanks for the responses.

 

To clarify some things:

I'm on latest official Merlin FW.

VPN Client is on core 2.

5 GHz WLAN turned off.

no ipv6 clients.

no tinkering with policy based routing or stuff

I do get 20-22 Mbit/s on some seldom occasions. in that case the core with the vpnclient is at something around 50%.

Most of the time i only get something around 15 Mbit/s down. (speedof.me and/or downloading some linux iso image)

Upload is around 10 Mbit/s with full saturation of the vpnclient core.

 

all with only one client (wlan)

(lan makes no difference)

 

what i tried:

severs near my location and elsewhere

different ports and protocols

raising send and recievebuffers (openvpn[863]: Socket Buffers: R=[122880->245760] S=[122880->245760])

turn off/on hardware natacceleration

overclocking the router to 1200,800 (from stock 1000,800)

 

NOTHING made a difference.

 

As soon as i turn off the VPNClient i get full speed.

 

Kind regards.

Share this post


Link to post

 if the core running openvpn was only reaching 50% then it would make sense only 20mbit/s is achieved.

 

@Justin as well

 

That's exactly what we understood since the beginning. And Justin just confirmed that that's what actually happens. So far so good.

 

Now, it would be very interesting to understand how you achieve 40 Mbit/s of AES-256 encryption/decryption with the very same hardware. In addition to the precious suggestion below, could there be some particular process that's loading Justin's router CPU and not yours, perhaps?

 

The OP using merlin firmware will help with some quirks.  if the OP doesn't want to change firmware, I suggest turning off hardware acceleration (in the LAN section) and using openvpn client 2 as client 1 may use the same core as the other kernel processes run on.

 

Kind regards

Share this post


Link to post

Justin is using openvpn client 2, which on merlin firmware has affinity for the core that also does kernel work.  you see, merlin changes the code so that openvpn client 1 uses less used core because most people automatically use openvpn client 1.

 

Justin, if you have entware installed on a USB disk you can install htop and get a good view of tasks and CPU usage.  Or just look in the GUI at the CPU usage graph.  Both cores should be heavily used.  If not, switch which openvpn client you're using.

 

Also, I didn't hear from you about hardware acceleration.  There was some chatter on merlin forums about that actually slowing openvpn down.

Share this post


Link to post

Hi.

 

What Merlin did was to assign different cores to the different vpn clients.

client 1 -> core 0

client 2 -> core 1

client 3 -> core 0

.....

 

That is exactly what i see. If i use client1 the only working core is core 0.

On client2 both cores are working.

 

a few moments ago i was able to reach 32Mbit after about 15 seconds into the download on nl.vpn.airdns.org;80 UDP

with raised send/rcv buffers and overclocked to 1200,800 and deactivated nas acceleration

Still both cores aren't going higher than roughly 55% during downloads.

The upload speed was 10Mbit while the cpu core was around 45%

 

Looks like it is very important to switch off/on the router after doing these modifications.

The exact same settings gave me less than 15 Mbit/s right after a reboot initiated over the gui minutes ago.

 

Looks like overclocking is not necessary because there is enough horsepower left.

 

To me it looks like it's save to say it's still not the router which is limiting the bandwidth.

 

comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of  users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load?

 

Thanks in advance and kind regards,

 

Justin

Share this post


Link to post

Justin, sounds like you've worked out a lot of the trouble spots.  How much have you tried different locations to find the route that gives you the best performance?  Keep in mind that most of the NL servers are in the same datacenter.  So, they'll all give you about the same performance if the route to the datacenter is indeed the bottleneck.  My suggestion is to test each unique route (not each server).  Also, make sure you try different ports and protocols.

Share this post


Link to post

Hi anyone.

​I did some more testing and now think it's save to say that disabling hardware nat acceleration did the trick. Not sure about raising the buffersizes.

​But i now leave it this way.

​Thanks for all the tips.

​Can someone answer this question, please:

​comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of  users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load?

​Kind regards,

​Justin

Share this post


Link to post

Hi anyone.

​I did some more testing and now think it's save to say that disabling hardware nat acceleration did the trick. Not sure about raising the buffersizes.

​But i now leave it this way.

​Thanks for all the tips.

​Can someone answer this question, please:

​comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of  users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load?

​Kind regards,

​Justin

 

you'll be connected to the least used server as far as I know. as I tried to tell you, "speed" will be about the same unless a server is really loaded.  speed is much more affected by your route to the datacenter, not the server itself. 

Share this post


Link to post

Hi

 

One more comment on this topic. Today, by accident I just discovered that I mighgh be wrong saying I have no slowdown problems with AC87U. Indeed it may have some performance problems with VPN Client AND 2,4 radio. I have no idea why this is it, but while I test 2,4Ghz speed is significantly degraded up to at most 20/28Mbps. While connecting to 5Ghz radio everything seems to work fine. No problem with 40Gbps whatsoever. This is indeed strange behaviour. As for now workaround is to use 5Ghz WI-FI.

 

As a note. If somebody need stable speed through VPN on router level better choice is to invest into something what actually has support for AES acceleration, than even best home router out there. Just building pfSense appliance for this sole purpose based on excellent Intel Atom D2500ccd motherboard (or mitac PD12TI, which is essentially rebranded Intel board). Exactly the same as shown here: https://www.youtube.com/watch?v=f7aIaUhBUIM. If anybody is interested in performance I would show some results. 

 

regards

Artur

Share this post


Link to post

I seem to be able to clock 65Mbps out of my ISP and 63Mbps out of PIA.

 

I'm using an ASUS RT-AC5300 with Merlin FW (which should have no problem with AES, and the CPU cores aren't really burdened from the graph on the router).

 

I can take a client and feed it through PIA and get a very slight speed drop, about 2-3Mbps.

 

AirVPN however can't get me above 20Mbps, and is currently under 5Mbps.

 

I got a month subscription to test AirVPN vs PIA, and although you seem to unblock Netflix unlike PIA, that speed is unacceptable, and I don't think it's an overburdened exit node if your load graphs are accurate.

 

it's all about the routes to the server, not the servers (usually).  compare the route to the PIA server you use vs routes to Air servers. 

Share this post


Link to post

Hi

 

One more comment on this topic. Today, by accident I just discovered that I mighgh be wrong saying I have no slowdown problems with AC87U. Indeed it may have some performance problems with VPN Client AND 2,4 radio. I have no idea why this is it, but while I test 2,4Ghz speed is significantly degraded up to at most 20/28Mbps. While connecting to 5Ghz radio everything seems to work fine. No problem with 40Gbps whatsoever. This is indeed strange behaviour. As for now workaround is to use 5Ghz WI-FI.

 

As a note. If somebody need stable speed through VPN on router level better choice is to invest into something what actually has support for AES acceleration, than even best home router out there. Just building pfSense appliance for this sole purpose based on excellent Intel Atom D2500ccd motherboard (or mitac PD12TI, which is essentially rebranded Intel board). Exactly the same as shown here: https://www.youtube.com/watch?v=f7aIaUhBUIM. If anybody is interested in performance I would show some results. 

 

regards

Artur

 

I am interested in the openvpn performance of this.  I'm not handy with building "computers" so I've been interested in the hardware pfsense sells, specifically the sg-2220 which has the intel atom 2338 cpu. 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...