Justin 1 Posted ... Hi there. After some research i spend a lot of money and bought an asus ac87u especially for using the vpn client. regarding to some tests elsewhere and posts here in the forum the router has enough power to do the en/decryption.I'm on a 50 MBit line and i have this speed without vpn. After connecting to airvpn the speeds drops to something around 10-20 MBit/s. This is when i connect to nl.vpn.airdns.org. Every other server in countrys around me (single servers or other country entry urls) gave me less than that. The server near my location are slower than the nl servers. I tried different protocols,ports and the real ips of the server to get dns out of the equation, to no avail)While downloading or during a speedtest the cpu never goes about 50% usage.To me it looks like the only thing that can be the reason for the slow speed must be the airvpn servers. Does anyone have some advice what i can do to get more bandwidth from the vpn? Thanks in advance. Justin Quote Share this post Link to post
Staff 10014 Posted ... Hello, you have reached the limit due to the processing power of your router CPU to encrypt/decrypt an AES-256 flow. Kind regards Quote Share this post Link to post
Justin 1 Posted ... Hi. Beg your pardon but as i said the router never goes about 50% CPU Usage.And for example here is stated that more bandwidth than that is no problem: https://airvpn.org/topic/16636-download-capped-on-asuswrt-router/?do=findComment&comment=36909There someone has 40-50% Speed from 100Mbit. That is a lot more bandwidth compared to what i can get with the same router. Don't get me wrong.I don't want to blame someone or be offensive in any way. I just want understand why to blame the router when there is a lot of horsepower left and others achieve twice the speed with the same router. I may not understand what's going on but i want to learn. Can someone explain please? Regards, Justin Quote Share this post Link to post
Staff 10014 Posted ... Hi. Beg your pardon but as i said the router never goes about 50% CPU Usage. OpenVPN does not scale (no multithreading etc.) on multicore processors. That 50% load may well mean that, in a dual core processor, one core has near-to-0 idle time for example. And for example here is stated that more bandwidth than that is no problem: https://airvpn.org/topic/16636-download-capped-on-asuswrt-router/?do=findComment&comment=36909There someone has 40-50% Speed from 100Mbit. That is a lot more bandwidth compared to what i can get with the same router. But that also depends on other tasks of the CPU. It's not ascertained that your routers are having the exactly identical tasks. Anyway, if you can get more than 20 Mbit/s from your router, let us know. You can quickly discern whether the bottleneck is in the router CPU or not by connecting your computer directly to the same VPN server (disable OpenVPN on the router) and comparing performance under similar conditions. Kind regards Quote Share this post Link to post
m2g2tem 15 Posted ... Hi I have the same router (provided I upgraded Asus-Merlin firmware). I have 3 simultaneous clients at once (no tweaking, just vanilla ovpn configs from vpn providers: PIA, Air and blackVPN, all AES-256-CBC). Additionally I run lighthttpd on it. For every client I can max my ISP connection (minus some minor drop because of encryption: ~3-5%). My ISP pipe is 40 Mb/s. This is *not* the problem with router for sure. Never ever seen problem with processing power of this router. Air happens to be crowdy in peak hours. Check Your connection when there are less than 8500 users online Try Asus-Merlin. You should install it anyway. Quote Share this post Link to post
go558a83nk 364 Posted ... all of you are wrong and need to do some research on what routers are capable of. the AC87 should be able to do more than 50mbit/s. my AC68 can do 50 and the AC87 has a faster processor. to the OP, check out http://www.snbforums.com/forums/asuswrt-merlin.42/ if your'e not using merlin firmware yet, I recommend it. You can also get help in there for any performance problems. Quote Share this post Link to post
Staff 10014 Posted ... The router CPU is the bottleneck. I just did the following test at speedtest.net with Ancha server in NL : Test using my ASUS router with VPN client, exact processor unknown : just over 5 Mbps download. Test using Eddie client on Windows 7 machine with Intel i3-6320 @ 3.9 GHz : 97 Mbps download. Hello, on the other hand this is excessive. Check the OpenVPN sockets buffers sizes in the router (you can see them in OpenVPN logs). If they are smaller than about 260000 bytes, set them to 262144 bytes with directives: sndbuf 262144rcvbuf 262144 Kind regards 1 knighthawk reacted to this Quote Share this post Link to post
Staff 10014 Posted ... all of you are wrong and need to do some research on what routers are capable of. the AC87 should be able to do more than 50mbit/s. my AC68 can do 50 and the AC87 has a faster processor. @karaznie as well Hello, what does this have to do with the issue? Your measurements do not imply that the original poster router has not reached the maximum processing power on the core running OpenVPN. Look at the load of the CPU of the original poster in a dual core processor. Kind regards Quote Share this post Link to post
go558a83nk 364 Posted ... all of you are wrong and need to do some research on what routers are capable of. the AC87 should be able to do more than 50mbit/s. my AC68 can do 50 and the AC87 has a faster processor. @karaznie as well Hello, what does this have to do with the issue? Your measurements do not imply that the original poster router has not reached the maximum processing power on the core running OpenVPN. Look at the load of the CPU of the original poster in a dual core processor. Kind regards the default GUI of asus routers shows the usage of each core as a separate plot. if the core running openvpn was only reaching 50% then it would make sense only 20mbit/s is achieved. The OP using merlin firmware will help with some quirks. if the OP doesn't want to change firmware, I suggest turning off hardware acceleration (in the LAN section) and using openvpn client 2 as client 1 may use the same core as the other kernel processes run on. Quote Share this post Link to post
Justin 1 Posted ... Hi everyone. OP here. thanks for the responses. To clarify some things:I'm on latest official Merlin FW.VPN Client is on core 2.5 GHz WLAN turned off.no ipv6 clients.no tinkering with policy based routing or stuffI do get 20-22 Mbit/s on some seldom occasions. in that case the core with the vpnclient is at something around 50%.Most of the time i only get something around 15 Mbit/s down. (speedof.me and/or downloading some linux iso image)Upload is around 10 Mbit/s with full saturation of the vpnclient core. all with only one client (wlan)(lan makes no difference) what i tried:severs near my location and elsewheredifferent ports and protocolsraising send and recievebuffers (openvpn[863]: Socket Buffers: R=[122880->245760] S=[122880->245760])turn off/on hardware nataccelerationoverclocking the router to 1200,800 (from stock 1000,800) NOTHING made a difference. As soon as i turn off the VPNClient i get full speed. Kind regards. Quote Share this post Link to post
Staff 10014 Posted ... if the core running openvpn was only reaching 50% then it would make sense only 20mbit/s is achieved. @Justin as well That's exactly what we understood since the beginning. And Justin just confirmed that that's what actually happens. So far so good. Now, it would be very interesting to understand how you achieve 40 Mbit/s of AES-256 encryption/decryption with the very same hardware. In addition to the precious suggestion below, could there be some particular process that's loading Justin's router CPU and not yours, perhaps? The OP using merlin firmware will help with some quirks. if the OP doesn't want to change firmware, I suggest turning off hardware acceleration (in the LAN section) and using openvpn client 2 as client 1 may use the same core as the other kernel processes run on. Kind regards Quote Share this post Link to post
go558a83nk 364 Posted ... Justin is using openvpn client 2, which on merlin firmware has affinity for the core that also does kernel work. you see, merlin changes the code so that openvpn client 1 uses less used core because most people automatically use openvpn client 1. Justin, if you have entware installed on a USB disk you can install htop and get a good view of tasks and CPU usage. Or just look in the GUI at the CPU usage graph. Both cores should be heavily used. If not, switch which openvpn client you're using. Also, I didn't hear from you about hardware acceleration. There was some chatter on merlin forums about that actually slowing openvpn down. Quote Share this post Link to post
Justin 1 Posted ... Hi. What Merlin did was to assign different cores to the different vpn clients.client 1 -> core 0client 2 -> core 1client 3 -> core 0..... That is exactly what i see. If i use client1 the only working core is core 0.On client2 both cores are working. a few moments ago i was able to reach 32Mbit after about 15 seconds into the download on nl.vpn.airdns.org;80 UDPwith raised send/rcv buffers and overclocked to 1200,800 and deactivated nas accelerationStill both cores aren't going higher than roughly 55% during downloads.The upload speed was 10Mbit while the cpu core was around 45% Looks like it is very important to switch off/on the router after doing these modifications.The exact same settings gave me less than 15 Mbit/s right after a reboot initiated over the gui minutes ago. Looks like overclocking is not necessary because there is enough horsepower left. To me it looks like it's save to say it's still not the router which is limiting the bandwidth. comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load? Thanks in advance and kind regards, Justin Quote Share this post Link to post
go558a83nk 364 Posted ... Justin, sounds like you've worked out a lot of the trouble spots. How much have you tried different locations to find the route that gives you the best performance? Keep in mind that most of the NL servers are in the same datacenter. So, they'll all give you about the same performance if the route to the datacenter is indeed the bottleneck. My suggestion is to test each unique route (not each server). Also, make sure you try different ports and protocols. Quote Share this post Link to post
Justin 1 Posted ... Hi anyone.I did some more testing and now think it's save to say that disabling hardware nat acceleration did the trick. Not sure about raising the buffersizes.But i now leave it this way.Thanks for all the tips.Can someone answer this question, please:comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load?Kind regards,Justin 1 knighthawk reacted to this Quote Share this post Link to post
go558a83nk 364 Posted ... Hi anyone.I did some more testing and now think it's save to say that disabling hardware nat acceleration did the trick. Not sure about raising the buffersizes.But i now leave it this way.Thanks for all the tips.Can someone answer this question, please:comprehension question: if the router connects to country level entrypoint will it be connected to the fastest server at that moment or to the server with the least number of users or what? And will there be some kind of loadbalancing i.e. switching to another server when under heavy load?Kind regards,Justin you'll be connected to the least used server as far as I know. as I tried to tell you, "speed" will be about the same unless a server is really loaded. speed is much more affected by your route to the datacenter, not the server itself. Quote Share this post Link to post
amair 6 Posted ... Intermittent throttling of vpn traffic by your ISP ? possible ? Quote Share this post Link to post
m2g2tem 15 Posted ... Hi One more comment on this topic. Today, by accident I just discovered that I mighgh be wrong saying I have no slowdown problems with AC87U. Indeed it may have some performance problems with VPN Client AND 2,4 radio. I have no idea why this is it, but while I test 2,4Ghz speed is significantly degraded up to at most 20/28Mbps. While connecting to 5Ghz radio everything seems to work fine. No problem with 40Gbps whatsoever. This is indeed strange behaviour. As for now workaround is to use 5Ghz WI-FI. As a note. If somebody need stable speed through VPN on router level better choice is to invest into something what actually has support for AES acceleration, than even best home router out there. Just building pfSense appliance for this sole purpose based on excellent Intel Atom D2500ccd motherboard (or mitac PD12TI, which is essentially rebranded Intel board). Exactly the same as shown here: https://www.youtube.com/watch?v=f7aIaUhBUIM. If anybody is interested in performance I would show some results. regardsArtur Quote Share this post Link to post
go558a83nk 364 Posted ... I seem to be able to clock 65Mbps out of my ISP and 63Mbps out of PIA. I'm using an ASUS RT-AC5300 with Merlin FW (which should have no problem with AES, and the CPU cores aren't really burdened from the graph on the router). I can take a client and feed it through PIA and get a very slight speed drop, about 2-3Mbps. AirVPN however can't get me above 20Mbps, and is currently under 5Mbps. I got a month subscription to test AirVPN vs PIA, and although you seem to unblock Netflix unlike PIA, that speed is unacceptable, and I don't think it's an overburdened exit node if your load graphs are accurate. it's all about the routes to the server, not the servers (usually). compare the route to the PIA server you use vs routes to Air servers. Quote Share this post Link to post
go558a83nk 364 Posted ... Hi One more comment on this topic. Today, by accident I just discovered that I mighgh be wrong saying I have no slowdown problems with AC87U. Indeed it may have some performance problems with VPN Client AND 2,4 radio. I have no idea why this is it, but while I test 2,4Ghz speed is significantly degraded up to at most 20/28Mbps. While connecting to 5Ghz radio everything seems to work fine. No problem with 40Gbps whatsoever. This is indeed strange behaviour. As for now workaround is to use 5Ghz WI-FI. As a note. If somebody need stable speed through VPN on router level better choice is to invest into something what actually has support for AES acceleration, than even best home router out there. Just building pfSense appliance for this sole purpose based on excellent Intel Atom D2500ccd motherboard (or mitac PD12TI, which is essentially rebranded Intel board). Exactly the same as shown here: https://www.youtube.com/watch?v=f7aIaUhBUIM. If anybody is interested in performance I would show some results. regardsArtur I am interested in the openvpn performance of this. I'm not handy with building "computers" so I've been interested in the hardware pfsense sells, specifically the sg-2220 which has the intel atom 2338 cpu. Quote Share this post Link to post