Jump to content
Not connected, Your IP: 54.226.226.30
johnsk

VPN by router considerably slower than using the AirVPN client

Recommended Posts

Hello all

 

I've just started using an ASUS AC87U router. I wanted my VPN extended to all devices in my network, and then I had hoped for a speed increase - because this is a recent router with a bit of processing muscle.

 

My best speed using the AirVPN client (Eddie) on Windows has always been in the neighbourhood of 4 MB/s which is about a third of my connection's potential speed.

 

Here's what has happened after installing the ASUS AC87U:

 

a) Best speed using the openvpn client in the router: 3-3.5 MB/s.

Speed using the AirVPN client (Eddie) and obviously the new router: up to 11 MB/S and generally above 7 MB/S.

 

Speed measurements are simply readouts from uTorrent. I've tested this extensively with many files over a couple of days. Same file and same server tested just after one another. I believe the results to be significant enough to look for an explanation.

 

While I am thrilled about the blazing speeds I suddenly achieve through Eddie, I had actually hoped the router openvpn connection would be this capable.Why do you think the speed difference is so big?

 

Regards

 

Share this post


Link to post

not sure why it's lower than with Eddie in your case.  That router should be able to do openvpn at 50mbit/s. 

 

that said, this is relatively common and I believe it depends on the routing to the server.

 

I have an Asus AC68, overclocked, and can hit 50mbit/s with AES-256-CBC encryption.  57mbits with AES-128-CBC.  It's heavily dependent on route and route conditions I guess.  I can connect to the same server that Eddie (in Linux Mint) gets 115mbit/s download with and my router can do only 30mbit/s.  I examine the openvpn settings and logs to make sure they're the same.  The only difference I can see is that the buffer in Mint is 512kB while in the router the max is 256kB.  Perhaps that's enough for the difference.  I can connect to another VPN provider with servers closer to home and max out the CPU of the router.  so....all I can say is play around with different servers, ports, and protocols.

 

You also might want to install Merlin Asus firmware.  He's got some nice extras in there for the openvpn client.

Share this post


Link to post

Try using OOKLA for your speed tests also try using AirVPN's speed test to verify your speeds calculated with uTorrent.

 

Did you go to Eddie's Preferences-Advanced-General and check the TCP and UDP buffers. (if not, please set to 512 kbs).???

Share this post


Link to post

Thanks for the suggestions - speeds do indeed go up and down a lot. I cannot always achieve the speeds i mentioned for Eddie.

 

The general picture is still that Eddie outperforms my router by quite a lot.

 

I'll try your suggestions and post the findings

Share this post


Link to post

Hello

 

I tested the connections with OOKLA this morning.

 

Router VPN connection on server Miram / NL : 20.35 Mbps DL

Eddie VPN connection from Windows on Miram / NL : 89.99 Mbps DL

 

Tests done within a few minutes of each other. I wonder what is 'stopping' the router. I'm using a secondary DNS from OpneNIC as recommended by AirVPN. https://airvpn.org/asuswrt/

 

I have also previously tried the Asuswrt/merlin firmware for the AC87U, but that didn't change speeds. I didn't like the OpenVPN section of that firmware, so I went back to the original Asus version.

Share this post


Link to post

Sigh...

 

Consumer Grade Routers are not good at encryption.  That's the problem.  Only ONE of the cores on the processor can be used for the encryption calculations.  That router does not have a floating point math co-processor, so it's wholly incapable of performing the calculations at the rate necessary for the heavy encryption.  Even though the AC87U is one of the "better" consumer grade routers (most can't get over 5-10mbps with heavy encryption), it's still horrible for doing what you are trying to do.

 

People love to throw out that theoretical "that router should be capable of 50mbps", which may be true in the ideal world where there are no other variables or conditions, but when you throw in all of the other variables, it's highly unlikely that you would ever max out that router.  The only people who I have seen do that are people who route multiple connections to different cores.  So you have core 1 calculating 20mbps and core 2 calculating 20mbps.  I'm not sure if that particular router can do that, but some people have figured stuff out like that.

Share this post


Link to post

Thanks Khariz - A very plausible explanation. I guess my purchase wasn't that informed. Luckily the router has other clear advantages on my home network - wifi multimedia streaming is much better than what I had before.

 

Also, I can live with having router VPN for general surfing and streaming purposes, and kicking in Eddie if the main task is downloading.

 

Still it's a bit disappointing - but now other potential buyers can find this information here.

 

Sigh...

 

Consumer Grade Routers are not good at encryption.  That's the problem.  Only ONE of the cores on the processor can be used for the encryption calculations.  That router does not have a floating point math co-processor, so it's wholly incapable of performing the calculations at the rate necessary for the heavy encryption.  Even though the AC87U is one of the "better" consumer grade routers (most can't get over 5-10mbps with heavy encryption), it's still horrible for doing what you are trying to do.

 

People love to throw out that theoretical "that router should be capable of 50mbps", which may be true in the ideal world where there are no other variables or conditions, but when you throw in all of the other variables, it's highly unlikely that you would ever max out that router.  The only people who I have seen do that are people who route multiple connections to different cores.  So you have core 1 calculating 20mbps and core 2 calculating 20mbps.  I'm not sure if that particular router can do that, but some people have figured stuff out like that.

Share this post


Link to post

Khariz, openvpn is not multi threaded.  There's no such thing as mapping different connections to different cores.

 

re-read my post above re speeds and nearby servers.  If the CPU isn't maxing then there is some other reason for the slower speeds.  Only real networking experts may know the answer.

Share this post


Link to post

Hi

I just wanted to say something about this , I use since few weeks a new router from asus , ac88u with Merlin and I have a vdsl 50.000 and I download with 5,9 mb/s without vpn (airvpn) I get the same .....

Share this post


Link to post

Hi

I just wanted to say something about this , I use since few weeks a new router from asus , ac88u with Merlin and I have a vdsl 50.000 and I download with 5,9 mb/s without vpn (airvpn) I get the same .....

 

is the server you're connecting to very near to you?

Share this post


Link to post

Thanks Khariz - A very plausible explanation. I guess my purchase wasn't that informed. Luckily the router has other clear advantages on my home network - wifi multimedia streaming is much better than what I had before.

 

Also, I can live with having router VPN for general surfing and streaming purposes, and kicking in Eddie if the main task is downloading.

 

Still it's a bit disappointing - but now other potential buyers can find this information here.

 

 

Hi,

I do understand your dissapointment but I don't agree with the fact that you were mis-informed.

 

There is a certain level of little "homework", or due-dilligence, a subscriber must make before purchasing

a service, be it a VPN, a car, or anything else in life.

 

If my country have a speed limit of 60Mp/h, this would make no sense for me to buy a car that can boost

up to 150Mp/h, and the car manufacturer doesn't have to know what is your local conditions before you

purchase it. This might be not the perfect example, but this was the first thing I could think of.

 

Now, your case is very rare, in a certain proportion...

See, the people that put OpenVPN on a router are usually people who have a very "moderate" ISP line,

let's say something below 30Mbit, and they are totally OK with a router capping 25-30Mbit with AirVPN.

 

Since you state that your connection is 100Mbit, you are in a certain class that is called "power users".

These users either run OpenVPN on their workstation (with a good x64 CPU capable of AES-NI), or on

a special box that does this task for them. Now here we have our special pfSense fan club that anyone

is welcome to join. This will get you (inevitably) to the "Top 10 speed" chart of the main statistics capping

an average speed of 80-150Mbit as long as your ISP can provide it.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Hey johnsk, I have the same router as you (Asus AC87U) and I can tell you that indeed the speed drops when using the router. My ISP provides me with 30mbps speed and using OOKLA speedtest without AirVPN I get around 25-30mbps on nearest Jakarta server (I live in Indonesia).

 

These are my finding of thinkering with AirVPN.

 

First on windows 7 I used OpenVPN and check the speedtest, I get 20-25mbps on Singapore server (Singapore Antares AirVPN server).

 

Then I tried it on the router (Asuswrt-merlin v.380.57), OpenVPN on Antares server and speedtest it, the best I could get was 8mbps, usually it's around 4mbps.

 

Then I have a debian server box connected via OpenVPN as well and connect it. SSH and speedtest it I got 20-30mbps.

 

So based on my tests I figured that the router doesn't work well with VPN yet, I wasnt sure if it's just me until you posted. All my connections are wired connections.

 

I haven't tested the latest Asuswrt-Merlin v.380.58 yet, here is the changelog with OpenVPN stuff. Will try it and see if OpenVPN speeds get better.

- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity.
       Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
           and you enable policy-based routing, then those policies
           will also determine which DNS to use (the tunnel's or
           the ISP's).  This is based on DNSFilter's technology.
           You no longer need to use DNSFilter to control
           the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves
           some throughput issues with it
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores.
         Now, odd instances correctly run on the second core.
- FIXED: Having multiple OpenVPN clients configured with
         multiple "Accept DNS configuration" modes would
         only apply the last client's setting.  Now, we
         apply the most restrictive setting of all
         configured clients.

Share this post


Link to post

 

Hi

I just wanted to say something about this , I use since few weeks a new router from asus , ac88u with Merlin and I have a vdsl 50.000 and I download with 5,9 mb/s without vpn (airvpn) I get the same .....

 

is the server you're connecting to very near to you?

 

 

yes usually I try to log in a server near me ,,,,,,

I have been testing few routers in the last few months and I can say that at moment the best is the Asus ac88u with the Asuswrt-merlin v.380.57, it has a lots of power and I do not see any different when I am with the vpn on or I have it off ....

Share this post


Link to post

Hello Zhang - thanks for your very pedagocical lecture about due diligence in life. I said my purchase wasn't that well informed which in my poor english just means that I hadn't sought information about this aspect of using a router with VPN. Not that it was somebody else's duty to inform me.

 

That being said - of course I fell for the marketing hype about 'Dual Core 1 Ghz' processing power. How was I to inquire whether or not the router was up for the particular task, the details of which (encryption etc.) I am not very familiar with in the first place. You can't research without knowing which questions to ask.

 

 

 

 

 

Thanks Khariz - A very plausible explanation. I guess my purchase wasn't that informed. Luckily the router has other clear advantages on my home network - wifi multimedia streaming is much better than what I had before.

 

Also, I can live with having router VPN for general surfing and streaming purposes, and kicking in Eddie if the main task is downloading.

 

Still it's a bit disappointing - but now other potential buyers can find this information here.

 

 

Hi,

I do understand your dissapointment but I don't agree with the fact that you were mis-informed.

 

There is a certain level of little "homework", or due-dilligence, a subscriber must make before purchasing

a service, be it a VPN, a car, or anything else in life.

 

If my country have a speed limit of 60Mp/h, this would make no sense for me to buy a car that can boost

up to 150Mp/h, and the car manufacturer doesn't have to know what is your local conditions before you

purchase it. This might be not the perfect example, but this was the first thing I could think of.

 

Now, your case is very rare, in a certain proportion...

See, the people that put OpenVPN on a router are usually people who have a very "moderate" ISP line,

let's say something below 30Mbit, and they are totally OK with a router capping 25-30Mbit with AirVPN.

 

Since you state that your connection is 100Mbit, you are in a certain class that is called "power users".

These users either run OpenVPN on their workstation (with a good x64 CPU capable of AES-NI), or on

a special box that does this task for them. Now here we have our special pfSense fan club that anyone

is welcome to join. This will get you (inevitably) to the "Top 10 speed" chart of the main statistics capping

an average speed of 80-150Mbit as long as your ISP can provide it.

Share this post


Link to post

Hello Sevenz - I am glad we're in comparable situations, and that you've had something of a similar experience. What I don't understand exactly is, if you can get 25-30 mbps on your line without VPN, and I can get 20-25 mbps with VPN on the same hardware, then why can't you get 20-25 mbps with VPN on the router, as the hardware should be capable?

 

There are probably other factors complicating this. Thanks for your post.

 

 

Hey johnsk, I have the same router as you (Asus AC87U) and I can tell you that indeed the speed drops when using the router. My ISP provides me with 30mbps speed and using OOKLA speedtest without AirVPN I get around 25-30mbps on nearest Jakarta server (I live in Indonesia).

 

These are my finding of thinkering with AirVPN.

 

First on windows 7 I used OpenVPN and check the speedtest, I get 20-25mbps on Singapore server (Singapore Antares AirVPN server).

 

Then I tried it on the router (Asuswrt-merlin v.380.57), OpenVPN on Antares server and speedtest it, the best I could get was 8mbps, usually it's around 4mbps.

 

Then I have a debian server box connected via OpenVPN as well and connect it. SSH and speedtest it I got 20-30mbps.

 

So based on my tests I figured that the router doesn't work well with VPN yet, I wasnt sure if it's just me until you posted. All my connections are wired connections.

 

I haven't tested the latest Asuswrt-Merlin v.380.58 yet, here is the changelog with OpenVPN stuff. Will try it and see if OpenVPN speeds get better.

- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity.
       Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
           and you enable policy-based routing, then those policies
           will also determine which DNS to use (the tunnel's or
           the ISP's).  This is based on DNSFilter's technology.
           You no longer need to use DNSFilter to control
           the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves
           some throughput issues with it
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores.
         Now, odd instances correctly run on the second core.
- FIXED: Having multiple OpenVPN clients configured with
         multiple "Accept DNS configuration" modes would
         only apply the last client's setting.  Now, we
         apply the most restrictive setting of all
         configured clients.

Share this post


Link to post

Hello

 

The RT-AC88U that you have is listed with a dual core 1.4Ghz processor and my RT-AC87U has a dual core 1Ghz processor.

 

On the other hand, when I do the speedtest with router VPN at OOKLA, my router's core 1 is at 40-50% and the other one is idle. That points me to something mentioned by go558a83nk

above -

 

>>If the CPU isn't maxing then there is some other reason for the slower speeds.  Only real networking experts may know the answer.

 

I'll keep on experimenting and see if I find another explanation as I go along.

 

 

 

 


Hi

I just wanted to say something about this , I use since few weeks a new router from asus , ac88u with Merlin and I have a vdsl 50.000 and I download with 5,9 mb/s without vpn (airvpn) I get the same .....

is the server you're connecting to very near to you?

 

yes usually I try to log in a server near me ,,,,,,

I have been testing few routers in the last few months and I can say that at moment the best is the Asus ac88u with the Asuswrt-merlin v.380.57, it has a lots of power and I do not see any different when I am with the vpn on or I have it off ....

Share this post


Link to post

 

Hello

 

The RT-AC88U that you have is listed with a dual core 1.4Ghz processor and my RT-AC87U has a dual core 1Ghz processor.

 

On the other hand, when I do the speedtest with router VPN at OOKLA, my router's core 1 is at 40-50% and the other one is idle. That points me to something mentioned by go558a83nk

above -

 

>>If the CPU isn't maxing then there is some other reason for the slower speeds.  Only real networking experts may know the answer.

 

I'll keep on experimenting and see if I find another explanation as I go along.

 

 

 

 

Hi

I just wanted to say something about this , I use since few weeks a new router from asus , ac88u with Merlin and I have a vdsl 50.000 and I download with 5,9 mb/s without vpn (airvpn) I get the same .....

is the server you're connecting to very near to you?

 

yes usually I try to log in a server near me ,,,,,,

I have been testing few routers in the last few months and I can say that at moment the best is the Asus ac88u with the Asuswrt-merlin v.380.57, it has a lots of power and I do not see any different when I am with the vpn on or I have it off ....

 

I done a speed test and core 1 is at 40-50% the same as you , so or a dual core 1.4Ghz processor or a dual core 1Ghz processor doesnt make not that much different .... because I get the same as the ac87u ...

Share this post


Link to post

Hello

 

The RT-AC88U that you have is listed with a dual core 1.4Ghz processor and my RT-AC87U has a dual core 1Ghz processor.

 

On the other hand, when I do the speedtest with router VPN at OOKLA, my router's core 1 is at 40-50% and the other one is idle. That points me to something mentioned by go558a83nk

above -

 

>>If the CPU isn't maxing then there is some other reason for the slower speeds.  Only real networking experts may know the answer.

 

I'll keep on experimenting and see if I find another explanation as I go along. 

 

Hey johnsk, I tried upgrading the asuswrt-merlin to v.380.58.

 

My current finding now is this.

 

Win 7 without vpn to Antares on OOKLA: 27-30mbps down/up speed.

Win 7 with openVPN to Antares: 27-29mbps down/up speed.

Win 7 with Asuswrt to Antares: 20mbps down 28-30mbps up speed.

Linux box with Asuswrt to Antares: ~20mbps down 28-30mbps up speed. (There are times connection timed out)

 

I see better speed with the firmware update. But who knows what can be the problem. I`ll test around more

Share this post


Link to post

I have this exact same router. I will tell you that there is no way you're going to get above 30 mbps and an average will likely be about 25 mbps or so. The router's CPU just can't handle the constant stream of encrypt/decrypt at any higher a speed. I tried everything I could to max this baby out using Air (e.g. overclocking, buffer tweaks). Using just my ISP, I easily get my 100 mbps downstream, but once the encryption starts, that's a wrap. Honestly, it's not a defect, it's just the nature of the beast. Using my pfSense box as a router and that expensive router as an AP, I get almost my full 100 mbps downstream through Air, but that's because the router is just relaying the packets, rather than handling the encrypt/decrypt.

 

I know how disappointing it is to spend that much and find out it still can't do everything you want it to.

Share this post


Link to post

Thanks for your contribution - this thread could only be useful to people who want to use VPM by router. Your numbers are very close to what i get with router VPN.

 

I still wonder why the router processor does not max out when doing a speed test. Observing the speed and acceleration when testing is markedly typical to this: the speed shoots up like a rocket and then stops like it hit a virtual concrete block. It then continues stably at a speed almost precise to decimals: 22.23 for instance. It could indeed indicate a hardware limitation as you and others have suggested.

 

I am of course disappointed the device can't handle VPN at faster rates, but the attainable speed is fine for streaming TV over Wifi from for instance the British Broadcasting Corporation. The price is having to switch router VPN on and off for certain tasks. Allow me to mention I'm very happy with the router for other reasons - the WIFI streaming agility is much better than what I had.

 

I have this exact same router. I will tell you that there is no way you're going to get above 30 mbps and an average will likely be about 25 mbps or so. The router's CPU just can't handle the constant stream of encrypt/decrypt at any higher a speed. I tried everything I could to max this baby out using Air (e.g. overclocking, buffer tweaks). Using just my ISP, I easily get my 100 mbps downstream, but once the encryption starts, that's a wrap. Honestly, it's not a defect, it's just the nature of the beast. Using my pfSense box as a router and that expensive router as an AP, I get almost my full 100 mbps downstream through Air, but that's because the router is just relaying the packets, rather than handling the encrypt/decrypt.

 

I know how disappointing it is to spend that much and find out it still can't do everything you want it to.

Share this post


Link to post

just an info

from today there is a new update for the Merlin 380.58_0

and I can say that works much better now

before with the old version I had .....my router's core 1 is at 40-50% now I cannot get max 30% .....

Share this post


Link to post

Unfortunately, no amount of firmware updates is going to compensate the processor's inability to manage the encryption/decryption streams at such a high rate. Even going from a 3ghz Intel Core 2 Duo setup running pfSense to an Intel Atom 2 ghz (which is designed for server applications and encryption/decryption) I have noticed a huge difference in overall stability. It all boils down to the instructions inside the processor and how they handle the encryption. It is still a great consumer grade router and w/o the encryption issue, it easily maxes out my ISP bandwidth and my 802.11AC clients stream data beautifully.

Share this post


Link to post

Yep, I have to agree with @SumRndmDude because the encryption/decryption will take time to process, it's better than before though. Still I`m happy with the router itself because of its capabilities. In the end I used my linuxbox with openvpn for downloading and such. And manually connect on windows when I needed with openvpn

Share this post


Link to post

Really wish people would stop pinning the issue to the Routers CPU and ability to processing the encrypted data. It generally has nothing to do with that, unless your using a router built 10 years ago. All modern routers are capable of running a VPN connection properly.

I found the issue to actually be the QoS settings on my router. The router applies the max UPLOAD speed to the VPN connection in both directions. So if you have QoS switched on and you have say a upload speed of 5Mbps then the VPN connection is automatically restricted to a max of 5Mbps - and yo would get a DL speed of about 4.5Mbps (taking into account the end to end overhead).

Here is video demonstrating the issue. Maybe it is a similar issue for you, so maybe check your settings and see if it helps.

Cheers

Share this post


Link to post

Really wish people would stop pinning the issue to the Routers CPU and ability to processing the encrypted data. It generally has nothing to do with that, unless your using a router built 10 years ago. All modern routers are capable of running a VPN connection properly.

 

Undoubtedly QoS can play an important role in shaping your VPN traffic and your suggestion is precious, but you're wrong about the CPU: even the latest generation routers for consumers mount ARM CPUs which are not able (on a single core, because OpenVPN runs only in one core) to beat 50 Mbit/s of AES-256 encryption/decryption in the best case scenario (in real life usage the performance is usually worse due to the other tasks the CPU must perform and distribute the load amongst).

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...