Hardware Acceleration is Here for Routers Using OpenVPN

Posted on Aug 29, 2018 by Derek Zimmer

One of the most popular privacy uses for a VPN is setting up the service on a VPN router. The router protects the entire network behind it by routing all of the devices through your preferred VPN service by default.

There are a few big advantages to using a VPN router:

-For network users, the VPN is “on” by default, and after the router is set up you do not need to install a client or sign in to the VPN services on your individual devices.

-Mobile devices are not handling the encryption and decryption of the VPN, increasing battery life for connected devices.

-Guests on the network are automatically protected.

-Devices that do not support VPNs natively (like gaming consoles and smart TVs) can connect and use the VPN network.

There are two primary disadvantages to using a VPN router:

-Setting up a VPN router can be complicated. (There is a guide to setting up this router at the bottom of this article.)

-Speed. The hardware in consumer-level routers is generally cheap, low-end chips made by a handful of manufacturers around the world. The router’s processor can therefore significantly hamper a VPN connection: if it cannot process the encryption and decryption fast enough, it slows every device’s connection down to the speed at which the router can process the data.

Until now!

Broadcom, one of the companies that engineers and manufactures CPUs for consumer-level routers, has designed a new CPU that has hardware acceleration for cryptography. This is a feature that has been in Intel and AMD processors for years, but this is the first low-end networking CPU to hit the market en masse with this feature.

Hardware acceleration is an enormous performance increase for processors that are doing crypto, because instead of performing these functions in software, the processor itself has all of the functions hard-coded into it, allowing an order of magnitude more performance.

This article focuses on a VPN router that likely has hardware acceleration enabled (the Asus RT-AC86U 2018), and tests various configurations to make sure that the feature is working.

(Note: There are multiple versions of the RT-AC86U and if you’re buying a router for this purpose, only the newer versions of the router have the new CPU with hardware acceleration. The best way to find the version of the RT-AC86U that has the feature is to make sure that the one you are looking to buy has the “AC2900” feature.)

Why I Looked Into the RT-AC86U

I noticed in some documentation for new Broadcom chips that they had moved to a different ARM CPU design, called the Cortex A53. What Broadcom does is take this ARM CPU, and pair it with other processors designed for networking to create a “System on a Chip” (also known as a SoC). You’ll notice that two new Broadcom CPUs are using the A53.

Broadcom Router Specifications

What is interesting is that while Broadcom primarily moved to this chip to support future 5G wireless systems, they appear to have also opted to add optional hardware acceleration support for cryptography, because it is built into the Cortex A53 and B53 chips that they’ve selected.

ARM Processor Specifications

So what devices are using these Broadcom processors?

Asus RT-AC68U Extreme
Asus RT-AC86U (AC2900 version)
Asus GT-AC5300
Asus GT-AX11000
Asus RT-AX95U
Asus RT-AX88U
Arris SurfBoard W31
D-Link DIR-X6060
(Leave a comment with a reference if you know of any other routers that use these specific Broadcom chips.)

For the purposes of this research I have selected the RT-AC86U (AC2600 version) so that I could test the stock Asus firmware, and the popular Asus Merlin project’s firmware, and to see if hardware acceleration was indeed working for both of these router operating systems. Asus has had strong support for OpenVPN built into their routers for quite some time, and the ease-of-use of the stock AsusWRT is a nice-to-have feature. It was around $190 on Amazon at the time of this writing. It isn’t cheap, but it isn’t a bleeding edge $400 VPN router either.

Testing OpenVPN on Private Internet Access:

So while Asus has done an okay job of implementing support for OpenVPN so that it works, they have not done enough to make the process easy, nor have they done a great job of keeping OpenVPN itself up to date. After creating a custom config file for the hardware accelerated settings, you can see in the system logs that the router is using OpenVPN version 2.3.2, which is ancient as well as vulnerable to a mess of nasty bugs.

Asus using outdated OpenVPN 2.3.2

This means that hardware acceleration, our hallmark feature that we want to make OpenVPN fast, does not work with the stock Asus firmware.

This leaves us with the custom Merlin firmware for support.

Merlin for the Asus RT-AC86U can be found here: https://sourceforge.net/projects/asuswrt-merlin/files/RT-AC86U/

And some simple tips for flashing to Merlin are here: https://github.com/RMerl/asuswrt-merlin/wiki/Installation

I then went ahead and set up the router on Merlin to connect to Private Internet Access using AES-256-GCM (which is hardware accelerated). The instructions to set up PIA for hardware acceleration are at the bottom of this article.

We can see that hardware acceleration is working from the speeds alone, as these speeds would not be attainable by the CPU in the router if it wasn’t working. 75-80Mbps is what we would expect from ARM A53 @ 1.8GHz.

But I also checked CPU utilization on the router while performing a speed test to determine if speeds were being limited by the CPU or by my network.

Success! We have a VPN router that doesn’t sacrifice speed! The CPU utilization during the speed test shows us that the speed is not limited by the processor in the router.

The final verdict: Hardware acceleration is present and working, but not supported by AsusWRT (yet). You have to install Merlin on your VPN router to get it working.
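
The two checks described above (the OpenVPN version shown in the system log, and whether the CPU offers crypto instructions at all) can be scripted. This is an added example, not part of the original article or of the Asus or Merlin firmware; the function names are hypothetical and the sample log lines and cpuinfo text are constructed. It relies on AES-GCM data-channel ciphers having first shipped in OpenVPN 2.4, and both checks are prerequisites only: the speed test remains the real confirmation.

```shell
#!/bin/sh
# Added example: pre-flight checks for hardware-accelerated AES-256-GCM
# on an OpenVPN router. Passing both is necessary, not sufficient.

# cpu_has_aes: read Linux /proc/cpuinfo text on stdin; succeed if the CPU
# advertises AES instructions ("Features" line on ARM, "flags" on x86).
cpu_has_aes() {
    grep -E '^(Features|flags)[[:space:]]*:' | grep -qw aes
}

# openvpn_supports_gcm BANNER: succeed if the "OpenVPN X.Y..." banner is
# 2.4 or later, the first release with AES-GCM data-channel ciphers.
# Returns 2 if no version can be parsed from BANNER.
openvpn_supports_gcm() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^.*OpenVPN \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver    # $1 = major, $2 = minor
    [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 4 ]; }
}

# Constructed sample inputs (not captured from a real router).
sample_cpuinfo_accel() {
    printf '%s\n' 'processor : 0' \
        'Features  : fp asimd evtstrm aes pmull sha1 sha2 crc32'
}
sample_cpuinfo_plain() {
    printf '%s\n' 'processor : 0' \
        'Features  : half thumb fastmult edsp tls'
}
SAMPLE_OLD='openvpn[1234]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)]'
SAMPLE_NEW='openvpn[1234]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)]'

# verdict BANNER: cpuinfo text on stdin, version banner as $1; prints one line.
verdict() {
    if ! cpu_has_aes; then
        echo "no AES instructions: crypto runs in software"
    elif ! openvpn_supports_gcm "$1"; then
        echo "OpenVPN too old (or unrecognised) for AES-256-GCM"
    else
        echo "prerequisites met for accelerated AES-256-GCM"
    fi
}

# On the router itself (over SSH) the real inputs would be:
#   verdict "$(openvpn --version | head -n 1)" < /proc/cpuinfo
sample_cpuinfo_accel | verdict "$SAMPLE_OLD"
sample_cpuinfo_accel | verdict "$SAMPLE_NEW"
```
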

Setting up Private Internet Access on the Asus RT-AC86U with Merlin and Hardware Acceleration Enabled

Be sure to use your own PIA username and password, and to set the log verbosity to your preference (lower logs less, higher logs more; it was set to the maximum in this example because I was debug testing the setup).

Also, for selecting the location, you’ll want to use this table:

https://www.privateinternetaccess.com/pages/network/

From there, you click on the country and then copy and paste the URL of the location that you wish to use from the next page.

Final Step: You must also import the ca.rsa.4096.crt and crl.rsa.4096.pem into the “keys and certificates” by clicking the edit button in the image above and matching these settings. You get the text for the cert and key from the files that you downloaded by opening the files in WordPad (Windows), TextEdit (OSX) or vim (Linux) and copy-pasting the text into the appropriate field as shown below.

Other than those minor changes, you can exactly match the graphic above and it should work with your router!

(Double disclaimer – this setup will not run fast if you do not have one of the Asus routers from the list in this article. It will work, but it won’t be fast without hardware acceleration.)