OpenVPN Router Speeds
Since the last thread by this name ceased to exist due to trolls, this one is the replacement. I wish I remembered half the content of that thread. But it will get here in time.
At the moment, the two best routers on the market are the Asus RT-AC68U and the Netgear Nighthawk AC1900.
Each of these is capable of exceeding 50 megabits per second.

Comments
And since most people only use bytes for anything, that was the measure I used. This means that if the Asus RT-AC68U is a dual core 800 MHz CPU and about as fast per MHz it would be capable of 2080 KiloBytes per second. (Or * 8 for bits, meaning around 16 megabits per second. And since I said that this and the Netgear Nighthawk AC1900 are each capable of more than 50 megabits per second, they are evidently much more capable than the mathematics suggest.)
In the previous thread about this, I amended my estimate to account for this, but I only have the aged relic of a router as a gauge. And it is clearly vastly inferior compared to newer top of the line routers.
So please help me fix this thread up with more up to date examples of your speeds, and what speed you get without the VPN running too so we can know what to expect. Thank you in advance.
This is what I based my incorrect mathematics on. As I explained above, the newer routers are more than three times as fast per MHz.
A 200 MHz Broadcom CPU on a Linksys WRT54GL manages ~2080 Kilobits per second, but an 800 MHz dual core CPU on an Asus RT-AC68U manages well past 50 megabits per second, instead of the 16,640 kilobits per second that it would manage if it were not right at three times as potent at the same speeds.
Anyway, here is the image.
Note that I am quite interested in any help people can provide for all of us to have a better understanding of what speeds to expect, what routers are better, and any experiences.
Please share liberally. Thank you each in advance.
http://www.ubnt.com/edgemax#edge-router-lite
http://www.ubnt.com/downloads/datasheets/edgemax/EdgeRouter_Lite_DS.pdf
Does OpenVPN take advantage of multi-core CPUs yet?
There are already routers available that can handle 50 megabits per second with encryption. See my first post in this thread for two examples.
I will be posting screenshots of my own router as an example, since most examples I see online use incorrect settings or are made by competing services. (I will not steal their guide. I will just make my own.)
First of all, you need to login to your router that is flashed with Tomato. Some settings will be different from mine, and some features will be absent. That should not matter.
Then click on VPN Tunneling on the left, then it opens up and you should click OpenVPN Client.
Now select Client 1 and "Basic" from the right side, and set up the details similar to what I have here, and you will have to put in your username and password in the obvious fields.
For the "Server Address", you can use any of the hostnames in this link:
https://www.privateinternetaccess.com/pages/network/
Next up, click "Advanced" and set things up like I have in this image, and just for ease, here are the lines to add to "Custom Configuration".
persist-key
persist-tun
tls-client
comp-lzo
verb 1
Finally, click "Keys" and there is only one single field to mess with. Under "Certificate Authority" add the following including the dashes and the begin certificate and end certificate stuff. Here is an exact quote.
Now everything is done except saving by scrolling down below where my screenshots cut off and clicking save. And since you will be using it all the time, you will want the checkbox on the "Basic" tab called "Start with WAN" checked. That makes it start up every time the router starts.
*Edit* Here are the configuration files that the Certificate Authority part came from.
https://www.privateinternetaccess.com/openvpn/openvpn.zip
And it is only fair to give proper credit where it is due. @johnfromnowhere is a user here who also has a Linksys WRT54GL router like mine. He helped me get out from under the rock I was hiding under and risk bricking my router by flashing it to Shibby. I was a flashing coward, and he did everything but hold my hand and tell me it will be okay until I finally pulled my head out of my ass and flashed the router. Thank you @Johnfromnowhere. I still owe you for this.
*Edit* Oh, I should at least thank you for sharing. I do greatly appreciate hearing about the new router options we have. Thank you.
*Edit* Here are a few more things to consider. From this link, I get the following quote.
"Given the confusion that the mentions of OpenWrt support in Linksys press releases have caused, we would like to clarify the state of WRT1900AC support in OpenWrt and the ongoing collaboration with Linksys.
Members of the OpenWrt team have been in contact with Linksys for a while, discussing collaboration on device support in OpenWrt.
There had been no technical collaboration on device support until Belkin engineers posted a few incomplete patches in early April. These patches are currently being cleaned up, as they do not meet our quality standards.
The most important part that is still missing is a usable driver for the Marvell 802.11ac wireless chipset. Belkin is working on fixing this, but they have not given us an estimation on when such a driver will be provided.
The default firmware for this device seems to be using a proprietary driver provided by Marvell, which uses non-standard APIs for configuration. We don't know if Marvell will open source this driver, or will work on an alternative Linux driver. We believe that both approaches require a considerable amount of effort and time.
Because of these issues, we would currently recommend against purchasing this device until we have the missing pieces of software to make it functional with OpenWrt.
The Linksys press release claims that the device is "OpenWrt ready" and "Open Source ready". Given how much is still missing, and that not even the GPL code for this device was posted to the Linksys GPL code center, we consider these claims to be premature and unfortunately misleading.
Regards,
The OpenWrt Team"
And here are some links that clarify more.
https://forum.openwrt.org/viewtopic.php?id=50173
https://lists.openwrt.org/pipermail/openwrt-devel/2014-January/023354.html
*Edit* And one more... http://www.dd-wrt.com/site/content/dd-wrt-linksys-wrt-1900ac
Linksys should have made sure all the drivers were available before throwing around terms like "Open Source Ready" and such. Marvell will likely never release the drivers for the hardware, and that makes it all but impossible to make firmware.
Netgear can easily be overclocked to 1200MHz (Several people are running it at 1400). The only thing that the wrt-1900 has that others don't is the esata port.
Please do correct me if the Netgear or Asus models have fans. This would be the first I heard of such.
http://www.ubnt.com/edgemax#edge-router-pro
http://www.streakwave.com/Itemdesc.asp?ic=ERPRO-8A
They are currently $370 USD each. But wow. Compared to what we jokingly call "consumer" routers, these things are like Godzilla compared to a Gecko.
https://www.privateinternetaccess.com/forum/index.php?p=/discussion/comment/15828#Comment_15828
That aside, can you tell us a bit about the speeds you could achieve with OpenVPN on that device? I like the open OS approach, and would consider exchanging my self-built device for one of these if the performance is comparable.
I looked at those after I saw Omni recommend them (can't find the thread now!). While it's a nice piece of kit for what it is - and the price - I'm afraid to buy it in my country in Europe comes closer to $500 than $100.
As I said on the other thread I currently run IPFire (a fork of IPCop) on an old PC. With the release of AMD's rather lovely Jaguar AM1 SoC architecture however, I think I'll be building a nice new microATX rig in a router-style case and perhaps migrating to pfSense or similar.
The Jaguar AM1 APUs are around $25 and the same for the boards, while putting out very decent power. The 1.3GHz quad core (the cheapest of the bunch) only consumes 25W and yet has a decent 2MB L2 cache and bags of processing power for its size. It also supports hardware accelerated AES decryption on-chip and has built in 4k graphics output!
Even a bargain basement setup of that order, with the smallest and cheapest available RAM (2GB DDR3 single channel) and a cheap 32GB SSD, would amply cope with 1Gbps traffic and many simultaneous connections. You also get the advantage of making a nice sleek box to hide away in the corner, and on-board wifi with a GUI based routing/firewall distro.
What's not to like? Way better than any crapware consumer box you could buy for twice the price, with a free inbuilt backdoor!
But the reason I say that is that I am still using an ancient relic of the distant past. My Linksys WRT54GL. This thing must be a decade old or more.
https://www.privateinternetaccess.com/forum/index.php?p=/discussion/2845/openvpn-router-speeds#Item_4
Or was it this one?
https://www.privateinternetaccess.com/forum/index.php?p=/discussion/comment/15828#Comment_15828
But yeah, a real PC always beats a purpose specific device. If these new systems are really going to be that cheap, even the EdgeMax routers would be a ripoff. I will have to look into that.
I absolutely loved my old WRT54GL, which used to run various incarnations and derivatives of Tomato firmware. I was rather upset when I had to sell her, after upgrading to 100Mbps internet when the '54GL could only cope with around 50Mbps throughput. First world problems, and all that haha.
If you search through your favoured engine for terms along the lines of 'AMD A1 Jaguar Kabini SoC' you'll find various interesting articles and reviews etc. For a high spec router/firewall and home server they're ideal and super low powered for what you get out of them.
So apparently, the EdgeRouters are powered mostly by the utter confusion of the users who thought they knew what they were doing. (That is my explanation. I am sticking to it.)
*Edit* Naming you so you get the alert that you were mentioned in a comment here. I hope it still works in an edit. @nezzz
Still, could you perhaps tell us something about the transfer speeds you're getting? I really want to know.
http://community.ubnt.com/t5/EdgeMAX/Performance-as-an-OpenVPN-client/m-p/821540#U821540
And another. Sounds like the EdgeRouters are quite underpowered for encryption. Hardly surprising considering I have LED lightbulbs that use far more power than some of the EdgeRouter models.
http://community.ubnt.com/t5/EdgeMAX/OpenVPN-performance-optimization/m-p/817842#U817842
And there are plenty more threads like these.
The problem is that in every single case I know of, OpenVPN is single threaded, so the number of cores is useless until that is fixed. And there is absolutely nothing in the manual for the RouterOS about setting cores (Singular or plural) to OpenVPN tasks.
http://wiki.mikrotik.com/wiki/Manual:TOC
http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
http://wiki.mikrotik.com/wiki/OpenVPN_Configuration_Step_by_Step
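Added example, not part of any post in this thread and not PIA's or Tomato's code: a small audit of the "Custom Configuration" lines from the Tomato guide earlier in the thread, flagging compression, a missing server certificate check and 64-bit block ciphers. The rule set and the finding names are the editor's assumptions, and the audit sees only the text it is given, not the directives the Tomato GUI generates from its Basic and Advanced tabs.

```python
# Added example (not from the thread): audit OpenVPN client directives.
# The rule set is the editor's assumption of useful checks, not PIA's or Tomato's.

# The "Custom Configuration" lines exactly as posted in the guide.
POSTED = "persist-key\npersist-tun\ntls-client\ncomp-lzo\nverb 1\n"
# Constructed variant: compression dropped, server certificate check added.
TIGHTENED = "persist-key\npersist-tun\ntls-client\nremote-cert-tls server\nverb 1\n"

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers
SERVER_CHECKS = {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}


def parse_directives(text):
    """Map each directive name to a list of its argument lists."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, *args = line.split()
        found.setdefault(name.lstrip("-"), []).append(args)
    return found


def audit(text):
    """Return a sorted list of finding ids for the directives in text."""
    conf = parse_directives(text)
    findings = set()
    # comp-lzo with no argument means adaptive compression; only "no" disables it.
    if any(args[:1] != ["no"] for args in conf.get("comp-lzo", [])):
        findings.add("compression-enabled")
    # "compress" alone or with stub/stub-v2 only enables framing, not compression.
    if any(args and args[0] not in ("stub", "stub-v2")
           for args in conf.get("compress", [])):
        findings.add("compression-enabled")
    # Without one of these, any certificate issued by the CA passes as the server.
    if not SERVER_CHECKS & conf.keys():
        findings.add("no-server-cert-check")
    if any(args and args[0].upper() in WEAK_CIPHERS
           for args in conf.get("cipher", [])):
        findings.add("weak-cipher")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(label, audit(text))
```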