100Mbit speed limit OpenVPN client?

Hi,

I'm running 19.07.1 on a Linksys WRT3200ACM.
I had a vpn client installed with the previous WRT version but recently I switched to a different vpn provider.

With both providers I notice that my download speed is limited to 100Mbit. With a 250Mbit connection to my ISP that is less than half.

I did some tests and when I stop the vpn service on the router, I get my max download speed matching with the 250Mbit connection.
I installed the vpn app from my vpn provider on an iPhone, tablet and Win10 desktop pc and did a speedtest (@ speedtest.net). Mobile devices are connected via 5GHz WiFi and the desktop via 1Gbit utp.
With all devices I get a download speed that is only a tiny bit slower than without vpn.

But as soon as I start the OpenVPN service on the router and do the same speedtest, download speed is at or around 100Mbit.

So why is OpenVPN on the router limited to that speed?
I've searched and read several websites, tried various settings with buffer size, mtu size, additional lines in the vpn .conf file but all without any result.

With the vpn service active on the router, I downloaded a large file (several GB) and monitored the load via 'top' command.
CPU load is far from maxed out so it's not that the router cannot handle this.

Mem: 199988K used, 311976K free, 1452K shrd, 3160K buff, 18356K cached
CPU: 20% usr 6% sys 0% nic 65% idle 0% io 0% irq 6% sirq
Load average: 0.20 0.06 0.02 3/78 28015
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
27719 1 root R 3792 1% 31% /usr/sbin/openvpn --syslog

From what I understood from the documents on the vpn provider's website, the Windows client is also based on OpenVPN and without doing any tweaks, the speeds are good.

I read a comment in a different topic about the new option "OVPN configuration file upload" but when I do that, things look exactly the same as with manual installation following the description from my provider.

So does OpenVPN have a 100Mbit limit or does that only apply together with OpenWRT?

OpenVPN requires quite a bit of processing power, so it simply won't be able to provide high bandwidth VPN connections on a consumer grade router. Your PC has a much more powerful and sophisticated CPU when compared against your router, which is why you get much better performance when running OpenVPN on the PC.

To be clear, this is not an OpenWrt limitation, it is the hardware capabilities. Similarly, the Ubiquiti EdgeRouter and Unifi Security Gateway devices can also run OpenVPN, but they also have relatively slow bandwidth capabilities over the VPN tunnel due to the SoC limitations.

You might try Wireguard, which is much lighter weight and much faster on standard consumer router type hardware.


Not sure if softether is better in that regard, might be worth a look.

If the provider supports wireguard, some very rare VPN providers support softetherVPN's own protocol, which is also faster than openVPN.

Yet it's strange that the CPU usage is not maxed, if openVPN is really limited by encryption speed? So either the cpu values are not correct or something else limits the speed.

isn't that a dual core device and OpenVPN is single threaded... so I think one full core would show as 50% idle... so it's close... but the limit might well be on the other end with the provider not allowing more than 100Mbps

Yes, but it's a 88F6820 arm at 1.9GHz.... yet op noted the other devices tested got more than 100Mbit and I think this cpu should handle more than 100Mbit.
Maybe try to install and check via htop, I find the per-cpu bars easier to read.
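
The point raised in the two posts above (a single-threaded process on a dual-core router can keep one core busy while the aggregate figure still shows mostly idle) can be checked from two `/proc/stat` snapshots. This is an added example, not from any poster in the thread; the function names are hypothetical and the snapshot values are constructed.

```shell
#!/bin/sh
# Added example: per-core busy % from two /proc/stat snapshots.
# Function names and sample numbers are constructed for illustration.

# per_core_busy BEFORE AFTER -> prints "<cpu-label> <busy%>" per cpu line
per_core_busy() {
    awk '
        /^cpu/ {
            # $2..$9 = user nice system idle iowait irq softirq steal
            n = (NF < 9) ? NF : 9
            total = 0
            for (i = 2; i <= n; i++) total += $i
            idle = $5 + (NF >= 6 ? $6 : 0)      # idle + iowait
            if (FNR == NR) {                     # first file: baseline
                t0[$1] = total; i0[$1] = idle
            } else if (total > t0[$1]) {         # second file: delta
                dt = total - t0[$1]; di = idle - i0[$1]
                printf "%s %d\n", $1, 100 * (dt - di) / dt + 0.5
            }
        }
    ' "$1" "$2"
}

# Constructed 1-second sample on a dual-core box: one core busy with a
# single-threaded process, the other nearly idle.
demo_constructed() {
    before=$(mktemp) after=$(mktemp)
    cat > "$before" <<'EOF'
cpu  1000 0 500 8000 0 0 300 0 0 0
cpu0 600 0 300 3900 0 0 200 0 0 0
cpu1 400 0 200 4100 0 0 100 0 0 0
EOF
    cat > "$after" <<'EOF'
cpu  1044 0 512 8130 0 0 314 0 0 0
cpu0 642 0 311 3934 0 0 213 0 0 0
cpu1 402 0 201 4196 0 0 101 0 0 0
EOF
    per_core_busy "$before" "$after"
    rm -f "$before" "$after"
}

demo_constructed
```

On the router, save `cat /proc/stat` to two files about a second apart while the transfer is running and pass them to `per_core_busy`; the aggregate `cpu` line is the number `top` summarises, the `cpuN` lines are what the htop bars show.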

Of course the VPN provider can limit the bandwidth, because they themselves have a limited width. Example ExpressVPN limits the band to 50Mb/s on a router, AzireVPN, over 500 Mb. My advice is to avoid using VPN if not for business purposes (corporate VPN) or to show a different country of origin. But for security and privacy no one can demonstrate its effectiveness, being a closed product (you don't really know the servers from which the data passes, who and how it really manages it, etc). For further information please contact me in private.

Just found this, so yeah 100Mbit seems correct. So you either need to switch to a faster VPN protocol or use an even more powerful router, probably only x86 is available right now for those openVPN speeds.

actually the OP never said that, he said that with other devices the speed was not much reduced from its initial value but never said what the initial value was.

it does seem likely that the limit is on the other end though

Hi all,

Thanks for replying and thinking along.
My current vpn provider is NordVPN and they claim on their website not to apply a speed or bandwidth limit:

"NordVPN does not apply any speed or bandwidth limits to its users. However, please note that usually, you will receive a little bit lower speeds with VPN comparing to the speeds without VPN."

As for the speedtest, I made some screenshots:

Speedtest from Win10 pc without any vpn active:

Speedtest from Win10 pc with Windows vpn app enabled, slightly slower which is normal:

Speedtest from Win10 pc but with vpn active on router, a lot slower:

I installed htop on the router, vpn was active on router and did a download via Newsleecher from Win10 pc.
Download speed is in line with the speedtest.

Load on the cpu. Yes, one core is near 65% but not maxed out.

Load on the cpu while doing a speedtest; load is higher than with previous download:

As for the topic "VPN Performance on Marvell CPU" mentioned by Andy2244, I must admit I missed that one.
With that latest comment in that topic combined with the htop output, it looks to be a cpu bottleneck after all (even though cpu is not at 100%)?

Yes, it also confuses me a bit, but it seems that way, as many other users did also run into this problem.
Yet, NordVPN actually has wireguard support, so I would try this, since it's the VPN protocol of the future :stuck_out_tongue:

see: https://nordvpn.com/blog/nordlynx-protocol-wireguard/
Here is an "easy" setup guide for openwrt: Solved: nordvpn OpenWrt wireguard client

They also offer pptp, so if you are just after hiding your ip, this should also be faster.

PS: You might need to search or ask their support for a vanilla wireguard linux client settings/setup, since it seems they have written their own wireguard client... wtf.

Problem with OpenVPN is the constant switching between user and kernel space and it is not multi threaded, so it is not the encryption which is the culprit.

WireGuard is entirely in kernel space and is multithreaded (being in kernel space has a security risk)

If you are a high level government target I would stick to openVPN otherwise WireGuard is the way to go.

My R7800 does about 90 Mb/s with Open VPN and about 250 Mb/s with Wireguard.

The R7800 is running at 1.7 GHz but has dual A15 Arm cores (actually Krait cores which are A15 equivalent). I think your CPUs are A9s with lower IPC (not sure about that, could be Annapurna Labs A15?)

Expressvpn.. 50? Not really.
I can have sometimes on some servers.. I obtain 70-75

It is also declared by the same company. 50 Mb / s if used on router. Once I also tried the custom firmware of ExpressVPN on WRT3200ACM, always the same result. At the time I had a maximum speed in download of 200 Mb without VPN, but at most I reached 50 Mb. I strongly advise against the use of VPNs, because they severely limit the general performance of the connection (not only in speed), and extremely undermine privacy. At most they don't add anything. They are convenient only for business or private purposes on personal VPNs and not provided by third parties. It is more demonstrable that I have just said rather than all the advertisements of the various VPN providers. All that glitters is not gold.

Legit uses of Commercial VPN services are for geo-locating to somewhere else, or forcing an alternative route if your ISP is goofy (can reduce ping times). Also for getting around restrictive firewalls (campuses, governments, etc).

If my ISP is goofy, I do little, 99% of the VPN IP addresses are now in blacklists all over the world. Maybe to change geolocation is fine, but I would not say in legitimate use, if it makes me use unauthorized services and catalogs in my country. In addition they give a false sense of protection from prying eyes when the provider itself is certainly a prying eye in the communication between me and the already encrypted https site. Perhaps it is useful in countries with dictatorship or under conflict. But I would not entrust my life to a multinational company.

Maybe with their firmware. But I use their service with dd wrt and openwrt and I can have higher speed

I am very happy for you :wink:

The wireguard will be really nice. Nice speed

I tested tonight not the fastest linksys, the wrt1900.. with express vpn, pretty far server.. I'm in canada and test France server. I got 52 mbps and expvpn website says about 40.