Extremely slow internet speeds with OpenVPN

Hello everyone, I am a newbie trying my hand at OpenWRT with my Etisalat-provided DLink DIR 853 A3 router.
Background: I wanted to use ProtonVPN on my router and therefore had flashed it to OpenWRT 21.02.0-rc2 and then upgraded to openwrt-23.05.0-rc3-ramips-mt7621-dlink_dir-853-a3-squashfs-sysupgrade.
Now after setting up a network with the same, I am getting good speed as provided by ISP, 240-250 Mbps.

Current situation: I have set up Proton VPN (OpenVPN) on the same and now I am getting very slow internet speed around 15Mbps. I have contacted Proton and they say that "The downside to OpenVPN is that in its current architecture, it is not scalable. It runs as a monolithic process and cannot run multi-threaded.

This means that if you have a beefy processor with 8 cores and each of the core has 8 threads, OpenVPN will use only a single thread in one of the available cores.

Regarding routers - they do not have powerful CPUs, thus encrypting and decrypting OpenVPN traffic is a real challenge for them. For that reason, the speed can drop by a large amount"

Can anyone guide me if this is true, and has anyone had any similar experience with this?

Thanks in advance.

Yes, OpenVPN is single-threaded, so in essence (without going into technical details) it's correct. You could always try WireGuard instead (which ProtonVPN supports) which is way faster than OpenVPN, unless there's a specific reason you want to use OpenVPN.

Run htop in cli, to see the CPU load, in real time.

Thanks. Any specific guide which I can follow? Looks like there isn't any from Proton themselves

If they support OpenVPN DCO, it will be performing a lot better, however AFAIK there is no VPN provider doing this at the moment.

I haven't set it up myself but https://www.ivpn.net/setup/router/openwrt-wireguard/ looks decent. https://support.surfshark.com/hc/en-us/articles/7091559595666-How-to-set-up-WireGuard-on-OpenWRT-router has also been linked in the forum previously. Note that the Surfshark guide seems to be done against 22.03 (indicated by the existence of the luci-app-wireguard which has since been removed as a separate package) so you may need to adapt some things if following that.

Hey, thanks @dannil, I have set it up with WireGuard as well, but the speed does not get any better even with this. Can I assume that this is because the router is incapable of handling higher speeds? If yes, can you guide me to a better and cheaper one which can handle 250Mbps+? Thanks in advance.

Weird, I would've thought you should get at least better performance compared to OpenVPN, which makes me believe there's something else going on. Your DIR-853 A3 has almost the same internals as ZyXEL WSM20 (MT7621AT vs MT7621DAT, both with 2C/4T, 128MB flash and 256 MB RAM) and that manages close to 100 Mbit/s according to A Wireguard comparison DB - #56 by Hirogen. Have you enabled hardware flow offloading? If not, try that, and as @frollic suggested, run htop on your router to see the CPU load in real time when using your VPN. I would also advise you to try to run the WireGuard benchmark test from the link above to see if you're on par with for example WSM20.

If you're looking for a new router anyway (if you want 250+ Mbit/s as that won't ever be achievable with MT7621DAT), look in the table in the first post in the link above and get one within your budget/availability depending on country.

There might be something wrong in your setup as usually WireGuard is three times faster than OpenVPN.
For your router I would think a WG speed of over 50 Mb/s should be possible.

As a quick fix you can try to lower MTU on the WG interface, by default it is 1420 but try 1280 or even lower.
Enabling irqbalance and Offload are also things you should do.
Otherwise you can share your config for us to review:

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
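The redaction step requested in the post above can be scripted rather than done by hand. This is an added example, not part of the original thread: the helper name redact and the sample input are constructed, and it assumes an awk such as the BusyBox one on the router.

```shell
#!/bin/sh
# Added example: redact() is a hypothetical helper; reads stdin, writes stdout.
redact() {
    awk '
    # Private, loopback, link-local, CGNAT, netmask and 0.0.0.0 stay visible.
    function is_private(ip,   o) {
        split(ip, o, ".")
        if (o[1] == 10 || o[1] == 127 || o[1] == 0 || o[1] == 255) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 169 && o[2] == 254) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        if (o[1] == 100 && o[2] >= 64 && o[2] <= 127) return 1
        return 0
    }
    BEGIN {
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        mac = h ":" h ":" h ":" h ":" h ":" h
    }
    {
        line = $0
        # UCI secrets: option private_key / public_key / preshared_key / password / key
        if (match(line, /option (private_key|public_key|preshared_key|password|key) /))
            line = substr(line, 1, RSTART + RLENGTH - 1) "\047REDACTED\047"
        # wg show key lines
        if (match(line, /(private key|public key|preshared key|peer): /))
            line = substr(line, 1, RSTART + RLENGTH - 1) "REDACTED"
        gsub(mac, "XX:XX:XX:XX:XX:XX", line)
        # Replace every IPv4 address that is not in a private range.
        out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            out = out substr(line, 1, RSTART - 1) (is_private(ip) ? ip : "REDACTED_IP")
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Constructed sample input (documentation address, fake keys).
sample_output() {
    cat <<'EOF'
        option private_key 'cHJpdmF0ZS1rZXktZXhhbXBsZQ=='
        option ipaddr '192.168.1.1'
peer: cHVibGljLWtleS1leGFtcGxl=
  endpoint: 203.0.113.7:51820
  allowed ips: 0.0.0.0/0, ::/0
EOF
}
sample_output | redact
```

Pipe each command through it, for example `wg show | redact`. Public IPv6 addresses and hostnames such as an endpoint_host name are not covered and still need a manual check.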

I have tried to reduce the MTU of the WG interface to 1280 but that did not help as such.
I have run the commands mentioned and below are the results:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.127",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-853 A3",
        "board_name": "dlink,dir-853-a3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0-rc3",
                "revision": "r23389-5deed175a5",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8f:22e1:48ac::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.2.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '10.2.0.1'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'testing'
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'
        option mtu '1280'

config wireguard_wg
        option description 'wg.conf'
        option public_key 'testing'
        option endpoint_host 'someip'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'


root@OpenWrt:~# ^C

root@OpenWrt:~# ^C

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~# wg show
interface: wg
  public key: testing
  private key: (hidden)
  listening port: 43631

peer: xiqimcfhHwfzC3gfbYzsgP7cNTM=
  endpoint: 146.7.142.82:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 50 seconds ago
  transfer: 21.03 MiB received, 4.86 MiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~#

I do not see any obvious mistakes in your setup.

One thing you can try is to reduce MTU even further, but note that the largest MTU (max 1420) which works is the fastest.

Maybe try another VPN server (endpoint) by requesting a new config file in another place from your VPN provider.