Fastest VPN type

Hi everyone,

I thought I would consult the vast knowledge of networking here regarding VPNs.

I set up a self-hosted OpenVPN on a Vultr server in the UK and connected to it from my OpenWRT router here in Dubai.

My normal ISP speeds are 400Mbs; however, on the VPN I am getting a max of about 4-6Mbs. From reading a few articles, OpenVPN might not be the best choice here.

When I connect to my company VPN, which is a Cisco ASA, I get speeds well over 100Mbs, so I know it's not an internal bottleneck.

What other types of VPN should I look at self-hosting, anything else I should look at?

1 Like
2 Likes

OpenVPN is fantastic for x86 because encryption is AES and all x86 processors have AES-NI instructions for accelerated AES encryption/decryption.

But this doesn't work well on routers (neither MIPS nor ARM) because most of them don't have any kind of AES-accelerated instructions and the calculation must be done the traditional way.

Here are the results on my Orange Pi Zero:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      14920.27k    21232.36k    23777.62k    24525.82k    24505.00k    24750.76k

and on my Mac Mini (i5) without AES-NI:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      70608.31k    78483.52k    81458.18k    82948.78k    83408.21k

But with AES-NI on Linux, here are the results:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     574265.70k   961263.87k  1026235.39k  1041454.08k  1041072.13k  1044665.69k

But this is the case when the CPU becomes a bottleneck. The alternative is when the network is the bottleneck, with huge packet loss.

Can you run some tests and get the results from the "top" command on OpenWrt?
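
An added example, not part of any post in this thread: a small shell script for the router that checks whether the CPU advertises AES instructions and converts a benchmark line like the ones above into a cipher-only Mbit/s figure. It assumes the tables above are `openssl speed` output; the script name `aescheck.sh` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): AES-instruction check plus conversion of
# an `openssl speed` result line into a cipher-only Mbit/s ceiling.

# Exit 0 if the cpuinfo text on stdin lists an "aes" CPU flag
# (x86 uses a "flags" line, ARM uses "Features").
has_aes_flag() {
    awk -F: '
        /^(flags|Features)[ \t]*:/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Convert one result line to Mbit/s using the last column (largest block).
# openssl reports thousands of bytes per second: Mbit/s = value * 0.008.
speed_line_to_mbit() {
    awk '{ v = $NF; sub(/k$/, "", v); printf "%.0f\n", v * 0.008 }'
}

# Run against the local machine only when asked: sh aescheck.sh run
if [ "${1:-}" = "run" ]; then
    if has_aes_flag < /proc/cpuinfo; then
        echo "AES instructions: present"
    else
        echo "AES instructions: absent (AES is done in software)"
    fi
    # -evp uses the EVP interface, the code path that can use AES-NI.
    openssl speed -evp aes-128-cbc 2>/dev/null |
        grep -i '^aes-128-cbc' | speed_line_to_mbit
fi
```

The number it prints is the raw cipher throughput of one core, so it is an upper bound; the throughput of a VPN tunnel on the same device will be lower.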

WireGuard is going to be much faster.

1 Like

I wouldn't call OpenVPN 'fantastic for x86', it's just slightly less bad/slow on x86 than on most other platforms.

4 Likes

Basically just OpenVPN, WireGuard and SoftEther (v5.x).

That's mostly true if we assume no hardware acceleration is enabled, yet some embedded platforms get this working for OpenVPN + OpenSSL, which would outperform any other non-accelerated VPN service.

The issue is that the SSL lib needs support for it, but also the VPN service needs those specific compile switches enabled.
So it's a puzzle of having it working on the hardware platform and correctly compiled into the SSL lib and the VPN binaries.

PS: SoftEther's own VPN protocol competes with WireGuard, but you need to check VPN client availability on your platforms.

Even with hardware acceleration enabled, in many cases. You need very good hardware encryption accelerators (i.e. things that are deployed in business firewall appliances) to get anywhere near WireGuard performance with OpenVPN.

A lot of consumer embedded devices have relatively weak crypto processors that barely go faster than doing it in software on the CPU (so the only benefit is that the CPU is not loaded if you use them, but it does not go "faster").

Their "own VPN protocol" is just a form of SSL-VPN, piping Ethernet over an SSL tunnel between two static endpoints.
All business firewalls have offered that for ages. The main drawback is that the protocol itself is very dumb, so it requires all management communication to be done by the client/server over something else before establishing the tunnel, so it's very easy to "proprietarize" it by just changing the management communications.
That said, SoftEther VPN is mostly a management system; it supports many different protocols, also WireGuard afaik.

Thanks to everyone who recommended WireGuard. I am now getting 150Mbs over the VPN :slight_smile: