I installed OpenVPN on my TP-Link TD8970V1 That have a 500 MHz CPU and 64 MB of RAM and 8 MB of Flash RAM.
Yesterday I noticed that when I establishing a OpenVPN connection on my router, it'll become so much slower on WAN connection speed. So I try and test a little more and find out, if I use the same ovpn server on my PC or Phone, it doesn't impact on speed at all. But when I try it through my router, speed will become slower by 50%. for exp: my adsl rate is 25 Mbps and after establish OpenVPN connection Using OpenWRT, It will drop out to 15 or 10 Mbps! But using OpenVPN Clinet on PC, I Still have 25 Mbps.
In my though it because of encryption and CPU load of OpenVPN Proccess. I check it on luci Process tab and I noticed It uses 30 to 55 % of CPU. What do you think about this?
And, what can I do?
That's typical for running OpenVPN on a single core MIPS. PCs and phones have a lot more CPU power.
It's pretty well established that wireguard performs much better than OpenVPN, so if you can switch to wireguard you may be able to continue to use this hardware. On the other hand, you could upgrade this hardware to something with a substantial amount of CPU cycles, the WRT32X is a good example, and relatively cheap on Amazon refurbished (in the US). The Espressobin also has quite a bit of power.
Running LuCI can chew up a significant amount of CPU, especially with a single-core, 500 MHz, MIPS SoC. Not accessing LuCI should give you some improvement.
Even getting 10 mbps with OpenVPN on that CPU is surprisingly good. Wireguard is better, but I would be surprised if you get much more than 30 mbps, as single-core, 775 MHz, MIPS SoCs are advertised as being able to supply 68 mbps with Wireguard, and you've got "baseline" load to contend with on a single-core device, not just the VPN load.
I think Jeff is more or less right here, but your rate is 25Mbps, so as I say, it may be marginally possible to continue to use your hardware with wireguard at full speed... Or go with something substantially more powerful like a 1.5GHz processor, and with at least 2 if not 4 cores.
Just a tiny correction, given that the TDW8970 doesn't have FXS ports, both 500 MHz lantiq mips 24Kc cores should be available, but lantiq isn't the fastest SOC in the world, it's already struggling to keep up as modem+router with VDSL 100/40 (only possible with flow-offloading enabled), before adding other CPU intense tasks (like VPN). So these performance issues with VPN are to be expected, the only way to get around these would be to relegate the TDW8970 to mere modem duties (bridge mode, that is possible with OpenWrt) and to use a significantly faster (ideally ARM based) router behind it, taking care of PPPoE, NAT, routing, firewall, WLAN APs, etc. - for a VDSL link ipq40xx would already be fully sufficient (if your demands, especially in regards to VPN are higher, ipq806x or low-end mvebu would also be attractive options).
As pointed out by others, you won't get more than 10 mbps openvpn speeds out of the Lantiq based device. Encryption is all done in software which is why the openvpn performance is terrible and maxes out at 10mbps.
fwiw, the TD8970v1 uses same SoC as Home Hub 5A
link to openvpn client on HH5A
I seem to recall the SoCs in routers such as WRT1200AC and RT-AC86u have hardware based crypto engines which support 256 bit encryption. Someone will correct me if I'm wrong.
I've got Armor Z2 1.7 GHz dual-core and it doesn't impact on OVPN speed at all: I've got only 10 Mbps at 200 Mbps channel. The OVPN speed issue is in the implementation of the OVPN on the OpenWrt, and not in the hardware.
tcp / udp?
if your not running over udp you should be..... ( see https://hamy.io/post/0003/optimizing-openvpn-throughput/ )
if possible ( unlikely) +fast-io -compress
I uses UDP protocol of ovpn from nord vpn company. I don't know what you say, I'm not a pro user but as I said before, It's fine when I try with same ovpn server in my PC or Phone.
I think @vanyaindigo is right. It's all about implementation of ovpn in OpenWrt kernel.
But find an interesting point: when I try it at 25 Mbps dsl, I got only 15 Mbps. But in a 5 Mbps dsl I reach the max of the bandwidth. So it doesn't have any problem below the 10 Mbps speed .
It's the one example of nord vpn ovpn file:
client dev tun proto udp remote [IP Address] 1194 resolv-retry infinite remote-random nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ping 15 ping-restart 0 ping-timer-rem reneg-sec 0 comp-lzo no remote-cert-tls server auth-user-pass auth.txt block-outside-dns verb 3 pull fast-io cipher AES-256-CBC auth SHA512 <ca></ca> key-direction 1 <tls-auth></tls-auth>
You can also search here, but it doesn't help me https://serverfault.com/questions/686286/very-low-tcp-openvpn-throughput-100mbit-port-low-cpu-utilization
It's cant help me, too. because I can't access the server to change the configuration of server side!
This is interesting. If you connect your VPN and speed test on the VPN while running
top -d 1 on the router it would be interesting to see the results.
well, ive never seen one of those options in the nord configs i've looked at; outside-dns maybe ok just never seen it.
client dev tun proto udp comp-lzo no explicit-exit-notify 3 verb 3 pull fast-io cipher AES-256-CBC auth SHA512
suggest you get some fresh ones;
Having said what I said about using UDP, it will not hurt to try a tcp connection for comparison. Some isps throttle UDP.... and some connections drop too many packets....
At the end of the day tho', the other guys advice above prevails....
If your PC is on all the time... it's relatively simple to pass the VPN via it.... to take that stress from the router....
Or new router..... and turning that into ap only will benefit your network.... as has been suggested.
What part of your router being really old and slow do you not understand?
The encrypting of the data takes a lot of processing power, when OpenVPN (which is not part of the kernel!) is run on a slow router it will only be able to do a few Mbps (due to said encryption).
When it is run on a much faster PC or Phone (and the router only routing the data) it will naturally be able to do a much faster bitrate.