How to configure two VPN gateways to the internet?

Due to the reasons explained here, I have configured a ProtonVPN network to access the internet from my OpenWrt home router.

Now all traffic to the internet is routed through the Proton VPN using WireGuard.

But a small problem arises: the speed reached this way is about 300 Mbps (very good for a VPN) but my ISP line reaches 600 Mbps.

I would like to be able to access the internet at full speed.

Proton VPN lets me configure more than one device connected to it.

So I thought of creating two VPN interfaces: protonVPN1 and protonVPN2, each one connected to two different servers with their own IPs.

The idea is to redirect traffic from the internal LAN to both interfaces.
The easy way would be to add both protonVPN1 and protonVPN2 interfaces to the protonVPN firewall zone and redirect traffic from the lan zone to the protonVPN zone instead of WAN.

But I am not sure if that would work, if traffic will be distributed by the firewall among both interfaces, and whether that can cause problems in internet navigation (as I will navigate from two different IPs).

Any idea of how to get this done?

are you sure you're not maxing out your router?

No, my router when the VPN is not active reaches 600Mbps and more, I have tested it without and with VPN.

The VPN from proton seems to be one of the quickest, reaches 300 Mbps, no more than that.

Thank you for the link on PBR.

But implementing PBR to redirect traffic based on traffic contents (IPs in the internal LAN, destination port, destination address...) will make my net management too complicated.

It seems that there is an alternative: multi-WAN balancing, which seems to be appropriate, but I don't know if it can be applied to VPN interfaces...

if you think VPN doesn't come with any kind of CPU penalty, you're wrong.

1 Like

Thank you, but I am not saying it comes with no penalty.

But my router (Belkin RT3200, rebranded from Linksys EA8450) is supposed to support 1 Gbps connections and my connection is just 600 Mbps, so the router has power enough to support that traffic and probably to provide more than 300 Mbps in a WireGuard VPN, which is not as heavy in processing as others.

The limit of 300 Mbps is in the Proton servers (I have read about speeds reached in several VPN providers and Proton is one of the quickest, but limited to 300 Mbps).

If I use two VPNs and traffic balancing, probably I won't get 600 Mbps, but I expect to get quite a bit more than 300.

The easiest way seems to be traffic balancing using mwan3 based on IP; thus traffic from different devices will be distributed among the two interfaces, one of them will be using vpn1 and the other vpn2, but each device won't get more than 300 Mbps.

That is not the ideal case, but will be good enough.

But I am not sure how to achieve it.

that's the port speed, not necessarily the routing speed.

no dude, it doesn't, at 300 you're maxing it out - A Wireguard comparison DB.

indeed, with openvpn it would have been slower.

get beefier hw, if you want faster VPN.

1 Like

As I have said, my internet connection is 600 Mbps.
Using speedtest.com I have measured 680 Mbps upload speed from my computer connected to that router behind the ISP router.

Other people with 1 Gbps internet access have reported more than 900 Mbps with it.

So the router is able to provide far beyond 300 Mbps.

This is the test result using proton VPN

This one is with no VPN (not the quickest report I have got from the ISP):

the speed diff between VPN and non-VPN tests is the VPN CPU penalty, assuming the VPN terminates at the router.
anyway, have fun ...

1 Like

Thanks again, I am not sure if I am understanding you well.

Do you mean that the 300 Mbps I am experiencing are not due to the limit in the ProtonVPN server but the maximum speed my router can get when using WireGuard?

In that case using two VPNs won't help at all.

I will have to change the strategy and share the load among devices.

I have another router in another part of the house that is just acting as a switch and as a wifi access point; maybe it could provide VPN to access the internet in that part of the house and share the load among both.

correct.

it's easy to check by installing htop and running it (via ssh), to check the CPU load while doing a speedtest from a client.

another test is to install the VPN client on the computer, and running it from there, while having the tunnel down on the router, to check if it'd surpass the 300+Mbps limit using more powerful hw.

1 Like
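
The CPU check suggested in the post above, as an added example that is not part of the thread: instead of watching htop, this script compares two `/proc/stat` snapshots and reports per-core busy and softirq percentages. The sample snapshots are constructed, and the 90% threshold, the `live` argument and the file name `cpucheck.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-core CPU load between two /proc/stat snapshots.
# cpuN fields: user nice system idle iowait irq softirq steal ...

# Constructed snapshots for illustration (not measured on the RT3200).
SAMPLE_BEFORE='cpu0 1000 0 500 8000 100 0 400 0 0 0
cpu1 900 0 450 8300 50 0 300 0 0 0'
SAMPLE_AFTER='cpu0 1050 0 700 8050 100 0 1100 0 0 0
cpu1 950 0 600 8700 50 0 700 0 0 0'

# core_load BEFORE AFTER -> one line per core: "cpuN busy% softirq%"
core_load() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $1 == "---" { second = 1; next }
        $1 ~ /^cpu[0-9]+$/ {
            total = 0
            for (f = 2; f <= 9; f++) total += $f
            idle = $5 + $6                      # idle + iowait
            if (!second) { t0[$1] = total; i0[$1] = idle; s0[$1] = $8; next }
            dt = total - t0[$1]
            if (dt <= 0) next                   # no ticks elapsed
            busy = 100 * (dt - (idle - i0[$1])) / dt
            soft = 100 * ($8 - s0[$1]) / dt     # softirq share (network rx/tx handling)
            printf "%s %d %d\n", $1, busy, soft
        }'
}

# verdict BEFORE AFTER [THRESHOLD] -> "cpu-bound" if any core is at or above
# THRESHOLD percent busy (default 90, an assumed cut-off), else "headroom".
verdict() {
    core_load "$1" "$2" | awk -v th="${3:-90}" '
        $2 + 0 >= th + 0 { hit = 1 }
        END { print (hit ? "cpu-bound" : "headroom") }'
}

# Live use on the router: "sh cpucheck.sh live 10" while a client runs a speedtest.
if [ "${1:-}" = "live" ]; then
    before=$(grep '^cpu[0-9]' /proc/stat)
    sleep "${2:-10}"
    after=$(grep '^cpu[0-9]' /proc/stat)
    core_load "$before" "$after"
    verdict "$before" "$after"
fi
```

A single core pinned near 100% with a large softirq share while the tunnel is up points at the router rather than the VPN server as the limit.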

OK, I will do the last test you suggest, so I will be able to determine the limit of the ProtonVPN speed.

In case it provides something near 600 Mbps, the easiest way to solve it will be to upgrade the router and use something x86-based.

technically, Proton might have a speed limit too, but with your current router you won't be able to work around it using two tunnels.

2 Likes

You are right. I wouldn't have thought that Proton could provide such a quick speed; I have read in some places online (VPN comparisons) that ProtonVPN provided 300 Mbps and others 180 or 300 at most.
But it seems that the tests were not well done, as Proton provides much more than that.

With the vpn disabled in the router and enabled in my pc this is the result

Quite an impressive test. ProtonVPN provides the connection at the maximum speed (at least up to 600 Mbps) with just a bit of speed loss due to the protocol overhead itself.

So the solution would be to upgrade my router in the future and put it in place of my other Fritzbox router.

Thank you a lot for your help and for insisting on clarifying my error.

get a RPi4 and put it behind the main router, they should be quite cheap, since RPi5 is out.
the RPi4 does 900 Mbps over WG.
or make it the main router (by getting an USB3 gigabit ethernet adapter), and make the RT3200 an AP.

1 Like

Would an RPi4 be enough?
But I would need a wifi6 AP and a switch too, to substitute my router that is AP and switch.

Could you point me to some article that explains the needed devices?

I wouldn't like to have 4 devices, each needing its own power source, to get internet access: the router from the ISP, the RPi4 as router, a gigabit switch (I have several devices connected to the router) and a wifi AP...

Another solution would be to add the RPi4 as router and leave the Belkin just as switch and AP, similar to the Fritzbox; that would be just one more device...

this was my suggestion :)

if WG speed of 700Mbps is good enough for you, get a T-56 from wifilinks in NL, they're 50€ + S&H, it'd substitute the RT + Pi, and provide faster wifi in one box.

I will look for that.

700 will be enough for quite a while and 50€ is not too much; it will provide good access for quite a while and reduce the number of gadgets on my desk.

The Belkin will replace the Fritzbox and the Fritzbox will be used at my work to replace an old Linksys.

Do you mean this one?
Zyxel T56 Modem Wifi 6 AX6000 Nieuw – wifilinks.nl

that's the one.
you'll need to email them and ask about the cost of shipping to ES.

1 Like

Do they have another similar one that would provide 1 Gbps or near it WireGuard access?

I won't need that speed right now, but if it is not too expensive, perhaps better to buy now something more capable just in case I need it in the future.

you won't find any "plastic box" router able to deliver more than that, today, next step is SBC or x86.

1 Like