I am trying to configure my router to connect to a third-party VPN using L2TP.
I successfully configured the OpenVPN client but the performance is not so great.
(Using the Archer C7 v2, I get max. 12 Mbit with AES-256-CBC.)
The packages xl2tpd and ipsec-tools are installed.
But when I try to set up the network interface, I cannot submit a PSK.
What am I doing wrong?
Just 12 Mbit/s? I know that the QCA9558 SoC in the Archer C7 v2 does not have any crypto offload and the single-core 720 MHz MIPS32 CPU is weak (not that a dual- or quad-core CPU would do much, as OpenVPN is single-threaded). Can you tell me what "throughput" you are looking for? I don't think L2TP would help much, unless you go for a weaker cipher.
As much as possible. I have a 100 Mbit connection, which should be enough to get at least 50 Mbit and more while using the VPN (on a decent CPU).
I think l2tp is executed in the kernel which should result in more throughput because openvpn loses performance by switching between user- and kernelspace.
I cannot change the cipher to a lower length (at least 256 bits). The VPN provider selects AES-256-GCM by default which slows the connection to 8Mbit.
Sadly, it doesn't look like 50 MBit/s+ is possible with this router.
"l2tp" is actually just a tunnel protocol, you'll need to deal with IPsec first. See:
Sadly, I haven't seen any LuCI app in the repository that could help you with setting up the strongswan/racoon daemon. In theory, racoon (ipsec-tools) does have some UCI integration.
So you could configure it through /etc/config/racoon without having to deal with a custom config file. However, the openwrt wiki states that strongswan is recommended. https://wiki.openwrt.org/doc/howto/vpn.overview#strongswan_recommended
And from what I can glimpse, the tutorials mostly cover the server setup. So you'll need to look elsewhere for an IPsec/L2TP client setup:
And piece the information together to get a working setup. Once the IPsec transport/tunnel is working, you should be able to just connect with the existing L2TP config.
Do you know if this is also the default AEAD mode for the IPsec/L2TP setting? Because the racoon/setkey utility doesn't have support for AES-GCM (but AES-256-CBC + HMAC(SHA256)).
If that's the case, you should look at strongswan directly.
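
Added example, not part of the original thread and not the provider's or OpenWrt's own configuration: how the client-side pieces discussed above fit together, with the PSK held by the IPsec layer (strongSwan's legacy `ipsec.conf` format here) and the L2TP interface carrying only server, username and password. The gateway name `vpn.example.net`, the credentials and the cipher proposals are placeholders and assumptions that have to be matched to what the provider actually offers.

```conf
# --- /etc/ipsec.conf (strongSwan, legacy ipsec.conf format) ---
# Constructed example; vpn.example.net is a placeholder for the provider's gateway.
conn l2tp-psk
    keyexchange=ikev1          # assumption: provider negotiates L2TP/IPsec with IKEv1
    authby=secret              # pre-shared key, read from ipsec.secrets
    type=transport             # IPsec protects only the L2TP UDP flow, no inner subnets
    left=%any
    leftprotoport=17/1701      # protocol 17 (UDP), port 1701 (L2TP)
    right=vpn.example.net
    rightprotoport=17/1701
    # Assumed proposals; "!" makes them strict so a silent downgrade fails instead.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!         # AES-256-CBC + HMAC-SHA256
    # esp=aes256gcm16!         # AES-256-GCM, if the provider offers it for IPsec
    auto=start

# --- /etc/ipsec.secrets (keep readable by root only) ---
: PSK "REPLACE_WITH_PROVIDER_PSK"

# --- /etc/config/network (OpenWrt l2tp protocol handler from xl2tpd) ---
# No PSK option here: the key belongs to the IPsec layer above.
config interface 'vpn'
    option proto 'l2tp'
    option server 'vpn.example.net'
    option username 'REPLACE_WITH_USERNAME'
    option password 'REPLACE_WITH_PASSWORD'
```

Bring the IPsec connection up first and confirm with `ipsec statusall` that an ESP transport SA for UDP/1701 is installed before starting the L2TP interface; otherwise the L2TP session would run unencrypted or fail.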