Is there some type of VPN accelerator I can use with LEDE?

Hi all, I finally got my Linksys EA4500 set up today. Everything works and is going well. But the router can only give me about 20 Mbps download speeds with the VPN enabled on a 120 Mbps line. Now I knew it would be slower going into this, but now I’m curious if there’s anything I can do to increase my speeds without getting a new router. I came across this while searching online.

Is there anything out there like that that I can use with LEDE? Thanks

If I understand it correctly, you are getting only 20Mbps when using a VPN because the CPU in the router just cannot go faster. That VPN Accelerator you linked is a piece of hardware, so I guess your only options are to buy a new router, or to buy a separate gadget...


...and that "VPN Accelerator" doesn't seem to be anything else than a bog standard x86 system (a Gigabyte Brix GB-BXBT-1900 or less likely GB-BXBT-2807, to be exact).

If you go the x86 route, which is a pretty sensible choice if you're looking for high WAN throughputs or fast VPN connections, it would make more sense to pick a device that is capable of replacing your main router completely (possibly degrading it to a mere AP, as finding small/low power x86 devices that can accept two WLAN cards isn't easy or cheap) - a device with (at least) 2 ethernet cards. There are plenty of pretty decent devices supporting this (with LEDE), which are probably significantly cheaper than the product you mentioned.

Could you name a few, so I can do some research? Sorry, but I don’t really know much about this stuff. Also what did you mean by degrading to a mere access point? Thanks

https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-AES-NI/dp/B0742P83HY

https://www.amazon.com/ZOTAC-ZBOX-CI327NANO-U-Celeron-1-1GHz-Barebone/dp/B0728F8JS5

The first one has 4 Intel NICs which is great, the second one is much cheaper but has dual Realtek NICs instead, still very good for a 120Mbit connection. If you were near gigabit the Intel NICs would perform better. The second one is barebones, so you need RAM and an SSD.

There are many others as well. Some of the Gigabyte Brix devices have dual NICs.

You can take your wifi router and just turn it into a wifi access point that does no routing at all. This is what I've done with mine, as I use an x86 PC for my router.


I haven't done any tests personally, but switching from OpenVPN to WireGuard or IPsec should give you better speeds as they load the CPU less.

You can use your existing router's switch to send VLANs in and out of a single port X86 box. Two ports simplifies the hookup to use as a main router but it is possible with one if you have a VLAN-aware device to break out multiple networks from one port.

There are some no-name Z8350 based boxes for less than $120 (with soldered in 2 GB RAM and 32 GB flash, not expandable) that look like good performance for the dollar, but it's not an AES-NI chip.

Since you didn’t mention the type of VPN you are using or the cipher that you use, you could have a look at using the latest Marvell-CESA crypto drivers. There was some development on those to include extra ciphers and DMA support to enhance performance.

The driver should be available for Lede/OpenWRT and may give you some benefit. And I say “may” cause it really depends on ciphers used and average packet length to see any performance difference. It will cost nothing to try.

@dlakelan what about this one with the j1800 and 2 gigs of ram?

https://www.aliexpress.com/item/XCY-Mini-Pc-Windows-10-celeron-3205U-J1800-N2810-Industrail-Computer-Quad-core-J1900-2-41GHz/32839896346.html?ws_ab_test=searchweb0_0,searchweb201602_1_10152_10151_10065_10344_10068_10130_10342_10547_10343_10340_10548_10341_10084_10083_10618_10630_10139_10307_5711211_10313_10059_5722311_10534_100031_10629_10103_10626_10625_10624_10623_10622_10621_10620_10142,searchweb201603_25,ppcSwitch_2&algo_expid=d4edc4f9-25b3-44f2-ac21-516c94f0fe4a-9&algo_pvid=d4edc4f9-25b3-44f2-ac21-516c94f0fe4a&priceBeautifyAB=0

I know it doesn't have AES-NI, but I'm just curious what you think the bottleneck would be running OpenVPN through it?

Also is the best way to use this to install pfSense on it and then set my LEDE router as an access point?
Thanks

Without AES-NI you'll get maybe 50 or 70 Mbit/s, maybe 100; with AES-NI you would probably get 250 Mbps or more through OpenVPN.

I haven't actually used the XCY boxes, but they look attractive provided you don't need the AES-NI

I wouldn't install pfsense as it will soon REQUIRE AES-NI so you'll be orphaned. I'd look at either LEDE for x86 or a regular Debian / Centos / Arch or similar install. I use Debian + Firehol for firewall.

I think the time has come to put small x86 boxes as your router and use APs for wifi rather than a wifi router all in one device. Even the high end consumer routers will have circles run around them by a box like the XCY

@dlakelan
Also I found an old desktop for sale used I thought I might try with pfsense and the LEDE router as an access point. It has

AMD Athlon 5000+ Dual Core 2.6 Ghz,4 Gb ram

Any idea what the bottleneck would be in that? Thanks

The biggest bottleneck with that one will be power consumption, when a j1900 may do with 6-8 watts idle, an old desktop (of Athlon 5000+ vintage) will have an idle power draw of at least 70 watts (depending on graphics card and PSU easily up to 130 watts, continuously).

That will consume a LOT of power comparatively. In a few months to a year you'll have bought the XCY box in electricity cost.

No idea how well it will perform but I don't think it'll have AES-NI. I would go with a low powered device, you'll have it on all day long.

@dlakelan @slh Ok well I guess I should go with AES-NI if I want to get my max speeds. I've been looking and have seen a few. Most are more than I want to spend, but it's doable if I have to. I did just come across this one and it says it has hardware acceleration.

Some of the reviews claim that people who were getting 130 Mbps are now getting 900 Mbps after turning on the hardware acceleration. That was without a VPN, but another review said it does support OpenVPN and maybe this hardware acceleration would help, but I'm not sure. What do you guys think? Thanks

The acceleration they're talking about accelerates routing, if you don't use any queue management, and does nothing for crypto as far as I know.

One thing to think about, if you get an AES-NI enabled small x86 box you will never replace it in the next 10 years, because it will route a gigabit and do multi hundred megabits over OpenVPN and so it's a much longer term investment than an all in one consumer box with wifi.

@dlakelan

What about this one? It looks a lot like the one you posted a link to on amazon only quite a bit cheaper.

https://m.aliexpress.com/item/32825684280.html?spm=a2g0n.wishlist.0.0.3363b752xUhrNV

Also while I was looking on AliExpress I saw a Qotom box that was similar that said its wifi would not work with pfSense unless the router was set up as an access point. Do you know why that would be and how to make sure I don’t run into that problem when selecting a box? Thanks

Take a look at the PCEngines boxes. I'm happy with the build quality and the low power consumption both. They run FreeBSD and Debian/Ubuntu very well here for me. On the order of $150-175 with a case, power supply, and mSATA drive.

CPU: AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache.

apu2c4 = 3 i210AT LAN / AMD GX-412TC CPU / 4 GB DRAM

Thanks @jeff I just looked that up and found this thread on reddit:

It seems like it would work well with Linux or maybe LEDE, but from what it says in that post for whatever reason with pfSense it brings the speed way down when using it with OpenVPN. I should tell you I was only able to set up my EA4500 with LEDE and PIA because someone on another thread here wrote me a guide. I wouldn’t know where to begin with Linux. Once years ago I downloaded Linux Mint just to tinker with it, but it was a lot to take in and I’ve never really gone back.

@Greg -- GUI-driven appliances can be easier to use, as long as what you want out of them is exactly what you need. One concern that I would have with any Internet-attached device, especially one that provides security, is the level of vendor support. If you aren't getting prompt and regular updates, you'll quickly fall behind and have a slew of unknown security flaws or loss of functionality (for example, deprecation of all SSL and TLS prior to v1.2).

Linux has had its ups and downs as far as non-expert usability goes. I've never tried Linux Mint, so I can't comment on it. Ubuntu used to be my Linux of choice, but recent releases have gotten "too friendly" to the point where I'm fighting the OS to get it to do what I want it to do (network management and systemd in particular). FreeBSD is still my OS of choice for services as it does what I tell it, rather than what it thinks I want.

Given that you need "just" a VPN running, you might want to fire up a VM (VirtualBox, for example) and see if either FreeBSD or Debian can get you where you want without too much pain.

Isn't Z8350 AES-NI capable?
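
Questions like this one can be settled on the box itself. The script below is an added example, not part of any post in this thread: it checks whether the CPU advertises hardware AES by looking for the `aes` token in `/proc/cpuinfo`-style text. The function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this CPU advertise hardware AES?
# x86 lists the token "aes" on the "flags" line of /proc/cpuinfo (AES-NI);
# ARMv8 lists it on the "Features" line. Functions read cpuinfo text on stdin.

# Exit status 0 if "aes" appears as a whole token on a flags/Features line.
cpu_has_aes() {
    grep -Eq '^(flags|Features)[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# Print a one-line verdict for cpuinfo text on stdin.
aes_verdict() {
    if cpu_has_aes; then
        echo "hardware AES: yes"
    else
        echo "hardware AES: no (AES ciphers run in software)"
    fi
}

# Constructed /proc/cpuinfo excerpts (not captured from real hardware).
sample_x86_no_aes() {
    printf 'model name\t: Constructed CPU A\n'
    printf 'flags\t\t: fpu vme tsc msr sse sse2 ssse3 sse4_1 sse4_2 popcnt\n'
}
sample_x86_aes() {
    printf 'model name\t: Constructed CPU B\n'
    printf 'flags\t\t: fpu vme tsc msr sse sse2 ssse3 popcnt aes xsave avx\n'
}
sample_arm_aes() {
    printf 'Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n'
}

# On a real Linux or LEDE/OpenWrt box, check the running CPU.
if [ -r /proc/cpuinfo ]; then
    aes_verdict < /proc/cpuinfo
fi
```

The flag only says the instructions exist; running `openssl speed -evp aes-128-cbc` on the same box shows what single-core cipher throughput it actually reaches.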