I'm looking for a router to basically use as hardware for an OpenVPN client. I just got an Archer A7, installed and configured OpenWrt 21.02.1 and OpenVPN client for it. Everything's working fine, but the internet speed is terribly slow when the client is enabled (5-10mbps going through a VPN server that shows around 100mbps with the OpenVPN client running on the computer). I believe the bottleneck is the processor, as the CPU usage of openvpn process hangs at around 90% while running speedtest.
Would anybody be able to recommend a relatively inexpensive router with good OpenWrt support and a CPU faster than the one in the Archer A7 (I believe it's Qualcomm Atheros 750MHz)? A forum topic to check out would also be really helpful (sorry, I wasn't able to find one for this particular issue).
Also, if you think the problem may be somewhere else, please advise.
If you do not need wifi or can use your current router as wifi only, then WRT3200ACM or WRT32X should deliver nice throughput. Also GL-MV1000 has a fast CPU.
no, rpi4 has subpar openvpn performance as it's lacking crypto extensions - but I would recommend it for wireguard - if OP is willing to switch protocols.
for about 150mbps openvpn you can try Orange pi Zero Plus with H5 chip (<30$ with shipping)
if you need/want more you can go for Nanopi R4s (~82$ + shipping)
of course there is also the x86 option like SW301DA (>20$ + shipping on ebay) that will get you in the same ~150mbps area see https://teklager.se/en/knowledge-base/apu2-vpn-performance/
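As an added example that is not part of the thread: a quick way to check whether a board's CPU advertises AES instructions before buying or flashing it, by parsing `/proc/cpuinfo`. The function and sample names are hypothetical, the cpuinfo samples are constructed, and AES-256-GCM is assumed as the OpenVPN data cipher.

```shell
#!/bin/sh
# Added example (not from the thread). Sample cpuinfo text below is constructed.

# Read /proc/cpuinfo-format text on stdin; print "yes" if the CPU advertises
# AES instructions, otherwise "no".
cpu_has_aes() {
    awk -F: '
        # x86 lists CPU features under "flags", ARM under "Features".
        /^(flags|Features)[ \t]*:/ {
            n = split($2, f, " ")
            # Compare whole words so that e.g. "vaes" alone does not match.
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed samples: an ARMv8 core without the crypto extensions, one with
# them, an x86 CPU with AES-NI, and a MIPS SoC (no feature line at all).
sample_arm_without_aes() {
    printf 'processor\t: 0\nFeatures\t: fp asimd evtstrm crc32 cpuid\n'
}
sample_arm_with_aes() {
    printf 'processor\t: 0\nFeatures\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid\n'
}
sample_x86_with_aes() {
    printf 'processor\t: 0\nflags\t\t: fpu sse4_2 popcnt aes xsave avx\n'
}
sample_mips() {
    printf 'system type\t: constructed MIPS SoC\ncpu model\t: MIPS 74Kc\n'
}

# On a live system, run with the argument "bench": report the CPU flag, then
# measure single-core AES throughput (OpenVPN encrypts on a single thread).
if [ "${1:-}" = "bench" ]; then
    echo "AES instructions: $(cpu_has_aes < /proc/cpuinfo)"
    openssl speed -evp aes-256-gcm
fi
```

The `openssl speed` figure is a ceiling for one core doing only encryption; real tunnel throughput is lower because the same core also moves packets between kernel and userspace.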
It is not cpu power you need to focus on. You want to look for crypto engines usually found in “vpn routers”.
Wrt3200acm is a beast but on a good day I got maybe 16Mbit/s and when I bought ER4 it really doesn’t limit speed that much and the speed is mostly based on the OpenVPN client wifi speed. But usually the OpenVPN seems to hit the roof at around 35-40Mbit/s with ER4.
It is the same with an ordinary PC and encrypted hard drives. If you run it with a CPU without crypto accelerator it takes ages (literally) to boot and if you run it with an Intel i7 CPU with crypto acceleration you don't notice the encryption at all.
Cool, thanks for the suggestion. How's its wifi? I imagine it will be problematic to connect from another room without adding some external wifi adapter to it?
I can, but it will be a bit of a pain. First, I run my own OpenVPN server bundled with PiHole from a docker image. If I switch to wireguard I'll have to either lose PiHole or create my own image. Second, installing wireguard client in OpenWrt is a bit more involved. All for the benefit of about 20-30% CPU power savings (correct me if I'm wrong on the numbers).
I can download at 2.5 MBps with router CPU at about 10 % using a WRT3200ACM through an OpenVPN tunnel. It can obviously do way more but I have a VDSL connection at 23 down 3 up at best. The router works using software and hardware flow offloading but I guess it does not help OpenVPN a lot. What may help a little is that my VPN provider supports ECC.
Might not be what you're looking for but I'm running FreeBSD 13-STABLE (I guess some Linux distro works just as good) on my RockPro64 because I wanted to integrate PiHole functionality (https://0xerr0r.github.io/blocky/ --> https://www.freshports.org/dns/blocky/) and a bunch of other things which works really well in a relatively small package.=)
If you use the router as a server and connect a client from the internet and surf through the router (that is duplex data transmission for the router WAN interface!) then you can’t go faster than the router's uplink which is 3Mbit/s in your case.
The data flow from VPNserver/router to the VPN client is uplink data.
Yes, I know that, thank you. But I think Timm mentioned he wanted to use a router as a VPN Client (as I do) and just wanted to reassure him that the router's CPU was probably not a problem when being limited to 16 mbps (or a little more than 20 in my case).
The CPU looks slow; but it's dual-core, supports hardware offloading, can pull a Gbit with normal traffic, and is rated for up to ~400Mbit IPsec (which has more overhead than Wireguard). They make beefier ones too.