OpenVPN x86 performance slightly underwhelming

Hi,
I have upgraded from Archer C2 v2 to x86 LEDE router, partly in order to improve VPN throughput.
I am running openvpn-openssl 2.4.4-4 on UDP on router and latest 2.4.6 64-bit OpenVPN client on Windows W7 i7 laptop. Both router and laptop have x86 CPUs that support AES NI. I am running AES-256-GCM cipher. Router runs on LEDE Reboot 17.01.4 r3560-79f57e422d.

For fun, I have tried to benchmark VPN by connecting laptop to 1Gbit LAN and establishing VPN tunnel "from inside" by using OpenVPN client option "float". Then I tried copying some files from NAS.

While transfer speed jumped from approx 17Mbit (on Archer C7) to 56Mbit on x86, I kind of expected more. Both router and laptop CPUs were nowhere near pegged. Router runs dual core Atom and openvpn process was consuming around 15% of CPU cycles (looking through "top"). Laptop CPU was also nowhere near max... running roughly the same CPU load.

Is this all that can be expected? I somehow expected that CPU is the bottleneck here but I suppose there is more that is involved?

Best regards,

Benchmark the VPN tunnel through iperf3. You may simply be seeing storage bottlenecks.

Naah, I am able to peg Gbit Ethernet when copying from NAS directly (120 Mbytes/sec). It is speedy NAS to SSD copy, so ethernet is really the bottleneck.
I will try to connect my laptop to WAN side and re-test, as using LAN would generate twice the traffic (but it should still be enough for at least 400Mbit.)

If you control both sides of the VPN tunnel I would really consider switching to Wireguard. It's way faster and much easier to configure (I have used both OpenVPN and Wireguard in the past myself. I stuck with Wireguard).

This or slightly more complicated using Softether: https://wordpress.tirlins.com/2015/03/setting-up-softether-vpn-on-openwrt/

I use Softether in its own protocol version configuration, with 2 tcp connections (up/down) and works way better than openVPN, but then requires the softether client.
Softether can also provide an ipsec/openVPN client compatible server configuration, which is advertised as being faster than the native implementations.

Thanks for all the hints about other options. Unfortunately, neither Softether nor Wireguard has iOS clients available. Being able to use VPN on iPhone and iPad is crucial for me.

I have now tested by plugging router WAN interface and laptop into Gbit switch and pretending that laptop is out on Internet. Thus the shortest path.

Behaviour is rather weird. It seems that new OpenVPN client is not using AES-NI but server is.
Basically, speed will start low (2Mbit), slowly climb to 70Mbit, then jump to 150Mbit then back to 70Mbit and so forth. So it will be climbing in steps until it reaches what happens to be 100% CPU for single thread and then go back. In my case, it topped out around 150Mbit then started oscillating back-and-forth between 150 and 75Mbit.

150Mbit corresponds roughly with 25% CPU on my laptop (four core i7 of older kind).

Info in this forum indicates that OpenVPN client lost 75% of performance and stopped using AES-NI acceleration in version 2.4:

70-150Mbit is kinda OK for me as I only have 100/100Mbit fibre but it is little underwhelming. I will try to find older OpenVPN Windows client and test again. (Old clients had option for enabling AES-NI).

I redid the tests with TUN connection and this time I was able to peg (single threaded?) OpenVPN process to 50% on my LEDE x86 router. This roughly corresponds to ~120Mbit using AES-256-GCM cipher.
At the same time, OpenVPN client had ~17% CPU load.

So there you go. x86 + LEDE + OpenVPN is single threaded and max speed depends on CPU. But it is in 100Mbit-ballpark for two core Atom with AES-NI and 256 bit cipher.

Hmmm, might want to look into what TLS engine you're using and how it was compiled. OpenSSL from 1.0.1 should "natively" support AES-NI, if properly compiled. See, for example:

https://forums.openvpn.net/viewtopic.php?t=21376 which additionally links to
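
One way to run the check suggested above, as an added example that is not part of any post in the thread: it tests whether the CPU advertises AES-NI and whether the OpenSSL build actually uses it, by timing AES-256-GCM normally and again with AES-NI masked through `OPENSSL_ia32cap`. It assumes a Linux x86 host with the `openssl` command-line tool installed; the function names and the 2x threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: verify that OpenSSL uses AES-NI on this host.
# Assumptions: Linux x86, /proc/cpuinfo present, openssl CLI installed.

# cpu_has_aes FILE: succeed if the first "flags" line of a
# cpuinfo-format file lists the exact flag "aes" (not e.g. "vaes").
cpu_has_aes() {
    grep -m1 '^flags' "$1" | tr ' \t' '\n\n' | grep -qx aes
}

# last_rate: read `openssl speed` output on stdin and print the
# throughput for the largest block size (last column of the result
# line) in whole kB/s. Prints 0 if no result line was found.
last_rate() {
    awk '$NF ~ /^[0-9.]+k$/ { r = $NF }
         END { sub(/k$/, "", r); printf "%d\n", r }'
}

# verdict HW SW: compare the default rate with the AES-NI-masked rate.
# The 2x threshold is a heuristic chosen for this example.
verdict() {
    if [ "$1" -ge $(( $2 * 2 )) ]; then
        echo accelerated
    else
        echo not-accelerated
    fi
}

main() {
    if cpu_has_aes /proc/cpuinfo; then
        echo "CPU advertises the aes flag"
    else
        echo "CPU does not advertise the aes flag"
    fi
    # Default run: OpenSSL picks AES-NI code paths if it was built with them.
    hw=$(openssl speed -elapsed -evp aes-256-gcm 2>/dev/null | last_rate)
    # Masked run: clear the AES-NI and PCLMULQDQ capability bits so
    # OpenSSL falls back to its software implementation.
    sw=$(OPENSSL_ia32cap="~0x200000200000000" \
         openssl speed -elapsed -evp aes-256-gcm 2>/dev/null | last_rate)
    echo "default: ${hw} kB/s, AES-NI masked: ${sw} kB/s -> $(verdict "$hw" "$sw")"
}

# The benchmark takes a while, so it only runs when asked to.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke the script with `--run` to perform the timing. If both runs report about the same rate on a CPU that advertises `aes`, the OpenSSL build is not using the hardware path.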

You can try running the Softether server in openVPN mode and then use any normal openVPN client. For Wireguard https://tunsafe.com/ is a third party client, with experimental macOS support, if you want to give it a try.

Update:

After upgrading to OpenWrt 18.06.1, upgrading to latest openvpn (2.4.5-4.2) and tweaking the buffers in server config, I am able to reach ~12.5 MB/sec throughput for real-world file-copy via VPN (using 256-bit AES CMP). This will peg the openvpn single-thread process on OpenWRT x86 router to 100% (Intel(R) Celeron(R) CPU N3050 @ 1.60GHz).

In iperf3 currency, this corresponds to roughly 140Mbit/sec in best conditions (both client, router and server on same Gbit Ethernet).

Plenty enough for home use, perfect match for 100/100 fibre.

FYI, Wireguard released an iOS client quite recently: https://git.zx2c4.com/wireguard-ios/about/