Router Recommendation

Both MT7621, which means they will not route a gigabit full-duplex until the latest patches make it into a release --- though you can get them now if you're willing to run a custom or nightly build, and then they'll do it with ease: almost no CPU usage whatsoever even with PPPoE and NAT.

OpenVPN throughput will not knock your socks off. On the order of 30 Mbps. A lot of us prefer to let the edge device be the edge device: I personally never terminate a VPN connection on the router itself; it does take a bit of routing-fu to make that work for some scenarios.


Hey man, thanks for the detailed info. Is there a reason why OpenVPN performance is rather low on devices under 200$? It can't just be due to slow CPU speed with all the advancements of OVPN. A handheld calc can do AES-256 encryption these days.

I mean usually I can get 85% of full speed connecting via OpenVPN from my desktop.

Of course I understand that there will always be some speed loss using OpenVPN on a router with Wrt, but I truly did not expect the numbers I'm hearing ranging from 17 Mbps - 45 Mbps. Apparently you have to drop serious cash to get halfway decent VPN performance. I know I said speed wasn't really an issue, but I thought that 300 - 450 Mbps wouldn't be a problem even with these low end devices tbh.

The simple answer is that consumer routers usually have very lightweight CPUs. They get their networking and basic routing throughput thanks to specialized ASICs which are cheap to produce once the development costs are recouped.

If you really need always-on high-bandwidth VPN capability your best solution is to A) spring for a router that has hardware encryption support, or B) to not bother terminating your VPN on the router at all, and terminate it on a desktop/laptop (a common and effective solution for telecommuters), or on any capable system or NAS, and have a little fun playing with static routes to get other systems to use it.


Thanks again man, great advice.

Yeah, I broadened my search and acceptable OpenVPN performance really starts at around 400$ devices.

I have decided to repurpose an old system of mine into a router. It has an i3 @ 3.5GHz and a mini-ITX board. Should be around 25 - 50 Watts. Only one native NIC but I will get a PCI NIC card. It will run either pfSense or OpenWrt, not sure yet. I did some calculations and this should hold up with 500 - 600$ enterprise routers in terms of AES-256 encryption and OpenVPN. It should pretty much outperform any commercial router setup with ease.
I'll do double NAT via the ISP modem's LAN, but it's fine and performance shouldn't take much of a hit I hope. Wi-Fi is not that important right now so the ISP modem can continue to handle it, but I might get a Wi-Fi card later on as well.

Hopefully you can do even better in real life than 25-50 watts. I have a mini-ITX board running an old Sandy Bridge Core i5 (rescued from an old iMac upgrade, from way back in the day when iMac CPUs were socketed and you could upgrade them).... it's my file server and runs all kinds of network appliances as LXC containers, and pulls about 16 watts most of the time.

Edit: while double NAT's not the worst thing in the world, it's usually avoidable. Your modem should hopefully have a transparent bridging mode, which essentially passes Ethernet frames unmodified to whatever you connect to it.

In practice you can stack a router behind another router without double NAT: the "inner" router (i.e. the one not facing the WAN) does not necessarily need to do NAT or masquerading. Describing why and how takes some verbiage but I'll expand on it if you think it's relevant.


Yeah, 50 Watts is probably a bit high, I will run the OS from RAM and use ssh so no extra monitor. I hope I can get it around 20 Watts, that would be perfect. Sure, bridged mode is also possible, but that would force me to run Wi-Fi off the new router. That's the only weakness of this setup, because the cost of an appropriate Wi-Fi card will kinda defeat the purpose of this budget solution.

Maybe the ISP modem allows for the routing method to set up OpenWrt, I'll check. If it doesn't I will test if there is any additional latency with double NAT.

The i3 should be able to handle 250 - 350 Mbps with OVPN. It has the AES encryption feature. That's the bare minimum, but okay.

I have already familiarized myself with OpenWrt and find it much more user friendly and practical than pfSense. Also this community is hard to beat, you guys are awesome here.

Last problem is to create a live build of OpenWrt that I can boot with the toram kernel parameter. I already found something on this though, gonna try it now.
