Speed issues with TPLink Archer A7 AC1750 v5

Hi everyone! I got this router 3 days ago to improve my VPN speeds but I'm having a hard time achieving that. My ISP provides me with 100mbps down 20mbps up and I do get them fully on their modem. I have Surfshark VPN at the moment and 3 days ago I had it running through L2TP on a TPLink WR940N, achieving somewhat variable speeds between 25 and 50mbps after tweaks on the original firmware.

I installed the latest OpenWRT firmware for my new router which is connected through ethernet to my modem and from the start I get only 65mbps. Then I configured OpenVPN following this guide:


and the speed dropped to 13-14mbps. After that I enabled SQM QoS with the following values:

At Basic Settings tab:
Download speed (kbit/s) 0
Upload speed (kbit/s) 19980
At Queue Discipline tab:
Queuing disciplines: cake
Queue setup script: piece_of_cake.qos
At Link Layer Adaptation tab:
Which link layer to account for: Ethernet with Overhead
Per Packet Overhead (byte): 34

And the speed dropped to 8-9mbps. These speeds apply equally to my wired and wireless connections. I've been trying to improve this on my own by a lot of research here and on Google and with the help of the Surfshark support team, to no avail. So far I've dropped the MTU of the WAN and LAN separately but it worsened, so I set them back to 1500. I've used three different UDP servers and they all give me the same speed. I've changed to TCP and got slower. I've set Cloudflare, Google and Surfshark DNS servers on the router (WAN) and on my Mac and Cloudflare works best with no leaks, but still same speeds. I've run the TOP command while testing on Ookla Speedtest and CPU usage doesn't go above 5%. I have very little coding knowledge but after many searches, errors and factory restores, I've managed to set this router and make all these changes with support of the GUI when possible. I hope someone can shed some light on this. Thank you!

Big fat chance the speed drop is caused by encryption. Modern VPN apps like Wireguard (TLS), OpenVPN (TLS) and StrongSwan (IPsec + IKEv2) encrypt the tunnel. L2TP does not use any form of tunnel encryption. OpenVPN is especially more resource intensive compared to Wireguard or StrongSwan, making it more susceptible to a lower throughput on resource-limited devices like routers. You should get better results using StrongSwan or Wireguard for a VPN server running on a router. If you need to run OpenVPN, using a router with hardware cryptographic acceleration would definitely improve performance, or run a dedicated OpenVPN server.

As for the speed drop from 100mbps to 65mbps with no VPN, that's weird. OpenWRT should have no problem with the AR71xx target in terms of throughput via wired ethernet. How did you measure this? Was the client connected via WLAN? WLAN speeds are not with Atheros 9xxx based hardware and OpenWRT.

1 Like

The Archer A7 is a 750 MHz single-core mips 74Kc CPU, which isn't fast at all - especially for VPN uses (and the single CPU core also needs to service LAN/WLAN interrupts, PPPoE, etc. at the same time). Your results are roughly within the expected margins (for all intents and purposes, Archer C7 and A7 are identical in terms of performance).

While wireguard (or IPsec/strongswan) will provide better speeds than OpenVPN, your router is way too weak to achieve anything close to 100 MBit/s over VPN.

1 Like

Thanks vuhuy. I've checked with Surfshark and Wireguard will be implemented soon, so I'll definitely try that. Since L2TP doesn't have tunnel encryption, is it a better option for me? How would they compare in this case?

The test was with Ookla's Speedtest and on a wired connection. I should add there are Netgear Powerline adaptors in between with great signal according to their LEDs (green).

Thanks slh. How could I push my results towards the other end of what could be expected? Any adjustments you suggest?

I'll try Wireguard as soon as it's implemented with Surfshark. I understand the limitations of my hardware so I'd be very happy to achieve a solid 25mbps or whatever is the max I can take out of this router. I only use this as a VPN router for my Apple TV, so 25mbps allows smooth 4k streaming (allegedly) and would cover my needs.

Hmmm, depends on your use-case. It doesn't have end-to-end encryption so it isn't secure at all. If security and preventing others from snooping your internet traffic is the reason why you use a VPN, then L2TP is NOT recommended. But performance would definitely improve. I just can't say how much.

1 Like

I've been looking for a guide to set up L2TP but can't find anything clear (for me at least). Does this work to set up a connection to Surfshark servers?

https://openwrt.org/docs/guide-user/services/vpn/ipsec/openswan/openswanxl2tpvpn

While I work this out, mind me asking for a way to disconnect from Surfshark servers while keeping my internet connection active? I've tried to disable and stop the instance but both cut my internet access, only deleting the instance allows me this.

Pff, that's a rough path. I'm 100% sure it's possible, but up-to-date information is lacking because of the state of L2TP. If I remember correctly, setting L2TP connections was just as easy as setting the right protocol on your WAN interface with older versions of OpenWRT.

If you got some experience and some spare time and patience you could try it. I'm always happy to give you directions if you can supply the right information if you're running into problems.

Please note, be sure to look for client manuals instead of manuals where you set up a server (the guide you mentioned is for setting up a server). Xl2tpd is the keyword to get you started. And last, I checked the Surfshark website: it only mentions L2TP, and not L2TP/IPsec. That IPsec part is where OpenSwan plays a role (now deprecated in favor of StrongSwan).

Bonus: You might want to look at IKEv2 with IPsec first (StrongSwan), setting up a client is quite "easy". Well, easier than going down the L2TP rabbit hole. No guarantees tho. It should definitely perform better compared to OpenVPN on embedded hardware - but L2TP should still be king (not talking about security hehe).

1 Like

I see, no wonder I can't find anything. Also, can't see any L2TP protocol on my WAN interface. Unfortunately I have 0 experience so I don't think it's a good idea to try. I even got confused with what you said, but if you could help me with that last question on how to disconnect from OpenVPN without losing internet connection (and without having to delete the instance!) that would help me a lot to be able to "switch" to my regular internet connection when I need speed without geounlocking.

I found this which portrays my same problem on the same hardware yet no solution I think.

Would you be able to provide some routers that have "cryptographic acceleration"? It's hard to find them browsing online.

Also you meant "OpenVPN client" not "OpenVPN server", correct? Because we connect to a VPN service, we don't create a local server (that would only encrypt the local traffic, not the WAN traffic).

Thanks!

See https://openwrt.org/tag/crypto?do=showtag&tag=crypto
For further hardware questions please open a new topic in the hardware section of the forum.