TP-Link Archer MR200 - VPN performance

Hi,

I'm planning to set up a site-to-site VPN connection (OpenVPN) between my TP-Link Archer MR200 (on LTE network) and my pfSense server at home.

What performance can I expect to get on this TP device?
https://openwrt.org/toh/tp-link/archer-mr200#installation

With a 580-MHz, MIPS SoC you’re probably looking at 6-12 Mbps OpenVPN doing nothing else.


Indeed, the MT7620 isn't exactly fast and the design of OpenVPN doesn't help.

When you say TP-Link device, which specific device are you talking about then?

Thank you, will I get some more performance by changing to IPsec or something?
Reduce encryption?

Is there something I can do to increase the performance?

The first priority is not the security, but the site to site functionality.

Wireguard helps "quite a bit", IPSec should help although the main issue is the SoC which is super slow. You'll be much better off with any kind of ARM device and a USB attached modem or ethernet bridge.


WireGuard might get you 20-25 Mbps on a 580-MHz, MIPS-based SoC.

Bottom line is that low-end SoCs don't have enough CPU power to handle the encryption at moderate rates, even with the newer encryption ciphers like ChaCha20.

If you're comfortable with the security provided by WireGuard, and many are, I would use that instead of OpenVPN.

Split routing is possible in many ways. Most modern VPNs "push" routes to the client. For WireGuard, the "allowed IPs" are confusing, but provide that functionality. For the client, the "allowed IPs" are the target IPs (destinations) that go over the tunnel. I found the following helpful in trying to wrap my head around WireGuard configuration:

https://emanuelduss.ch/2018/09/wireguard-vpn-road-warrior-setup/

Thank you for the information,

Can it be an option to only send traffic between the sites on the VPN and the rest directly to the internet?
So when I want to access things on the other site the traffic goes through the VPN, and if not, directly out...
Then the speed will not be reduced for traffic that does not go between the sites?

It shall not be a problem to configure this?

I will get the hardware later this week....

Yes, you either use the VPN configuration or manually configured static routes to route the subnets of interest, and the rest goes via default (or other) route.
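The split-tunnel setup discussed above (WireGuard "allowed IPs" limited to the other site, everything else out the default route), as an added example that is not from any of the posts. The addressing (home LAN 192.168.1.0/24, cabin LAN 192.168.2.0/24, tunnel 10.99.0.0/30), the hostname and the key placeholders are assumptions.

```uci
# /etc/config/network on the cabin router (constructed example).
# Assumed addressing: home LAN 192.168.1.0/24, cabin LAN 192.168.2.0/24,
# tunnel 10.99.0.0/30. Keys and hostname are placeholders.

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<CABIN_PRIVATE_KEY>'
	list addresses '10.99.0.2/30'

config wireguard_wg0
	option description 'home'
	option public_key '<HOME_PUBLIC_KEY>'
	option endpoint_host 'home.example.net'
	option endpoint_port '51820'
	# Split tunnel: only the home end of the tunnel and the home LAN
	# are listed, so only those destinations are encrypted and sent
	# over wg0. Listing 0.0.0.0/0 here instead would push all
	# internet traffic through the tunnel and the slow SoC.
	list allowed_ips '10.99.0.1/32'
	list allowed_ips '192.168.1.0/24'
	# Install kernel routes for the prefixes above automatically.
	option route_allowed_ips '1'
	# Assumption: the LTE side sits behind carrier NAT, so the cabin
	# keeps the mapping open for traffic initiated from home.
	option persistent_keepalive '25'
```

The same list also filters inbound traffic: packets arriving from this peer with a source address outside `allowed_ips` are dropped. The home endpoint needs the mirror-image entry (192.168.2.0/24 allowed for the cabin peer) for return traffic to be accepted and routed.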

I have got a new idea… overclocking the CPU just some…

https://openwrt.org/toh/tp-link/archer-mr200#installation

I found this video:

Is this the way of doing it, how much can I go up?
How high can I go and what can I do if the router will not boot up, use the memory reset button?
What about memory, can I increase the Hz there also?

Perfect world will be if I can get 40mbit on the VPN....

You'll be able to cook eggs on your router long before you get even close to that.

It's not a bug, it's a feature! 🙂

Hehe, what Hz do I need for IPsec in that range?

Maybe 30 Mbit can be doable with 700 MHz?

It’s the crypto that drives the load. WireGuard uses one of the lowest computational cost ciphers generally available.

If you stick with MIPS, you’ll need a 775 MHz clock, based on the testing of GL.iNet, who I believe is honest about their results. Realize that if you run anything other than essential router services (LuCI is not "essential") or other CPU tasks (such as handling an LTE modem), you won't get the "unloaded" performance on a single-core SoC.

The TP-Link MR200 just isn't powerful enough for more than basic routing. Moving to a multi-core, ARM-based device, or using "something else" for your VPN would be reasonable approaches. Perhaps a single-board computer, like a current Raspberry Pi (crypto speed unknown by me), might be a cost- and power-effective approach.

Hehe, install a fan?

Thank you for the information.

I need some more hardware to take the VPN and wireless part of it, and leave the TP router to only handle LTE, agree.

What options do I have for hardware for hosting VPN and wireless, same unit?

Where are you located? Unit availability and pricing are very different by regional market.

What is your budget? Do you have power or size constraints?

Norway, but location shall not be a problem, just purchase and get it shipped.

I will try to get everything inside low voltage cabinet I have.

Two options:

  1. Vpn with 50mbit
  2. Vpn with 100mbit

Can be a good choice?

Right now I only have LTE, but LTE+ coming soon.

It's just at my cabin so not top secret traffic 🙂
So I'm planning to use VPN to home and direct out on internet for rest of the traffic.

Budget lowest as possible, but try to get almost out of the internet speed...

Do you have access to a WireGuard VPN endpoint, or are able to configure one on a VPS yourself (~US$5/mo)?

Based on GL.iNet numbers, so at least self-consistent

  • ipq40xx (717 MHz) -- 192 Mbps WireGuard -- 25 Mbps OpenVPN
  • ath79 (775 MHz) -- 68 Mbps WireGuard -- 17 Mbps OpenVPN

As you can see, the load of OpenVPN at even moderate rates exceeds what a MIPS-based router can handle.

To get 50-100 Mbps over OpenVPN, you're likely looking at an x86_64/AMD64 solution, with a separate all-in-one as an AP.

Based on that, I'd recommend an ipq40xx-based unit, or one of the faster SoC families, such as ipq80xx, mvebu, or x86_64/AMD64. I don't have experience with the mvebu wireless, but I find the wireless performance of the ipq4019-based EA8300 to be noticeably better than that of the ath79-based Archer C7v2 units I've replaced. Recently someone here posted that Amazon UK had EA6350 dirt cheap (£34).

Ignore the title, but this post has some good starting points: