VPN router/server: new router or new mini server

I already have a BT home hub 5 and it is a very good and cheap modem/router. However, its CPU is too low for openVPN and even if for wireguard.
I'm thinking to build a VPN router with a raspberry pi 3-4 or something equivalent with a budget 80-100 $. Another option is to buy a new modem/router with a strong CPU as netgear R7800 150-180 $. I would like to achieve as maximum 100 M bit/s in both directions.
In your opinion, what is the best solution?

Can you use WireGuard to get to 100 Mbps, or do you need OpenVPN at 100 Mbps?

I prefer openVPN since only some providers have VPN (mullvad, azireVPN). Do you think that BT home hub 5 is able to achieve 100 Mbit/s with wireguard?

Measured on a TP-Link TD-W8980, which uses the same SoC as the BT Home Hub 5A:
IPsec (AES128, SHA1) achieves ~25Mbit/s using the SoC's crypto hardware, and half of that with software crypto. Network latency will suffer when throughput approaches the limit.
Wireguard is also kernel-based like IPsec, its performance should be in the same range, but I have not tried it.

I'm was on same situation few months ago and i got one Orange Pi Zero for VPN.

Now OPiZ have few VPNs and they're working great.

At least from what I have tested, 100 Mbps with reasonable latency over OpenVPN puts you into the x86_64 with AES-NI class of devices.

I haven't tested the Lantiq SoC, but I would imagine that there'd be a lot of complaints if it couldn't route/NAT 100 Mbps. mps' post confirms that it can't come close to 100 Mbps for OpenVPN and suggests that it may not hit 100 Mbps for WireGuard. Since it seems you've got routing/NAT and wireless, something to do the VPN. This assumes your device can route 2x = 200 Mbps, as packets will come in from LAN, out to VPN engine, back from VPN engine, then out Internet.

The Raspberry Pi devices are marginal for Ethernet bandwidth due to some design choices made prior to the "4" series, but should be sufficient for these speeds. I have not tested their OpenVPN speed, so can't comment if they are sufficient.

ARMv8 has support for AES extensions and so raspberry pi 4, odroid n2 and rockpro64 should be very fast.
I will follow this solution together with pi hole, DNS over HTTPS and VPN server.
Thank you at all for the replies.

1 Like

I just saw that GL.iNet is releasing a new, Marvell-based router. Their benchmarking of OpenVPN and WireGuard seem to be honest1 in my experience.

Marvell Armada 88F3720, Dual-Core ARM Cortex-A53 @1.0GHz

  • Max. 97 Mbps OpenVPN downstream "client" (with a reasonable note that upstream "server" is slower)
  • Max. 280 Mbps WireGuard

1 For the QCA9563, @775MHz SoC, they give 17 Mbps for OpenVPN and 68 Mbps for WireGuard. My tests, under different conditions, showed 15-20 Mbps and 75-80 Mbps, respectively.

1 Like

Just a heads up there are two more commercial providers not mentioned above which support wireguard: ivpn.net and wirevpn.net. The latter also supports IPv6.

1 Like

OMG! If they can pack the same CPU as in my WRT3200 into the AR750-sized box without any thermal issues, that would be amazing! I'm sure the price will be well north of $100 (probably closer to $200), but that's some serious power in the road use-capable enclosure.
Nevermind that, no WiFi.

Well, they are both closed source and you have to trust them. Moreover, both mullvad and azireVPN support IPv6.

I don't think they have the crypto extensions enabled on the rpi4. The cheapest way is to buy an h5 based orange pi (zero plus, PC2 etc). There are benchmarks somewhere on the armbian forum

Use that in addition to your regular router

Unfortunately, raspberry pi 4 cannot use AES crypto extension of ARMv8. While odroid n2 and RockPro64 have them. Take a look at these benchmarks.

About the Cortex-A53 processor Cryptography Extension

The Cortex-A53 processor Cryptography Extension supports the ARMv8 Cryptography
Extensions. The Cryptography Extensions add new A64, A32, and T32 instructions to
Advanced SIMD that accelerate Advanced Encryption Standard (AES) encryption and
decryption, and the Secure Hash Algorithm (SHA) functions SHA-1, SHA-224, and SHA-256.
The optional Cryptography Extension is not included in the base product. ARM supplies the
Cryptography Extension only under an additional licence to the Cortex-A53 processor and
Advanced SIMD and Floating-point support licences.


But RPi doesn't have that...

Raspberry pi 4 has broadcom BCM2711 SoC with four ARM cortex A72. Since crypto extensions are optional, the foundantion decided to do not add them. Maybe raspberry pi 5 :frowning:

Maybe using firmware they can be enabled?

I'm just curious!

I think so since that they are included into SoC, but firmware blocked. It is better to buy odroid n2 or rockpro64 instead trying to hack the firmware.

If you can, i would recommend openwrt on x86-64 with aes-ni. It might be a little pricier upfront. I have a wrt1900acs v1 with Davidc502 build. It could do around 90Mbps openvpn with a good server. 450Mbps with ipv4 over ipv6 MAP-e no vpn. Now it is behind a x86 box acting as an AP. Using ethernet, I have seen openvpn speed of 400Mbps and 200 over wifi.

1 Like

According to this the nanopi neo2 can do 100Mbit openvpn using aes-128-gcm, other H5 devices should be very similar