VPNs on E8450 giving very slow downloads but fast uploads

Basically the title, I feel like I've tried everything at this point, and I'm wondering if anyone has any other ideas.

Here is my setup:

Router: Linksys E8450 (UBI, ARMv8 r4, mt7622)
OpenWrt: 22.03.5 r20134-5f15225c1e
VPN: ProtonVPN Plus (tried with normal and secure core configs, with OpenVPN and WireGuard)
ISP: Virgin Media (UK)

My speeds without VPN are about 300mbps down and 25mbps up. With VPN on my router, I'm getting about 5mbps down and 20mbps up.

When connected to Wi-Fi, without VPN running on my router, I have tried using the VPN configs (as opposed to the ProtonVPN apps) on my phone and laptop. The speeds I was getting were about 250mbps down and 20mbps up.

I have used this guide to set up WireGuard on my router: https://www.ivpn.net/setup/router/openwrt-wireguard, and this guide to set up OpenVPN: https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

Things I've tried:

  • Installing irqbalance (everything below I have tried before and after installing it)
  • Installing and configuring SQM on WAN and WireGuard interfaces by themselves and both at once, setting speeds to 200mbps, 100mbps, and 50mbps down
  • Enabling packet steering
  • Setting MTU on WireGuard, WAN, and LAN interfaces by themselves and all at once to 1000, 1300, 1400, 1412, 1500.
  • Enabling software & hardware offloading

When running fast.com or speedtest.net, the idle doesn't drop below 80% according to top and vmstat.

The weirdest thing is that I have had speeds of about 250mbps down once or twice, but they only lasted for a few seconds or only for 1 speedtest. Afterwards, they went back down to ~5mbps with upload not changing without me changing any settings.

Has anyone got any suggestions on what I can do to get speeds similar to what I was getting on my phone and laptop? Like I said, I feel like I've tried everything at this point, so I'm willing to try anything I haven't.

Thanks in advance!

Here is my configuration in case that helps:

network

config interface 'ch_uk'
	option proto 'wireguard'
	option private_key 'x'
	list addresses '10.2.0.2/32'
	option mtu '1412'
	list dns '10.2.0.1'
	option delegate '0'

config wireguard_ch_uk
	option description 'proton'
	option public_key '7tEhXa2x1eKGbPevwzPjo5u5HLshPxwkofSII9y0v2c='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '185.159.157.229'
	option endpoint_port '51820'
	option persistent_keepalive '25'

firewall

config defaults
	option output 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'
	option input 'DROP'
	option forward 'DROP'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'ch_uk'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'ch_uk'
	option masq '1'
	option mtu_fix '1'

If you want the fastest speed then do not bother with OpenVPN, WireGuard is much faster.

I do not have your router, and the MT7622 is not the most powerful SoC, but I would expect it to do well over 100 Mb/s running WireGuard.
On the WireGuard setup there is not much you can do speed-wise.
The max MTU is usually 1420 (1412 for PPPoE) and should be the fastest. If you have IPv4 only then the max MTU is 1440/1432.
Lowering MTU is sometimes necessary to get a better connection but you have already done that.

My Netgear R7800 (dual-core A15, 1725 MHz) does well over 200 Mb/s (measured wired with iperf3 and the router doing nothing else), but that has a faster SoC than yours (but no hardware offload as I am not using the NSS build).
Even my old Netgear R7000 (dual-core A9, 1 GHz) running DD-WRT (not supported by OpenWrt) runs well over 100 Mb/s.

I hope someone with your router chimes in to show what is possible speed-wise with it.

Note that your phone and laptop have much more powerful SoCs.

2 Likes
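Added example, not part of the original thread: the MTU figures quoted in the post above (1420/1412 and 1440/1432) follow from WireGuard's per-packet overhead, and the sketch below measures the path MTU outside the tunnel and derives the matching interface MTU. It assumes a Linux client with iputils `ping` (`-M do`) and a host that answers ICMP; the function names are hypothetical.

```python
import subprocess
import sys

WG_HEADER = 32               # type+reserved 4, receiver index 4, counter 8, auth tag 16
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}   # outer header, chosen by how the endpoint is reached
ICMP_OVERHEAD = 20 + 8       # IPv4 header + ICMP echo header around the ping payload


def wg_mtu(path_mtu, endpoint_ip_version=6):
    """Largest tunnel MTU whose encrypted packets still fit in path_mtu."""
    return path_mtu - IP_HEADER[endpoint_ip_version] - UDP_HEADER - WG_HEADER


def ping_probe(host):
    """Build probe(size): True if a size-byte IPv4 packet reaches host unfragmented."""
    def probe(size):
        # Assumes iputils ping: -M do sets the Don't Fragment bit.
        cmd = ["ping", "-4", "-M", "do", "-c", "1", "-W", "1",
               "-s", str(size - ICMP_OVERHEAD), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest packet size in [low, high] that probe accepts."""
    if not probe(low):
        return None          # host unreachable or ICMP filtered: no measurement
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def report(path_mtu):
    """MTU candidates for the WireGuard interface, plus IPv4 TCP MSS inside it."""
    v4, v6 = wg_mtu(path_mtu, 4), wg_mtu(path_mtu, 6)
    return {"path_mtu": path_mtu, "wg_mtu_ipv4_endpoint": v4,
            "wg_mtu_ipv6_endpoint": v6, "tcp_mss_ipv4_endpoint": v4 - 40}


if __name__ == "__main__":
    # Usage: python3 wg_mtu.py <host reachable outside the tunnel>
    mtu = find_path_mtu(ping_probe(sys.argv[1]))
    print(report(mtu) if mtu else "no ICMP reply; cannot measure path MTU")
```

Run it with the VPN disconnected so the probe measures the underlying WAN path rather than the tunnel itself.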

firewall>software + hardware offload enabled.

I got an E8450 and it will do 500Mbps with a commercial VPN on WireGuard.

I don't use SQM, QoS or cake on my 1000/50 connection but you probably will want to with a 20Mbps upload (that's the bottleneck that needs enhanced traffic management - depending on the number of users). But QoS or cake may not be compatible with software + hardware offloading. Test it and find out?

Thanks for chipping in.

Without SQM, I have tried with and without software offloading.

I don't get the option for hardware offloading. My device is actually a Belkin, but on the wiki it said to use the E8450 firmware since they're basically the same thing. Could that be the reason I'm not getting that option?

Edit: I'm just silly, didn't realise you need to enable software offloading to see hardware offloading. Anyway, I'm getting the same speeds with software and hardware offloading enabled.

I have added my configs to the OP in case that helps.

Sysupgrade to RC1 or 2. Also could just be the VPN. Try a different wg server. Factory reset helps if you have made lots of changes - start from a clean slate.

Thanks, I have done a sysupgrade to rc2 and wiped all the settings. I'm getting the same behaviour.

I was able to somewhat capture what I'm experiencing in a single speed test:

As you can see, I have the (very occasional) spikes to the kind of speeds I would expect from running a VPN on my network. Most of the time, however, download seems to be limited to ~10mbps.

The spike in the screenshot was up to 80mbps, with the long flats being around 10mbps.

1 Like

Probably the router you have doesn't have more processing capability. The task is quite heavy: doing VPN at 300Mbps WAN plus SQM. If you don't have bufferbloat, I think you don't need to run SQM.

You can try upgrading your router to an x86-based system; an Intel or (mini) PC processor is probably fine.

But before you buy more hardware, you can try installing OpenWrt x86 64-bit on a USB flash drive and running it on your laptop (or any other unused laptop if you have one). Configure the LAN port on the laptop as the WAN interface (connect it to your LAN modem), and you can also use your laptop's Wi-Fi as an AP. To connect to another router, you can use a USB 3.0 to Gigabit LAN converter as the downstream link to your local network (to your main Wi-Fi router).

Once you have set it up, configure your VPN and SQM, then run the speed test again. After the test is done, you have your options.

Another option is to just leave the main router as it is; you may need to set up the VPN on every client.

Old discussion here

1 Like