While encryption does affect speed, it's not the primary speed blocker. Test it yourself by turning off encryption.
What does affect speed is interfacing with the kernel through the TUN/TAP interface as far as I can tell. IPsec is magnitudes faster, and I reckon Wireguard is as well although I haven't tested it.
root@syno1:/# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 7155616 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 64 size blocks: 2144111 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 576481 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 145743 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 18331 aes-256-cbc's in 3.00s
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 38419.41k 45741.03k 49193.05k 49746.94k 50055.85k
humbly suggest "speedtester" script/url et.al. benchmarks devices and optionally submits ( via json? ) and plots dynamically serverside ....
new device hits marked and shazam.... pudding proof!.... too many variables to advise on chipset alone..... crappy heatsink etc. etc.
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 270951 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 261191 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 228262 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 153599 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 33611 aes-256-cbc's in 3.00s
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 1445.07k 5572.07k 19478.36k 52428.46k 91780.44k
i got recently a internet upgrade to 100/40mbit from my isp and because of that, i thought it was time to upgrade my old tp-link wdr3600 (ar71xx) to a zyxel nbg6617 (ipq40xx), because of the better sqm performance (atleast thats what i expected).
now the graph shows both are on the same level when it comes to sqm performance? is this realy true or do i maybe understand somerthing wrong.
I'm thinking of taking this to the next level by adding performance indicator numbers to the dataentries, in order to be able to filter the devices easily according the user's criterias.
If your were to chose 3..5 performance indicators which should help the user search for a device suitable for his needs, which indicators would that be?
The TL-WDR3600 can still cope with 100/40 MBit/s, but not much more (I'd say 120-150 MBit/s at most; it does regularly hit 0% idle intermittently under load - without SQM), the ipq40xx SOCs have more headroom (especially as it has multiple cores, with one serving the IRQs of ethernet, another taking care of WLAN, the third doing PPPoE, the fourth SQM, etc.).
My espressobin will do about 400Mbps routing and SQM, I can't see turning on OpenVPN and off SQM and suddenly it's twice as fast. Encryption and moving packets to and from userspace are easily going to be more demanding than SQM.
My j1900 will route and SQM about 900Mbps, but that site above suggests 80-100Mbps OpenVPN
Feel free to create similar graphics in the inbox for other performance indicators, which allow the user to get a first rough direction on which target to select for his requirements