WR3000S and openvpn

Installing and Using OpenWrt
1

speedtesting WS3000S openvpn maxes at 70 Mbps with wifi off.

-> Any settings or tweaks to help improve the speed?

It does get pretty warm under normal browsing use.

-> Any settings or tweaks to help decrease temperature?

Since I'll never use wifi, useful to take out antenna's?

2

70MB/s equals 560Mbps subscription. Just cash out towards the provider?
Please post the link to your result via https://www.waveform.com/tools/bufferbloat

3

No such router supported here...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
4

err, no, 70 Mbps. ISP is 150 Mbps connection.

https://www.waveform.com/tools/bufferbloat?test-id=4be49da2-9829-4e44-8be2-e682b6a4cadc

Interesting. speedtest.net gets 70 Mbps, waveform gets 107 Mbps.

5

Router CPU performance allows much more than this. So it'll be able to easily reach ISP max bandwidth of 150 Mbps. Issue is clearly related to ISP performance.

Unless you specically needs OpenVPN, have a try to Wireguard which has better global performance.

6

Specifically openvpn.

1 Like
7 
ubus call system board
{
	"kernel": "6.6.110",
	"hostname": "EDIT",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "EDIT",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.4 EDIT",
		"builddate": "EDIT"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr 'EDIT'
	option netmask '255.255.255.0'
	list dns 'EDIT'
	option delegate '0'
	option classlessroute '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns 'EDIT'
	option delegate '0'
	option classlessroute '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'EDIT'
	option proto 'none'
	option device 'tun0'
	list dns 'EDIT'
	option delegate '0'
	option classlessroute '0'

config device
	option name 'tun0'
	option ipv6 '0'
	
cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '1'
	
cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option strictorder '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option 'EDIT'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'
	
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	option family 'ipv4'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'EDIT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'EDIT'
	option family 'ipv4'

config forwarding
	option dest 'EDIT'
	option src 'lan'
8

Run htop via ssh while using OpenVPN, check CPU load.

9 
htop
-ash: htop: not found
10

opkg update; okpg install htop

11

Please post this info in full and refrain from posting AI enhanced files here. Nothing private whether you use own build or downloaded all from openwrt.

which openvpn is installed

opkg list-installed | grep -e openvpn -e dco
12 
opkg list-installed | grep -e openvpn -e dco
luci-app-openvpn - 25.313.53093~ae2aec8
openvpn-openssl - 2.6.14-r2

No AI involved in my posts. You said to edit, so I did :zany_face:

ubus call system board
{
	"kernel": "6.6.110",
	"hostname": "EDIT",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "r28959-29397011cc",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.4 r28959-29397011cc",
		"builddate": "1760891865"
	}
}
1 Like
13

while running bufferfloat test

Screenshot 2025-11-15 at 1.11.01 PM

rebooted router, and while doing a download averaging 7.5 MB/s

Screenshot 2025-11-15 at 1.23.29 PM

14

Are you sure you're not throttled by the other end ?

1 Like
15

Install openvpn accelerator kmod

kmod-ovpn-dco-v2

it will use builtin security accelerator and do the network processing in kernel not between kernel and userspace. cpu usage should become insignificant.

16

You never know. 150 Mbps connection. Put WR1300 stock cudy firmware, no openvpn, on wifi to test without openvpn WR3000S. So it does do 150 Mbps.

https://www.waveform.com/tools/bufferbloat?test-id=bd03db04-7bf9-4a56-9d0d-3acbf33da23e

The result of WR3000S wired and openvpn in htop on a download averaging 8MB/s

Screenshot 2025-11-15 at 4.12.29 PM

and also https://www.waveform.com/tools/bufferbloat?test-id=5d8134e2-dc30-4f2b-be32-bf0989f5c878

Seems installing kmod-ovpn-dco-v2 didn’t change the performance of WR3000S?

17

So the distinction is OpenVPN?
You have to re-connect openvpn connection like via reboot to actually use DCO, and look at the logs if it works.

18

I think I found it? A search online for DCO and TCP gives several results claiming currently DCO does not work with TCP due to missing functionality for the TCP protocol in the DCO openvpn driver? DCO under UDP should work just fine?

19

This is a lot more nuanced. The OpenVPN server needs to support DCO, and you need to specify DCO in your config file. It's not as easy as just adding a package.

1 Like
20

Try removing the kmod-crypto-hw-safexcel package. This is a cryptographic accelerator, but in practice it's usually slower than just using the CPU.