[SOLVED] ASUS Router vs VPN something???

svalbaard

Honorable
Aug 30, 2013
89
3
10,665
Hi, I currently have an ASUS AC88 router fronting my SOHO network. It has been a great router so far and I have very few complaints about it. As I use this for work as well as home use, I have the VPN client functionality configured and enabled most of the time, and this is configured to talk to my VPN provider. It's not hugely great at processing this additional workload, but then again it's not overly awful considering it's just a home router. The advantage also is that all IP connected devices on my network benefit from having their traffic encrypted, and this aids personal privacy.

Thing is, I'm still pretty sure I can do better as I still feel I'm losing a bit too much internet speed overall due to the VPN encryption / decryption overhead. With the VPN client disabled I reliably get more or less the 100mbps I pay for; with the VPN client enabled it varies between 5 - 40mbps depending on local network contention or throttling (I guess).

I was therefore just asking if anyone could identify or recommend a separate network appliance or device that could take the whole VPN client encryption / decryption workload away from the router, with my thinking being that a dedicated device (or something??) would execute the VPN workload better than an all-in-one such as the AC88. Or, perhaps possibly a professional grade all-in-one router that has VPN client functionality. My guess is that any separate device would need to sit in front of the router.

Just to clarify, I'm not looking for a VPN server device, nor do I want to install VPN client configuration on each individual device on my network.

Many thanks in advance.
 
Solution
That is not uncommon; OpenVPN uses massive amounts of CPU to do VPN. You can get some increase in speed if you switch to IPsec instead, but it is much harder to set up, some VPN providers do not support it, and it is hard to get through a second NAT router.

At first I was going to say just load the Merlin firmware on it and go. But luckily I did a quick search and found out ASUS sells 2 boxes called "88": the AC88 and the AX88. The AX unit uses a different CPU that supports hardware-assisted OpenVPN.

The key here is the Broadcom CPU with numbers BCM49xxx. If you search this link you will find a list of routers that use this line of CPU.
https://wikidevi.com/wiki/Broadcom

I have only used the ASUS ones, and at first you needed to load Merlin firmware on them. I think ASUS has put the hardware VPN assist in the factory firmware images at this time, but I don't know; I always load Merlin.

This should allow you to run your VPN at full 100mbps speeds. It still caps out at around 250mbps, people say. My VPN provider bottlenecks me before I get anywhere close to that.
 

svalbaard

Can you point out somewhere where it mentions the OpenVPN hardware assistance? I can't find anything anywhere about that for the AX88. Thanks.
 
You would think ASUS would make a big deal about this, but it is hard to find. The feature is called aes-ni. It is a special encryption instruction set in the processor. This is actually fairly new; the routers using this chipset only started coming on the market about a year ago.

Although there are lists of routers that use this chipset, they add to it fairly often, which is why I linked the wikidevi page. You can just click through and get every router that uses each chipset.

The ones I know from ASUS that people commonly use are the 68u-extreme, the 86u-2900, gt-ac5300.

The AX88 is kinda different. Not sure why, it does support this, but not many people use it.
 
If you spend $300-600 you can build a pfSense router. It's not too bad to configure site-to-site or user auth + user cert, which gives you user management. It even has an export tool for Windows clients. This is a great feature. OpenVPN AES GCM 256b with AES NI should hit 100Mbs with a high clock Xeon E3 or i5. Backed up with AES CBC 256b SHA512 it probably won't hit 100Mbs, but any clients with no AES-NI will need this.

128b can hit 100Mbs with GCM on lower end stuff. Like a J4105.
 
Just to expand on this a bit, the normal certificate and public/private key encryption OpenVPN does is way too slow for anything resembling normal network traffic. So what it does instead is use that to securely exchange a randomly generated AES key with the VPN server. Network traffic is then encrypted using the AES key. Which is why hardware acceleration for AES helps.

Make sure OpenVPN is configured to actually use AES. Older installations defaulted to blowfish, which has been compromised and is no longer used.
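The check described above, as an added example that is not part of the original post: a small auditor that reads an OpenVPN client config and reports whether the data-channel cipher is unset (left to the installed version's default, which older releases set to BF-CBC), a legacy cipher such as Blowfish, or AES. The sample configs and the host `vpn.example.net` are constructed placeholders.

```python
import re

# Directives that choose the data-channel cipher in an OpenVPN config file.
CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback")
# Legacy 64-bit-block ciphers, Blowfish (BF-CBC) included.
LEGACY = re.compile(r"(BF|DES|DESX|CAST5|RC2|IDEA)\b", re.IGNORECASE)

# Constructed sample configs (vpn.example.net is a placeholder host).
NO_CIPHER = "client\ndev tun\nremote vpn.example.net 1194\n;cipher AES-256-GCM\n"
BLOWFISH = "client\ndev tun\ncipher BF-CBC  # copied from an old profile\n"
MODERN = ("client\ndev tun\ndata-ciphers AES-256-GCM:AES-128-GCM\n"
          "data-ciphers-fallback AES-256-CBC\n")


def configured_ciphers(config_text):
    """Return every cipher named by a cipher directive, in file order."""
    names = []
    for raw in config_text.splitlines():
        # '#' and ';' start a comment; a commented-out directive does not count.
        fields = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] in CIPHER_DIRECTIVES:
            # data-ciphers / ncp-ciphers take a colon-separated list.
            names += [c.upper() for c in fields[1].split(":") if c]
    return names


def audit(config_text):
    """Return (verdict, ciphers); verdict is unset, legacy, aes or other."""
    names = configured_ciphers(config_text)
    if not names:
        verdict = "unset"    # depends on the OpenVPN version's default
    elif any(LEGACY.match(n) for n in names):
        verdict = "legacy"   # at least one weak cipher can be selected
    elif all(n.startswith("AES-") for n in names):
        verdict = "aes"      # the case AES hardware acceleration helps with
    else:
        verdict = "other"    # e.g. CHACHA20-POLY1305: not weak, but not AES
    return verdict, names


if __name__ == "__main__":
    for label, cfg in (("no cipher", NO_CIPHER), ("blowfish", BLOWFISH),
                       ("modern", MODERN)):
        print(label, audit(cfg))
```

An "unset" result is the one to follow up on: check which OpenVPN version the router firmware ships and what the provider's server negotiates.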
 
Sep 4, 2019
1
0
10
Just to put the word out there, I have installed NordVPN on an Asus RT-AC5300 router and my internet speed was approx. 20Mbps. Without the VPN I get 800-900Mbps on a good day. I pay for 1Gbps from my cable company. I bought this router because NordVPN states that it's one of the best. Very disappointed and looking for ways to speed it up.
 
I really wish the router manufacturers would stop being so stupid. The rt-5300 and gt-5300 use different CPUs. You need the newer one to support the hardware VPN assist.

So far the only chipset that appears to have the hardware VPN assist is Broadcom 49xxx. These chips are a full 2 years old, so maybe there are more; this tends to be hard information to find.
 
You won't be able to hit 1Gbs with OpenVPN. If they support WireGuard you could try that. If you used a very high single thread CPU you might be able to get 600+ Mbs using 128b AES GCM on OpenVPN. The i3 9100 has a good PassMark.

This is assuming that Nord will actually match your speed and I doubt they will.
 

svalbaard

So just to update this from my OP. I ended up purchasing the Asus AX88 and selling the older AC88. Flashed to Merlin, I am now regularly getting between 80 - 109MBps via my 100MBps line with the VPN service enabled, so it looks as though the aes-ni really does make a difference.

Thanks.
 
You should make sure to test that your traffic is going to the vpn. If you're using a third party paid vpn I don't believe any support speeds over 110Mbs. Openvpn on a $1000 intel cpu doesn't hit 1Gbs.
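One way to run the test suggested above, as an added example that is not part of the original thread: parse the text of `ip -4 route show` and use longest-prefix matching to see which interface a destination leaves through. It assumes a single main routing table and a tunnel interface whose name starts with `tun`; the interface names, addresses and both routing tables below are constructed.

```python
import ipaddress

# Constructed sample: OpenVPN up with redirect-gateway def1 (two /1 routes via
# the tunnel, plus a host route to the VPN server over the WAN interface).
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun11
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun11
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
203.0.113.10 via 192.168.1.1 dev eth0
"""
# Constructed sample: tunnel interface exists but no default traffic uses it.
VPN_NOT_ROUTED = """\
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
"""


def parse_routes(ip_route_output):
    """Parse `ip -4 route show` text into [(network, device), ...]."""
    routes = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # blank line or a route without an output device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, destination):
    """Return the device of the most specific route covering destination."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def leaks(routes, destinations, tunnel_prefix="tun"):
    """Return the destinations that would NOT leave through the tunnel."""
    return [d for d in destinations
            if not (egress_device(routes, d) or "").startswith(tunnel_prefix)]


if __name__ == "__main__":
    probes = ["192.0.2.1", "198.51.100.7"]  # documentation-range addresses
    print("vpn up:", leaks(parse_routes(VPN_UP), probes))
    print("not routed:", leaks(parse_routes(VPN_NOT_ROUTED), probes))
```

The host route to the VPN server itself is expected to stay on the WAN interface; every other Internet destination should resolve to the tunnel.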