ExpressVPN with Voxel's firmware performance issue

benoflondon

Hello,

I installed Voxel's latest firmware (V 1.0.2.54SF) on my Netgear R7800 router. I chose this one over DD-WRT because I read on this forum that it would keep the best performance on the router.

Then I subscribed to ExpressVPN and followed this guide on myopenrouter.com to install the OpenVPN client, except I didn't install Entware.

But I get terrible performance. Here are the speedtest results I get (I reproduced the experiment several times):

- VPN turned off:
    speedtest on router's webGUI: ~220Mb download / ~12Mb upload
    speedtest on web browser: ~220Mb download / ~12Mb upload
  (so all good here, same perf on webGUI and browser)

- VPN turned on at laptop level: speedtest on web browser gives ~150Mb/10Mb -> very good perf for a VPN

- VPN turned on at router level (and of course off on the laptop):
    speedtest on router's webGUI doesn't work (is it to be expected?)
    speedtest on web browser: ~40Mb/8Mb

and the download speed even fell to 20Mb after I changed the script /etc/openvpn/ovpnclient-up.sh as indicated in the tutorial to have 2 IPs bypassing the VPN.

 

Any idea?

Thanks

benoflondon

Edit:

forget about last remark, download speed back to 40Mb/8Mb

owencool

That’s strange, running my vpn in my router is faster than using my laptop.

what other script did u use? Try post ur config here.

benoflondon

I didn't use any other script, just the 2 that were in the tutorial.

/etc/openvpn/ovpnclient-up.sh for bypassing the tunnel
#!/bin/sh
/sbin/ledcontrol -n wan -c green -s on

# Don't forget to reserve the list of IPs for exclusion devices on the DHCP server
# Edit the following IP list to bypass the VPN. Separate individual IPs using a single space between them.
NO_VPN_LST="10.0.0.4 10.0.0.5 10.0.0.13 10.0.0.15"
WAN_GWAY=`nvram get wan_gateway`
for excludeip in $NO_VPN_LST; do
   /usr/sbin/ip rule add from $excludeip table 200
done
/usr/sbin/ip route add table 200 default via $WAN_GWAY dev brwan
/usr/sbin/ip route flush cache
exit 0
 

and the monitoring script /usr/bin/vpncmon.sh which is of no importance here since the crontab has indeed a problem and always removes the line I add

 

I didn't do anything else, no port forwarding, no modification to the firewall...

owencool

Since u use the script given by XunilinuX, that means our situations are different. Here u use DHCP to connect to ur modem, meanwhile I use bridge to connect to my modem through pppoe.

I will tell u step by step how I set up my Voxel until the vpn part:

- after installing voxel, immediately setup entware and make swap file for my router

- make file /etc/dnscrypt-proxy.conf (“adguard” doesn't work, I use “cisco” (opendns) instead)

- installing openvpn-openssl package and cron package (a number of users said there’s a problem with the built-in crontab)

extra : since u have problem setting up crontab, i will mention how do I setup mine:

Use this command “crontab -e”

Press “i” in the keyboard to edit and enter ur crontab entry

Press “esc” to get out from edit mode and type “:wq” to save and exit

after this u should have this kind of output “Installing new crontab”

reboot

- put my .ovpn and auth file in the /etc/openvpn/config/client

- Setting my bypass openvpn script using kamoj script (for bridge through pppoe only)

- reboot

- done

https://www.myopenrouter.com/forum/openvpn-client-setup-guide-using-voxels-firmware-nighthawk-x4s-r7800

benoflondon

Thanks Owen,

I replaced the bypass script with kamoj one, it didn't change anything on performance

I installed entware (on ext3 filesystem as ext4 didn't work...), crontab is now working but download speed didn't improve (it even deteriorated when I installed openvpn-openssl package so I removed it), only good surprise was to see that speedtest on webGUI is working again

 

owencool

Maybe we should look at other things too, like your vpn config (.ovpn file). Try to tweak your ovpn to optimize the vpn performance.

A variable that very commonly affects the speed is the cipher.

Try to reduce the cipher's keysize to increase speed.

benoflondon

Hi,

I tried to tweak my settings for a while but nothing changes...

I am now experimenting with DD-WRT, with only a slight improvement.

Here is my config:

dev tun
fast-io
persist-key
persist-tun
nobind
remote uk-berkshire-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass expressvpn.auth

 

benoflondon

I'm back on Voxel's firmware, I find it easier to manage than DD-WRT.

I chose to reconfigure everything from scratch (no backup file) just to make sure the problem wasn't coming from something I did.

But I'm just stuck with the poor download speed.

Should I try Voxel's DumaOS?

Voxel

Should I try Voxel's DumaOS?

 

There is no "Voxel's DumaOS" version. There is DumaOS version for XR500 made by NG and there is an illegal port of XR500 version to R7800 made by XVortex. I am Voxel. Not XVortex.

Your VPN config: try to remove these lines:

mssfix 1450

sndbuf 524288

rcvbuf 524288

 

They are set (different) in client startup script.

Voxel.

 
 

benoflondon

I am Voxel. Not XVortex.

Sorry about that, I got confused :)

I'll try your suggestions tonight and I'll let you know. Just for my curiosity, where can I find the startup script?

Voxel

Script is /etc/init.d/openvpn-client. 
 

OPT_ARGS="--fast-io --nice -20 --auth-nocache --sndbuf 786432 --rcvbuf 786432 --tun-mtu 1500 --mssfix 1460 --txqueuelen 1000"

 

And BTW you should check /var/log/openvpn-client.log when playing with this.

 

Start/stop openvpn client manually from telnet/ssh (for debugging):

/etc/init.d/openvpn-client start
/etc/init.d/openvpn-client stop

Voxel.

benoflondon

So I removed the 3 suggested lines but there is no impact on the download speed (still around 40Mb)

here is my start up sequence:

Wed Aug 22 17:58:43 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Wed Aug 22 17:58:43 2018 OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Aug 22 17:58:43 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Wed Aug 22 17:58:43 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Aug 22 17:58:43 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Aug 22 17:58:43 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:43 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:43 2018 nice -20 succeeded
Wed Aug 22 17:58:43 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]85.203.22.83:1195
Wed Aug 22 17:58:43 2018 Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Wed Aug 22 17:58:43 2018 UDP link local: (not bound)
Wed Aug 22 17:58:43 2018 UDP link remote: [AF_INET]85.203.22.83:1195
Wed Aug 22 17:58:43 2018 TLS: Initial packet from [AF_INET]85.203.22.83:1195, sid=1463f1db 551e914f
Wed Aug 22 17:58:43 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Wed Aug 22 17:58:43 2018 VERIFY OK: nsCertType=SERVER
Wed Aug 22 17:58:43 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2782-0a, emailAddress=support@expressvpn.com
Wed Aug 22 17:58:43 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2782-0a, emailAddress=support@expressvpn.com
Wed Aug 22 17:58:43 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 22 17:58:43 2018 [Server-2782-0a] Peer Connection Initiated with [AF_INET]85.203.22.83:1195
Wed Aug 22 17:58:44 2018 SENT CONTROL [Server-2782-0a]: 'PUSH_REQUEST' (status=1)
Wed Aug 22 17:58:45 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.117.0.1,route 10.117.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.117.6.38 10.117.6.37'
Wed Aug 22 17:58:45 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 22 17:58:45 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 22 17:58:45 2018 OPTIONS IMPORT: route options modified
Wed Aug 22 17:58:45 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug 22 17:58:45 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 22 17:58:45 2018 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:45 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 22 17:58:45 2018 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:45 2018 TUN/TAP device tun0 opened
Wed Aug 22 17:58:45 2018 TUN/TAP TX queue length set to 1000
Wed Aug 22 17:58:45 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug 22 17:58:45 2018 /sbin/ifconfig tun0 10.117.6.38 pointopoint 10.117.6.37 mtu 1500
Wed Aug 22 17:58:45 2018 /etc/openvpn/ovpnclient-up.sh tun0 1500 1606 10.117.6.38 10.117.6.37 init
Wed Aug 22 17:58:48 2018 /sbin/route add -net 85.203.22.83 netmask 255.255.255.255 gw 82.11.147.1
Wed Aug 22 17:58:48 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.117.6.37
Wed Aug 22 17:58:48 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.117.6.37
Wed Aug 22 17:58:48 2018 /sbin/route add -net 10.117.0.1 netmask 255.255.255.255 gw 10.117.6.37
Wed Aug 22 17:58:48 2018 Initialization Sequence Completed

 

And here is the stop sequence:

Wed Aug 22 18:07:27 2018 event_wait : Interrupted system call (code=4)
Wed Aug 22 18:07:27 2018 /sbin/route del -net 10.117.0.1 netmask 255.255.255.255
Wed Aug 22 18:07:27 2018 /sbin/route del -net 85.203.22.83 netmask 255.255.255.255
Wed Aug 22 18:07:27 2018 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Wed Aug 22 18:07:27 2018 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Wed Aug 22 18:07:27 2018 Closing TUN/TAP interface
Wed Aug 22 18:07:27 2018 /sbin/ifconfig tun0 0.0.0.0
Wed Aug 22 18:07:27 GMT 2018 Voxel: Error: openvpn-client stop: process was not killed properly 2, try a new kill!
Wed Aug 22 18:07:27 2018 /etc/openvpn/ovpnclient-down.sh tun0 1500 1606 10.117.6.38 10.117.6.37 init
Wed Aug 22 18:07:27 2018 SIGTERM[hard,] received, process exiting
Wed Aug 22 18:07:27 GMT 2018 Voxel: OpenVPNclient stop run: ip route del:
default via 82.11.147.1 dev brwan
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
82.11.147.0/24 dev brwan  proto kernel  scope link  src 82.11.147.171
239.0.0.0/8 dev br0  scope link
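
Added example, not part of any post in this thread and not code from Voxel's firmware: since the advice above is to check /var/log/openvpn-client.log while changing cipher or keysize settings, this POSIX sh/awk helper summarizes what an OpenVPN 2.4 log like the one above says was actually negotiated (deprecated options, control-channel TLS version, data-channel cipher and HMAC per direction, and whether the tunnel came up). The function names summarize_ovpn_log and sample_log are hypothetical, and the embedded sample lines are excerpted from the startup log in the post above.

```shell
#!/bin/sh
# Added example, not from the thread. summarize_ovpn_log and sample_log are
# hypothetical helper names; the sample lines are excerpted from the log above.

summarize_ovpn_log() {   # usage: summarize_ovpn_log /var/log/openvpn-client.log
    awk '
    function quoted(s,  q) { split(s, q, "\047"); return q[2] }  # text between single quotes
    function side(s) { return (s ~ /Outgoing/) ? "out" : "in" }
    /WARNING: .*DEPRECATED/ && match($0, /--[a-z0-9-]+/) {
        dep = dep (dep ? "," : "") substr($0, RSTART, RLENGTH)   # option name only
    }
    /Data Channel: Cipher/ && match($0, /[0-9]+ bit key/) {
        cipher[side($0)] = quoted($0) "/" substr($0, RSTART, RLENGTH - 8)
    }
    /Data Channel: Using .* message hash/ { hmac[side($0)] = quoted($0) }
    /Control Channel: TLS/ && match($0, /TLSv[0-9.]+/) { tls = substr($0, RSTART, RLENGTH) }
    /Initialization Sequence Completed/ { up = 1 }
    END {
        print "deprecated=" (dep ? dep : "none")
        print "control_tls=" (tls ? tls : "unknown")
        print "data_out=" cipher["out"] " hmac=" hmac["out"]
        print "data_in=" cipher["in"] " hmac=" hmac["in"]
        print "symmetric=" ((cipher["out"] == cipher["in"] && hmac["out"] == hmac["in"]) ? "yes" : "no")
        print "tunnel_up=" (up ? "yes" : "no")
        exit (up ? 0 : 1)   # non-zero when the log never reached a working tunnel
    }' "$@"
}

sample_log() {
    cat <<'EOF'
Wed Aug 22 17:58:43 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Wed Aug 22 17:58:43 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Aug 22 17:58:43 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:43 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 22 17:58:45 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 22 17:58:45 2018 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:45 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 22 17:58:45 2018 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug 22 17:58:48 2018 Initialization Sequence Completed
EOF
}

sample_log | summarize_ovpn_log
```

On the router, run summarize_ovpn_log /var/log/openvpn-client.log after each config change; the exit status is non-zero when the log never reaches "Initialization Sequence Completed".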

 

 

Voxel

Well, log is OK.

But how do you test the speed? From your client or from router's GUI? Also make sure that QoS is off.

Check also the speed from telnet console by command:
 

/bin/ookla --configurl=http://www.speedtest.net/api/embed/trial/config.php

Voxel.

Voxel

And BTW AFAIK ExpressVPN for UK has different nodes:
 

UK - Berkshire
UK - Berkshire - 2
UK - Docklands
UK - East London
UK - Kent
UK - London

Did you try all of them? The same speed?

Voxel.

benoflondon

It's about the same on all of them. I usually tested on my ookla website from my laptop, so that I could also compare with the performance running expressvpn on my laptop i/o the router.

QoS is off

right now on my laptop's browser:

No VPN       UL 12 / DL 220

express vpn app on laptop      UL 10 / DL 84

expressvpn on router               UL 10 / DL 40

command line test on router is same speed: vpn off -> UL 12 / DL 220   //   vpn on -> UL 10 / DL 43

 

Voxel

Sorry. I have no ideas. I have 60/60Mbps and with OpenVPN client I have 54/48. Your results are strange. I'd suggest to try other nodes anyway.

 

Voxel.

davidm71

Ben,

On Voxel's firmware you didn't have to install Entware to turn on VPN Client?? I just signed up with NordVpn and using the app on my PC along with iphone/ipad. What confuses me though: on Voxel's VPN Client page there are instructions that state you have to install an OpenVpn App on your devices. I thought you didn't need to use an app for that as the Router is doing all the work instead?

Also I have an X4S R7800 as well and will be happy to compare notes regarding download speeds before and after. Wonder if you were testing directly off of your wifi or direct ethernet connection with one or more devices?

 

Thanks

benoflondon

Hello David,

no you don't need to install Entware on your router. OpenVPN client is already installed, all you need to do is copy your .ovpn and password files into /etc/openvpn/config/client/ and start the service (/etc/init.d/openvpn-client start). Use Entware only if you want to install additional packages (such as cron or vim).

To use your VPN service you can either install their app on your device, in which case only that device is protected, or (exclusive or) you can configure the client on your router so that all devices connected to that router are protected.

In my case I was testing on my laptop connected via wifi. I have huge differences whether I use expressvpn app on my laptop (download speed around 100Mb) or run vpn client on the router (40Mb DL). What surprises me is that some other users are reporting download speeds close to 100Mb when running the client on their R7800. I guess that's because of the high level of encryption used by expressvpn, the router might have some difficulties to keep up the speed.

Voxel

In my case I was testing on my laptop connected via wifi.
 

Please check with cable connection router<->laptop. There are some changes with Wi-Fi affinity when OpenVPN client is started on the router.

Voxel.

davidm71

Hello Ben,

 

The Voxel vpn client guide says crontab is essential. You're saying I don't need it?

So far I have enabled SSH access and ready to take it to the next level.

 

Thanks

davidm71

Also where do you get password files from?

davidm71

Ben,

kamoj

To reach 112+ Mbps with Voxel OpenVPN Client I do some extra affinity and hw settings.
It might affect e.g. USB disk speed though, so I have not released this code.
Due to Netgear R7800 bug at startup, you should make a manual stop and then start of the client.

davidm71

Kamoj,

 

Please share these settings. Someone else on Smallnetbuilder: 

https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-59sf.48579/#post-428036

 

is getting 50mb/s which in my opinion is ridiculously slow.

 

Thanks