mostly openvpn download performance between 10 and 20 Mbps but sometimes 50 Mbps ... why?!!!

2 posts / 0 new
Last post
SimonHF
SimonHF's picture
mostly openvpn download performance between 10 and 20 Mbps but sometimes 50 Mbps ... why?!!!

Hello!

I recently bought a new Netgear R8500 and flashed DD-WRT [1] onto it using the instructions here [2]. I set it up to be an always on VPN to my service provider here [3] who I've been successfully using for years with my old Netgear R7000 and DD-WRT. The reason for upgrading is to get better WiFi reception for complaining teenagers and young adults in the house hold :-)

After setting it all up then everything worked as expected and WiFi reception was great over 3 levels in my 4,200 sq ft house. Except for the VPN throughput when with the download test [4]. Typically it seems to vary from 10 to 20 Mbps which is on the slow side. My ISP is Telus and I have 50 Mbps down and 10 Mbps up.

I also added in an iptables 'kill switch' which ensures that there is no internet connectivity in the case that the VPN fails for some reason. It was in testing the perfermance with and without the iptables rules (rebooting the device) that I noticed extended period when the speed reported by speedtest [4] was 40 to 50 Mbps consistently for half a dozen test runs in a row!

I found this confusing because after reading up on what limits the throughput then the consensus seems to be that the CPUs can only handle a certain load of encryption. So if the CPU on the R8500 can only handle 20 Mbps ... how come I sometimes get 50 Mbps? Doesn't make sense, or?

So I tried to run top at the same time as the test and Murphy's Law kicked in and it went back to 10 Mbps again consistently... But top showed me that during the 10 Mbps then the max CPU usage is 11%. This suggests to me that CPU power for encryption is not the bottleneck with the VPN.

Has anybody else been in this situation? And can anybody else help me to debug why performance is mostly 10 to 20 Mbps but sometimes 50 Mbps?

I asked the provider TorGuard about this and they ran a test on the box I connect to and it said 816 Mbps, i.e. the box has very good connectivity to the internet... so does that mean it's a protocol issue, or a DD WRT issue, or an openvpn config issue, or a TorGuard server issue, or a combination?

Looking forward to suggestions.

Thanks,
Simon

[1] https://www.myopenrouter.com/download/dd-wrt-kong-mod-netgear-r8500-2018...
[2] https://www.myopenrouter.com/article/how-flash-your-netgear-router-dd-wr...
[3] https://torguard.net/
[4] http://www.speedtest.net/

SimonHF
SimonHF's picture
Okay, I finally figured it
Okay, I finally figured it out I'm now enjoying constant 40 Mbps download rates via openvpn and TorGuard with my Telus 50 Mbps ISP connection via the Netgear R8500 with DD WRT.
 
At 40 Mbps download then the top command via ssh says the CPU has about 30% idle... suggesting the router is edging towards the max. So the 72% CPU used is a combination of 30% usr, 22% sys, and 16% sirq.
 
So which openvpn change made it go faster? Counter intuitively I change the protocol to TCP and port to 443. Most people say use UDP because it's faster. I believe when TorGuard kindly set up my router they configured it for UDP and port 443. And that was later changed to UDP and port 80 which was faster but still too slow.
 
So what's up here? Obviously my provider, Telus, is throttling certain ports and protocols. However, one port and protocol combination which is difficult to throttle is TCP via port 443. Why? Because it would slow down regular HTTPS websites. Plus they cannot inspect the traffic because it's encrypted. And it's too much work to decide based upon the destination IP.
 
So there you have it: TCP via 443 is definitely causing the router to use more CPU but it avoids the throttling from Telus. It's like taking 1 step back and 3 steps forward.
 
Why do people always say the CPU isn't powerful enough for openvpn on a router? I think this is because it has been taken out of context. Sure if the router does 1000 Mbps without openvpn and only 200 Mbps with openvpn then the CPU is critical. But if the router is doing 10 or 20 Mbps with only 12% CPU usage then obviously something else is causing the problem... like throttling?
 
I hope this message helps somebody else!