OpenVPN, WireGuard, L2TP/IPSec, SSTP, IKEv2, PPTP, or others. If you had the luxury of choosing, which of these VPN protocols would you use? Therein lies my problem. For my current use case, I need to find a way to improve the performance and throughput of OpenVPN.
Maybe you are following my Linux home lab builds. One of the most important decisions when building a home lab is selecting the proper router/firewall for your network. In my case, after several hours of research, online comparisons, reading reviews and watching YouTube videos, I went with the EdgeRouter 10x (ER-10x). Note: This article contains my affiliate links; however, I only link to hardware and services I've paid for and tested myself.
Well, last week I found out that it doesn't support WireGuard, at least not officially (my next task). It's not a knock on the ER-10x, of course; it's a remarkably capable router with multiple business-class features and, most importantly, rock-solid stability.
That said, my VPN service provider of choice is ovpn.com. They have multiple locations, excellent performance, and offer dedicated IPs with open ports at $3/month. On routers, they support either WireGuard or OpenVPN.
The EdgeRouter 10x is built on Debian Linux, which makes working with it a pleasure because a lot of the functionality feels familiar. Over the past year, I've spent more time in the command line and less time using the GUI.
Setting up OpenVPN is one of those command-line-only features. However, after downloading the .ovpn file and setting it up on the router, I soon hit a crippling OpenVPN limitation: CPU! The ER-10x has 880 MHz CPU cores, which is plenty in most cases. In this case, however, OpenVPN is not very efficient, as its throughput depends largely on the clock speed of a single CPU core.
In my first speed test, the download speed was around 15 Mbps download and 12 Mbps upload. I needed a solid 20 Mbps down for the IoT devices connected to the VLAN using that VPN connection.
I currently have my basic setup at home: dual WAN with backup 4G LTE ISP auto-failover, VLANs for isolated guest WiFi networks, and both wired and wireless IoT devices. For now, I'll run with what I have; it works!
OpenVPN performance improvement
Screenshot from my Manjaro i3 SSH session with the OpenVPN router configured.
Note: I already verified the results with iperf against my Ubuntu server on my high-throughput LAN when I initially set everything up a week ago. Since the hardware/CPU limits on the router are so low, the ISP speed tests were very representative of those iperf tests. If you are using OpenVPN in a hardware-restricted setup, try the following configuration. I'll try to take the time to revisit this article with some redone iperf test results. If you have time, you can share your test results in the comments section below or by email using the "contact" link.
My ISP download speed is just over 100 Mbps, which, in this part of the world, is as good as it gets for less than $200 per month. That said, even before this OpenVPN setup, IoT devices on my home network were limited to a maximum download of 20 Mbps. I am using an EdgeSwitch to limit the bandwidth of wired connections and the UniFi Controller, via UniFi APs, to limit wireless bandwidth. These network restrictions ensure that one or more devices do not hog the bandwidth.
My plan? Improve OpenVPN performance as much as possible and get at least 20 Mbps download speed, as you can see in the before vs. after internet speed tests above. (I have since disabled the bandwidth restrictions on the OpenVPN VLANs.)
After optimizing OpenVPN's performance, the maximum up/down speed is about the same as the previous limit. Let's see how to go from 15 Mbps to 20 Mbps internet download speed on a router with 880 MHz CPU cores.
OpenVPN Server Locations
Whether you are using NordVPN (awesome 24/7 customer support), OVPN (the best dedicated IP VPN in my opinion), or any other VPN service, the first step should be to choose the VPN servers that are closest to you. In my case, that is their servers located in South Miami. Not much to elaborate on here; closer is generally faster. Still, you should test the locations for yourself, as not all servers perform equally. Some are under more load than others. Thankfully, OVPN shows load levels for its VPN server locations.
If CPU is not the bottleneck, feel free to enable compression. On the EdgeRouter, compression eats CPU resources, leading to high CPU usage. You can disable it with:
comp-lzo no ;deprecated - remove or use 'compress' without an algorithm
Or, recommended for OpenVPN version 2.4+:
compress
compress without an algorithm is equivalent to comp-lzo no: it disables compression but keeps the packet framing for compression enabled, so the other side can still send compressed packets.
Use UDP for better OpenVPN performance.
With OpenVPN, in most cases and especially for my use case, UDP is faster than TCP. TCP packets are heavier and add overhead; TCP also numbers packets in a sequence and acknowledges them, whereas UDP does not. UDP uses much smaller headers, making it less resource-intensive. Here is the configuration line:
proto udp
Choosing the right cipher
By default, OpenVPN uses Blowfish (BF-CBC), a 128-bit cipher. When it comes to the level of security, you have to weigh stronger encryption against faster throughput with respect to CPU load, again, especially with this 880 MHz CPU. If there is no CPU bottleneck, I would recommend using AES-256-GCM. In my case, I am using AES-128-CBC because it resulted in faster OpenVPN throughput:
cipher aes-128-cbc
Disable cipher negotiation
You can set ncp-disable (disable "Negotiable Crypto Parameters"). This disables cipher negotiation entirely and uses the cipher option discussed earlier instead:
ncp-disable
As of OpenVPN 2.4, this is now deprecated. Read also: OpenVPN Cipher Talks (Quick Reference).
Optimize TUN/TAP/UDP I/O writes
fast-io avoids calls to poll/epoll/select before the write operation to optimize TUN/TAP/UDP I/O writes:
fast-io
"The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which don't support write blocking on UDP sockets or TUN/TAP devices. In which case, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%. This option can only be used on non-Windows systems, when --proto udp is specified, and when --shaper is not specified." (Source)
Set send/receive buffers
You can set the UDP socket send and receive buffer sizes. On OpenVPN 2.3.9+, they default to the operating system's default (usually 64K).
Add to the client configuration (values in bytes):
sndbuf 512000
rcvbuf 512000
Or, if you have access, set the buffers in the server configuration:
sndbuf 512000
rcvbuf 512000
push "sndbuf 512000"
push "rcvbuf 512000"
Read more about fine-tuning these buffers here. They make a noticeable difference when tuned correctly.
Adjust client MTU to match OpenVPN server
You can use the following command to grep the connection log for MTU mismatch warnings, and use those warnings about size mismatches to adjust tun-mtu if necessary. My router defaults to 1500, which is also OpenVPN's default, so there's no need to mess with it. See the further warnings about adjusting tun-mtu and make sure you read about it first.
sudo grep WARNING /path/to/openvpn.log
This will display a warning like:
WARNING: 'link-mtu' is used inconsistently, local="link-mtu 1500", remote="link-mtu 3000"
Set the TX queue length
txqueuelen sets the TX queue length on the TUN/TAP interface. It defaults to the OS default, which is 1000 in my case:
txqueuelen 2000
Default ovpn.com configuration (before):
client
dev tun
remote-cert-tls server
cipher aes-256-cbc
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
proto udp
mute-replay-warnings
comp-lzo
route-delay 10
My improved OpenVPN performance config file (after):
client
dev tun
remote-cert-tls server
compress
proto udp
cipher aes-128-cbc
ncp-disable
fast-io
sndbuf 512000
rcvbuf 512000
txqueuelen 2000
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
mute-replay-warnings
route-delay 10
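To check whether a client .ovpn already follows the tuning points above, here is a small linter, added as an example and not part of the original post or ovpn.com's files. It parses the config (comments, inline ';' remarks like the comp-lzo line above, and inline <ca>-style blocks), then reports which of the article's settings are missing; the BEFORE and AFTER strings are the two configs quoted above, and the finding wording is my own.

```python
# Added example (not from the original post or ovpn.com): lint an OpenVPN client
# config against this article's tuning points. BEFORE/AFTER are the article's configs.
BEFORE = ("client\ndev tun\nremote-cert-tls server\ncipher aes-256-cbc\npull\n"
          "nobind\nreneg-sec 0\nresolv-retry infinite\nverb 3\npersist-key\n"
          "persist-tun\nremote-random\nproto udp\nmute-replay-warnings\n"
          "comp-lzo\nroute-delay 10\n")
AFTER = ("client\ndev tun\nremote-cert-tls server\ncompress\nproto udp\n"
         "cipher aes-128-cbc\nncp-disable\nfast-io\nsndbuf 512000\n"
         "rcvbuf 512000\ntxqueuelen 2000\npull\nnobind\nreneg-sec 0\n"
         "resolv-retry infinite\nverb 3\npersist-key\npersist-tun\n"
         "remote-random\nmute-replay-warnings\nroute-delay 10\n")

def parse(text):
    """Map each directive to its argument list (last occurrence wins). Skips blank
    lines, '#'/';' comments and the contents of inline <ca>...</ca>-style blocks."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <tag> ... </tag>: not directives
            block = None if line == f"</{block}>" else block
            continue
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if not line: continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def tuning_report(text):
    """Return findings relative to the article's recommendations; [] means clean."""
    o, out = parse(text), []
    if "comp-lzo" in o and o["comp-lzo"] != ["no"]:
        out.append("comp-lzo: compression burns CPU; use bare 'compress' instead")
    if o.get("compress"):
        out.append(f"compress {o['compress'][0]}: algorithm enabled, burns CPU")
    if o.get("proto", ["udp"])[0] not in ("udp", "udp4", "udp6"):
        out.append("proto: TCP adds overhead and fast-io requires UDP")
    if "fast-io" not in o:
        out.append("fast-io missing (valid only with proto udp and no shaper)")
    elif "shaper" in o:
        out.append("fast-io cannot be combined with shaper")
    for d, dflt in (("sndbuf", "OS default, ~64K"), ("rcvbuf", "OS default, ~64K"),
                    ("txqueuelen", "OS default, 1000 on the author's router")):
        if d not in o:
            out.append(f"{d} missing: {dflt}")
    if "cipher" not in o:
        out.append("cipher unset: falls back to the legacy default BF-CBC")
    return out
```

Running tuning_report(BEFORE) lists the five items the article changed, while tuning_report(AFTER) returns an empty list.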
OpenVPN Performance – Conclusion
Often, even more so in a work environment than at home, we are bound to use technology, tools, and software that we wouldn't normally choose. In those cases, we are still tasked with making things work, finding solutions, and fixing things. Using OpenVPN on an EdgeRouter feels like that right now.
My next article should be Top Five Home and Small Business Routers. What do you think? I'll still include the EdgeRouter 12, but off the top of my head there are at least three others I'm looking forward to. For one, I'm interested in the Firewalla Gold, but at 2x the cost of the ER-12, it probably won't make the list. Let's discuss this later, yes? Please send me some suggestions to review too.