Improving OpenVPN performance and throughput (2024)

April 22, 2024 by Hayden James, in Blog Linux

OpenVPN, WireGuard, L2TP/IPSec, SSTP, IKEv2, PPTP, or others. If you had the luxury of choosing, which VPN protocols would you use? Therein lies my problem. In my current use case, I must find a way to improve OpenVPN performance and throughput.

You may have been following my Linux home lab build. One of the most important decisions when building your home lab is selecting the proper router/firewall for your network. After many hours of research, online comparisons, reading reviews, and watching YouTube videos, I went with the Edgerouter 10x (ER-10x). Note: this article includes my affiliate links; however, I only link to hardware and services I’ve paid for and tested myself.

Last week, I discovered that it does not support WireGuard, at least not officially (my next to-do). This isn’t a knock on the ER-10x; it’s a remarkably capable router with many business-class features and, most important, rock-solid stability. 2024 Update: I’ve replaced the ER 10x with a Peplink Balance 20x, which also does not support WireGuard.

That said, my VPN service provider of choice is ovpn.com. They have many locations, excellent performance, and offer dedicated IPs with open ports at $3/month. On routers, they support WireGuard or OpenVPN.

Figure: OpenVPN 2.4 internet speed test results using Google+M-Lab and wifiman.com.

The Edgerouter 10x is built on Debian Linux. This makes it a pleasure to work with because a lot of the functionality feels familiar. Over the past year, I’ve spent more time in the command line and less time using the GUI.

Setting up OpenVPN is one of those command-line-only features. However, after downloading the .ovpn file and setting it up on the router, I soon hit a crippling OpenVPN limitation: the CPU. The ER-10x features 880 MHz CPU cores, which is often overkill for routing. OpenVPN, however, encrypts and forwards every packet in a single user-space process, so its throughput is bound by the clock speed of one core rather than by how many cores the router has.

On my first speed test, speeds were around 15 Mbps download and 12 Mbps upload. I needed a solid 20 Mbps down for the IoT devices connected to a VLAN that uses that VPN connection.

My basic setup at home currently is: dual WAN with backup 4G LTE ISP auto-failover, VLANs for isolated Guest WiFI network, and IoT devices, both wired and wireless. For now, I’ll run with what I have; it works!


Improving OpenVPN Performance

Figure: OpenVPN config screenshot from my Manjaro i3 SSH session with the router.

Note: when I first set everything up a week ago, I verified these results with iperf from my Ubuntu server over the LAN, which offers far higher throughput than the ISP link. Because the hardware/CPU limits on the Edgerouter are so low, the ISP speed tests were very much representative of those iperf tests. If you are using OpenVPN in a hardware-restricted setup, try the following config tweaks. I’ll try to take the time to revisit this article with some redone iperf test results. If you have the time, you can share your test results in the comments section below or by email using the “contact” link.

My ISP download speed is just over 100 Mbps. In this part of the world, this is as good as it gets for under $200 per month. That said, even before this OpenVPN setup, the IoT devices on my home network were restricted to a maximum download of 20 Mbps. I am using an EdgeSwitch to limit wired connections’ bandwidth and the Unifi controller via Unifi APs to limit wireless bandwidth. These network restrictions ensure that one or more devices don’t gobble bandwidth.

My plan? Improve OpenVPN performance as much as possible to at least hit 20 Mbps download speeds, as you can see from the above before vs. after internet speed tests. (I’ve since disabled bandwidth restrictions on the OpenVPN VLAN).

After optimizing OpenVPN’s performance, the max up/down speed is just about what the previous limits were. Let’s look at how you can go from 15 Mbps to 20 Mbps internet download speed on an 880 MHz CPU core router.

OpenVPN server Location

Whether you are using NordVPN (awesome 24/7 customer support), OVPN (best dedicated IP VPN, in my opinion), or another VPN service, the first step should be selecting the VPN servers closest to you. In my case, OVPN’s servers are located in South Miami. Not much to elaborate on here: closer is generally faster. Still, you should test locations for yourself because not all servers perform equally; some are under more load than others. Thankfully, OVPN shows load levels for its VPN server locations.

Disable compression

If the CPU isn’t a bottleneck, you may choose to enable compression, but on the Edgerouter it costs CPU cycles for every packet. Bear in mind that compressing traffic before encryption also exposes it to compression-oracle attacks (VORACLE, demonstrated against OpenVPN in 2018), which is why recent OpenVPN versions deprecate compression altogether. You can disable it with:

comp-lzo no ;deprecated - remove or use 'compress' without an algorithm

or, recommended for OpenVPN 2.4+:

compress

Providing just compress without an algorithm is the equivalent of comp-lzo no which disables compression but enables the packet framing for compression.

Use UDP for better OpenVPN performance.

With OpenVPN, UDP is faster than TCP in most cases. TCP packets are heavier: larger headers, sequence numbering, acknowledgements, and retransmission of lost segments all add overhead. Tunnelling over TCP also stacks the tunnel’s retransmissions on top of those of the TCP connections inside it, so one lost packet can stall both layers. UDP uses very minimal headers and leaves reliability to the inner protocols, making it less resource-intensive. Here’s the config line:

proto udp

Choosing the right Cipher

By default, OpenVPN uses Blowfish, a 128-bit cipher. Depending on the level of security you require, you will have to decide between stronger encryption and faster throughput with respect to CPU load, especially on this 880 MHz CPU. If there’s no CPU bottleneck, I would recommend using AES-256-GCM: GCM is an AEAD mode that encrypts and authenticates in one pass, whereas a CBC cipher relies on the separate HMAC selected by the auth option (SHA1 unless you set it) for integrity. In my case, I’m using AES-128-CBC as it resulted in faster OpenVPN throughput.

cipher AES-128-CBC

Disable cipher negotiation

You can set ncp-disable (disable “negotiable crypto parameters”). This completely disables cipher negotiation and instead uses what’s specified by the cipher option discussed previously. As of OpenVPN 2.4, this is now deprecated. Also, read OpenVPN Cipher Negotiation (Quick reference).

ncp-disable

Optimize TUN/TAP/UDP I/O writes

Set fast-io to optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select before the write operation.

“The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms, which don’t support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%. This option can only be used on non-Windows systems, when proto udp is specified, and when shaper is NOT specified.” (Source: OpenVPN manual.)

Set send/receive buffers

You can set the UDP socket send and receive buffer sizes. On OpenVPN 2.3.9+, this defaults to the operating system’s default (usually 64K).

Add to client config (bytes):

sndbuf 512000
rcvbuf 512000

Or, if you have access, set buffers in the server config:

sndbuf 512000
rcvbuf 512000
push "sndbuf 512000"
push "rcvbuf 512000"

Read more about fine-tuning these buffers here. These make a noticeable difference when tuned correctly. Note that on Linux the kernel silently caps socket send/receive buffers at net.core.wmem_max and net.core.rmem_max (commonly 212992 bytes), so a request for 512000 only takes full effect if you raise those sysctls first; OpenVPN logs the buffer sizes it actually obtained at startup on a “Socket Buffers: R=[...] S=[...]” line.

Adjust client MTUs to match the OpenVPN server

You can use the following command to grep connection logs for ‘MTU’ mismatches. Use the warnings about size mismatch to adjust tun-mtu if necessary. My router defaults to 1500, which is also OpenVPN’s default, so there is no need to mess with it. Also, see warnings about adjusting tun-mtu and be sure to read about mssfix.

sudo grep WARNING /path/to/openvpn.log

Which will display any warning like this:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1500', remote='link-mtu 3000'
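Grepping for WARNING returns every inconsistency OpenVPN noticed, not just MTU ones. The following is an added example, not a script from the article: it parses the “is used inconsistently” warnings into “option local=value remote=value” lines and then filters for the two MTU options, which are the ones to act on with tun-mtu and mssfix. The log lines it writes to a temp file are constructed to match the warning format shown above (the 203.0.113.10 address is a documentation placeholder).

```shell
#!/bin/sh
# Added example (not from the article): turn OpenVPN "is used inconsistently"
# warnings into one "option local=<v> remote=<v>" line each, then keep the
# MTU-related ones. Pure text processing, no network access.

# Write a constructed log in OpenVPN's warning format; print its path.
make_sample_log() {
    f="${TMPDIR:-/tmp}/openvpn-sample.log"
    cat > "$f" <<'EOF'
Mon Mar 22 10:01:02 2021 TLS: Initial packet from [AF_INET]203.0.113.10:1194
Mon Mar 22 10:01:03 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1500', remote='link-mtu 3000'
Mon Mar 22 10:01:03 2021 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
Mon Mar 22 10:01:03 2021 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Mon Mar 22 10:01:04 2021 Initialization Sequence Completed
EOF
    printf '%s\n' "$f"
}

# Every option mismatch in log $1: "<option> local=<value> remote=<value>"
option_mismatches() {
    sed -nE "s/.*WARNING: '([^']+)' is used inconsistently, local='[^' ]+ ([^']*)', remote='[^' ]+ ([^']*)'.*/\1 local=\2 remote=\3/p" "$1"
}

# Only the link-mtu / tun-mtu mismatches, the ones tun-mtu and mssfix address.
mtu_mismatches() {
    option_mismatches "$1" | grep -E '^(link|tun)-mtu '
}

# Count of MTU mismatches, handy as a health check from cron or a monitoring script.
mtu_mismatch_count() {
    mtu_mismatches "$1" | grep -c .
}

LOG=$(make_sample_log)
echo "MTU mismatches: $(mtu_mismatch_count "$LOG")"
mtu_mismatches "$LOG"
```

Point it at the real log instead of the constructed one (for example `mtu_mismatches /var/log/openvpn.log`); a non-zero count after a config change is the signal to revisit tun-mtu or mssfix on the client.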

Set the transmit queue length

Set the TX queue length on the TUN/TAP interface. This defaults to the operating system’s value for the interface, which in my case is 1000. A deeper queue absorbs bursts instead of dropping packets when the CPU-bound OpenVPN process falls behind.

txqueuelen 2000

Default ovpn.com config (before)

client
dev tun
remote-cert-tls server
cipher aes-256-cbc
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
proto udp
mute-replay-warnings
comp-lzo
route-delay 10

My improved OpenVPN performance config file (after)

client
dev tun
remote-cert-tls server
compress
proto udp
cipher aes-128-cbc
ncp-disable
fast-io
sndbuf 512000
rcvbuf 512000
txqueuelen 2000
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
mute-replay-warnings
route-delay 10
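The tweaks above, turned into a small audit you can run against any .ovpn profile before loading it on the router. This is an added example, not code from the article or from ovpn.com. The before/after profiles it writes to a temp file are copies of the two configs above; the 212992-byte fallback is the usual Linux default for net.core.rmem_max (an assumption, read from /proc when available). Besides the performance settings, it checks two things that decide whether the cipher choice is safe: remote-cert-tls server, and an explicit auth HMAC when a CBC cipher is used.

```shell
#!/bin/sh
# Added example, not the article's or ovpn.com's code: audit an OpenVPN client
# profile for the settings tuned above plus the checks that go with them.
# One finding per line on stdout; pure text processing, no network access.

# opt_present FILE REGEX: true if a line starts with an option matching REGEX
opt_present() {
    grep -qE "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print findings for the profile at $1.
check_ovpn_profile() {
    cfg="$1"
    # Compression burns CPU per packet and exposes encrypted traffic to
    # compression-oracle attacks; a bare 'compress' keeps framing but turns it off.
    if grep -qE '^[[:space:]]*comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$' "$cfg"; then
        echo "comp-lzo enables compression: use a bare 'compress' (2.4+) or 'comp-lzo no'"
    fi
    if grep -qE '^[[:space:]]*compress[[:space:]]+[A-Za-z0-9-]+' "$cfg"; then
        echo "compress names an algorithm: drop it to disable compression"
    fi
    # UDP avoids stacking the tunnel's retransmissions on top of the inner TCP ones.
    if opt_present "$cfg" 'proto[[:space:]]+tcp[a-z0-9-]*'; then
        echo "proto tcp: prefer proto udp unless TCP is the only way out"
    fi
    # fast-io is only honoured with proto udp and without shaper (manual text above).
    if opt_present "$cfg" 'fast-io' &&
       { ! opt_present "$cfg" 'proto[[:space:]]+udp[0-9]*' || opt_present "$cfg" 'shaper[[:space:]]+[0-9]+'; }; then
        echo "fast-io requires proto udp and no shaper: it will not take effect"
    fi
    # Without remote-cert-tls server, any certificate the CA issued (another
    # client's included) is accepted as the server's.
    if ! opt_present "$cfg" 'remote-cert-tls[[:space:]]+server'; then
        echo "remote-cert-tls server missing: server certificate key usage is not checked"
    fi
    # CBC has no integrity of its own; the data channel relies on the separate
    # HMAC chosen by 'auth' (SHA1 if unset). GCM is AEAD and needs no auth.
    if opt_present "$cfg" 'cipher[[:space:]]+[A-Za-z0-9-]*-[Cc][Bb][Cc]' &&
       ! opt_present "$cfg" 'auth[[:space:]]+[A-Za-z0-9-]+'; then
        echo "CBC cipher with no explicit auth: integrity falls back to the default SHA1 HMAC"
    fi
}

# Linux silently clamps SO_SNDBUF/SO_RCVBUF at net.core.wmem_max/rmem_max.
# $2 is that limit; on the router pass $(cat /proc/sys/net/core/rmem_max).
buffer_findings() {
    cfg="$1"; limit="$2"
    for opt in sndbuf rcvbuf; do
        val=$(sed -nE "s/^[[:space:]]*$opt[[:space:]]+([0-9]+).*/\1/p" "$cfg" | head -n 1)
        if [ -n "$val" ] && [ "$val" -gt "$limit" ]; then
            echo "$opt $val exceeds kernel limit $limit: raise net.core.rmem_max/wmem_max or it is capped"
        fi
    done
}

# Write a copy of the article's before/after profile to a temp file; print its path.
write_profile() {
    f="${TMPDIR:-/tmp}/ovpn-$1.conf"
    case "$1" in
    before) printf '%s\n' client 'dev tun' 'remote-cert-tls server' 'cipher aes-256-cbc' pull nobind \
        'reneg-sec 0' 'resolv-retry infinite' 'verb 3' persist-key persist-tun remote-random \
        'proto udp' mute-replay-warnings comp-lzo 'route-delay 10' > "$f" ;;
    after) printf '%s\n' client 'dev tun' 'remote-cert-tls server' compress 'proto udp' \
        'cipher aes-128-cbc' ncp-disable fast-io 'sndbuf 512000' 'rcvbuf 512000' 'txqueuelen 2000' \
        pull nobind 'reneg-sec 0' 'resolv-retry infinite' 'verb 3' persist-key persist-tun \
        remote-random mute-replay-warnings 'route-delay 10' > "$f" ;;
    esac
    printf '%s\n' "$f"
}

for p in before after; do
    echo "== $p =="
    f=$(write_profile "$p")
    check_ovpn_profile "$f"
    buffer_findings "$f" "$(cat /proc/sys/net/core/rmem_max 2>/dev/null || echo 212992)"
done
```

Run against the before profile it flags comp-lzo and the CBC cipher without an explicit auth; against the after profile only the auth point remains, and on a stock Linux kernel the 512000-byte buffers are reported as exceeding net.core.rmem_max, which is exactly the case where raising the sysctl makes the sndbuf/rcvbuf change real.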

OpenVPN Performance – Conclusion

Often, even more so in work environments than at home, we are obliged to use technology, devices, software, and other tools we wouldn’t typically support. In these cases, we are still tasked with making things work, finding a workaround, and patching things up. Using OpenVPN on an Edgerouter feels a lot like that right now.

My next article should be the top five home and small business routers; what do you think? I would still include the Edgerouter 12, but I do have at least three others off the top of my head that I’m looking at next. For one, I’m interested in the Firewalla Gold, but at 2x the cost of the ER-12, it probably won’t make the list. Let’s discuss this later, yea? Please send me some suggestions to look into as well.

Published: Mar 24, 2021 | Last updated: April 22, 2024

Tags: performance, security, sysadmins

Discussion

  1. Great post, really nice to read.
    Ubiquiti hardware/software is to be reckoned with, but one might not want to dismiss core Unix/Linux open-source software on bare metal as well.

    I’m running OPNsense on a mini PC (not wanting to advertise so I won’t link anything unless asked for) and I’m near line-rate performance on a Gigabit fiber connection, on my home network, with lots of vlan, firewalling, QoS, etc…

    Sure, VPN eats a lot of resources and I need to do some more thorough testing, and it’s very true that ovpn, though quick and easy to set up, is not really shining in the performance department, but if I recall correctly, I could get around 40 to 50 percent bandwidth depending on endpoint and parameters with my hardware (which is an ‘affordable’ 150$ box btw.)

    So as a *nix and open-source advocate, you might want to consider these alternatives as well, and give them a fair trial in your testing.

    Kind Regards

  2. Agreed with Ubiquiti. Also, the value isn’t there anymore, especially now with price gouging, so many items out of stock.

    Have a look at this TP-Link lineup (hard to beat the value for a home lab type rack setup):
    Router: VPN Router - Gigabit Routers for Business - TP-Link (+ OpenVPN client)
    Switch: TL-SG2210MP | JetStream 10-Port Gigabit Smart Switch with 8-Port PoE+ | TP-Link
    Controller: OC200 | Omada Hardware Controller | TP-Link
    Access points: Access Points | TP-Link

    If you want to use WireGuard, then you can add or replace the router with https://www.pivpn.io/ on an RPi 4.

    Or use a https://store.gl-inet.com/products/brumegl-mv1000-edge-computing-vpn-router router. (supports Wireguard client up to 250 Mbps ISP speed)

    Just one example, and there are a bunch of other Ubiquiti alternatives out there.

  3. Thank you for your post.

    Background:

    I have an OpenVPN server running on my Windows 10 VPS. The Internet connection of VPS is ~750 Mbps for Download and ~450 Mbps for upload (Obtained by multiple speedtest.net tests). The VPS has 2 vCPU and 8 GB RAM. The VPS serves only two clients of OpenVPN. However, the speedtest for clients normally shows 30 Mbps of the test while VPN is enabled.

    What I have tried:

    • Please see the config

    Config:

    • Server
    ;local a.b.c.d
    --duplicate-cn
    port 443
    ;proto tcp
    proto udp
    sndbuf 393216
    rcvbuf 393216
    push "sndbuf 393216"
    push "rcvbuf 393216"
    txqueuelen 4000
    tun-mtu 9000
    mssfix 0
    fragment 0
    ;dev tap
    dev tun
    ca "ca.crt"
    cert "ERVER.crt"
    key "C:\\SE.key" # This file should be kept secret
    dh "dh.pem"
    ;topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    ;server-bridge
    ;push "route 192.168.10.0 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    tls-auth "tls-auth.key" 0 # This file is secret
    cipher AES-128-CBC
    persist-key
    persist-tun
    ;mute 20
    explicit-exit-notify 1
    • Client
    dev tun
    proto udp
    remote IP 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    key-direction 1
    cipher AES-128-CBC
    verb 3
    <ca>
    -----BEGIN CERTIFICATE-----
    </ca>
    <cert>
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    </key>
    <tls-auth>
    </tls-auth>
  4. Hi @mmbo, not sure what can be done while on Windows OS. These optimizations were tested on Linux.

    You should use WireGuard instead of OpenVPN when possible. It’s much faster.

    Welcome to the forums!
