Disable TLS-crypt in PIVPN Raspberry to increase speed.

chutiloco
OpenVpn Newbie
Posts: 5
Joined: Fri Jul 10, 2020 4:05 pm

Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by chutiloco » Mon Jul 13, 2020 8:44 pm

Hi,

I have installed piVPN on a Raspberry Pi 3B+ with a 100 Mbps symmetric ISP connection. Standard installation: AES256 cipher + TLS HMAC AES-256CTR.

On the client site, traffic is redirected through an Asus-N66u router with AsusMerlin firmware. The client site has a 300 Mbps symmetric connection. The Asus router is connected to the ISP router by a 1000 Mbps Ethernet cable, and its OpenVPN client is configured to redirect all traffic to the piVPN server.

When connecting at the client site to piVPN with a laptop connected to the ISP router, I got around 85 Mbps. When I connect any device to the Asus router I get 9 Mbps symmetric. The bottleneck is the Asus router's processor; I can clearly see that during a speed test it suddenly rises to 100% usage. Playing with the configuration, I set the cipher to "cipher none"; I got a warning in the logs but it seems to work. Then I get 14 Mbps symmetric.

I assume the root cause of the low speed is now the TLS HMAC configuration. I have tried to remove it, but I haven't found clear steps for how to keep just the authenticated login and remove the TLS crypt HMAC.

What surprised me is that the Raspberry Pi never goes over 5% CPU usage...

I'm not very concerned about security in this connection; I just want to get an acceptable speed of 30 Mbps with the Asus router.

Any guidance please?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by 300000 » Tue Jul 14, 2020 1:01 pm

I installed WireGuard on my Raspberry and the speed doubled compared with OpenVPN. The only downside is that there is no authentication for WireGuard. If you use it for personal use, it should be OK.

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by 300000 » Tue Jul 14, 2020 1:25 pm

Wrong double post

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by chutiloco » Tue Jul 14, 2020 2:05 pm

300000 wrote:
Tue Jul 14, 2020 1:01 pm
I installed WireGuard on my Raspberry and the speed doubled compared with OpenVPN. The only downside is that there is no authentication for WireGuard. If you use it for personal use, it should be OK.

The Asus N66u router only has an OpenVPN client. I don't believe it's compatible with WireGuard.

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by 300000 » Tue Jul 14, 2020 4:25 pm

Slow speed on OpenVPN is a long story and there is nothing to make it better.

You can add this in both the server and client config. Maybe it goes a bit faster.

rcvbuf 9888899
sndbuf 9888889

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by TinCanTech » Tue Jul 14, 2020 4:33 pm

Do you run openvpn on the Asus router or the client device ?

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by chutiloco » Tue Jul 14, 2020 8:45 pm

300000 wrote:
Tue Jul 14, 2020 4:25 pm
Slow speed on OpenVPN is a long story and there is nothing to make it better.

You can add this in both the server and client config. Maybe it goes a bit faster.

rcvbuf 9888899
sndbuf 9888889

I have already played with rcvbuf and sndbuf with no result. I really know the bottleneck is the cipher, which overloads the Asus router.

OpenVPN is able to get speeds over 500 Mbps. In fact, when using a computer OpenVPN client I'm getting 85 Mbps while the server line is 100 Mbps.

TinCanTech wrote:
Tue Jul 14, 2020 4:33 pm
Do you run openvpn on the Asus router or the client device ?

I run the OpenVPN server on a Raspberry Pi in location A; the Asus router is the client device at the client site (location B). All computers at the client site can connect to the Asus router's Wi-Fi LAN, and all traffic through the Asus router is then redirected to the OpenVPN server on the Raspberry using the router's OpenVPN client. So computers or any other devices at the client site don't need any OpenVPN client installed.

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by TinCanTech » Tue Jul 14, 2020 9:03 pm

Post your server config file, there may be some things we can improve.

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by chutiloco » Wed Jul 15, 2020 9:25 pm

TinCanTech wrote:
Tue Jul 14, 2020 9:03 pm
Post your server config file, there may be some things we can improve.

Code: Select all

dev tun
proto udp
port 3111
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_xxxx.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_xxxx.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 72.xx.xxx.xxx"
push "dhcp-option DNS 72.yy.yyy.yyy"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

Thanks for the help. Playing with the configuration file above, I got an improvement by changing the cipher and AUTH setup.

Original setup: cipher AES256, AUTH SHA256. Download speed: 9,36 Mbps. Upload speed: 9,36 Mbps
First setup: cipher none, AUTH SHA256. Download speed: 9,40 Mbps. Upload speed: 10 Mbps
Second setup: cipher none, AUTH none. Download speed: 20 Mbps. Upload speed: 22 Mbps
Third setup: cipher none, AUTH SHA1. Download speed: 12 Mbps. Upload speed: 12 Mbps
Fourth setup: cipher none, AUTH MD5. Download speed: 13 Mbps. Upload speed: 13 Mbps
Fifth setup: cipher DES, AUTH none. Download speed: 11 Mbps. Upload speed: 11 Mbps
Sixth setup: cipher AES128-CBC, AUTH none. Download speed: 14 Mbps. Upload speed: 15 Mbps
Seventh setup: cipher AES128-CFB, AUTH none. Download speed: 15 Mbps. Upload speed: 18 Mbps

Other combinations of cipher and auth were tested with similar or worse speed. Any suggestion on the setup is welcome, but I really believe that here the hardware processor of the Asus N66u router is the problem. The speeds above were measured connected to the router with a LAN Ethernet cable. When connecting to the router over WiFi I lose 2 Mbps down/up.

What surprised me is that the Raspberry Pi 3B+ as server with 1.4 Mhz was using only max 7% of CPU. I was evaluating the purchase of another Raspberry Pi as a router VPN client, but its WiFi signal isn't powerful and the setup would be quite a bit more complicated. I assume the Asus A86u router is the solution...
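
The cipher/auth combinations benchmarked above, run through a small config auditor (an added example, not part of the thread or of PiVPN): it parses an OpenVPN config and reports which settings leave the tunnel payload unencrypted or unauthenticated. `tls-crypt` covers only control-channel packets, so it is reported separately; the finding codes, function names and the trimmed sample config are constructed for illustration, with ciphers written in OpenVPN's own naming.

```python
import shlex

AEAD_SUFFIXES = ("-GCM", "-POLY1305")          # AEAD modes carry their own integrity tag
LEGACY_CIPHERS = {"DES", "DES-CBC", "BF-CBC"}  # 64-bit block ciphers
LEGACY_DIGESTS = {"MD5", "SHA1"}

# Constructed sample: a trimmed version of the server config posted above.
BASE = """\
dev tun
proto udp
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher {cipher}
auth {auth}
# Generated for use by PiVPN.io
"""
# The cipher/auth pairs benchmarked in the post, in the order listed.
SETUPS = [("AES-256-CBC", "SHA256"), ("none", "SHA256"), ("none", "none"),
          ("none", "SHA1"), ("none", "MD5"), ("DES", "none"),
          ("AES-128-CBC", "none"), ("AES-128-CFB", "none")]

def parse_directives(text):
    """Map each directive to its argument list; the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):         # ';' also starts a comment line
            continue
        parts = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted args
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf

def audit_data_channel(text):
    """Return finding codes (hypothetical names) for one config."""
    conf = parse_directives(text)
    cipher = (conf.get("cipher") or ["unset"])[0].upper()
    auth = (conf.get("auth") or ["unset"])[0].upper()
    findings = []
    if cipher == "NONE":
        findings.append("no-encryption")
    elif cipher in LEGACY_CIPHERS:
        findings.append("legacy-cipher")
    if cipher.endswith(AEAD_SUFFIXES):
        findings.append("auth-ignored-aead")      # auth is not used for the data channel
    elif auth == "NONE":
        findings.append("no-packet-authentication")
    elif auth in LEGACY_DIGESTS:
        findings.append("legacy-digest")
    if "tls-crypt" in conf or "tls-auth" in conf:
        findings.append("control-channel-hmac-kept")  # does not protect tunnel payload
    return findings

def audit_setups():
    return {s: audit_data_channel(BASE.format(cipher=s[0], auth=s[1])) for s in SETUPS}
```

Calling `audit_setups()` returns the findings keyed by each (cipher, auth) pair.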

Re: Disable TLS-crypt in PIVPN Raspberry to increase speed.

Post by TinCanTech » Wed Jul 15, 2020 9:56 pm

chutiloco wrote:
Mon Jul 13, 2020 8:44 pm
Not very concerned about security

Why bother with a VPN or any cipher then ?

There is not much you can do with your config except dropping all security ..
Unless you want to discuss improving cipher code with the developers.

Have no idea if a Pi or Router is better. I would use a real server ..

There is an old saying:

"Secure / Reliable / Cheap -- You can choose only two .."
