
Memory usage and impact on VPN wireless speed

Discussion in 'Tomato Firmware' started by veinypea, Jul 18, 2014.

  1. veinypea

    veinypea Reformed Router Member

    I have shibby tomato-RT-N66U_RT-AC6x--120-AIO-64K installed on an Asus RT-N66U. I have it configured to run an open VPN from Private Internet Access.

    My Internet speed with VPN turned off:
    Computer 19M
    Wireless 19M

    My Internet speed with VPN turned on:
    Computer 13M
    Wireless 8M

    My question is why doesn't the wireless performance match the computer's performance with the VPN turned on? Is this normal? I know the VPN is working the router hard. Is it because of memory usage on the router?

    The VPN version of shibby is smaller than the AIO version. Could I expect the VPN version to have slightly faster wireless performance than the AIO version with the VPN turned on because there is less memory being used?
     
  2. koitsu

    koitsu Network Guru Member

    It is not due to memory usage. It's most likely due to CPU usage; VPNs encrypt traffic, and encryption is a CPU-intensive task. Hardware offloading for encryption is a custom thing and quite often is not supported by consumer-level hardware nor by certain firmwares.

    That said: the data you've provided, while useful, is not enough to troubleshoot the problem. This kind of profiling/debugging is tedious/difficult to do.

    What you should be testing, by the way, is the following scenarios:

    1. VPN disabled, testing network throughput between wireless client and wired computer
    2. VPN disabled, testing network throughput between wireless client and Internet (ex. speedtest.net)
    3. VPN disabled, testing network throughput between wired computer and Internet (ex. speedtest.net)
    4. VPN enabled, testing network throughput between wireless client and wired computer
    5. VPN enabled, testing network throughput between wireless client and Internet (ex. speedtest.net)
    6. VPN enabled, testing network throughput between wired computer and Internet (ex. speedtest.net)

    When using speedtest.net, by the way, do not choose "automatic select server". Manually pick the same server every time. Failure to do this means an invalid test.

    Finally, I should note that the term "VPN" here is ambiguous/vague:

    If you're using a VPN in the sense of you subscribe to a VPN service and have your router siphoning all your Internet traffic through that VPN provider, then you are almost certainly going to see slower speeds for all LAN clients (wired and wireless). The VPN provider might be located in another country (many are in Hong Kong or the UK or China), or may be located on the other side of the country (US West vs. US East), which increases latency, which means your throughput speed will be slower. There's nothing you can do about that problem if that is true, other than go with a VPN provider who is closer to where you are. (And if so, you should have tried using them first, like during a trial period, so you could test throughput before agreeing to sign up with them)

    If you're using a VPN in the sense of you have your router connecting to your place of work's VPN concentrator, then it's very likely you're siphoning all your Internet traffic through your workplace's VPN thus their Internet connection + wasting their bandwidth + they potentially could know all the sites/places you're visiting (nothing guarantees that the traffic between their VPN concentrator and the Internet is encrypted, only between you and their VPN concentrator). You shouldn't do this -- many, many workplaces do not like it. (At a previous job I witnessed two people being terminated for doing this excessively, specifically for wasting company resources despite previous warnings).
     
  3. veinypea

    veinypea Reformed Router Member

    Thanks Koitsu. My internet speed numbers above are as you suggested from speedtest.net for 2, 3, 5, and 6.

    If it is a CPU usage issue and not a memory issue could I expect the VPN version of Shibby to use less CPU than the AIO version?

    And if it was using less CPU would my wireless internet speed with VPN on get closer to my actual internet speed on the computer because the router would not be working as hard?
     
  4. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Turn off vpn encryption, wireless encryption, then both, and compare your results from wireless. You should see an increase. Not practical but gives you an idea of the encryption overhead.

    However wireless will always have a higher cpu overhead compared to wired.
     
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    Someone more familiar with Tomato's encryption should have a better idea of this, but my hunch is that wireless encryption (WPA2, etc.) is being handled by the CPU instead of being offloaded to specialized hardware, so when you add a CPU-hungry process like VPN into the mix it has a larger impact on wireless clients. Every packet of data sent to and from every wireless client gets encrypted & decrypted, same with every packet of data sent to and from a VPN client/host. Wired clients don't have encryption to deal with, nor do they have to be routed through the wireless driver (which itself is implemented, at least in part, in software that runs on the CPU), it's just dumping packets from one VLAN to another VLAN with a NAT translation in the mix (which wireless clients have to go through too, they just require additional steps on top of that).

    Running more tests like Koitsu suggests, particularly some with wireless encryption turned off, will help you figure out what's really going on instead of my (admittedly) pure conjecture. Copying files between wireless and wired clients (as he suggests) avoids some of the more CPU intensive hops your data can travel through.

    AIO vs. VPN image shouldn't make a big difference, unless you're flipping on some of the features included in AIO which the VPN image would block you from flipping on. If you flip them off AIO and VPN should be virtually identical, aside from less NVRAM and flash space (if you don't have JFFS enabled then the latter won't matter at all).

    Not to belabor the point, but are you connecting to a VPN service (your router is running as a VPN client connecting to someone else's server), or are you running a VPN server on your router and clients (such as your wireless device) are connecting to it? The latter is more CPU intensive than the former, particularly if multiple clients are connecting to the server on the router.
     
    Last edited: Jul 23, 2014
  6. veinypea

    veinypea Reformed Router Member

    Thanks. That answers my question on AIO vs VPN versions.

    To answer your question about my VPN, below is the link and copied instructions for the VPN setup using Private Internet Access. Anything stand out as being a questionable configuration?

    https://www.privateinternetaccess.c...tup-for-newer-branches-including-tomatousb/p1

    • Click VPN Tunneling menu, then OpenVPN Client submenu
    • Choose the Client 1 tab and then Basic tab below
    • Check Start with WAN if you want to auto-connect whenever your router is online/starts up
    • Set Interface Type to TUN
    • Set Protocol to UDP
    • Set the Server Address/Port to us-east.privateinternetaccess.com (or whichever server you prefer) and port to 1194
    • Set the Firewall to Automatic
    • Set Authorization Mode to TLS
    • Check Username/Password Authentication
    • Enter Your Username/Password in the boxes that newly appear below the check box
    • Ensure that the Username Authen. Only box is unchecked
    • Uncheck Extra HMAC authorization
    • Check Create NAT on tunnel
    • Click on the Advanced tab
    • Set Poll Interval to 0
    • Uncheck Redirect Internet Traffic
    • Set Accept DNS configuration to Strict
    • Set Encryption cipher to Use Default
    • Set Compression to Adaptive
    • Set TLS Renegotiation Time to 0
    • Leave Connection retry as 30
    • Uncheck Verify server certificate (tls-remote)
    • In the Custom Configuration textbox, input the following:
        • persist-key
        • persist-tun
        • tls-client
        • comp-lzo
        • verb 1
    • Click on the Keys tab
    • Paste the contents of ca.crt found in OpenVPN Config Files, into the Certificate Authority text area
    • Press the Save button before the Start Now button
     
  7. Monk E. Boy

    Monk E. Boy Network Guru Member

    It all looks fairly normal to me, though you should understand most settings are "unique" to a VPN service, in that you need to have clients (in this case your router) configured that way in order to use their service. If you switch to another service, you may need to change settings here and there in order for it to work with their service. That's all fairly normal.

    There is a setting or two that I question in the name of security, but it's not like you can flip those bits on and still use their service. They probably have them flipped off so that they can accept connections from a wider array of clients (not everyone uses OpenVPN, for instance).

    Basically, this does answer one of the outstanding questions - you are using the OpenVPN client in Tomato to connect to an external VPN server.
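
Added example, not part of the thread and not PIA's or Tomato's own code: a Python audit of the three choices in the posted setup that bear on security (server certificate verification unchecked, Extra HMAC authorization unchecked, cipher left at Use Default). The sample config is a constructed approximation of those GUI choices written as OpenVPN directives, and the names `directives` and `audit` are made up for this example.

```python
import re

# Constructed sample: the GUI choices listed in the thread written as OpenVPN
# directives (an approximation, not Tomato's actual generated file).
SAMPLE = """\
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
auth-user-pass
ca ca.crt
persist-key
persist-tun
tls-client
comp-lzo
verb 1
"""

def directives(text):
    """Map directive -> list of argument lists; skips comments and inline <x> bodies."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside a <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                            # an inline file counts as the directive
            inline = m.group(1)
            found.setdefault(inline, []).append([])
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return {finding_id: explanation} for the three settings in question."""
    d, out = directives(text), {}
    pinned = (["server"] in d.get("remote-cert-tls", []) or ["server"] in d.get("ns-cert-type", [])
              or "verify-x509-name" in d or "tls-remote" in d)
    if not pinned:
        out["server-identity"] = "any certificate chaining to the CA is accepted as the server"
    if "tls-auth" not in d and "tls-crypt" not in d:
        out["control-hmac"] = "TLS handshake packets carry no pre-shared HMAC"
    if "cipher" not in d:
        out["cipher"] = "data-channel cipher is whatever the build defaults to"
    return out

if __name__ == "__main__":
    for key, why in audit(SAMPLE).items():
        print(f"{key}: {why}")
```

Whether a given provider accepts a client with these directives added is a separate matter; the audit only reports what the client-side config does not enforce.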
     
  8. ipse

    ipse LI Guru Member

    You may not like my suggestion, but it's what I ended up doing in an EXACT similar scenario: my Linksys E4200v1 with Shibby 120 does 8-9Mbps with PIA client enabled. 25% of my cable speed (50Mbps).
    My options were:
    a. Use only my HTPC (i3) - which does full 50Mbps - but it has to run 24/7 in some cases - not efficient
    b. Get a new router - a Netgear R7000, does full 50Mbps via VPN without breaking a sweat.

    I opted for the second alternative and I'm happy so far. Disadvantage? $$$
     
