Following up on my post in the OpenVPN Service topic:
I now have FTTN, and have done some tests with OpenVPN running on both the EdgeRouter X and the EdgeRouter Lite. Both these wired-only routers are made by Ubiquiti, cost under $100, and include an OpenVPN client that can be configured through the command line.
I would recommend these routers only for people who are either good with command line network configuration, or who have someone else to deal with such things. Although Ubiquiti's web UI does have setup wizards that can make these devices work like consumer-grade routers, the wizards don't cover OpenVPN or the firewall rules that would prevent VPN leaks. On the plus side, the command line tools and configuration structure are quite sensible to someone who knows networking, the support community is pretty good, and common operations like port forwarding and checking connectivity can be done from the web UI. After getting mine configured the way I wanted it, I haven't really had to touch it.
Device specs:
https://wikidevi.com/wiki/Ubiquiti_Netw ... geRouter_X
https://wikidevi.com/wiki/Ubiquiti_Netw ... outer_LITE
The EdgeRouter Lite has 3 ethernet ports, a 500 MHz dual-core CPU, and can offload some routing functions to hardware, making it capable of gigabit speeds in certain configurations. Unfortunately, OpenVPN makes the hardware offloading features mostly useless.
The EdgeRouter X is about half the size and price of the Lite, has 5 ethernet ports, and an 880 MHz dual-core dual-threaded CPU. Although the processor has some hardware offloading capabilities, they are not used by EdgeOS 1.8 (the current version). This makes it slower than an offload-enabled EdgeRouter Lite for basic routing, but faster for things like OpenVPN and QoS.
I tested both routers using Sonic's production OpenVPN server through my 20 Mbps FTTN line, against both https://speedof.me/ and ftp://ftp.sonic.net/pub/testfile.compressed.100meg (with curl). I had a few basic firewall, NAT, and port forwarding rules enabled, all typical of consumer internet setups.
EdgeRouter Lite results:
speedof.me: 9.24Mbps
ftp.sonic.net: 11.66Mbps
openvpn CPU load: 85-96%
EdgeRouter X results:
speedof.me: 18.19Mbps
ftp.sonic.net: 18.61Mbps
openvpn CPU load: 71-83%
The EdgeRouter Lite handled OpenVPN up to about half the download rate of Sonic's FTTN x1 service. In other words, too slow. A better approach for this device would be to make use of its IPSEC VPN acceleration, as Dane mentioned here:
viewtopic.php?p=20083#p20083
The EdgeRouter X handled OpenVPN at full FTTN x1 speed. With a $50 price tag, an outstanding feature set, and very modest power consumption, that makes it a winner for me.
Judging by the CPU usage I saw, I'm guessing that today's EdgeRouter X would be unable to run OpenVPN at full FTTN x2 speed. However, this might change with future OS updates. The OpenVPN client is currently a single-threaded application, which leaves most of the device's CPU cores sitting idle even while the process hits a CPU limit. A multi-threaded implementation is already on the project roadmap, and depending on the design, could raise OpenVPN's effective bandwidth limit on this device. Also, the MediaTek MT7621AT SoC used in the EdgeRouter X reportedly has hardware acceleration features, including the AES ciphers used in OpenVPN, that simply aren't exposed by the OS yet. If Ubiquiti were to get the right drivers and use them in an EdgeOS update (much like they did to enable hardware offload on the EdgeRouter Lite) this little box would become even more capable.
https://community.openvpn.net/openvpn/w ... #Threading
https://forum.mqmaker.com/t/is-crypto-e ... are/241/16
https://community.ubnt.com/t5/EdgeMAX-F ... -p/1469737
Most of the time I spent setting up my device was about learning EdgeOS configuration options and testing for firewall/VPN leaks. The .ovpn file generated by Sonic's server was usable almost as-is; I just had to copy it to the router, tell EdgeOS where to find it, and set the auth-user-pass line to the path of a username/password file I created. I also ended up making a simple cron job to restart the openvpn process if it ever dies, such as after a power failure or when an FTTN outage lasts more than a few minutes.
It's worth noting that the EdgeRouter X has been noticed by the OpenWRT community, and some very early porting work has already begun. That could eventually turn into a good OS alternative.
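An added example, not the poster's own scripts: one way to do the three setup steps described above (point `auth-user-pass` at a credentials file, keep that file owner-readable only, and restart openvpn from cron when it has died). All paths, the process name argument, and the restart command are assumptions to adapt to your router.

```shell
#!/bin/sh
# Added example; file locations and the restart command are hypothetical.

# Point the profile's auth-user-pass directive at a credentials file.
# Rewrites an existing (bare or path-carrying) line, else appends one.
# Assumes the credentials path contains no '|' or '&' characters.
set_auth_user_pass() {
    ovpn=$1; cred=$2
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$ovpn"; then
        sed -E "s|^[[:space:]]*auth-user-pass([[:space:]].*)?\$|auth-user-pass $cred|" \
            "$ovpn" > "$tmp"
    else
        { cat "$ovpn"; printf 'auth-user-pass %s\n' "$cred"; } > "$tmp"
    fi
    cat "$tmp" > "$ovpn" && rm -f "$tmp"
}

# Write the two-line username/password file OpenVPN expects.
# umask covers a new file; chmod covers one that already existed.
write_credentials() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# Succeed only if group and other have no permission bits on the file.
cred_perms_ok() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Cron watchdog: run the given restart command only when no process
# with the exact name $1 exists. The restart command is site-specific,
# so it is passed in rather than hard-coded.
watchdog() {
    name=$1; shift
    pgrep -x "$name" >/dev/null 2>&1 && return 0
    "$@"
}

# Example use (hypothetical paths and restart script):
#   set_auth_user_pass /config/auth/sonic.ovpn /config/auth/sonic.cred
#   write_credentials  /config/auth/sonic.cred "$VPN_USER" "$VPN_PASS"
#   cred_perms_ok      /config/auth/sonic.cred || echo "credentials file too open"
#   watchdog openvpn   /config/scripts/restart-vpn.sh   # run every few minutes from cron
```

A watchdog like this only checks that the process exists; it does not replace firewall rules that block LAN traffic from leaving via the WAN interface while the tunnel is down.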