I’ve been wanting to get a VPN service due to privacy concerns for a while now. I have not done it until now mostly because of my assumptions about VPN service speeds and reliability. A [blog post](http://blog.level3.com/global-connectivity/verizons-accidental-mea-culpa/ "Verizon’s Accidental Mea Culpa") by Level 3’s Mark Taylor prompted me to finally take action. As it turned out, I was about half-right in my guesses, and below I’ll tell you why.
First, though, let me talk about my choice of VPN service. To clarify, my primary concerns were privacy, speed, and reliability. Conducting illegal activities was not part of my search criteria; however, I did keep in mind the attitude towards using popular file sharing protocols, since there are plenty of legitimate uses for those. I looked at about 10 different options and ended up going with [PrivateInternetAccess](https://www.privateinternetaccess.com "PrivateInternetAccess"). Don’t take this as a “best of 10,” though, because I have not properly reviewed any of them.
Before choosing PrivateInternetAccess, I was leaning towards AirVPN because of their origins. But what turned me off was their slow support for prospective customers (I requested a trial and am still waiting on a reply) and their social-features-oriented website. For instance, their customer and forum accounts are one and the same, and when logging in one has to explicitly check the option to not be added to the active users list. The control panel has all the usual social profile features of a forum member (user information, post tracker, status feed, etc.) in addition to billing information and other service-related information such as current plan, support tickets, and invoices. I understand the need for a community, but when you are a privacy-oriented service I feel there are better ways of going about setting that up.
All this is in contrast to [PrivateInternetAccess](https://www.privateinternetaccess.com "PrivateInternetAccess"), or PIA for short, which only has options for setting your e-mail, password, and subscription. That’s more up my alley. And they are cheap.
I did briefly consider running my own VPS setup on a VPN, but the cost/benefit didn’t work out.
Let’s talk benchmarks. I should warn that these numbers are not very scientific in the sense that, although I performed multiple tests while setting things up and messing around, the results below are from one-time runs that were done specifically for this post but still looked representative of my overall experience.
There were three main scenarios that I looked at, with the only difference being where the VPN client was set up.
- For all of the speed tests I chose the closest geographical location (VPN server was set to the same state).
- There was no other significant traffic on the LAN.
- DOCSIS 3.0 cable modem with a 100BASE-T cable plugged in to WAN (because it helped with cable management and wasn’t going to come close to capping my bandwidth)
- 50/5 Mbps ISP plan
- OpenVPN setup
- All the snapshots were done within a 30 minute window
Scenario 1 — no VPN.
This is the baseline — low ping, speeds as advertised. No surprise there.
Scenario 2 — VPN on a Windows PC running PIA’s software
Triple the latency and triple the speed. Pretty impressive, huh? The conclusion is obvious — to increase the speed we must increase the latency! Call your ISP now and demand higher ping times! All kidding aside, the increase in latency is due to additional VPN hops and the increase in speed is most likely due to LZO compression. Still, rather impressive considering I am going through a VPN. Certainly not what I was expecting, and in a good way.
Scenario 3 — VPN on TL-WDR4300 router running OpenWRT Attitude Adjustment
This is really the use case I was going for. I wanted to set up VPN service on my router for use by the entire house. The latency did not change from the previous scenario; however, the download speed took a huge hit — about 1/4th of my regular speed and 1/10th of the VPN link with compression enabled. That’s not where I want to be for the entire house. The drop is mainly due to the Atheros chipset’s lack of processing power and of a cryptography instruction set.
Here are some router details and benchmarks:
r36088 | Atheros AR9344 rev 2 | TP-LINK TL-WDR4300 (rev. 1.6) | MIPS 74Kc V4.12
```
OpenSSL 1.0.1h 5 Jun 2014
built on: Tue Jul 8 12:26:54 CEST 2014
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
compiler: ccache_cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/include -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DOPENSSL_NO_ERR -DTERMIO -Os -pipe -mips32r2 -mtune=mips32r2 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -fpic -fomit-frame-pointer -Wall -DSHA1_ASM -DSHA256_ASM -DAES_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              2262.45k     7884.17k    20603.42k    36201.19k    46113.77k
sha1             2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
des cbc          4773.74k     5072.14k     5074.42k     5106.69k     4915.20k
des ede3         1722.16k     1746.40k     1748.50k     1751.77k     1756.32k
aes-128 cbc      7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-192 cbc      7108.66k     8013.22k     8061.08k     8232.59k     8185.86k
aes-256 cbc      6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
sha256           1778.04k     4265.98k     7643.96k     9560.77k    10464.99k
sha512            553.24k     2236.05k     3239.23k     4406.14k     5018.68k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.108095s 0.003021s      9.3    331.0
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.030133s 0.036694s     33.2     27.3
```
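To relate these benchmark figures to the tunnel speed, here is an added example (not part of the original post) that parses the `openssl speed` rows above and estimates the throughput the router's CPU could sustain if it did nothing but encrypt and authenticate packets. It assumes the tunnel uses an AES-CBC cipher with HMAC-SHA1, which the post does not state, and that HMAC-SHA1 runs at roughly the raw `sha1` rate; the function names are hypothetical.

```python
import re

# Rows copied from the router's `openssl speed` output quoted in this post.
SPEED_OUTPUT = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
aes-128 cbc      7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-192 cbc      7108.66k     8013.22k     8061.08k     8232.59k     8185.86k
aes-256 cbc      6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
"""

BLOCK_SIZES = (16, 64, 256, 1024, 8192)
# Algorithm name (may contain a space) followed by five "<number>k" columns.
ROW = re.compile(r"^(\S.*?)\s+((?:\d+\.\d+k\s*){5})$")


def parse_speed(text):
    """Return {algorithm: {block_size: Mbit/s}} from `openssl speed` rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or any other non-data line
        values = [float(v.rstrip("k")) for v in m.group(2).split()]
        # openssl reports 1000s of bytes per second; convert to Mbit/s.
        table[m.group(1)] = {b: v * 8 / 1000 for b, v in zip(BLOCK_SIZES, values)}
    return table


def crypto_ceiling(table, cipher, digest, block=1024):
    """Mbit/s upper bound when every packet is encrypted, then MACed, on one core.

    Assumption: the two operations run back to back, so their per-byte
    costs add. The 1024-byte column is the closest to a full-size packet.
    """
    c, d = table[cipher][block], table[digest][block]
    return 1 / (1 / c + 1 / d)


if __name__ == "__main__":
    t = parse_speed(SPEED_OUTPUT)
    for cipher in ("aes-128 cbc", "aes-192 cbc", "aes-256 cbc"):
        print(f"{cipher} + sha1: {crypto_ceiling(t, cipher, 'sha1'):.1f} Mbit/s")
```

The result is a best case for crypto alone: OpenVPN runs in userspace on the same CPU, so moving packets through the tunnel device and compressing them compete for the cycles this estimate hands entirely to the cipher and digest.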
The moral of the story here is VPN service can be fast and reliable, but if you want it to be on par with your home ISP, you will need the hardware to support it. So, I am now looking for a more powerful router. At first glance it looks like [MikroTik](http://www.mikrotik.com "MikroTik") or [Ubiquiti](http://www.ubnt.com "Ubiquiti") might have what I’m looking for.