Privacy

OpenVPN Performance through PrivateInternetAccess

I’ve been wanting to get a VPN service due to privacy concerns for a while now. I have not done it until now mostly because of my assumptions about VPN service speeds and reliability. A (blog post)[http://blog.level3.com/global-connectivity/verizons-accidental-mea-culpa/ “Verizon’s Accidental Mea Culpa”] by Level 3’s Mark Taylor prompted me to finally take action. As it turned out, I was about half-right in my guesses and below I’ll tell you why.

First, though, let me talk about my choice of VPN service. To clarify, my primary concern was privacy, speed, and reliability. Conducting illegal activities was not part of my search criteria, however I did keep in mind the attitude towards using popular file sharing protocols since there are plenty of legitimate uses for those. I looked at about 10 different options and ended up going with PrivateInternetAccess)[https://www.privateinternetaccess.com “PrivateInternetAccess”). Don’t take this as a “best of 10,” though, because I have not properly reviewed any of them.

Before choosing PrivateInternetAccess, I was leaning towards AirVPN because of their origins. But, what turned me off is their slow support for prospective customers (I requested a trial and am still waiting on a reply) and their social features oriented website. For instance, their customer and forum accounts are one and the same, and when logging in one has to explicitly check the option to not be added to the active users list. The control panel has all the usual social profile features of a forum member (user information, post tracker, status feed, etc) in addition to billing information and other service related information such as current plan, support tickets, and invoices. I understand the need for a community, but when you are a privacy oriented service I feel there are better ways of going about setting that up.

All this in contrast to (PrivateInternetAccess)[https://www.privateinternetaccess.com “PrivateInternetAccess”), or PIA for short, that only has options for setting your e-mail, password, and subscription. That’s more up my alley. And they are cheap.

I did briefly consider running my own VPS setup on a VPN, but the cost/benefit didn’t work out.

Let’s talk benchmarks. I should warn that these numbers are not very scientific in the sense that, although I performed multiple tests while setting things up and messing around, the results below are from one-time runs that were done specifically for this post but still looked representative of my overall experience.

There were three main scenarios that I looked at, with the only difference being where the VPN client was set up.

  • For all of the speed tests I chose one closest geographical location (VPN server was set to the same state).
  • There was no other significant traffic on the LAN
  • DOCSIS 3.0 cable modem with a 100BASE-T cable plugged in to WAN (because it helped with cable management and wasn’t going to come close to capping my bandwidth)
  • 50/5 Mbps ISP plan
  • OpenVPN setup
  • All the snapshots were done within a 30 minute window

Scenario 1 — no VPN.

Speedtest without VPN

This is the baseline — low ping, speeds as advertised. No surprise there.

Scenario 2 — VPN on a Windows PC running PIA’s software

Speedtest with VPN on a PC

Triple the latency and triple the speed. Pretty impressive, huh? The conclusion is obvious — to increase the speed we must increase the latency! Call your ISP now and demand higher ping times! All kidding aside,
the increase in latency is due to additional VPN hops and the increase in speed is most likely due to LZO compression. Still, rather impressive considering I am going through a VPN. Certainly, not what I was expecting and in a good way.

Scenario 3 — VPN on TL-WDR4300 router running OpenWRT Attitude Adjustment

Speedtest with VPN on a TL-WDR4300 router

This is really the use case I was going for. I wanted to set up VPN service on my router for use for the entire house. The latency did not change from the previous scenario, however the download speed took a huge hit — about 1/4th of my regular speed and 1/10th of the VPN link with compression enabled. That’s not where I want to be for the entire house. The drop is mainly due to lack of processing power and cryptography instruction set of the Atheros chipset.

Here are some router details and benchmarks:

r36088 | Atheros AR9344 rev 2 | TP-LINK TL-WDR4300 (rev. 1.6) | MIPS 74Kc V4.12

OpenSSL 1.0.1h 5 Jun 2014
built on: Tue Jul 8 12:26:54 CEST 2014
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
compiler: ccache_cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/include -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DOPENSSL_NO_ERR -DTERMIO -Os -pipe -mips32r2 -mtune=mips32r2 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -fpic -fomit-frame-pointer -Wall -DSHA1_ASM -DSHA256_ASM -DAES_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               2262.45k     7884.17k    20603.42k    36201.19k    46113.77k
sha1              2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
des cbc           4773.74k     5072.14k     5074.42k     5106.69k     4915.20k
des ede3          1722.16k     1746.40k     1748.50k     1751.77k     1756.32k
aes-128 cbc       7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-192 cbc       7108.66k     8013.22k     8061.08k     8232.59k     8185.86k
aes-256 cbc       6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
sha256            1778.04k     4265.98k     7643.96k     9560.77k    10464.99k
sha512             553.24k     2236.05k     3239.23k     4406.14k     5018.68k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.108095s 0.003021s      9.3    331.0
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.030133s 0.036694s     33.2     27.3

The moral of the story here is VPN service can be fast and reliable, but if you want it to be on par with your home ISP, you will need the hardware to support it. So, I am now looking for a more powerful router. At first glance it looks like (MikroTik)[http://www.mikrotik.com “MikroTik”) or (Ubiquiti)хhttp://www.ubnt.com “Ubiquiti”) might have what I’m looking for.

Leaving GoDaddy on the SOPA/PIPA Bandwagon

Although it’s a few days past the 18th, I finally transferred my domain names that used to be registered with GoDaddy to other registrars. I’ve used  GoDaddy’s services for several years now and haven’t had any issues. That is until I learned about their support of SOPA/PIPA. The decision to leave was made immediately, however it took a few days to figure out where to take my business.

SOPA/PIPA Blackouts

I’ve been keeping an eye out for the websites that participated in the blackout and their level of participation. The level ranged from completely taking the website down to watermarking logos. The biggest disappointment for me personally was the level of participation which slashdot showed. From what I could see, all it was just a couple of sticky posts inviting discussion on the subject. They did freeze all new article content for the duration of the blackout, but left all the old news posts intact. It is better than, say, covering your logo with sopa-themed graphic, however I felt that it didn’t have the impact I hoped for and they should have done more. Wikipedia was one of the greatest examples of the level of participation I expected.

Here’s a list I grabbed from http://sopastrike.com/ around 19:45 on Saturday, January 21st. Oh and here’s a small list of sites I noticed that participated but are not on that list:

  • xkcd.com
  • amazon.com

Confirmed Participants: