I’m looking to upgrade my current router but can’t figure out if the S1300 is worth the price difference. How comparable are the speeds of these routers using vpn/wireguard?
The S1300 should get almost 10Mbit for 128bit AES with OpenVPN as seen here:
For comparison, a Raspberry Pi 3 B+ will do ~37Mbit
For openvpn/wireguard, B1300 and S1300 is almost the same
Openvpn 25Mbps, Wireguard 190Mbps
Are you getting that speed while copying a text file over the OpenVPN link with compression enabled?
What method are you using to get these numbers?
where are you getting your numbers?
sfx@raspy3:~ $ openvpn --genkey --secret /tmp/secret
sfx@raspy3:~ $ time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
Thu Jun 6 18:59:24 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real 0m41.372s
user 0m41.212s
sys 0m0.120s
Take the “real time” value (in seconds)
3200/time = max throughput in Mb/Sec
So RPi3B+ is around 77 Mb/Sec in theoretical throughput…
Anyways, bit of discussion on that topic over at SNBForums.com
I’ll have to take a look at my B1300 when I get a chance…
I would expect OpenVPN to be about half of Pi3B+ – as it’s a Cortex-A7 running at half the speed…
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
This test is only a self-check of correctness for OpenVPN to encrypt and decrypt a packet crafted for upto the specified --tun-mtu setting. It is not a speed benchmark test.
If you run it without --verb 0 you can see what its doing. The last few lines are:
Fri Jun 7 07:50:12 2019 TESTING ENCRYPT/DECRYPT of packet length=19998
Fri Jun 7 07:50:12 2019 TESTING ENCRYPT/DECRYPT of packet length=19999
Fri Jun 7 07:50:12 2019 TESTING ENCRYPT/DECRYPT of packet length=20000
Fri Jun 7 07:50:12 2019 OpenVPN crypto self-test mode SUCCEEDED.
Interesting my Raspi 3b + running in 64 bit mode (OpenWRT) completed the check more than 2x as fast as yours:
real 0m 16.33s
user 0m 16.33s
sys 0m 0.00s
Which using the magic 3200 gives 195 Mbps (on a CPU without AES instructions!!)
I am using the openssl speed bench. OpenVPN will not be able to go faster than openssl’s max encryption per second. The real world number will be lower.
openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 5881191 aes-128 cbc’s in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 1648690 aes-128 cbc’s in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 426536 aes-128 cbc’s in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 107570 aes-128 cbc’s in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 13476 aes-128 cbc’s in 3.00s
Doing aes-128 cbc for 3s on 16384 size blocks: 6739 aes-128 cbc’s in 3.00s
OpenSSL 1.1.1c 28 May 2019
built on: Fri May 31 19:01:33 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,–noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_SMALL_FOOTPRINT
The ‘numbers’ are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128 cbc 31366.35k 35172.05k 36397.74k 36717.23k 36798.46k 36803.93k
I’m using the ‘36803.93k’ number to get a ball park 37Mbit.
The Pi 3 B+ has a A53 - heres some documents for comparison of the two.
So:
The Cortex-A35 can deliver up to 40% faster performance[1] than the Cortex-A7 — at the same clock speed — while consuming 10% less power
And:
At the same clock speed the Cortex-A35 reaches 80%-100% of the performance of a Cortex-A53 depending on the workload
The A53 in the Pi 3B + will be quite a bit faster, clock for clock.
Depends - RPi3B+, even in 64bit is going to pale against other Cortex-A53’s that have the ARM crypto extensions (Pi3/Pi3B+ doesn’t)
Default Raspbian on Pi3 runs the A53 as a 32-bit ARMHF, so perf there is going be reflect that.
Getting back to B1300/S1300 - OpenVPN perf there is going to be slightly faster, around 15 percent, compared to AR300M with the AR9531 running at 612MHz…
WG, I would think the S1300/B1300 might be quite a bit faster than AR300M as an estimate - wider memory bus on the IPQ40XX vs. the AR9531…
OpenSSL provides a higher level interface to abstract away cipher specifics. This is called the EVP interface. OpenVPN uses the EVP interface.
When calling openvpn speed <cipher>
it does not use this interface, but the cipher-specific one.
Instead, calling openvpn as such:
openvpn speed -evp aes-128-cbc
Uses the more generic interface, and actually will detect applicable optimizations for your processor such as AES-NI and enable them accordingly. In the case of the pi3b+ it does not have specific AES instructions, but it does have a more generic hardware acceleration they call NEON which in more recent (2014) versions of OpenSSL they utilize with assembly code.
When running in this mode on my RPi3B+ I get the following:
openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 7718360 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 2639178 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 731593 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 187992 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 23692 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 11847 aes-128-cbc's in 3.00s
OpenSSL 1.1.1c 28 May 2019
built on: Fri May 31 19:01:33 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_SMALL_FOOTPRINT
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 41164.59k 56302.46k 62429.27k 64167.94k 64694.95k 64700.42k
A theoretical maximum of 63Mbps.
Yes thats right, but 64bit mode will not make it faster - it could well make it slower using unneeded larger 64 bit addresses. 64bit is for addressing more then 4GB of memory - but it has 1GB. I’m unsure why openwrt chose to make it 64bit - it makes all the binaries bigger for no gain.