Meet Brume 2!

Ok, I’ll admit being a little surprised by my own numbers:

| Brume2 cascade ovpn | d/l | u/l |
| --- | --- | --- |
| test 1 | 55.78 | 22.39 |
| test 2 | 53.3 | 20.78 |
| test 3 | 60.51 | 21.71 |

Setup:

Brume 2 ovpn client, tcp 443 aes-128-gcm connected to internal openvpn server (pfSense, Xeon D-1541)
Brume 2 ovpn server in cascade mode, udp 1194, aes-128-gcm with tls-auth enabled.
Viscosity OVPN client on M1 Macbook Pro 14" connected via wireless AP (Unifi 6 LR) to a managed switch with the Brume 2.

The fact that @wcs2228 was able to get 30 in both directions but I only managed 61 down / 21 up probably means there’s something goofy happening, but I don’t have time to debug it right now.

All in all, it does look like a pretty substantial performance hit on the cascade at the moment, at least for OVPN.

Edit:
Ok, this makes a little more sense when you look at it in the context of OpenVPN server performance on the Brume and not OpenVPN client performance on the Brume, which is all I’d ever tested. On the server side, I pretty consistently got about 120mbps down and only 60mbps up to a MT2500 server. So I suspect the bottleneck is on that side of things.

I’ve noticed this on my Mango and Beryl, too, on the rare occasions when my upload isn’t limited (i.e., outside the US). I consistently get 25-50% better upload speeds than download speeds. (Of course, an order of magnitude lower on the Mango.)

Weird. I’ve occasionally seen this, but it’s more like 10%, not 50%, and almost always at hotels (where my assumption is that it’s traffic shaping on their part, rather than a function of the router).

OT, I know, but I just did a test. Laptop wirelessly to Mango on 3.15, in repeater mode to a fiber 150/150 connection at an airbnb’s isp-supplied router, serving as a client to the home router which can max out any OpenVPN connection I can make (it being 200/35, with no cascade to the internet), out to speedtest. 4.88 d/l and 7.3 u/l. So, given all the haircuts along the way but without any obvious bottleneck, u/l is much better than download. This is consistent with what I’ve seen in the past.

(Way, way off topic: using the mango because the beryl is in lost baggage. Divide your credit cards and your travel routers.)

Or just carry them with you!

Has anyone generated an OpenVPN config and tried to use it with OpenVPN for Android?

I can’t connect and the logs of OpenVPN for android show:
“OpenSSL: error:0A00018E:SSL routines::ca md too weak”

“OpenSSL reported a certificate with a weak hash.”

“Cannot Load inline certificate file”.

From what I can tell, the certificates generated are using outdated methods and they are rejected by OpenVPN for Android.

I haven’t checked that, but it’s relatively easy to generate a new cert pair and upload it. openvpn-easy-rsa is available in repo, and this guide explains the rest…

That said, poor form to generate keys using sha1 these days - definitely something that needs to be updated. It looks like you might be able to update it in the /usr/bin/cert_manager script - change the 1024s to 2048 or 4096, and all the 2048’s to 4096. And most importantly change the sha1’s to sha256 or sha512.

I am able to connect over OpenVPN from my Android smartphone to the Brume 2. I use the “official” OpenVPN Connect app and the same OpenVPN config file that I use for testing on Windows PC. There are no errors in the log like those you listed.

Doesn’t change the fact that generating certs with sha1 is insecure af these days, hence the warning. Someone with a similar issue in a support thread on OpenVPN’s official forums noted that they “solved” the problem by downgrading to an older client. To which a dev (correctly) responded, “Your VPN is still insecure.”

Just to be clear, Mozilla has been talking about this since 2014, and it was fully and practically broken in 2020, so it’s not like it should take anybody by surprise.
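The `ca md too weak` error quoted above concerns the hash used to sign the CA certificate. As an added example (not from the thread and not GL.iNet's code), this Python script reads the inline `<ca>` and `<cert>` blocks of an `.ovpn` file and reports each certificate's signature algorithm OID, flagging MD5- and SHA-1-based ones. The sample config is built from constructed certificate skeletons (the helper names `_tlv`, `_sample_pem` and `SAMPLE_OVPN` are this example's own); real certificates are laid out the same way.

```python
import base64
import re

WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",  # MD5/SHA-1 based signature OIDs
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, pos, _ = read_tlv(der, 0)          # enter the outer SEQUENCE
    _, _, pos = read_tlv(der, pos)        # skip tbsCertificate
    _, pos, _ = read_tlv(der, pos)        # enter signatureAlgorithm
    tag, start, end = read_tlv(der, pos)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(der[start:end])

def audit_ovpn(text):
    """Return (section, oid, weak_name_or_None) for each inline certificate."""
    return [(section, oid, WEAK.get(oid))
            for section, body in re.findall(r"<(ca|cert)>(.*?)</\1>", text, re.S)
            for oid in (signature_oid(base64.b64decode(b)) for b in PEM.findall(body))]

def _tlv(tag, body):  # DER encoder for bodies under 256 bytes; builds the sample only
    return bytes([tag]) + (b"\x81" if len(body) > 127 else b"") + bytes([len(body)]) + body

def _sample_pem(oid_hex, pad):  # constructed certificate skeleton, not a real cert
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, _tlv(0x04, bytes(pad))) + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
SAMPLE_OVPN = ("client\n<ca>\n" + _sample_pem("2a864886f70d010105", 150) + "</ca>\n"
               "<cert>\n" + _sample_pem("2a864886f70d01010b", 20) + "</cert>\n")
```

Calling `audit_ovpn()` on the text of an exported config returns one tuple per inline certificate; a non-`None` third field means that certificate is signed with a weak hash.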

Always carry anything that I might need on carry on for just this situation (travel router, chromecast etc). In the old days it was heaps of proprietary AC adapters, luckily USB is now much more commonplace for charging multiple devices :slight_smile: On the way home throw them in my checkin, if they’re lost I can replace when I get home but not easily when I’m overseas :stuck_out_tongue:

Same. I’ve got a Peak Design Tech Pouch that has cables, chargers and whatever GL product I happen to be carrying at the time. I usually pack a second in my checked bag, just in case. The really annoying one recently has been the steam deck, which I just can’t find a way to pack well. C’est la vie…

Got my Brume 2 today, Fedex is the worst shipper in the world, what a disaster, customer support is almost non existing, gets 1 star on Trustpilot here in NL.
Aside from that, got a (Proton) Wireguard connection up in a minute, speeds are over 300 Mb/s on a 1 Gb connection which is great.

I changed the Brume 2 Wireguard server to use port 51821 to get cascading WireGuard server with NordVPN WireGuard, which had a conflict on port 51820.

Performance is pretty good (my Internet plan is max. 30Mbps upload from the ISP).

BTW, cascading WireGuard server with NordVPN OpenVPN and cascading OpenVPN server with NordVPN WireGuard both work fine.

I got mine last week too.

The crypto department is a mess. Where is Bridger? I am not sure if the packet acceleration works. It is slow.

I don’t understand the decision to cut down entire WIFI support, basically any wifi dongle doesn’t work. The device has heaps of storage, what’s the point stripping the FW?

I am still into plain stock OpenWrt devices; it is a pain even to change the default 80 service port (okay, found it later).
If you compile from infra builder, you don’t get the needed kmod libs.

Also for those who will manage to brick the device the filename has to be oppenwrt-gl-mt2500.bin in uboot, at least that’s what uart says.

In bridge mode the Adguard menu disappears…
It isn’t too easy to set a static IP or custom DNS in bridge mode.
Can’t set the port of Adguard and dnsmasq from web. - it’s somehow working from cli / luci.

Bridge. Connect to a wired network. Bridge mode is a networking feature that allows two routers together. When it is enabled, it essentially turns the router into a switch. The bridge-enabled router will still transfer data, but it won’t perform traditional Network Access Translation (NAT) processes.

What are your use cases for the Brume 2 in bridge mode vs. buying a switch?

I’m trying to use it as a mini server / Adguard for my lan. Redirecting the DNS requests has limitations in classifying dns clients … I want it to be also in the same lan of the main router from home.

Using it as just a security gateway (unfortunately without wifi) is just one scenario.

After some research… :

Use Adguard with all features (that is not possible with dns redirect dnsmasq to AdGuard), from your main router lan…

Step 1
Install the nano package from plugins; you will need it.
Step 2
Activate AdGuard and configure whatever settings you need in it.
Step 3
Using luci - Network → DHCP and DNS → advanced settings → set dnsmasq dns port to 5353 (different from 53)
Step 4
Login via ssh and with: nano /etc/AdGuardHome/config.yaml
change dns port from 3053 to 53 and save
Step 5
In AdGuard settings → DNS settings → Private reverse DNS servers
type your dnsmasq details like … 192.168.8.1:5353.
Step 6
Open port 53 in firewall. Also ports 80, 22, 3000 will be useful, but take care when you use the device in other scenarios.
Step 7
Instruct / Set your main router dhcp server to advertise the AdGuard dns server to the dhcp clients.

Now you can use Adguard with all features (that is not possible with dns redirect dnsmasq to AdGuard), from your main router lan, and see in AdGuard Dashboard every client request.
For vpn and tor you must connect a pc in the Brume2 lan port.

Warning: If you disable AdGuard then dns will not work!
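Step 6 above opens ports 53, 80, 22 and 3000 and notes that the device may later be used in other scenarios. As an added example (not part of the original post), this Python check parses OpenWrt firewall configuration text and lists enabled rules that accept those ports from the `wan` zone, which is what to review before the device goes onto an untrusted network. The sample config, its rule names and the service labels are constructed for illustration; on the device the text would come from `/etc/config/firewall`.

```python
import shlex

# Ports opened in Step 6; the service labels are this example's assumptions.
MGMT_PORTS = {22: "SSH", 53: "DNS", 80: "web admin", 3000: "AdGuard Home UI"}

def parse_uci(text):
    """Parse UCI config text into a list of (section_type, options) pairs."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles quotes and '#' comment lines
        if len(words) >= 2 and words[0] == "config":
            sections.append((words[1], {}))
        elif len(words) >= 3 and words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2]
    return sections

def wan_exposed(text):
    """List (rule_name, port, service) for enabled wan-zone ACCEPT rules on MGMT_PORTS."""
    hits = []
    for kind, opt in parse_uci(text):
        if kind != "rule" or opt.get("src") != "wan" or "dest" in opt:
            continue  # keep only traffic from wan addressed to the router itself
        if opt.get("target", "").upper() != "ACCEPT" or opt.get("enabled", "1") == "0":
            continue
        for port in opt.get("dest_port", "").split():
            if port.isdigit() and int(port) in MGMT_PORTS:
                hits.append((opt.get("name", "(unnamed)"), int(port), MGMT_PORTS[int(port)]))
    return hits

# Constructed sample; the last rule is disabled and must not be reported.
SAMPLE_FIREWALL = """
config rule
    option name 'Allow-DNS-AdGuard'
    option src 'wan'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-Admin'
    option src 'wan'
    option dest_port '22 80 3000'
    option target 'ACCEPT'

config rule
    option name 'Old-test'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
    option enabled '0'
"""
```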

1 Like

I have my GL-MV1000W Brume 1 set up as a secondary/backup AdGuardHome server on my LAN. It is still in Router mode, with no WAN nor WWAN connection and only Ethernet LAN is connected. I disabled dnsmasq (includes DHCP server), then set up AdGuardHome to listen on TCP Port 53 directly and my main router’s dnsmasq (the only DHCP server on LAN) advertising the Brume 1 IP address as the DNS server. Client devices IP addresses are captured by AdGuardHome.

I do not use VPN on Brume 1, but that is possible with additional configuration.

How do you set up NordVPN Wireguard?

NordVPN has its proprietary version of wireguard and I can’t figure out how to set it up on Brume 2.