Meet Brume 2!

This also actually isn’t too surprising to me, given that on the download side OpenVPN can run at 3x that speed, meaning that you’ve got more than enough overhead to cascade. When you factor in the second core you’ve got plenty of overhead in both directions.

I would expect that you’ll see some differences in WG though, when you can do it.

Editing for your edit: Clearly limited by your 30mbps upload here - not a limitation of the device. It’s late enough here that I’m not going to reflash everything to test, but if I get around to it tomorrow I’ll post numbers that aren’t limited by an arbitrary upload.

I have both a GL-MV1000W Brume 1 and a GL-MT2500A Brume 2.

Currently, I am only using the Brume 1 as a secondary/backup AdGuardHome server on LAN-only, without any routing or wifi. I have a Synology NAS running a primary AdGuardHome server in docker. Originally, I had the Brume 1 set up as a VPN appliance on LAN-only, but decided to deploy it for a more useful purpose.

The Brume 2 is really small yet more powerful, so gets better VPN performance and I agree has more potential to run other tasks.

Both devices could function well as non-wifi main routers with wifi access points. They are inexpensive enough to just have for personal amusement and learning :rofl: :rofl:.

I’m planning on making mine a tor relay and possibly putting a couple of LXC containers on it. The main function will probably be using it to answer questions here, though.

Lxc on Brume2??? How? I’m interested

I built an image using the infra-builder, but the package exists in OpenWRT trunk. I’d start by trying to install luci-app-lxc and see what’s broken, then ask GLI to add it. Or build your own image :slight_smile:

Ok, I’ll admit being a little surprised by my own numbers:

| Brume2 cascade ovpn | d/l | u/l |
|---|---|---|
| test 1 | 55.78 | 22.39 |
| test 2 | 53.3 | 20.78 |
| test 3 | 60.51 | 21.71 |

Setup:

Brume 2 ovpn client, tcp 443 aes-128-gcm connected to internal openvpn server (pfSense, Xeon D-1541)
Brume 2 ovpn server in cascade mode, udp 1194, aes-128-gcm with tls-auth enabled.
Viscosity OVPN client on M1 Macbook Pro 14" connected via wireless AP (Unifi 6 LR) to a managed switch with the Brume 2.

The fact that @wcs2228 was able to get 30 in both directions but I only managed 61 down / 21 up probably means there’s something goofy happening, but I don’t have time to debug it right now.

All in all, it does look like a pretty substantial performance hit on the cascade at the moment, at least for OVPN.

Edit:
Ok, this makes a little more sense when you look at it in the context of OpenVPN server performance on the Brume and not OpenVPN client performance on the Brume, which is all I’d ever tested. On the server side, I pretty consistently got about 120mbps down and only 60mbps up to a MT2500 server. So I suspect the bottleneck is on that side of things.

I’ve noticed this on my Mango and Beryl, too, on the rare occasions when my upload isn’t limited (i.e., outside the US). I consistently get 25-50% better upload speeds than download speeds. (Of course, an order of magnitude lower on the Mango.)


Weird. I’ve occasionally seen this, but it’s more like 10%, not 50%, and almost always at hotels (where my assumption is that it’s traffic shaping on their part, rather than a function of the router).

OT, I know, but I just did a test. Laptop wirelessly to Mango on 3.15, in repeater mode to a fiber 150/150 connection at an airbnb’s isp-supplied router, serving as a client to the home router which can max out any OpenVPN connection I can make (it being 200/35, with no cascade to the internet), out to speedtest. 4.88 d/l and 7.3 u/l. So, given all the haircuts along the way but without any obvious bottleneck, u/l is much better than download. This is consistent with what I’ve seen in the past.

(Way, way off topic: using the mango because the beryl is in lost baggage. Divide your credit cards and your travel routers.)


Or just carry them with you!

Has anyone generated an OpenVPN config and tried to use it with OpenVPN for Android?

I can’t connect and the logs of OpenVPN for android show:
“OpenSSL: error:0A00018E:SSL routines::ca md too weak”

“OpenSSL reported a certificate with a weak hash.”

“Cannot Load inline certificate file”.

From what I can tell, the certificates generated are using outdated methods and they are rejected by OpenVPN for Android.

I haven’t checked that, but it’s relatively easy to generate a new cert pair and upload it. openvpn-easy-rsa is available in repo, and this guide explains the rest…

That said, poor form to generate keys using sha1 these days - definitely something that needs to be updated. It looks like you might be able to update it in the /usr/bin/cert_manager script - change the 1024s to 2048 or 4096, and all the 2048’s to 4096. And most importantly change the sha1’s to sha256 or sha512.

I am able to connect over OpenVPN from my Android smartphone to the Brume 2. I use the “official” OpenVPN Connect app and the same OpenVPN config file that I use for testing on Windows PC. There are no errors in the log like those you listed.

Doesn’t change the fact that generating certs with sha1 is insecure af these days, hence the warning. Someone with a similar issue in a support thread on OpenVPN’s official forums noted that they “solved” the problem by downgrading to an older client. To which a dev (correctly) responded, “Your VPN is still insecure.”

Just to be clear, Mozilla has been talking about this since 2014, and it was fully and practically broken in 2020, so it’s not like it should take anybody by surprise.
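Added example, not part of any post in this thread: a stdlib-only check that reads the signature algorithm of each inline `<ca>`/`<cert>` certificate in an .ovpn profile, so a SHA-1-signed certificate can be spotted before a client rejects it with "ca md too weak". The function names and the sample profile are constructed for illustration; the sample holds skeleton DER rather than real certificates, and the check reads only the outer signatureAlgorithm field without validating the certificate.

```python
import base64
import re

SIG_ALGS = {  # signature-algorithm OID -> (name, weak digest?); RSA only, for brevity
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cert_sig_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)                    # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)              # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)          # signatureAlgorithm SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)  # its OBJECT IDENTIFIER
    return decode_oid(der[oid_start:oid_end])

def audit_ovpn(text):
    """Return (block, algorithm, weak) for each inline <ca>/<cert> certificate."""
    pem = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [(block,) + SIG_ALGS.get(oid, (oid, None))  # unknown OID: weak=None
            for block, body in re.findall(r"<(ca|cert)>(.*?)</\1>", text, re.S)
            for oid in map(cert_sig_oid, map(base64.b64decode, re.findall(pem, body, re.S)))]

# Constructed sample: skeleton DER with an empty tbsCertificate, not real certificates.
def fake_pem(last_arc):
    der = bytes.fromhex("30143000300d06092a864886f70d0101%02x0500030100" % last_arc)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()
SAMPLE_OVPN = "client\n<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n" % (fake_pem(5), fake_pem(11))
```

Calling `audit_ovpn()` on the text of an exported profile returns one tuple per inline certificate; any entry whose third field is `True` needs the CA and certificates regenerated with a SHA-2 digest.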

Always carry anything that I might need on carry on for just this situation (travel router, chromecast etc). In the old days it was heaps of proprietary AC adapters, luckily USB is now much more commonplace for charging multiple devices :slight_smile: On the way home throw them in my checkin, if they’re lost I can replace when I get home but not easily when I’m overseas :stuck_out_tongue:


Same. I’ve got a Peak Design Tech Pouch that has cables, chargers and whatever GL product I happen to be carrying at the time. I usually pack a second in my checked bag, just in case. The really annoying one recently has been the steam deck, which I just can’t find a way to pack well. C’est la vie…

Got my Brume 2 today, Fedex is the worst shipper in the world, what a disaster, customer support is almost non existing, gets 1 star on Trustpilot here in NL.
Aside from that, got a (Proton) Wireguard connection up in a minute, speeds are over 300 Mb/s on a 1 Gb connection which is great.

I changed the Brume 2 Wireguard server to use Port 51821 to get cascading WireGuard server with NordVPN WireGuard, which had a conflict on Port 51820.

Performance is pretty good (my Internet plan is max. 30Mbps upload from the ISP).

BTW, cascading WireGuard server with NordVPN OpenVPN and cascading OpenVPN server with NordVPN WireGuard both work fine.


I got mine last week too.

The crypto department is a mess. Where is Bridger? I am not sure if the packet acceleration works. It is slow

I don’t understand the decision to cut down entire WIFI support, basically any wifi dongle doesn’t work. The device has heaps of storage, what’s the point stripping the FW?

I am still into plain stock openwrt device, it is a pain even to change the default 80 service port, okay found it later.
If you compile from infra builder, you don’t get needed kmod libs.

Also for those who will manage to brick the device the filename has to be oppenwrt-gl-mt2500.bin in uboot, at least that’s what uart says.
