Performance Analysis of OpenVPN on a Consumer Grade Router
Michael J. Hall
TL;DR
The paper evaluates OpenVPN performance on a consumer-grade WRT54GL router running DD-WRT, using a $2^{k-p}$ fractional factorial design to identify how factors like interface type, transport protocol, cipher, compression, and workload affect throughput, RTT, and jitter. It finds that throughput is mainly limited by the router's CPU and is heavily influenced by the encryption cipher (AES-256) and, to a lesser extent, the transport protocol, with encryption accounting for about 84% of throughput variation and RTT variation largely driven by the transport protocol (~66%). The study demonstrates that OpenVPN on inexpensive embedded hardware can be feasible for certain Internet-scale speeds but is throughput-limited, and it provides a data-driven basis for selecting configurations to balance security and performance. Practical impact includes guidance for home users and small businesses on configuring OpenVPN on embedded routers, and it highlights the need for hardware upgrades or topology adjustments to achieve higher throughputs in VPN deployments.
Abstract
Virtual Private Networks (VPNs) offer an alternative solution using Internet Protocol (IP) tunnels to create secure, encrypted communication between geographically distant networks using a common shared medium such as the Internet. They use tunneling to establish end-to-end connectivity. OpenVPN is a cross-platform, secure, highly configurable VPN solution. Security in OpenVPN is handled by the OpenSSL cryptographic library which provides strong security over a Secure Socket Layer (SSL) using standard algorithms such as Advanced Encryption Standard (AES), Blowfish, or Triple DES (3DES). The Linksys WRT54GL router is a consumer-grade router made by Linksys, a division of Cisco Systems, capable of running under Linux. The Linux-based DD-WRT open-source router firmware can run OpenVPN on the Linksys WRT54GL router. For this case study, the performance of OpenVPN is measured and analyzed using a $2^{k-p}$ fractional factorial design for 5 minus 1 factors where $k=5$ and $p=1$. The results show that the throughput is mainly limited by the encryption cipher used, and that the round-trip time (RTT) is mostly dependent on the transport protocol selected.
