External provider wireguard tunnel so slow

Hi folks, how are you? Does anyone know why external provider wireguard tunnels work so slow? I have a premium account in protonvpn and the tunnel configured on the openwrt router gives me 30mb max... if I run the same tunnel from my laptop directly it gives me 130mb, in some cases 200mb. Both are running on the same internet connection with 1000mbits speeds. Thanks in advance.

underpowered router SoC's keeping you back.


I suppose that your router's cpu will be less powerful than your laptop's, to understand you can try to see the htop command (after installing it on the router)


It could be related to the hardware you're using for your router. WireGuard is more performant than most other VPN protocols, but still requires encryption that is not hardware accelerated on most devices.

ubus call system board

I'm using a tplink archer c7 v4... cpu running the external provider vpn is at 10% usage

	"kernel": "5.15.167",
	"hostname": "AC-1750-OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v4",
	"board_name": "tplink,archer-c7-v4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"

Yup... the performance you're getting is in-line with the processor in your device. The limitation is the CPU/SoC of the router itself (just not that powerful).


I tried the htop command but it says command not found...

opkg update
opkg install htop

Yes, I did it... the cpu gets overloaded when I run a speed test... but the strange thing is that last night it gave me 90/100mb... the packages installed on the router make a difference, right?

htop requires CPU time too, but it's not much compared to the VPN.

run htop when there's no traffic over the VPN, to see the difference.
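Added example, not part of the thread: a small POSIX shell helper that does the idle-versus-loaded comparison suggested above from two samples of the aggregate `cpu` line in `/proc/stat`. Kernel-mode WireGuard does its work in kernel context, so the load appears as system and softirq time rather than against a user process; the function name, the `--live` switch and the two sample lines are constructed for illustration.

```sh
#!/bin/sh
# Constructed samples of the first line of /proc/stat, in jiffies:
# cpu user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_BEFORE="cpu  1000 0 500 98000 100 0 400 0 0 0"
SAMPLE_AFTER="cpu  1100 0 900 98100 100 0 1800 0 0 0"

# cpu_breakdown "<before>" "<after>"
# Prints the share of elapsed CPU time that was busy, and how much of it
# was kernel (system) and softirq time, as whole percentages.
cpu_breakdown() {
    read -r tag u1 n1 s1 i1 w1 q1 sq1 st1 rest <<EOF
$1
EOF
    read -r tag u2 n2 s2 i2 w2 q2 sq2 st2 rest <<EOF
$2
EOF
    # Older kernels may omit the steal column; treat it as zero.
    st1=${st1:-0}; st2=${st2:-0}
    total1=$((u1 + n1 + s1 + i1 + w1 + q1 + sq1 + st1))
    total2=$((u2 + n2 + s2 + i2 + w2 + q2 + sq2 + st2))
    dt=$((total2 - total1))
    # No elapsed time between samples: nothing to report.
    if [ "$dt" -le 0 ]; then
        echo "busy=0 system=0 softirq=0"
        return 0
    fi
    didle=$(( (i2 + w2) - (i1 + w1) ))
    busy=$(( 100 * (dt - didle) / dt ))
    sys=$(( 100 * (s2 - s1) / dt ))
    sirq=$(( 100 * (sq2 - sq1) / dt ))
    echo "busy=$busy system=$sys softirq=$sirq"
}

if [ "${1:-}" = "--live" ]; then
    # On the router: start the speed test, then sample over N seconds.
    before=$(head -n 1 /proc/stat)
    sleep "${2:-5}"
    after=$(head -n 1 /proc/stat)
    cpu_breakdown "$before" "$after"
else
    cpu_breakdown "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

A busy figure near 100 during the speed test, dominated by system and softirq, means the single core is saturated by packet handling and encryption.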

I'm seeing that. The other strange thing is that the router can manage a 1000mbit connection but not a vpn? I'm not expecting superfast speeds... but at least 60/70mbits. It's strange because when I bought it the openvpn protocol was supported by default... and worked pretty well... with 70mb speed average.

the router needs to manage the routing, and the VPN.

To understand this, it's useful to have some context...

The SoC inside the router is highly optimized for routing, but it has a relatively weak general purpose CPU. A silly analogy is that an airplane is designed to be fast when flying, but it cannot go that fast when on the ground for a whole lot of reasons. A Formula 1 race car, by contrast, is made to go really fast on the road, but is also designed specifically so that it doesn't fly by having wings that provide a lot of down-force.

The CPU itself is required for handling the encryption, but the actual functional CPU (as compared to the routing engine hardware) is not powerful enough to manage high bandwidth VPN encryption/decryption, thus the performance you are seeing is in-line with expectations.

I understand that, but it's still strange... sometimes, mostly at night, it gives me almost 100mb running on the router... but thanks for the help.

What makes you believe that QCA956X could route 1000 MBit/s in the first place?

…it can't, far from it.
The raw routing performance of this SOC is around 180-200 MBit/s, yes software flow-offloading can push that a bit (roughly doubling those figures), but that obviously only affects the fast path, where the kernel basically never touches/ sees most packets (which is not the case for sqm, vpn and anything else where every packet counts).

This SOC was designed 15 years ago (yes, the clockspeed was raised from initially 400 MHz to up to 750 MHz in the later iterations, such as yours, but that only brought a linear speedup - and the <200 MBit/s figure above already covers the newer ones), in ~2009-2010, when 6-16 MBit/s VDSL was king of the road, maybe ~25 MBit/s tops. It's also a single-core, single-thread design, so there are no free cycles on the other cores, everything has to pass the single-core bottleneck.

Keep in mind that everything mentioned above applies before the VPN usage, a service which was considerably less common 15 years ago (even more so in the consumer market - and using very different encryption ciphers) and is pretty demanding on CPU power, which this SOC is rather scarcely equipped with.

This is the ceiling of this SOC's capabilities, already with its back to the wall, it can't do any more - and you need considerably faster hardware for that.

While filogic 820/ 830 is pushing into this territory from below, this aging thread is still on topic - even more so for VPN usage:

I've come across this issue too and did a lot of experiments with WireGuard and OpenVPN. I had a Linksys EA4200v1 router which when new was a powerful router that worked well, but is now obsolete. However, it had what I thought was a good CPU. It likewise could use OpenWrt, DD-WRT, and Tomato firmware. I was thinking different firmware would yield better results and I'd use the fastest firmware. They all were the same speed. It wasn't the firmware. The testing was done with OpenVPN and WireGuard. I could not get any more than 10 Gbps over the VPN no matter what. The OP's issue is something that can't be "fixed."

It can forward sum total a bit above gigabit, absent vlan offload support halves that in an instant due to extra memcopy, this is competing with 100mbps encryption utilising all cpu.
You need some armv8 like filogic or x86/64 with AES-NI to approach wire speed vpn (any laptop from the last 10 years will encrypt faster than a dedicated router of similar era)