Many of us also want to use our routers as a VPN server, so WireGuard, OpenVPN, etc. performance comes up quite frequently in different threads. I therefore thought it might be a good idea to have a separate topic for that.
I just ran a few VPN performance tests by executing the following steps:
Install iPerf3 on the laptop and install the iperf3 package on my OpenWrt device
Connect to the OpenWrt device via ssh and run iperf3 -s
Connect the laptop directly to the OpenWrt device via ethernet
To make sure that the results reflect the firewall performance of the device in a realistic way, I decided to use static IPv4 addresses (within the same subnet) on the WAN port of the OpenWrt device and on the laptop. Afterwards, I ran the tests connecting the laptop directly to the WAN port of the device.
Please note that the -M parameter sets the MTU that shall be used. Using the correct MTU made a big difference (up to approx. 35%) in my tests.
I don't have much experience with that kind of test, so feel free to comment and suggest possible optimizations.
I will add one comment per device and VPN type. It would be great if some of you could add more results for other (or the same) devices as well.
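As an added example that is not part of the original post: the WireGuard per-packet overhead and iperf3's -M option (which, according to the iperf3 manual, sets the TCP maximum segment size, i.e. MTU minus 40 bytes) can be folded into a small POSIX shell helper that derives the tunnel MTU from the WAN MTU and prints the iperf3 client command lines for a forward and a reverse run. The server address defaults to the 192.168.1.1 used in this thread and the stream counts are assumptions; following the later posts, the server should be a PC behind the router rather than the router itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the WireGuard tunnel MTU from
# the WAN link MTU and the TCP MSS to pass to iperf3 -M, then prints the client
# command lines for a forward and a reverse (-R) run.
#
# WireGuard overhead per packet = outer IP header + 8 bytes UDP + 32 bytes
# WireGuard transport-data header (4 type/reserved + 4 receiver index +
# 8 counter + 16 Poly1305 tag).

# wg_mtu <wan_mtu> <outer_family 4|6>: largest inner IP packet that still fits
wg_mtu() {
    if [ "$2" = "6" ]; then outer_ip=40; else outer_ip=20; fi
    echo $(( $1 - outer_ip - 8 - 32 ))
}

# tcp_mss <tunnel_mtu> <inner_family 4|6>: MSS = MTU - inner IP header - 20 TCP
tcp_mss() {
    if [ "$2" = "6" ]; then inner_ip=40; else inner_ip=20; fi
    echo $(( $1 - inner_ip - 20 ))
}

# iperf_cmd <server> <mss> <streams> [reverse]: iperf3 client invocation for a
# 30 s run; "reverse" adds -R so the server sends and the other direction is measured
iperf_cmd() {
    cmd="iperf3 -c $1 -M $2 -P $3 -t 30"
    if [ "$4" = "reverse" ]; then cmd="$cmd -R"; fi
    echo "$cmd"
}

main() {
    server=${1:-192.168.1.1}        # assumed iperf3 server address (from the thread)
    wan_mtu=${2:-1500}
    mtu=$(wg_mtu "$wan_mtu" 4)      # 1440 when the WireGuard endpoint is reached over IPv4
    mss=$(tcp_mss "$mtu" 4)         # 1400 for IPv4 traffic inside the tunnel
    echo "WAN MTU $wan_mtu -> WireGuard MTU $mtu -> iperf3 -M $mss"
    echo "(the WireGuard default MTU of 1420 assumes an IPv6 outer header: $(wg_mtu "$wan_mtu" 6))"
    iperf_cmd "$server" "$mss" 1
    iperf_cmd "$server" "$mss" 4 reverse
}

main "$@"
```

If the WireGuard interface is configured with a smaller MTU than the derived value, pass that interface MTU to tcp_mss instead, otherwise the kernel fragments inside the tunnel and the -M value no longer matches the path.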
Where is the VPN involved in this? And you shouldn't run iperf3 on the router, it should be run on two client devices with the traffic going through the router. Otherwise you're also measuring the impact of the router having to generate the necessary traffic (which can have a significant impact on lower powered devices).
I'm not sure if I got your point. VPN is always a client connected to a server, right? So why do you expect to have 2 client devices? VPN is involved in my tests because I am measuring the amount of data transferred via the VPN from the client to the server and vice versa.
I don't know how iperf3 is generating the traffic, but from my perspective there is no need for it to produce complex (e.g. unique) content for every packet. So I would expect that generating the traffic shouldn't cause much CPU load, but as mentioned before, I don't know any details about iperf3.
If you still think I am wrong please let me know how you would measure VPN performance to compare it on different devices.
It's still not clear where the VPN is operating in your 'setup'. Your initial post talks about assigning static IP addresses on the WAN port of the OpenWRT device and the laptop from the same subnet. There's no indication of what the VPN setup is between these two devices. As it is, from the description in your initial post I would expect the traffic to be transferring outside the VPN.
It might be useful to post an example configuration (i.e. the contents of /etc/config/network and /etc/config/firewall minus any sensitive data such as encryption keys, public IPs etc.) from one of the devices so people can understand the setup.
You might expect that, but it's not the case in the real world. Running iperf3 on the device (especially 'low power' devices like many common routers) can and does have a significant negative impact on the results you obtain.
What are we measuring here? Comparing apples and oranges again? WireGuard has one algorithm, OpenVPN has many, IPsec has even more. Two of these have a kernel implementation, one is userspace. Many routers have hardware accelerators, but those are rarely used by default, at least in userspace implementations where it requires OpenSSL configuration.
Google for "Performance comparison of VPN implementations WireGuard, strongSwan, and OpenVPN in a 1 Gbit/s environment". It provides a better testing setup and parameters.
The main target of this topic from my perspective is to compare the VPN speed of different OpenWrt devices so that people know what maximum VPN speed they can expect if they buy such a device. I also consider it interesting how the performance differs for the different VPN types (e.g. because of possible hardware acceleration), even though it is common IT knowledge that some VPN types are faster than others. And yes, for OpenVPN the cipher should be mentioned as well; for WireGuard this is not necessary because there is only one.
Here are the WAN settings and relevant firewall settings from LuCI (I think it's easier for others to follow the discussion based on the screenshots; you will find the censored configuration files at the end of this post).
So my laptop and the WAN port of my OpenWRT device were in the 192.168.0.0/24 subnet and my laptop was in the WAN zone of the firewall of my OpenWRT device. Therefore I was not able to connect to the iperf3 server running on my OpenWRT device (192.168.1.1).
To access the iperf3 server and to measure the VPN performance I connected to my WireGuard server running on my OpenWrt device using the following client configuration (keys are, of course, censored):
After connecting to my WireGuard server I was able to access the iperf3 server running on 192.168.1.1 and I executed the tests mentioned in my initial post.
So from my perspective the traffic was clearly transferred via the WireGuard VPN connection but let me know in case you come to a different result.
/etc/config/network:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd15:358a:be05::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'static'
    option ipaddr '192.168.0.100'
    option netmask '255.255.255.0'
    option gateway '192.168.0.1'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix 'auto'
    option peerdns '0'
    list dns '2606:4700:4700::1113'
    list dns '2a01:4f8:c012:ed89::208'

config interface 'vpn'
    option proto 'wireguard'
    option private_key '<CENSORED>'
    option listen_port '61820'
    list addresses '192.168.3.1/24'

config wireguard_vpn
    option description 'Dell PC'
    option public_key '<CENSORED>'
    option preshared_key '<CENSORED>'
    option private_key '<CENSORED>'
    list allowed_ips '192.168.3.6/32'
    option persistent_keepalive '25'
/etc/config/firewall:

config defaults
    option syn_flood '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone 'lan'
    option name 'lan'
    list network 'lan'
    list network 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone 'wan'
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '61820'
    option proto 'udp'
    option target 'ACCEPT'
I doubt that someone's interested in the results of a 6-year-old APU board on a 100 megabit connection. I struggle with VPN on OpenWRT in general. Nothing is 100% working (unlike pfSense).
I do not think it was questioned whether you were measuring VPN performance, but the question was how you measured.
A good way is between a client on your LAN, e.g. a laptop/PC running iperf3, and another PC hooked up to your WAN running iperf3.
I measure with the router under test hooked up to my network.
The router has an OpenVPN or WireGuard server running.
The router has a modern PC hooked up to the LAN port running: iperf3 -s
On the WAN side (the upstream network) I have a modern PC with the WG application, which connects to the WG server on the router. When connected I can ping the PC running the iperf server.
Now simply run an iperf3 test between those two PCs connected via WG.
Running iperf3 is CPU intensive, so you should not run iperf3 on the router; otherwise it does not only measure WG throughput but also how well your router can run iperf3.
You didn't but it was questioned if there was VPN involved in my measurements or not:
But in the meantime I understand your (and krazeh's) point about the traffic generation, and I agree that the setup described by you would be the better one, especially for single-core or quite slow devices.
DL-WRX36 iperf3 throughput, router lightly used, measured between a PC on the WAN side and a PC on the LAN side; the standard WG app is used.
no irqbalance, no packet steering, no offload, no NSS, no AES hardware acceleration.
I did not post a baseline result, but the router has 900+ Mb/s LAN <> WAN throughput.
Note this is 23.05 with OpenVPN 2.5.8 on the router, so no DCO
Again tested with iperf3 between client PC on the WAN side and Client PC on the LAN side.
Client PC uses OpenVPN 2.6.2 with wintun driver
Running iperf3 on the router especially skews WireGuard on multicore routers, as it is multithreaded; not so much OpenVPN, as it is single threaded, so iperf3 can run on the other cores.
Note DCO which is coming for OpenVPN is multithreaded