OpenWrt/WireGuard scalability

We're planning a network of potentially several thousand clients. Are there any guidelines/limitations/historical experience on the number of clients a WireGuard server can handle? The traffic is relatively light - the clients are PCs with a dedicated application that are sending/receiving text files. I'm estimating 1 to 4 transactions per second. I do have the keep-alive enabled at 25 seconds.

Thanks

Sounds like you might want to look at mqtt instead if possible?
There are a few VPN providers who use WireGuard so I guess it scales fairly well in general but be sure to do load testing.

Generally speaking it should be fine. I have experience with 2 wireguard servers (1GB bandwidth each) running ca. 500 Archer C59v1, Archer C7v4 and v5 routers as well as a handful of Zotac mini PCs with any kind of traffic (surfing, streaming, VoIP calls, messaging, etc.) just fine.

Thanks all. I also found a reddit entry indicating 65536. So, it looks like there isn't a structural limitation to my case. I'll test performance.

Per IP...not counting those reserved by the device itself. This is not an OpenWrt limitation - I'd suppose it's the Kernel and what it (the system) can handle, as noted.

Also, connection tracking is set to 16k connections by default. Aside from other threads that debate this setting, you may run into other system config that needs adjusting on any Linux machine.
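A small check for two things raised in this thread (peer health on a server with thousands of WireGuard peers, and whether the conntrack table is sized for them), added here as an example and not taken from any poster. It assumes the tab-separated output format of `wg show <iface> dump` and a BusyBox-style sh/awk as found on OpenWrt; the peer names and counts in the comments are constructed.

```shell
#!/bin/sh
# Usage on the server (wg0 and 180 s are assumptions):
#   wg show wg0 dump > /tmp/wg.dump
#   wg_peer_summary /tmp/wg.dump 180
#   conntrack_check "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" 4000 2

# Print "total active stale" for a wg dump file. A peer counts as active when
# its latest-handshake (column 5, epoch seconds) is within $2 seconds of $3
# (current epoch, defaults to now). An active session re-handshakes roughly
# every two minutes (REKEY_AFTER_TIME), so with a 25 s keepalive a threshold
# of about 180 s separates live peers from ones that have dropped off.
wg_peer_summary() {
    dump="$1"; threshold="$2"; now="${3:-$(date +%s)}"
    # The first line of the dump describes the interface itself; skip it.
    awk -F'\t' -v now="$now" -v thr="$threshold" '
        NR == 1 { next }
        { total++ }
        $5 > 0 && (now - $5) <= thr { active++; next }
        { stale++ }
        END { printf "%d %d %d\n", total + 0, active + 0, stale + 0 }
    ' "$dump"
}

# Compare net.netfilter.nf_conntrack_max ($1) with the entries a fleet of
# peers will hold. Every peer keeps at least one UDP conntrack entry on the
# server; flows_per_peer ($3) budgets for the application traffic carried
# inside each tunnel. Prints "ok" or "raise".
conntrack_check() {
    ct_max="$1"; peers="$2"; flows_per_peer="$3"
    needed=$((peers * flows_per_peer))
    # Keep 25% headroom so bursts do not trigger "nf_conntrack: table full".
    if [ $((needed * 5 / 4)) -le "$ct_max" ]; then echo ok; else echo raise; fi
}
```

With the 16k default from the post above, 4000 peers at two flows each still fits, but four flows each does not, which is the point at which nf_conntrack_max (and the hash size) needs raising before the rollout.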

A processor that natively handles the WG algorithms would be best, I'm not sure if any have been produced yet. I think that's why the other poster mentioned another protocol instead.

Haven't seen any native wg cipher offloading on CPUs yet but their performance page has some general metrics showing wg vs ipsec using the same cipher as well as ipsec performance with aes-ni offload.