Hi everyone, what are the expected speeds for a raspberry pi 4 running wireguard server? I have seen people posting speeds ranging 100-200 Mbps but I get nowhere near that. I have two separate pi4s running the 23.05.3 and get 30-50 Mbps on both Pi4s.
One pi (primary router) is at my home which has 200 up/down and the another pi is at a remote location which has 1 gig up/down and it is behind a primary router.
I have used a windows 11 laptop (wifi and wired) and a Galaxy S24 to test via nperf.com and wifiman app. All test have been done on 3 separate days but I still get the 30-50 Mbps. Is that the expected speed for a RP4 running wireguard serve?
If not, anyone know where I can do some reading on how to improve the speed? I have looked but have not found anything. TYIA.
Are you CPU bound when connected and running some speed test?
Yes, I saw that list and that's when I figured something might be going wrong since I am getting 10% what the listed speeds.
"Top" command shows that the CPU is anywhere from 92 to 84% idle while running speed test on nperf.com
Any undervolt? Or overheat causing throttling?
Even my Pi Zero can give more than 100Mbps so I can't believe Pi 4 can be that slow.
I use a fanless case that is aluminum. It keeps the PI ranging from 38-42 degrees Celsius based on the graph log so I don't believe overheat throttling is an issue.
I don't know about undervolting because I am still a newb LOL. To get both RP4s working all I did was install the latest stable release and install the necessary packages to get the wireguard working.
In LuCI, Network/Interfaces/Global Settings->Packet Steering and try the tests with it enabled.
I'm fairly sure this is also true for Top:
Those CPU loads include all 4 cpus, so .84 is divied by 4 (the number of CPUs) = @ 0.21 capacity.
Changing the "packet steering" to enabled allowed me to get between 80-110 Mbps to my remote RP4 with the wireguard running. However, I did start getting some issues with the second part of the speed test, i.e. the upload part. It does not matter if it is on nperf.com/speedtest.net/fast.com. During the second part it either does not complete the test or it cuts the upload to 10-20 Mbps.
Did you reboot after save and apply? Did you enable packet steering on both RPIs?
If not try that next.
...And please let us see the top results too.
opps: I thouught the other RPI was in the loop. So, just the one you have to work with for now.
After rebooting both RP4s with the packet steering enabled samething happens. Speed test ranges from 80-110 Mbps down and 20 Mbps upload. Similar results in all major speed test sites and on wifiman app on the S24 cell.
Disable wire guard and try again.
Trying to determin if wireguard needs tweaking or the PIs.
And what was the CPU usage?
Can you show a topology diagram of how the remote location is setup? Specifically, it'll be good to understand how the device running the speed test connects to the pi and its tunnel.
CPU stayed about the same 79-90 idle.
Strange since it's two separate instals on two separate PIs hacing the same issue. One is ky hime router and the other is the remote router which is behind the isp router.
I cannot disable the wireguard in the remote location since i wint be there until next year to re-enable it
Then lets just work on the local one.
My RPI4 never got anywhere near that usage but I never used Wireguard.
And since ethernet is available lets limit testing, for now, to that.
But did it fail with the upload, like before?
The upload would never fail but instead would take forever to start but it would start. It would still stay limited to the mid 20s Mbps.
I'll respond tomorrow as its late right now at my current location.
Also, tomorrow, please tell us what chipset your Pi(s) use for the nic.
I use a USB ethernet adapter for the WAN port. It uses a realtek rt8153. I am not sure how to check the chipset of the NIC on the PI. But the built in NIC is used as the LAN.
Other information: When checking the isp speed on the RP4 without the wireguard turned on, I do get the speed I paid for 200up/200down. So I would assume the PI is configured correct and something is wrong with the wireguard, right?
I also tried playing arpund with the MTU size but did not the negavior of the upload speed.
Here is the info requested:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.5",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXXXXXX::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.XX.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'WAN'
option proto 'static'
option device 'eth1'
option ipaddr 'XX.XX.XXX.XXX'
option netmask '255.255.255.0'
option gateway 'XX.XX.XXX.X'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'Wireguard'
option proto 'wireguard'
option private_key âXXXXXXXXXXXXXXXXXXXXXXXXXX'
option listen_port '51810'
list addresses '192.168.XX.1/24'
list dns '1.1.1.1'
option mtu '1500'
config wireguard_Wireguard
option description 'Galaxy S24 Home '
option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXX'
option private_key âXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
list allowed_ips '192.168.XX.2/32'
option endpoint_host 'XXXXXXXXXXXXXXXXXXX'
option endpoint_port '51810'
option route_allowed_ips '1'
config wireguard_Wireguard
option description 'Laptop Home'
option public_key 'XXXXXXXXXXXXXXXXX '
option private_key 'XXXXXXXXXXXXXXXXXXXXXX'
option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXX'
option route_allowed_ips '1'
option endpoint_host 'XXXXXXXXXXXXXXXXXX
option endpoint_port '51810'
list allowed_ips '192.168.XX.3/32'
root@OpenWrt:~#
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option start '100'
option limit '150'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'ARTHUR-s-S24'
option ip '192.168.XX.102'
option mac 'XXXXXXXXXXXXXXâ
config host
option name 'Sheena-Marie-s-S23'
option ip '192.168.XX.234'
option mac âXXXXXXXXXXXXXXXXXXâ
config host
option name 'Living-Room-TV'
option ip '192.168.XX.161'
option mac âXXXXXXXXXXXXXXXâ
config host
option name 'Bedroom-TV'
option ip '192.168.XX.222'
option mac âXXXXXXXXXXXXXXXâ
config host
option name 'OpenWrt'
option ip '192.168.XX.168'
option mac âXXXXXXXXXXXXâ
config host
option name 'HomeTheaterPC'
option ip '192.168.XX.103'
option mac âXXXXXXXXXXXXXXXXXâ
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Wireguard'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'udp'
option src 'wan'
option src_dport '518XX'
option dest_ip '192.168.XX.1'
option dest_port '518XX'
option name 'Wireguard'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '518XX'
option dest_ip '192.168.XX.168'
option dest_port '518XX'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex'
list proto 'tcp'
option src 'wan'
option src_dport '3XXXX'
option dest_port '3XXXX'
option dest_ip '192.168.XX.103'
Please let me know if I missed anything that should have been redacted. Thank you.
Chnaged the mtu back to 1500. When running a speed test on nperf with a server closer to my location and packet steering on, i can get 200+ on the download but the the upload is 30 Mbps. The cpu idle during the download part is 57% and during the upload part of the test it is 90-96% idle.
You have actually over-redacted your config...
anything that starts with 192.168., 172.16. - 172.31., or 10. does not need to be redacted because they are part of the RFC1918 address ranges and are therefore not personally identifiable information.
Can you repost your config without redacting those addresses?