Raspberry Pi 4 expected Wireguard Speed

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.5",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXXXXX::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.86.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'WAN'
        option proto 'static'
        option device 'eth1'
        option ipaddr 'XX.XX.XXX.XXX'
        option netmask '255.255.255.0'
        option gateway 'XX.XX.XXX.X'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key ‘XXXXXXXXXXXXXXXXXXXXXXXXXX'
        option listen_port '51810'
        list addresses '192.168.87.1/24'
        list dns '1.1.1.1'
        option mtu '1500'

config wireguard_Wireguard
        option description 'Galaxy S24 Home '
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.87.2/32'
        option endpoint_host 'XXXXXXXXXXXXXXXXXXX'
        option endpoint_port '51810'
        option route_allowed_ips '1'

config wireguard_Wireguard
        option description 'Laptop Home'
        option public_key 'XXXXXXXXXXXXXXXXX '
        option private_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        option endpoint_host 'XXXXXXXXXXXXXXXXXX
        option endpoint_port '51810'
        list allowed_ips '192.168.87.3/32'

root@OpenWrt:~#
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '100'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'ARTHUR-s-S24'
        option ip '192.168.86.102'
        option mac 'XXXXXXXXXXXXXX’

config host
        option name 'Sheena-Marie-s-S23'
        option ip '192.168.86.234'
        option mac ‘XXXXXXXXXXXXXXXXXX’

config host
        option name 'Living-Room-TV'
        option ip '192.168.86.161'
        option mac ‘XXXXXXXXXXXXXXX’

config host
        option name 'Bedroom-TV'
        option ip '192.168.86.222'
        option mac ‘XXXXXXXXXXXXXXX’

config host
        option name 'OpenWrt'
        option ip '192.168.XX.168'
        option mac ‘XXXXXXXXXXXX’

config host
        option name 'HomeTheaterPC'
        option ip '192.168.86.103'
        option mac ‘XXXXXXXXXXXXXXXXX”

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Wireguard'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '518XX'
        option dest_ip '192.168.87.1'
        option dest_port '518XX'
        option name 'Wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '518XX'
        option dest_ip '192.168.87.168'
        option dest_port '518XX'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3XXXX'
        option dest_port '3XXXX'
        option dest_ip '192.168.86.103'

Sorry about that psherman, as you can see I know enough to get myself in trouble, so I always err on the safe side. Please let me know if anything else should be changed. TY.

This side appears to be configured as the 'server' peer, correct?

Assuming that is the case, normally the endpoint host and endpoint port are not required and should be left unspecified. Do this for all of your peers.

This redirect should be removed and replaced with a standard traffic rule (accept UDP port 51280 from source zone wan).

And this one should probably be deleted entirely (unless it is a different port relative to the existing WG config above, and also the host at 192.168.87.168 is actually running WG).

Make those changes, then restart this device and test again. I don't know that it will improve anything, though...

Let's have a look at the remote peer's configuration (we only need the network and firewall files from that side).

Yes, this configuration is for the server. Is that what you are asking?

Do you mean the endpoint host and endpoint port on the "peers" tab? (I use LuCI since I am not good with any CLI.) If I leave the endpoint host and endpoint port unspecified, how will I make sure that the endpoint will be directed towards the DDNS address?

This was supposed to be 192.168.86.168. That is the dumb AP that is also running OpenWrt. I mistakenly corrected the redaction to .87 instead of .86.

Yes. Thanks for confirming.

Yes.

The remote peers are already pointing to your 'server', so you don't need to worry about this. However, if you ever need to reconfigure the remote endpoints, you can just add those parameters manually.

Is that endpoint running WireGuard? If so, why do you have 2 Wireguard 'server' configs?

So I will just delete the endpoint host and port on the peer as instructed. I will do it when I have a break at work and post the results tonight. Right now I am at work and the upload speed is just 20 Mbps.

I am not sure what you are asking but hopefully this clears things up. My router is 192.168.86.1 and the Wireguard is 192.168.87.1. Does that make sense? :laughing:

sounds good.

And let's see the remote peer configs when you get a chance to get that information.

That much I can see...

But I don't understand what this forward is for:

It seems very likely that this should be deleted.


After @psherman tidies up your configs you should consider making the built-in NIC the WAN and the dongle the LAN.

And updating the Pi's EEPROM.

In LuCI, where can I find this option to delete it?

Look in Network > firewall > port forwards

I will go ahead and delete it.

When creating the standard traffic rule, the protocol should be UDP and the source zone WAN, but what about the "source address", "source port", "destination zone" and "destination port"? Should I just leave those blank or at their default values/settings?

Blank

This device (input). 51820

Don't do this. Leave the LAN connected to the RPi's network port.

I use port 51810, so I would assume I use that instead of 51820. Right?

Yes. Whatever port is in the config.

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 192.168.87.2/32
# ListenPort not defined
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXXXXX.XXXXXXX.XXX:51810
# PersistentKeepAlive not defined

When connected to the WireGuard server at home while still connected to the home Wi-Fi or via Ethernet, I get the correct 200 up/200 down speed. I know that connecting to the WireGuard server from within the same network that the router serves is a no-no because there might be routing issues, but that is the only way I can get the correct up/down speed.

Regarding the remote server, despite deleting the firewall port forwarding rule, adding the traffic rule as recommended, and deleting the endpoint host and port on the peer tab, the issue still persists. I am getting around 150 Mbps down but upload is still 17-20 Mbps. CPU utilization is similar to all the previous times. During the upload part of the test it seems the CPU is not being utilized as much as during the download part of the test.

Do you think that updating the EEPROM would help? I don't know if it needs updating, but I am grasping at straws.

So the remote peer config you provided is not an OpenWrt device... I thought we were talking OpenWrt on both ends?

That config looks fine, though.

So this proves that the Pi4 with OpenWrt is not limiting your connection speed.

No, this is actually fine. I've run similar tests myself.

How exactly is this being tested... can you provide a diagram?
Also, is this the same exact device as the one that was tested on the local network (your 200/200 test above)? How is it being tested now (what network is it connected to, where is the speed test being executed, etc -- this is why I'm asking for a diagram).

No, this is not related.

I use a RP4 running OpenWRT as my home router. The remote router is also a RP4 running openwrt. The peer config I pasted was from the home router for my S24 (android phone).

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXX=
Address = 192.168.99.10/32
# ListenPort not defined
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey =XXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey =XXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXXXXX.XXXXXXX.XXX:51830
# PersistentKeepAlive not defined

This is the peer config on the remote server wireguard.

The 150 down/17-20 up is from the remote server, which is another RP4.

Here is the setup:
RP4 (home router)-->Laptop or S24 (wireguard client) --> Connected to Wireguard server (RP4 remote location)-->speed test being done on nperf.com/wifimanapp/speedtest.net

The one where I got 200/200 was S24 (WireGuard client) --> WireGuard server (home RP4). Tested speed on the wifiman app and nperf.com.

Let's see that device's config (network and firewall files).

Why is there a computer or phone in the middle of this connection?

You probably should be testing from a computer that is connected to the remote peer.

It would also be really good to see a diagram of how the remote peer's network is setup... how is the computer connected to the Pi there, how is that Pi connected to the internet, etc.

That is the peer I use to connect to the WireGuard server. That is the device I am using to test the speed to the remote server.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix XXXXXXX::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option gateway '192.168.86.168'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

config interface 'WireguardNJP'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX='
        option listen_port '51830'
        list addresses '192.168.99.1/24'
        option mtu '1500'

config wireguard_WireguardNJP
        option description 'Trial3'
        option public_key XXXXXXXXXXXXXXXX='
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key XXXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        option endpoint_host 'XXXXXXXXXXXXXXX
        option endpoint_port '51830'
        list allowed_ips '192.168.99.3/32'

config wireguard_WireguardNJP
        option description 'Living room '
        option public_key XXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.99.4/32'
        option route_allowed_ips '1'
        option endpoint_host 'XXXXXX
        option endpoint_port '51830'
config wireguard_WireguardNJP
        option description 'Laptop'
        option public_key XXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key “XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.99.7/32'
        option route_allowed_ips '1'
        option endpoint_host 'XXXXXXXXXXXXXXXXXx
        option endpoint_port '51830'

config wireguard_WireguardNJP
        option description 'Trial333'
        option public_key XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.99.10/32'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireguardNJP'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Wireguard NJ'
        list proto 'udp'
        option src 'wan'
        option dest_port '51830'
        option target 'ACCEPT'

This is the network and firewall config of the remote RP4, captured while I am connected to it via my laptop running a WireGuard connection to that remote RP4. The Trial333 peer is the config I am using for all the tests, as I do not want to touch the other peer configs until I can get this running correctly.