Raspberry Pi 4 expected Wireguard Speed

I thought this was a site-to-site configuration... I don't see the 'client' type connection on this remote peer's configuration that connects back to the 'server.' Can you explain how this works?

I am getting confused so I will try to clear things up. I use the remote RP4, which runs OpenWrt and has a WireGuard server. I use that device to connect to NJ where I have family so I can see certain shows that are not offered in my home country. So I basically use their IP address. That is the main purpose of the device.
My home RP4 router (main router) has a WireGuard server just so I can connect to my home NAS sometimes. Hopefully that clears up the confusion.

How does the OpenWrt device in NJ connect to the internet? Is it the main router on the network, or does it exist behind a main router?

What device(s) are connecting to the remote OpenWrt device (in NJ)? When you are connected to the WG endpoint in NJ, is that the exclusive VPN connection, or is there some concurrent connection through the WG tunnel you have where you live?

When you are testing the bandwidth, where does the bandwidth test originate and terminate?

The RP4 openwrt is behind a main router. It is connected via ethernet to the main router. Main router ip is 192.168.1.1 and the RP4 openwrt is 192.168.9.1.

No devices are connected to the OpenWrt router in NJ. It is only used for the WireGuard server purpose. So it sits idle unless I connect to one of the peers. It is an exclusive VPN connection. When I connect to NJ, I am on the home network, not connected to the home WireGuard. So laptop or S24 on home RP4, then connect to a WireGuard peer from the remote RP4 OpenWrt router, which is behind the main router in my parents' house.

Bandwidth test originates on my laptop or S24 via either the WiFiman app or nperf.com. I either choose an automatic server when testing on nperf or a server near Toronto (where I live).

What is annoying me is that there is such a difference between the download and upload. The remote server has a 1gig up/down so that should not be an issue. My home speed is 200/200 so if I get anywhere near that I would be happy.

Thank you. This clears up a lot of confusion.

All of the following applies to the NJ based OpenWrt device:

Remove the gateway below:

On all of the peers, remove the endpoint host and endpoint port lines:

Restart the Pi and test again.

Now, you also need a way to verify that the ISP and complete network config in NJ is actually capable of delivering the speeds you are expecting. Can you do that?

If I do that, how would I connect to the server? If I disable that, would I still be able to connect to the server via 192.168.99.1?

I used the 192.168.9.1 address to set things up when first installing WireGuard on the OpenWrt. I started with a fresh OpenWrt install on the RP4, which only had the built-in NIC. Installed the necessary packages to get the ethernet NIC working. Switched the built-in NIC to have the LAN interface (192.168.9.1) and the ethernet NIC to have the WAN interface. Then installed the packages for WireGuard.

And that would be under the network--> interface tab in luci, right? Can I just stop that interface instead of deleting it?

I will do that tomorrow morning.

Yes, when I was there last time I tested the speed and got the advertised speed. If I remember correctly, it was at least 900/900.

I can think of a few ways to do this... If you have remote access to any of the computers on the network in NJ, you could run a speed test from the browser on one of those machines... that would give you an idea of the performance of the ISP router > internet. If that checks out, we could then look at the Pi > internet.

Please see above regarding the speed on the NJ router (ISP). I got ~900/900 last week when I was there.

I will come back with the recommended changes tomorrow. My wife is next to me giving me dirty looks since I am still on the computer lol. Thank you so much for all the help psherman!

Unless I'm misunderstanding your network topology in NJ, 192.168.86.168 is not related to anything on that network at all. You said that the ISP router's lan is 192.168.1.0/24 and the OpenWrt lan is 192.168.9.0/24. WG on that device is 192.168.1.99.0/24. So I don't see how 192.168.86.168 factors in in any way at all.

You will be able to access the Pi at the address 192.168.9.1 or 192.168.99.1.

The truth is, there is an easier way to run this entire configuration, although you will need someone to assist you in NJ...

This device doesn't need a second NIC because you're not connecting anything physically behind the Pi... instead, you can use the built-in NIC directly as a client on the main lan. This requires a few config changes that will (temporarily) break the connection, so proper sequencing and coordination are key.

I wouldn't touch that... it's not really that relevant, but I would remove the gateway line.

To elaborate on this, my personal configuration does exactly this. I have a Pi4 running as a WireGuard server on my main lan (behind another router).

From a default configuration, you will edit the lan address to either be DHCP client or a static IP on the upstream network (using an address that is not used by any other devices and is outside the DHCP pool of the upstream router). You must also disable the DHCP server on the OpenWrt lan.

Then, in the firewall, you'll turn on NAT masquerading on the lan firewall zone.

Finally, you'll set up WireGuard (install the packages, set up your peers) and assign the wireguard network to its own firewall zone (you can set input, output, and forward to ACCEPT since it is a trusted network). The last step is to enable forwarding from the new wireguard zone > lan zone.

You don't necessarily need to start from scratch, but it might be worthwhile. If you have an alternate way to connect back to a computer on that network in NJ (for example, from a Mac to another Mac, Apple's Messages app actually allows you to control a remote computer), you can actually just coordinate with someone in that house so that you can use the computer almost as if you were in front of it yourself, but it will take some creativity.
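The single-NIC setup described in the posts above (lan on the upstream network, DHCP server off, masquerading on the lan zone, a separate WireGuard zone forwarding to lan), written out as `uci batch` input. This is an added example, not part of any post in this thread. Assumed and not from the thread: a stock firewall config where `@zone[0]` is `lan`, the names `wg0` and `wg`, port 51820, the peer address 192.168.99.2, and 192.168.1.2 as a free static address on the ISP router's lan.

```shell
#!/bin/sh
# Added example: print a `uci batch` script for a single-NIC WireGuard server.
# Assumptions (not from the thread): stock OpenWrt config where firewall
# zone[0] is 'lan'; interface name wg0; zone name 'wg'; port 51820;
# 192.168.1.2 is unused on the upstream lan and outside its DHCP pool.
# On the Pi: wg_single_nic_batch "$PRIVKEY" "$PEER_PUBKEY" | uci batch

wg_single_nic_batch() {
    privkey=$1                  # server private key (output of `wg genkey`)
    peer_pub=$2                 # public key of the connecting peer
    lan_ip=${3:-192.168.1.2}    # constructed sample address
    upstream=${4:-192.168.1.1}  # main router address given in the thread
    cat <<EOF
set network.lan.proto='static'
set network.lan.ipaddr='$lan_ip'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='$upstream'
add_list network.lan.dns='$upstream'
set dhcp.lan.ignore='1'
set firewall.@zone[0].masq='1'
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='$privkey'
set network.wg0.listen_port='51820'
add_list network.wg0.addresses='192.168.99.1/24'
add network wireguard_wg0
set network.@wireguard_wg0[-1].public_key='$peer_pub'
add_list network.@wireguard_wg0[-1].allowed_ips='192.168.99.2/32'
add firewall zone
set firewall.@zone[-1].name='wg'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
add_list firewall.@zone[-1].network='wg0'
add firewall forwarding
set firewall.@forwarding[-1].src='wg'
set firewall.@forwarding[-1].dest='lan'
commit network
commit dhcp
commit firewall
EOF
}
```

The peer section carries no endpoint host or port, matching the earlier advice for the server side; review the generated lines before piping them to `uci batch`, since changing the lan address drops the current session.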

Okay, this has been completed.

This also has been completed. I originally set up the Pi in Toronto prior to going to Jersey. I wanted to have everything as easy as possible when I got there. So all I had to do was port forward from the ISP to the remote RP4 to get things going. Somehow I must have forgotten to remove the 192.168.86.1 gateway.

Restarted the router. However, these two changes have not changed the behavior. I can still get over 200 down and about 15-40 up. The range on the up part of the speed test is dependent on which website I am using to test the bandwidth. The highest up I got was through nperf but all others are around 15 Mbps.

Do you think that making this change would fix the upload speed issue or is it just to clean things?

I am always trying to learn the best way to do things. But following written instructions with this type of stuff I get scared. I think I know what you mean but in Luci I would be more comfortable. Would the

So basically I would be setting up the router as if it is an ISP router LAN --> RP4 LAN rather than the way I have right now, ISP router LAN --> RP4 WAN, right?

Have you tried running iperf on the two RPi4s and checking the speed that gives you?

No, I have not done that yet.

So I just had someone in NJ run a speed test and it seems that something might have happened because they got the appropriate download speed but the upload was similar to what I was getting. I had already restarted the ISP router 3 times to see if it would fix the issue but it didn't. I had them unplug it and plug it back in and the speed of the upload went up to 100 Mbps, which is better but nowhere near the speed they are paying for.

So I guess the issue is at the ISP modem. I don't know how in one week the speed was 900/900 and now it is down to 200-330/10-20 up prior to the restarting via power cycling and 200-300 down/100 up after it.

I will wait until the ISP is called to see what is going on. I would like to thank everyone that has helped, especially psherman and LilRedDog. I will mark the topic solved in a couple days once the ISP is called and see if the speed is back to normal.

Note: Your max MTU for the WG interface is WAN MTU - 80, so usually 1500 - 80 = 1420 (for PPPoE that is 1412).
Even 1420 can be too high if along the route the MTU is lower, causing slow or hanging connections etc.

I know the ISP uses 1500 MTU so I should use 1420, right?

Right, that is the max :)

Need to be the same on both sides

Both sides? Do you mean the ISP router and the remote RP4 router? Or do you mean the remote RP4 router and the peer connecting to that router?