I’m getting slow openvpn performance for some reason.. I only get about 200 Mbps-400 Mbps when the openvpn server test speed shows 1.7-2.4 Gbps server side. My internet connection speed is 1 Gbps .. I have dco enabled on the client and the server. I see no reason I should be getting anything less than 900 Mbps - 1 Gbps. Any ideas are welcome.
It depends on your CPUs.
OpenVPN is really resource intensive even when using DCO.
WireGuard is much more performant
My DL-WRX36 (quad core A53) does 800 MB using WireGuard and 200 MB OpenVPN
a router upgrade is required for better speeds or go wireguard.
I’m running Intel server CPUs x86_64 on router and openvpn server. I barely see more than 25% usage from either machine when running a speed test.. so it’s NOT THE CPUs.
Supermicro were selling J1900 "server boards" in the past, this doesn't tell us anything.
The less than 25% CPU usage should. All Xeon Platinum or higher.
@Xeon64 What version of OpenWRT are you running?
EDIT: In 24.10.XX I had more performance than 25.12.0 (MT7621 small router test)
OpenWrt 25.12.0 r32713-f919e7899d / LuCI openwrt-25.12 branch 26.071.74370~780a7ce It’s been slow on older versions too.
In 24.10.XX + DCO I get more performance than 25.12.0 (both with cipher CHACHA20-POLY1305)
Switching from 256-bit cipher to 128-bit did nothing .. if it was cpu related it should have gained at least 25% or more in speed.
I tried testing wireguard but couldn’t get it to work.. every time I added
[Peer]
PublicKey = [Server's public key]
to the server config file it removed it.. even though there are many examples of server configs with this info.
You can just Import/Load the configuration; that is the easiest method if you have the config file.
The Peer section should get the public key of the other side.
My notes on how I set up WireGuard:
WireGuard Client Setup Guide
My server is Ubuntu and my client is openwrt.. if I’m not mistaken the client requires a server public key.. if the server keeps deleting it from the config file what am I supposed to do? I don’t think it’s reading it correctly from the /etc/wireguard/public.key file.
Sure in the peer section of the client you add the public key of the server
But before you can setup the peer section you have to setup a WireGuard interface with private key (which automatically makes the public key)
Assuming your server cannot produce config files, you setup a WireGuard client at the Openwrt router, first generate private and public key and add address, Save and Apply then setup the peer section with public key of the server
Then take the public key of the WireGuard client that you have generated and add that to the peer section of the server
P.S. I have a WireGuard server running on my ubuntu VPS on an Oracle Cloud server
Some pointers about this in the Server setup guide at the end
I gave up.. I could never get it to work.. I tried all the keys from the client & server every single which way that is possible.. but I could never even get a single ping from the client to the server or vice versa.
Is this the correct output for a loaded dco module that is currently “ACTIVE”?
lsmod | grep -i dco
ovpn_dco_v2 86016 0
ip6_udp_tunnel 16384 1 ovpn_dco_v2
udp_tunnel 32768 1 ovpn_dco_v2
Sorry to hear that you could not get it to work, it is used successfully by very many users as it is faster and usually easier to set up than OpenVPN, but apparently not in your case.
If you want we can help you troubleshoot, for that it will help if we see your configs.
But if you want to stay with OpenVPN then that is fine.
Here is my server config..
[Interface]
Address = 10.8.0.1/32
Address = 2a01:e945::1/128
PostUp = iptables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = (apparently not needed for client config)
[Peer]
PublicKey = (this is put in public key under "peer settings" of wireguard interface)
AllowedIPs = 10.8.0.2/32, 2a01:e945::2/128
PersistentKeepalive = 25
I add the public key to the peer setting of the interface on my openwrt router.. I don’t understand what the public/private key is used for on the interface if the peer settings require a set from the server too.
On server I can ping 10.8.0.1 but not 10.8.0.2
On client (openwrt) I can ping 10.8.0.2 but not 10.8.0.1
Please use the </> button on top of the message window when you post cli output and config.
A nice tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
Each WireGuard interface must have a private key.
The public key is calculated by WireGuard and is used at the other end.
So the keys might be wrong.
Furthermore, your firewall rules are not complete: you have to allow traffic on port 51820 on the ens3 (wan) interface. Depending on your VPS setup you need to allow it in your VPS Management as well, but this is the same for an OpenVPN server.
Furthermore, you have to allow incoming (INPUT) traffic on the WireGuard interface and allow FORWARDING over the WireGuard interface.
First about the keys:
It is easiest to make the keys on the OpenWRT router.
Add a new WireGuard interface and generate the keys, copy private and public keys.
These are the keys for the server, so name them server-private.key and server-public.key.
Delete this newly created interface.
Set up a new WireGuard interface; this will become your new client.
Generate a new key pair, copy the public key and name it client-public.key.
Set up this new WireGuard interface on your router with the addresses 10.8.0.2/24 and 2a01:e945::2/64. Note the /24 and /64.
Save and Apply, then create the peer section.
Fill in the < server-public.key >, endpoint and port, and as allowed IPs use 0.0.0.0/0, 0::/0 and do not forget to enable Route Allowed IPs!
See the WireGuard client setup guide also for setting up the firewall rules!
Now on to the ubuntu server
In the interface section of the server add the created server-private.key:
PrivateKey = <server-private.key>
So in the end it looks like this, note the /24 and /64 mask
[Interface]
PrivateKey = < server-private.key >
Address = 10.8.0.1/24
Address = 2a01:e945::1/64
MTU = 1420
ListenPort = 51820
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh
### begin gconijn ###
[Peer]
PublicKey = < client-public.key >
AllowedIPs = 10.8.0.2/32, 2a01:e945::2/128
I use helper scripts for PostUp and PostDown; adapt the subnet, port and interfaces.
root@openvpndemo2:/etc/wireguard/helper# cat add-nat-routing.sh
#!/bin/bash
IPT="/usr/sbin/iptables"
IPT6="/usr/sbin/ip6tables"
IN_FACE="ens3" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.168.0.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="51801" # WG udp port
SUB_NET_6="fd42:42:42::/64" # WG IPv6 sub/net
# IPv4
$IPT -t nat -I POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT -i $WG_FACE -j ACCEPT
$IPT -I FORWARD -i $WG_FACE -j ACCEPT
$IPT -I INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
$IPT -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# IPv6
$IPT6 -t nat -I POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -I INPUT -i $WG_FACE -j ACCEPT
$IPT6 -I INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
$IPT6 -I FORWARD -i $WG_FACE -j ACCEPT
$IPT6 -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
root@openvpndemo2:/etc/wireguard/helper# cat remove-nat-routing.sh
#!/bin/bash
IPT="/usr/sbin/iptables"
IPT6="/usr/sbin/ip6tables"
IN_FACE="ens3" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.168.0.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="51801" # WG udp port
SUB_NET_6="fd42:42:42::/64" # WG IPv6 sub/net
# IPv4 rules (delete exactly what add-nat-routing.sh inserted)
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
$IPT -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# IPv6 rules
$IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -D INPUT -i $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -D FORWARD -i $WG_FACE -j ACCEPT
$IPT6 -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
Make both scripts executable
chmod +x add-nat-routing.sh
chmod +x remove-nat-routing.sh
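An added example, not code from this thread, from WireGuard or from OpenWrt: a small Python check for the three things the replies above point at (every [Interface] needs a PrivateKey, the server side should use the subnet mask rather than /32, and each side's [Peer] PublicKey must be the one derived from the other side's private key). It assumes wg-quick style INI files; the X25519 routine is transcribed from RFC 7748 so the check runs where the `wg` tool is not installed, and the sample keys are the RFC 7748 test vectors used purely as constructed data (the endpoint name is a placeholder).

```python
"""Cross-check a WireGuard server/client config pair (added example, not from the thread)."""
import base64
import ipaddress

P = 2**255 - 19            # Curve25519 field prime
A24 = 121665               # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 scalar multiplication (Montgomery ladder); 32-byte little-endian x coordinate."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                    # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                  # plain swap; real code uses constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def pubkey_from_private(priv_b64: str) -> str:
    """Same result `wg pubkey` prints: X25519 of the private scalar with the base point."""
    priv = base64.b64decode(priv_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes of base64")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def parse_wg(text: str) -> dict:
    """Minimal wg-quick INI parser; repeated keys such as Address are kept as lists."""
    cfg, cur = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            cur = cfg["Interface"] if line == "[Interface]" else {}
            if line == "[Peer]":
                cfg["Peer"].append(cur)
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(value)
    return cfg


def check_pair(server_text: str, client_text: str) -> list:
    """Findings that explain 'I can ping my own end but not the other'; empty list means consistent."""
    findings = []
    sides = {"server": parse_wg(server_text), "client": parse_wg(client_text)}
    for name, cfg in sides.items():
        iface = cfg["Interface"]
        if "PrivateKey" not in iface:
            findings.append(f"{name}: [Interface] has no PrivateKey (every WireGuard interface needs one)")
        for addr in iface.get("Address", []):
            ip = ipaddress.ip_interface(addr)
            if ip.network.prefixlen == ip.max_prefixlen:
                findings.append(f"{name}: Address {addr} is a single-host mask; use the tunnel subnet mask")
        if not cfg["Peer"]:
            findings.append(f"{name}: no [Peer] section")
    # Each side's [Peer] PublicKey must be derived from the OTHER side's PrivateKey.
    for name, other in (("server", "client"), ("client", "server")):
        other_priv = sides[other]["Interface"].get("PrivateKey")
        if not other_priv:
            continue
        expected = pubkey_from_private(other_priv[0])
        present = {p["PublicKey"][0] for p in sides[name]["Peer"] if "PublicKey" in p}
        if expected not in present:
            findings.append(f"{name}: no [Peer] PublicKey matches the {other}'s private key (expected {expected})")
    # The server's AllowedIPs must cover the client's tunnel address, or its packets are dropped.
    allowed = [ipaddress.ip_network(n.strip()) for p in sides["server"]["Peer"]
               for n in p.get("AllowedIPs", [""])[0].split(",") if n.strip()]
    for addr in sides["client"]["Interface"].get("Address", []):
        ip = ipaddress.ip_interface(addr).ip
        if not any(ip in net for net in allowed):
            findings.append(f"server: client address {ip} is not inside any [Peer] AllowedIPs")
    return findings


# RFC 7748 section 6.1 test keys, reused here only as constructed sample material.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
b64 = lambda b: base64.b64encode(b).decode()

GOOD_SERVER = f"[Interface]\nPrivateKey = {b64(ALICE_PRIV)}\nAddress = 10.8.0.1/24\nListenPort = 51820\n" \
              f"[Peer]\nPublicKey = {b64(BOB_PUB)}\nAllowedIPs = 10.8.0.2/32\n"
GOOD_CLIENT = f"[Interface]\nPrivateKey = {b64(BOB_PRIV)}\nAddress = 10.8.0.2/24\n[Peer]\n" \
              f"PublicKey = {b64(ALICE_PUB)}\nEndpoint = vps.example.invalid:51820\nAllowedIPs = 0.0.0.0/0\n"
# Shape of the server config posted earlier in the thread: /32 address, no PrivateKey, and the
# server's own public key pasted into its [Peer] section instead of the client's.
BAD_SERVER = f"[Interface]\nAddress = 10.8.0.1/32\nListenPort = 51820\n" \
             f"[Peer]\nPublicKey = {b64(ALICE_PUB)}\nAllowedIPs = 10.8.0.2/32\n"


def example() -> dict:
    return {"good": check_pair(GOOD_SERVER, GOOD_CLIENT), "bad": check_pair(BAD_SERVER, GOOD_CLIENT)}


if __name__ == "__main__":
    for label, findings in example().items():
        print(label, findings or "OK")
```

Run it against your own two files by reading them into `check_pair`; with real keys the `expected` value it prints is exactly what `wg pubkey < private.key` would show on the other box, which is the quickest way to see whether the OpenWrt peer section really holds the server's key or something else.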