VPN tunnel limit

Hi,

Just a quick poll about tunnels.

Is there a sensible limit to the number of WireGuard tunnels in use at the same time? I imagine this is somewhat hardware specific, but suppose one is using a modern device with say 4 cores and >2GB RAM for OpenWrt, what is a sensible number?

What about tunnels routed through (but not peering on) OpenWrt?

Is it sane to have 5 WireGuard tunnels peered on OpenWrt and also 5 tunnels peered in LAN clients behind OpenWrt?

Thanks for any insight.

These, from the perspective of any router along the path, are really just data packets (likely UDP). These do incur the same processing cost as any other UDP packet, so will also be subject to similar limits (e.g. for NATed links there is a limit on the number of connections that can be "active" in the conntrack table concurrently).

I would say that really depends on the intended capacity of each of the tunnels and the computational resources of your router. But as food for thought, one of WireGuard's tricks to allow decent capacity is to use multiple CPUs for one tunnel, so the more parallel tunnels you have, the less likely you will be able to exploit that capability...

2 Likes

I have an EA8500 running 8 WireGuard tunnels, of course not at full speed, and not all are running at the same time; usually 4 concurrent tunnels, but that works without a problem.
So for your setup I do not expect any problem.

2 Likes

So the limitation is conntrack regardless of where the tunnels peer, and that and cryptography if peering on OpenWrt?

Yes, conntrack is a limit, but certainly not the only limit; whether it is the relevant limit depends a lot on the details (like the configured size of the conntrack table and the timeouts for inactive connections).

2 Likes
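Since the thread settles on the conntrack table size and its inactivity timeouts as the thing to watch, here is an added example (not posted by anyone in the thread) of a small POSIX shell check that reads the standard nf_conntrack sysctl files on a Linux/OpenWrt router and reports how full the table is. The file paths are the usual kernel ones; the fallback numbers used when the files are absent (for example when running it on a workstation) are constructed for illustration, and the 70%/90% thresholds are an assumption, not an OpenWrt default.

```shell
#!/bin/sh
# Added example: report conntrack table headroom on an OpenWrt/Linux router.
# Standard nf_conntrack sysctl files (these paths are the kernel's, not constructed).
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CT_UDP_STREAM_TIMEOUT_FILE=/proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream

# read_or_default FILE DEFAULT: print the file's first line, or DEFAULT when the
# file is missing or unreadable (e.g. when run off-router).
read_or_default() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        printf '%s\n' "$2"
    fi
}

# ct_usage_pct COUNT MAX: integer percentage of the table currently in use.
ct_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# ct_verdict COUNT MAX: "ok" below 70%, "warn" from 70% to 89%, "critical" at 90%+.
# The thresholds are an assumption chosen for this example.
ct_verdict() {
    pct=$(ct_usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo critical
    elif [ "$pct" -ge 70 ]; then
        echo warn
    else
        echo ok
    fi
}

# Fallback values are constructed so the script runs off-router; on a real
# router the live sysctl values are used instead.
ct_max=$(read_or_default "$CT_MAX_FILE" 16384)
ct_count=$(read_or_default "$CT_COUNT_FILE" 1200)
udp_stream_timeout=$(read_or_default "$CT_UDP_STREAM_TIMEOUT_FILE" 120)

printf 'conntrack: %s / %s entries (%s%%) -> %s; UDP stream timeout %ss\n' \
    "$ct_count" "$ct_max" "$(ct_usage_pct "$ct_count" "$ct_max")" \
    "$(ct_verdict "$ct_count" "$ct_max")" "$udp_stream_timeout"
```

Run it on the router itself to see the live numbers; a table that sits near the top of its range is a sign that either nf_conntrack_max is too small for the number of flows the tunnels carry or the inactivity timeouts are keeping dead entries around too long.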