Wireguard server speed issue

Network ISP SpeedTest is 370mbps down, 290mbps up. The OpenWrt router (a Xiaomi mi4c with only 10/100 ports) is connected via its wan port to a Lan port (1000mbps) on the home router.

Client tested over 5g, before connecting over Wireguard speed is 550mbps down, 16mbps up.

When connected over Wireguard, I am just getting 29mbps down and 7mbps up.

I have tried connecting to OpenWrt over lan (so Laptop -> OpenWrt -> Nat -> Internet) and I get 93mbps down, 94mbps up, which is in line with OpenWrt router's 10/100 wan/lan specs.

Where should I start troubleshooting?

Start with the cpu load; install htop.

or do you mean this is using wireguard ?

No, this was testing OpenWrt router directly via Lan and without connecting remotely through wireguard.

Trying to install that. However, yesterday I installed and ran opkgscript to backup my installed software, and now I cannot update the software list, I get "opkg update command failed with code 6"...

that's usually network related ...

You're right. I have deleted the opkgscript files and still get the same error. Which is odd, as it is the only thing that has changed. Router is still connected to internet in the same way as before.

Is this to be able to reinstall the software after an upgrade? You should try attended sysupgrade. It will generate a firmware file with the packages built in. Therefore you won't have to worry about installing software after an upgrade again.

More info here:

# /etc/config/network (as posted): loopback, LAN bridge, WAN and switch VLANs.

# Loopback interface: static 127.0.0.1 with netmask 255.0.0.0 on device 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 unique local address (ULA) prefix used for this router's networks.
config globals 'globals'
	option ula_prefix 'fd65:425b:fae0::/48'

# LAN bridge: the only member port is the VLAN 1 device eth0.1.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# LAN interface: static 192.168.6.1/24 on the bridge; ip6assign '60' requests
# a /60 from any delegated IPv6 prefix for this interface.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.6.1'

# MAC address override for the WAN VLAN device eth0.2; the value is shown as
# 'HIDDEN', i.e. it appears to have been redacted before posting.
config device
	option name 'eth0.2'
	option macaddr 'HIDDEN'

# WAN (IPv4): DHCP client on eth0.2, so the address comes from the upstream
# network (the home router's LAN, per the thread).
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

# WAN (IPv6): DHCPv6 client on the same device.
config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

# Built-in switch with VLAN support enabled; reset '1' resets the switch
# before the VLAN layout below is applied.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (eth0.1, bridged into LAN above): switch ports 4 and 2, plus port 6
# tagged ('6t'). Presumably port 6 is the CPU port - confirm for this board.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

# VLAN 2 (eth0.2, used by wan/wan6 above): switch port 1, plus port 6 tagged.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

# WireGuard interface: tunnel address 10.0.0.1/24, listening on UDP port 1111.
# private_key is shown as 'HIDDEN' (redacted in the post). The real value must
# never be published: whoever holds it can act as this endpoint.
config interface 'WG0'
	option proto 'wireguard'
	list addresses '10.0.0.1/24'
	option private_key 'HIDDEN'
	option listen_port '1111'

# Peer 'Peer1': allowed_ips is a single /32, so inside the tunnel this peer
# is only accepted as source 10.0.0.2. route_allowed_ips '1' installs a route
# for that address. persistent_keepalive '25' sends a keepalive every 25 s.
# NOTE(review): keepalive is usually only needed on the side behind NAT -
# confirm whether the server side needs it.
config wireguard_WG0
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.2/32'
	option public_key 'HIDDEN'
	option description 'Peer1'

# Second peer (description '2'): same settings, restricted to 10.0.0.3/32.
config wireguard_WG0
	option description '2'
	option public_key 'HIDDEN'
	list allowed_ips '10.0.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

# Radio 0: mac80211 driver, 2.4 GHz band, channel 1, HT20 width.
# disabled '1' means this radio is switched off in the posted configuration.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option txpower '4'
	option disabled '1'

# Access point 'Backup' attached to the lan network, WPA2-PSK ('psk2').
# The passphrase is shown as 'HIDDEN' (redacted in the post). This interface
# is also disabled, so no Wi-Fi network is served by this configuration.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'HIDDEN'
	option ssid 'Backup'
	option disassoc_low_ack '0'
	option disabled '1'

root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq (DNS forwarder and DHCPv4 server) settings.
# Security-relevant options in this section:
#   domainneeded '1'     - plain names without a domain are not forwarded upstream
#   boguspriv '1'        - reverse lookups for private ranges are not forwarded
#   rebind_protection '1' - upstream answers pointing at private addresses are
#                           discarded (DNS rebinding protection)
#   rebind_localhost '1' - the same protection also covers 127.0.0.0/8 answers
#   localservice '1'     - only queries from directly attached subnets are answered
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP pool for lan: starts at offset 100, up to 150 leases, 12 hour lease
# time. DHCPv4, DHCPv6 and router advertisements all run in server mode.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# ignore '1': no DHCP service is offered on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd settings; maindhcp '0' presumably leaves DHCPv4 to dnsmasq - confirm.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

# Global defaults for traffic that matches no zone: accept input and output,
# reject forwarding, SYN flood protection enabled.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: traffic to the router, from the router and between lan networks
# is accepted.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# wan zone (wan + wan6): masquerading (NAT) and MSS clamping (mtu_fix) are on.
# NOTE(review): input and forward are both ACCEPT here, so every service on
# the router (SSH, LuCI, DNS, ...) is reachable from anything on the WAN side.
# The stock OpenWrt wan zone normally uses REJECT for both. In this thread the
# WAN side is the home router's LAN, which limits the exposure to that
# network - confirm this is intentional, and do not reuse this zone policy on
# a router whose WAN faces the internet directly.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

# Allow lan clients to reach the wan zone.
config forwarding
	option src 'lan'
	option dest 'wan'

# Per-service ACCEPT rules for traffic arriving from the wan zone.
# NOTE(review): the wan zone in this file has input and forward set to ACCEPT,
# so these rules do not narrow anything at the moment; they only take effect
# as exceptions once the zone policy is REJECT or DROP.

# DHCPv4 replies to the router's own DHCP client (UDP port 68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 ping (ICMP echo-request) to the router.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP (IPv4 multicast group management) to the router.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router's own DHCPv6 client (UDP port 546).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery: ICMPv6 types 130, 131, 132 and 143, accepted
# only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself (error messages, echo, neighbour/router
# discovery), rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'): echo and error messages
# only, with the same 1000/sec rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec ESP forwarded from wan to lan (src and dest are both set, so this
# matches forwarded traffic, not traffic to the router).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# IKE/ISAKMP (UDP port 500) forwarded from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the WireGuard interface 'WG0'. input, output and forward are all
# ACCEPT, so connected VPN peers can reach every service on the router.
config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'WG0'
	option forward 'ACCEPT'

# VPN peers may reach the lan zone.
config forwarding
	option src 'wg0'
	option dest 'lan'

# VPN peers may reach the wan zone (internet access through the tunnel).
config forwarding
	option src 'wg0'
	option dest 'wan'

# lan hosts may initiate connections to VPN peers.
# NOTE(review): together these three forwardings give each peer the same
# reach as a lan host; drop the ones a peer does not need if least privilege
# matters here.
config forwarding
	option src 'lan'
	option dest 'wg0'

# Intended to admit WireGuard traffic on UDP 1111 from the wan zone.
# NOTE(review): as written this rule does not describe inbound tunnel traffic:
#   - dest '*' makes it a forward rule (wan -> any zone); traffic addressed to
#     the router itself is matched by a rule with src but no dest.
#   - src_port '1111' additionally requires the client's source port to be
#     1111, which remote clients behind NAT will usually not use.
# The tunnel works in this setup because the wan zone in this file has
# input 'ACCEPT'. If that zone is tightened to REJECT, this rule would need
# dest and src_port removed (keeping src 'wan', proto 'udp', dest_port '1111').
config rule
	option name 'Wireguard Server'
	list proto 'udp'
	option src 'wan'
	option src_port '1111'
	option target 'ACCEPT'
	option dest '*'
	option dest_port '1111'

root@OpenWrt:~# 

Ping via Network->Diagnostics is also successful. Any idea what the issue may be?

post the whole update error message.

Executing package manager
Downloading https://downloads.openwrt.org/releases/22.03.3/targets/ramips/mt76x8/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/targets/ramips/mt76x8/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/telephony/Packages.gz
Errors
Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/targets/ramips/mt76x8/packages/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/base/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/luci/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/packages/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/routing/Packages.gz, wget returned 1.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/mipsel_24kc/telephony/Packages.gz, wget returned 1.
The opkg update command failed with code 6.

What happens if you test the following:

ping 168.119.138.211
ping downloads.openwrt.org
wget https://downloads.openwrt.org/releases/22.03.3/targets/ramips/mt76x8/packages/Packages.gz

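Problem solved based on this solution. The wget-nossl package was the issue: it is a wget build without SSL/TLS support, so it could not download the https:// package lists. Removed this, and now works fine.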

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I've installed htop. How do I go about checking if CPU load is the issue?

check the top screen CPU bar(s) in htop while using the WG tunnel.


So in the top bar, CPU usage peaks between 80%-95% on download and 50%-60% on upload (when running 2 tunnels, I did get a combined 27 down, 27 up with 97% CPU usage).

However, the list of processes doesn't show what is causing the jump, although clearly it is wireguard.

Is this essentially an insurmountable hardware limitation? Would using another VPN protocol result in higher speeds? Is there a way to overclock, or reduce other processes to give more CPU power for the VPN?

It seems a bit odd that when connected via wifi or lan, I get maximum speeds, but through the tunnel, the speeds are way lower.

Thanks!

Thanks. It's for restoring a factory reset router.

WG runs in the kernel, so I'm not sure it'll show up in htop with the default (or any) settings, since it's not a separate process.

yup

WG is less CPU intensive than openVPN, not sure if any other VPN tunnel would require even less CPU.

perhaps, but is it worth it ? to get, say 10% extra throughput ?

not at all, WG = encryption = CPU intensive.


OK, thank you. I now understand why these devices, while still excellent value, can be had for 5 euros.

they've got 100mbit ports, you shouldn't need any additional details to stay away :wink:

but I agree, at 5€ they're a steal, if used as (capped at 100mbit) APs, with expectations
set accordingly.


You can download the image from ASU with all the packages built in. So you can flash that to the factory reset router rather than having to manually install packages.
