Wireguard server speed on Asus TUF-AX4200

My ISP speed is 500 Mbps.

I installed a WG server on the router with MTU 1420.
The client on my laptop has the same MTU 1420.

The laptop is connected to the router by ethernet cable.

The client is run as

wg-quick up ./wg2.conf 
Warning: `/home/morpher/Documents/MyProjects/secrt/wg2.conf' is world accessible
[#] ip link add wg2 type wireguard
[#] wg setconf wg2 /dev/fd/63
[#] ip -4 address add 192.168.5.3/32 dev wg2
[#] ip link set mtu 1420 up dev wg2
[#] resolvconf -a tun.wg2 -m 0 -x
[#] wg set wg2 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg2 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

The speed drops to a maximum of 90 Mbps.


Playing with MTUs did not help.

CPU load during the test:

Can the speed be increased somehow? What's the reason for the drop from 500 to 90 Mbps?

You mean desktop?
I don't have one, only my Asus ROG

Cpu: 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
Mem: 32531908 kB

Did not understand the question, but here is a graph of traffic:

Hades is my wg server

I'm not sure it's OpenWRT-related, just asking what can be a reason for the problem.
There is a similar topic here: Wireguard dropping connection speed by almost 80% - #18 by efahl

I just wanted to know if maybe someone with an AX4200 had solved the problem.

Ethernet cable from my laptop to LAN1 on the router.

You’ll need to ask Asus or the maintainers of the firmware you are using. We can help you if you are running OpenWrt — all other firmware is a black-box and is not supported here.


Of course, I'm running OpenWRT.

Oh, in that case… let’s start by looking at your config in detail:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX4200",
	"board_name": "asus,tuf-ax4200",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "23.05.3 240325"
	}
}
cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4a:7f43:6b96::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'c8:7f:54:b7:0d:78'

config device
	option name 'lan2'
	option macaddr 'c8:7f:54:b7:0d:78'

config device
	option name 'lan3'
	option macaddr 'c8:7f:54:b7:0d:78'

config device
	option name 'lan4'
	option macaddr 'c8:7f:54:b7:0d:78'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'c8:7f:54:b7:0d:78'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'erebus'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option mtu '1340'

config interface 'nyx'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option mtu '1340'

config interface 'hades'
	option proto 'wireguard'
	option private_key 'xx='
	option listen_port '52820'
	list addresses '192.168.5.1/24'

config wireguard_hades 'wgclient1'
	option public_key 'xxxx='
	option preshared_key 'xx+XI='
	list allowed_ips '192.168.5.2/32'

config wireguard_hades 'wgclient2'
	option public_key 'KAYgteiifGa8p4gA/xxx='
	option preshared_key 'xx+XI='
	list allowed_ips '192.168.5.3/32'
nft -s list ruleset

table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname "br-lan" oifname "eth1" counter accept
		iifname "br-lan" oifname "wg1" counter accept
		iifname "br-lan" oifname "wg3" counter accept
		iifname "erebus" oifname "wg1" counter accept
		iifname "erebus" oifname "wg3" counter accept
		iifname "nyx" oifname "tun1" counter accept
		iifname "nyx" oifname "tun3" counter accept
		iifname "hades" oifname "wg1" counter accept
		iifname "hades" oifname "wg3" counter accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iifname "lo" accept
		iifname "br-lan" accept
		iifname "erebus" accept
		iifname "nyx" accept
		iifname "eth1" udp dport 52820 counter accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth1" meta nfproto ipv4 masquerade
		oifname "wg0" ip saddr 10.100.0.1 counter snat ip to 10.71.166.195
		oifname "wg1" ip saddr 10.100.0.2 counter snat ip to 10.71.166.195
		oifname "wg1" meta nfproto ipv4 masquerade
		oifname "wg2" ip saddr 10.100.0.3 counter snat ip to 10.71.166.195
		oifname "wg3" ip saddr 10.100.0.4 counter snat ip to 10.71.166.195
		oifname "wg3" meta nfproto ipv4 masquerade
		oifname "tun0" meta nfproto ipv4 masquerade
		oifname "tun1" meta nfproto ipv4 masquerade
		oifname "tun2" meta nfproto ipv4 masquerade
		oifname "tun3" meta nfproto ipv4 masquerade
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "erebus" ct state new meta mark set numgen random mod 2 offset 1
		iifname "erebus" ct state new ct mark set meta mark
		iifname "erebus" ct state established,related meta mark set ct mark
		iifname "nyx" ct state new meta mark set numgen random mod 2 offset 1
		iifname "nyx" ct state new ct mark set meta mark
		iifname "nyx" ct state established,related meta mark set ct mark
		iifname "hades" ct state new meta mark set numgen random mod 2 offset 1
		iifname "hades" ct state new ct mark set meta mark
		iifname "hades" ct state established,related meta mark set ct mark
	}
}

Given that you have the mtu of your local networks set lower than the default 1500, I would posit a guess that it could be related to an MTU mismatch.

Usually, the MTU is left at default for the local networks, and reduced only for the wan and/or tunnels when required.

Have you tried removing the MTUs for all networks? How did you arrive at the MTU values you are using now?

Deleting my posts, misunderstood issue, sorry.

MTUs are diminished by 80 bytes because the WG interfaces are connected in series. But that's not a problem.
In the simplest setup provided by the OpenWRT guide to WireGuard setup, the speed drops as described in this post: Wireguard dropping connection speed by almost 80% - #18 by efahl

Maybe someone else with the same router has the same problem and solved it? Or came to the conclusion that the problem cannot be solved, maybe.

It probably is a problem. My old Linksys EA6900 dual core 800 MHz is even faster.

Second problem is how you are testing; it seems you connect from inside?

Some more figures: Netgear R7800 (dual core 1725 MHz) over 300 Mb/s, my Dynalink DL-WRX36 (quad core 2.2 GHz) well over 800 Mb/s.

But anyway with 10 Mb/s upload you are severely limited.
I have never heard of an ISP with 500/10 Mb/s is this real?

Let me try to make things simpler. I follow the setup described in: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

When I connect

[laptop wg client]->[router's wg server]->[isp] 

wg client mtu = 1420 
router's wg server mtu = 1420

my connection is 80 Mbps instead of 500 Mbps.

What may be a cause?

The MTU you are using on your interfaces, as already stated by psherman, and it looks like you are testing from inside your own network.

You test a WG server from your WAN side, e.g. from a friend or from cellular internet, and then run an iperf3 test to a computer inside your network.

So possible causes are a flaw in your setup and a flawed testing methodology.

Firewall MSS fix solves this MTU mismatch for TCP (a checkbox in LuCI).
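Added example, not from any post in this thread: a small POSIX sh script that does the MTU bookkeeping the thread argues about (the 1420 wg-quick default, the 1340 on the erebus/nyx interfaces for two WireGuard hops in series), derives the TCP MSS that fits such a tunnel, prints the nft clamp rule that OpenWrt's fw4 installs for a zone with MSS clamping enabled, and offers an optional DF-ping probe to confirm a given MTU actually fits end to end. The assumptions are stated in the comments: a WireGuard data packet adds 32 bytes (16-byte header plus 16-byte Poly1305 tag) on top of 8 bytes of UDP and the outer IP header (20 bytes for IPv4, 40 for IPv6), and the 1420 default is the IPv6 worst case. The probe target address and the `--probe` flag are the script's own, not something OpenWrt provides.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, labelled:
#   WireGuard data packet = 16-byte header + 16-byte Poly1305 tag = 32 bytes,
#   carried in UDP (8 bytes) over IPv4 (20 bytes) or IPv6 (40 bytes).
#   1500 - 40 - 8 - 32 = 1420 is the usual wg-quick default (IPv6 outer header).

# Overhead of one WireGuard hop for a given outer IP family (4 or 6).
wg_overhead() {
    case "$1" in
        4) echo 60 ;;   # 20 IPv4 + 8 UDP + 32 WireGuard
        6) echo 80 ;;   # 40 IPv6 + 8 UDP + 32 WireGuard
        *) echo "usage: wg_overhead 4|6" >&2; return 1 ;;
    esac
}

# wg_mtu BASE_MTU FAMILY HOPS: inner MTU left after HOPS tunnels stacked in series.
wg_mtu() {
    base=$1; fam=$2; hops=$3
    ovh=$(wg_overhead "$fam") || return 1
    echo $((base - hops * ovh))
}

# Largest TCP MSS that fits one segment into an interface of the given MTU
# (IPv4 header 20 + TCP header 20, no options).
mss_for_mtu() {
    echo $(($1 - 40))
}

# The rule fw4 generates when a zone has mtu_fix=1 (the LuCI "MSS clamping" box).
# It clamps to the route MTU rather than a fixed number, so it also covers the
# 1340-byte nested tunnels without per-interface tuning.
mss_clamp_rule() {
    echo "tcp flags syn tcp option maxseg size set rt mtu"
}

# Live check, only when asked for (needs the tunnel up and a reachable peer):
# send one DF ping whose IP packet is exactly MTU bytes. ICMP echo header is
# 8 bytes and the IPv4 header 20, so payload = MTU - 28.
# Usage: ./mtu.sh --probe 192.168.5.1 1420   (address is a placeholder)
pmtu_probe() {
    if ping -c 1 -W 2 -M do -s $(( $2 - 28 )) "$1" >/dev/null 2>&1; then
        echo "$2 fits"
    else
        echo "$2 does not fit (fragmentation needed or peer unreachable)"
    fi
}

if [ "$1" = "--probe" ]; then
    pmtu_probe "$2" "$3"
else
    echo "1 WG hop over IPv6 transport: $(wg_mtu 1500 6 1)"   # 1420, the wg-quick default
    echo "2 WG hops in series:          $(wg_mtu 1500 6 2)"   # 1340, as on erebus/nyx
    echo "1 WG hop over IPv4 transport: $(wg_mtu 1500 4 1)"   # 1440
    echo "MSS clamp for a 1340 MTU:     $(mss_for_mtu 1340)"  # 1300
    echo "fw4 rule: $(mss_clamp_rule)"
fi
```

Run it with no arguments for the table, or with `--probe <peer> <mtu>` from the laptop while the tunnel is up; if 1420 does not fit but a smaller value does, the mismatch is real and either the tunnel MTU or the MSS clamp needs adjusting. Note that a correct MTU only removes fragmentation; it does not explain a throughput ceiling by itself, which is why the thread also points at the testing setup (iperf3 from the WAN side) and at the router's CPU.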

I had Comcast in the US - my plan was 400/20. It might have even been 800/25 at some point. I dropped them for many reasons and got a 10G symmetric fiber line. But yeah, DOCSIS cable operators in the US tend to have a massive imbalance (not sure how much is based on technical reasons vs cost, though)