I am confronted with a slight issue:
I set up OpenWrt 21.0.2 (custom image build) on an x86/64 device.
Everything is working as expected. I also installed a WireGuard server on the device.
However, this is where the odd thing happens: I have a good download speed from any client (4G, another machine on another ISP/connection) but very slow upload. I am hosting a speedtest server in my own network, so the diagram would look like this:
Client -> Wireguard -> Openwrt -> Speedtest server
On the firewall I am dropping everything except DHCP renew and the WireGuard port:
cat firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

---------------//-----------------------------------

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wireguard'
	option dest 'wan'
I do not understand this one:
> remove the wg0 device stanza.
wg0 is the name of the interface I am using for WireGuard. I added it as WG0, protocol WireGuard... I think the "config device" portion showed up after I disabled IPv6 on the WireGuard interface...
cat firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	list src_ip 'fc00::/6'
	list dest_ip 'fc00::/6'
	option target 'DROP'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	list src_ip 'fe80::/10'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'DROP'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'DROP'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'DROP'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option proto 'udp'
	option family 'ipv4'
	option dest_port '33434-33689'
	option target 'DROP'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wireguard'
	option dest 'wan'
One thing that happened in the initial setup: I initially did forwarding from the wireguard zone to LAN, but that only allowed local access and no internet for peers. I added the forwarding to WAN as well and that solved that issue.
The initial test I did using a PC in another network (different ISP as well) and from my phone.
From that PC I had 450 Mbps download / 60 Mbps upload.
From my phone, at this moment I have 100 Mbps download and 30 Mbps upload. And while 4G is not the best of options, the difference is considerable...
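Two things in the pasted file are worth checking mechanically rather than by eye: the forwarding stanzas decide where tunnel traffic can go (the wireguard -> lan plus wireguard -> wan pair the post ends up with), and the second paste contains several rules named Allow-* whose target is DROP. The checker below is an added example, not code from this thread or from OpenWrt: it parses a UCI firewall file, reports the zone a wireguard interface belongs to and the zones it can forward to, lists the rules that open the router itself to the wan zone, and flags Allow-* rules that actually block. The embedded config is a constructed, trimmed copy of the one above, and the function names (parse_uci, zone_for_network, zone_reach, accepted_from, misnamed_rules) are mine. One fact it relies on: fw3 documents DROP as the default rule target when none is set.

```python
import re

# Constructed sample, trimmed from the firewall file pasted in the thread.
SAMPLE_FIREWALL = """
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config zone
    option name 'wireguard'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'wg0'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    option target 'DROP'

config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'

config forwarding
    option src 'wireguard'
    option dest 'lan'

config forwarding
    option src 'wireguard'
    option dest 'wan'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
_ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; 'list' entries
    accumulate into Python lists, 'option' entries are plain strings."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({'type': m.group(1), 'name': m.group(2), 'options': {}})
            continue
        m = _ENTRY.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1]['options']
            if kind == 'list':
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def zone_for_network(sections, network):
    """Zone whose 'list network' contains the interface, or None."""
    for s in sections:
        if s['type'] == 'zone' and network in s['options'].get('network', []):
            return s['options'].get('name')
    return None


def zone_reach(sections, zone):
    """Zones that traffic entering `zone` may be forwarded to (sorted)."""
    return sorted(s['options']['dest'] for s in sections
                  if s['type'] == 'forwarding' and s['options'].get('src') == zone)


def accepted_from(sections, zone):
    """Input rules (no dest zone) that ACCEPT traffic from `zone` into the
    router itself: the holes punched through a REJECT input policy."""
    return [(o.get('name', '?'), o.get('proto', 'all'), o.get('dest_port', 'any'))
            for o in (s['options'] for s in sections if s['type'] == 'rule')
            if o.get('src') == zone and 'dest' not in o and o.get('target') == 'ACCEPT']


def misnamed_rules(sections):
    """Rules named Allow-* whose target blocks. An unset target counts as
    DROP (the fw3 default). Harmless for traffic, misleading for the reader."""
    return [s['options'].get('name', '') for s in sections if s['type'] == 'rule'
            and s['options'].get('name', '').startswith('Allow-')
            and s['options'].get('target', 'DROP') in ('DROP', 'REJECT')]


if __name__ == '__main__':
    secs = parse_uci(SAMPLE_FIREWALL)
    wg_zone = zone_for_network(secs, 'wg0')
    print(f"wg0 is in zone {wg_zone!r}, which can forward to {zone_reach(secs, wg_zone)}")
    print("router accepts from wan:", accepted_from(secs, 'wan'))
    print("rules named Allow-* that actually block:", misnamed_rules(secs))
```

On the sample this reports that wg0 sits in the wireguard zone with forwarding to both lan and wan, that UDP 51820 is the only input hole in the wan zone, and that Allow-Ping is really a drop rule. Running it against a real `/etc/config/firewall` (read the file instead of SAMPLE_FIREWALL) gives the same three answers for the full file, which is a quicker way to spot a missing wireguard -> wan forwarding than testing from a phone.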
Usually this is configured as a /24, while all of the peers are configured with /32 addresses.
You can go ahead and leave the device wg0 stanza -- that should be fine.
This is not doing anything useful AFAICT. I'd remove it.
So if you are testing through the internet, you need to consider the speed of each internet connection in general. What is the ISP speed (up and down) for the connection that is local to the router we're working with?
And how about the speed when you're not using WG on that remote PC? You need to test with and without WG running.
Same deal here. What is the 4G speed with and without the WG tunnel running?
You have to look at the maximum speed as a function of the slowest part of the link.
This route serves a specific purpose: to stop Android devices from using 8.8.4.4 as secondary DNS. I am using Pi-hole in my network and since I only have 1 server, the second DNS was filled in automatically on the Android device with Google DNS, which ended up bypassing the Pi-hole.
> So if you are testing through the internet, you need to consider the speed of each internet connection in general. What is the ISP speed (up and down) for the connection that is local to the router we're working with?
My connection is 1 Gbps down / 500 Mbps up and the test machine was on a similar connection: 1 Gbps down / 500 Mbps up, just a different provider.
It looks like 4G is the only place it works OK, since without the VPN I have 120 Mbps down and 30 Mbps up. I should have checked this before posting...
For some reason, it seems all is good now... I can easily saturate the internet connection with WireGuard... dunno what was wrong. I will mark this topic as closed... if I have a way of doing this.