Wireguard slow upload, fast download

Hello,

Happy new Year everyone!

I am confronted with a slight issue:
I setup openwrt 21.0.2 (custom image build) on an x86/64 device.
Everything is working as expected. I also installed a wireguard server on the device.
However, this is where the odd thing happens: I have a good download speed from any client (4G, another machine in another ISP/connection) but very slow upload. I am hosting a speedtest server in my own network, so the diagram would look like this:

Client -> Wireguard -> Openwrt -> Speedtest server

On the firewall I am dropping everything except DHCP renew and the WireGuard port.

cat firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
---------------//-----------------------------------
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'wan'

cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd83:3f07:7d5c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.50.1'
        list dns '192.168.50.24'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config route
        option interface 'lan'
        option target '8.8.4.4'
        option gateway '192.168.50.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'key1'
        option listen_port '51820'
        option nohostroute '1'
        list addresses 'xxx.xxx.xxx.xxx/28'

config wireguard_wg0
        option description 'Laptop'
        option endpoint_port '51820'
        option public_key 'key1'
        list allowed_ips 'xxx.xxx.xxx.xxx/28'
        option preshared_key 'psk1'

config wireguard_wg0
        option description '70'
        option public_key 'key1'
        option preshared_key 'key2'
        list allowed_ips 'xxx.xxx.xxx.xxx/28'
        option endpoint_port '51820'

config device
        option name 'wg0'
        option ipv6 '0'


I also enabled packet steering but with no influence.
HW specs: Intel i3 7100 2C/4T
8 GB RAM
16 GB SSD

So there are a few things to look at here... these may or may not solve the speed issues, but let's clean things up.

Is this router acting as the WG 'server'?

If so...

  • Why is 'nohostroute' in the interface declaration? That should probably be deleted.
  • What are the addresses in the list addresses and allowed IPs fields? They should be RFC1918 address ranges (which you do not need to redact).
  • The peer config stanzas' allowed_ips field should be defined with /32 (and this should be the same address as on the peer's interface configuration).
  • you probably want/need to add option route_allowed_ips '1' to your peer config stanzas.
  • remove the option endpoint_port from each of the peers.
  • remove the wg0 device stanza.

It would also be useful to see the /etc/config/firewall file and the peer config from the peer that is being used to test.

And regarding speed data

  • what speeds are you getting for up and down?
  • How are you testing -- is the remote peer (client) on the local network or is it on the internet?

Hello,

Thanks for taking the time to reply. I corrected some of the issues:

cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd83:3f07:7d5c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.50.1'
        list dns '192.168.50.24'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config route
        option interface 'lan'
        option target '8.8.4.4'
        option gateway '192.168.50.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'key1'
        option listen_port '51820'
        list addresses '192.168.30.1/32'

config wireguard_wg0
        option description 'Laptop'
        option public_key 'key1'
        option preshared_key 'key1'
        list allowed_ips '192.168.30.3/32'
        option route_allowed_ips '1'

config wireguard_wg0
        option description '70'
        option public_key 'key1'
        option preshared_key 'key1'
        list allowed_ips '192.168.30.2/30'
        option route_allowed_ips '1'

config device
        option name 'wg0'
        option ipv6 '0'

I do not understand this one: "remove the wg0 device stanza". wg0 is the name of the interface I am using for WireGuard. I added it as WG0, protocol WireGuard... I think the "config device" portion showed up after I disabled IPv6 on the WireGuard interface...

cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'DROP'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        list src_ip 'fc00::/6'
        list dest_ip 'fc00::/6'
        option target 'DROP'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv6'
        list src_ip 'fe80::/10'
        option target 'DROP'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option target 'DROP'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option target 'DROP'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'DROP'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'DROP'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option proto 'udp'
        option family 'ipv4'
        option dest_port '33434-33689'
        option target 'DROP'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'wan'

One thing that happened in the initial setup: I initially did forwarding from wireguard zone to LAN but that only allowed local access and no internet to peers. I added the forwarding to WAN as well and that solved that issue.

The initial test I did using a PC in another network (different ISP as well) and from my phone.
From that PC I had a 450 Mbps download / 60 Mbps upload.
From my phone, at this moment, I have 100 Mbps download and 30 Mbps upload. And while 4G is not the best of options, the difference is considerable...

There is no such thing - making up release versions doesn't help your issue.

It was a typo... Version is 21.02.1

More specifically: OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.357.58218-b3cd473

Usually this is configured as a /24, while all of the peers are configured with /32 addresses.

You can go ahead and leave the device wg0 stanza -- that should be fine.

This is not doing anything useful AFAICT. I'd remove it.

So if you are testing through the internet, you need to consider the speed of each internet connection in general. What is the ISP speed (up and down) for the connection that is local to the router we're working with?

And how about the speed when you're not using WG on that remote PC? You need to test with and without WG running.

Same deal here. What is the 4G speed with and without the WG tunnel running?

You have to look at the maximum speed as a function of the slowest part of the link.
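The checklist above (nohostroute, RFC1918 addresses, /32 peer allowed_ips, route_allowed_ips, no endpoint_port on the server side) and the "/24 interface, /32 peers" note can be turned into a mechanical check. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI text with a small hand-written parser and applies those rules to a server-side WireGuard interface. The two sample configs are constructed from the wg0 and peer stanzas posted in the thread, with the key material left out; the check assumes the router is the WireGuard "server", exactly as the checklist does.

```python
import ipaddress
import re

# Constructed from the first post's wg0/peer stanzas (keys omitted, addresses redacted as posted).
ORIGINAL_NETWORK = """\
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        option nohostroute '1'
        list addresses 'xxx.xxx.xxx.xxx/28'
config wireguard_wg0
        option description 'Laptop'
        option endpoint_port '51820'
        list allowed_ips 'xxx.xxx.xxx.xxx/28'
config wireguard_wg0
        option description '70'
        list allowed_ips 'xxx.xxx.xxx.xxx/28'
        option endpoint_port '51820'
"""

# Constructed from the revised stanzas in the follow-up post.
REVISED_NETWORK = """\
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.30.1/32'
config wireguard_wg0
        option description 'Laptop'
        list allowed_ips '192.168.30.3/32'
        option route_allowed_ips '1'
config wireguard_wg0
        option description '70'
        list allowed_ips '192.168.30.2/30'
        option route_allowed_ips '1'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_ENTRY = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'option': {k: v}, 'list': {k: [v, ...]}}]."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2),
                             "option": {}, "list": {}})
            continue
        m = _ENTRY.match(line)
        if m and sections:  # blank lines and separators are ignored
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["option"][key] = val
            else:
                sections[-1]["list"].setdefault(key, []).append(val)
    return sections


def lint_wireguard_server(network_text):
    """Apply the thread's checklist to every proto 'wireguard' interface; return findings."""
    findings = []
    net = parse_uci(network_text)
    for iface in (s for s in net if s["type"] == "interface"
                  and s["option"].get("proto") == "wireguard"):
        name = iface["name"]
        if iface["option"].get("nohostroute") == "1":
            findings.append(f"{name}: nohostroute is set; not wanted on the server side")
        for addr in iface["list"].get("addresses", []):
            try:
                ip = ipaddress.ip_interface(addr)
            except ValueError:
                findings.append(f"{name}: address {addr!r} is not a valid address")
                continue
            if not ip.ip.is_private:
                findings.append(f"{name}: address {addr} is not an RFC1918/ULA address")
            if ip.network.prefixlen == ip.network.max_prefixlen:
                findings.append(f"{name}: address {addr} is a host prefix; a /24 is usual")
        # Peer stanzas for this interface are of type wireguard_<ifname>.
        for peer in (s for s in net if s["type"] == f"wireguard_{name}"):
            label = peer["option"].get("description", "?")
            if any(k.startswith("endpoint_") for k in peer["option"]):
                findings.append(f"peer {label}: endpoint_* set; remove on the server side")
            if peer["option"].get("route_allowed_ips") != "1":
                findings.append(f"peer {label}: route_allowed_ips '1' missing")
            for aip in peer["list"].get("allowed_ips", []):
                try:
                    n = ipaddress.ip_network(aip, strict=False)
                except ValueError:
                    findings.append(f"peer {label}: allowed_ips {aip!r} is not valid")
                    continue
                if n.prefixlen != n.max_prefixlen:
                    findings.append(f"peer {label}: allowed_ips {aip} should be a /32")
    return findings


if __name__ == "__main__":
    for f in lint_wireguard_server(REVISED_NETWORK):
        print("-", f)
```

Run against the first post's stanzas it reports the nohostroute option, the unparseable addresses, the endpoint_port on both peers and the missing route_allowed_ips. Run against the revised stanzas it still reports two things the thread itself points at: the interface address is a /32 where a /24 is usual, and the second peer's allowed_ips is a /30 rather than a /32.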

I corrected the /24 on the server. Thanks for pointing that out. I should have been less enthusiastic with the /32 :smiley:

config route
        option interface 'lan'
        option target '8.8.4.4'
        option gateway '192.168.50.1'

This route serves a specific purpose: to stop Android devices from using 8.8.4.4 as a secondary DNS. I am using Pi-hole in my network and, since I only have one server, the second DNS was filled in automatically on the Android device with Google DNS, which ended up bypassing the Pi-hole.

So if you are testing through the internet, you need to consider the speed of each internet connection in general. What is the ISP speed (up and down) for the connection that is local to the router we're working with?

My connection is 1 Gbps down/500 Mbps up and the test machine was on a similar connection: 1 Gbps down/500 Mbps up, just a different provider.

It looks like 4G is the only place where it works OK, since without VPN I have 120 Mbps down and 30 Mbps up. I should have checked this before posting...

Thank you

For some reason, it seems all is good now... I can easily saturate the internet connection with WireGuard... dunno what was wrong. I will mark this topic as closed... if I have a way of doing this.

Thank you all for your help.
