Wireguard speed is too low

x86cokr · January 16, 2021, 8:25am

Hi,

I configured wireguard on my openwrt router, Xiaomi Redmi AC2100 which has MT7621 in it.
However, the wireguard speed is around 35Mbps lower than I expected.
As the speed without vpn is higher than 250Mbps, I expected wireguard speed would be higher than 100Mbps, the result is as low as 35Mbps.
The test clients are windows 10 laptop, macbook, iphone, which results almost the same speed.

in /etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<Server-Private-Key>'
        option listen_port '31194'
        list addresses '10.9.0.1/24'

config wireguard_wg0
        option description 'wireGuard_wg0'
        option public_key '<Server-Public-Key>'
        option route_allowed_ips '1' 
        option endpoint_port '31194'
        option endpoint_host '<Wireguard-Server-IP>'
        list allowed_ips '10.9.0.0/24'

config wireguard_wg0
        option description 'client'
        option public_key '<Client-Public-Key>'
        option endpoint_port '31194'
        option persistent_keepalive '25'
        list allowed_ips '10.9.0.2/32'

in /etc/config/firewall

config zone
    option name         'wg'
    option input        'ACCEPT'
    option forward      'ACCEPT'
    option output       'ACCEPT'
    option network      'wg0'
    option masq         1 
    option mtu_fix      1
    
config rule
    option name         'Allow-wireguard'
    option src          'wan'
    option proto        'udp'
    option dest_port    '31194'
    option target       'ACCEPT'
    
config forwarding
    option src 'wan'
    option dest 'wg'
    
config forwarding
    option src 'wg'
    option dest 'wan'

in client-confg

[Interface]
PrivateKey = '<Client-Private-Key>'
Address = 10.9.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = '<Server-Public-Key>'
AllowedIPs = 0.0.0.0/0
Endpoint = <Wireguard-Server-IP>:31194

Please help me to increase speed
Thanks in advance

trendy · January 16, 2021, 8:49am

There is no need to masquerade the wg firewall zone.
Also no need for wan->wg forwarding. If I understand properly the wan is the outside internet zone.
Don't use endpoint_port orendpoint_host in the peer configuration part.
Check with top or htop the cpu utilization during the file transfer.

x86cokr · January 16, 2021, 9:16am

Thanks for your reply

I just deleted the following line by your suggestion in wg firewall zone.
option masq 1

If I delete the wan->wg forwarding, the Speedtest app doesn't work.

And it is endpoint to specify the address and port of wireguard peer. It won't work without endpoint_host or endpoint_port.

The cpu consumption rate on top during speed test is around 20%, and the speed is the same as before.

Do you have any other idea?

trendy · January 16, 2021, 12:51pm

Is the speedtest initiated from wan or wg?

x86cokr:

config wireguard_wg0
        option description 'wireGuard_wg0'
        option public_key '<Server-Public-Key>'
        option route_allowed_ips '1' 
        option endpoint_port '31194'
        option endpoint_host '<Wireguard-Server-IP>'
        list allowed_ips '10.9.0.0/24'

Which one is this peer?

x86cokr · January 16, 2021, 1:27pm

Is the speedtest initiated from wan or wg?
=> The speedtest app on wireguard client sends packet to the wireguard server on openwrt.
Which one is this peer?
Previously I tought that you meant in client config.
Now I just deleted the followings from /etc/config/network on openwrt server.
option endpoint_port '31194'
option endpoint_host ''
I agree with you this information isn't required on server.

However, the speed test result is the same as before.

x86cokr · January 16, 2021, 1:33pm

By the way, does HW/SW nat offloading affect the wireguard speed?

trendy · January 16, 2021, 4:21pm

Anything coming from wg zone to the router is governed by the INPUT policy of the wg zone.
I am talking about the wan->wg forwarding

Which means that you allow all packets from the internet to the wg.

You can try to set it off to test.
How are the clients connected to the router? Over 3G/LTE or some other way?

x86cokr · January 17, 2021, 2:30am

I just deleted the following by your suggestion, the speedtest works but the same speed result.

config forwarding
    option src 'wan'
    option dest 'wg'

Additionally, I deleted the following, the speedtest doesn't work.

config forwarding
    option src 'wg'
    option dest 'wan'

x86cokr · January 17, 2021, 2:47am

It looks that Luci doesn't allow to select only HW flow offloading.
It allows to select both of HW flow offloading and SW flow offloading, or allows to select only SW flow offloading like the following 2 pictures.
Is this normal?
Anyway the speed test result is the same.

I doubt that this supports Hardware flow offloading.

x86cokr · January 17, 2021, 3:17am

client on PC communicates over LAN or WIFI

trendy · January 17, 2021, 11:31am

You don't need to delete this, if you want to provide internet to the wg clients.

Better double check and configure accordingly. I don't use it anyway.

Try to measure the speed with iperf too. Don't use the router as endpoint, as the packet process is affecting the overall performance of the router.

x86cokr · January 18, 2021, 10:02am

Thanks again for your reply

As I'm currently in another country, I just found that their internet is ADSL, different from my country.

The place where I currently test uses ADSL, whose upload speed is only around 35Mbps. So the speed of wireguard server on the peer over the internet is restricted to 35Mbps, because vpn traffic both uploads and downloads in terms of vpn server.
Therefore, I just changed the test environment, which set the wireguard server on the intranet with the wireguard client, then the wireguard speed is about 87Mbps whose speed is still restricted by old test router wan 100Mbps speed.

The test environment is currently restricted, I can't test further for now.
But I expect that wireguard speed on my device will be higher than 87Mbps hopefully over 100Mbps, if use new router later.

eisengrau · January 19, 2021, 7:08pm

Can confirm that it is nothing to do with OpenWrt, nor your device. I have the same Redmi AC2100 with 19.07.5 and using Wireguard. The speed of your WAN connection, what ultimately decices your throughput with WG. And I can tell you, I only had positive experiences with WG on OpenWRT.

Also, if you are setting up a full WG tunnel (understand as: allowing 0.0.0.0/0 on your peer - mobile app client, whatever), you don't need to set up a separate firewall zone for the WG interface on your OpenWRT wireguard "server". You can instead add the wg interface to your LAN zone, or create an alternative LAN (VLAN) zone and forward that to WAN, and add the full tunnel WG interface to it - you don't want to forward your "main" LAN...

You can also test your speed with iperf3 as mentioned with a "split tunnel" configuration, eg. allowing only internal LAN forwardings on both sides. The tunnel will still use your WAN connection as a backbone, so you would get more realistic statistics this way (instead of relying on some shady, no-name "speedtest app" that connects to who-knows-what crappy server)

x86cokr · January 21, 2021, 5:16pm

Thanks for your reply
Good to hear you have the same device as mine.

I sent the device to the peer side over internet which is not ADSL. And the throughput result by speedtest is higher than 100Mbps which I expected in real internet. The test server on speedtest including ISP is definitely reliable.
I'll check stability more, but so far so good!

luochongjun · July 3, 2023, 9:47am

In my tests, wireguard performance did drop a lot, even at less than half the original rate without offload enabled. I am investigating this issue and will update here if I find anything.