Wireguard speed

I have Openwrt x86 setup with Wireguard on a subnet behind my OPNSense router.
With no vpn, I get +800Mbps according to Speedtest.net
With Wireguard, I only get ~200Mbps.

I initially thought the issue was cpu throttling as my system would not scale above 1.1GHz but even after correcting the issue and the cpus scaling up to their max 2.4GHz, I am still only getting ~200Mbps down.

Could the double firewall/nat cause the slow speed?
Any thoughts/ideas appreciated.

Is bw of wg node more than 200mbps?

Sorry, I'm not sure what you are asking.

My best guess is bw is bandwidth and wg is wireguard but I'm still not sure what you are asking.

If it answers your question, I am using this to connect to my vpn provider which gives me full speed when I use their apps etc so I should be getting +800Mbps with the vpn

Thanks for your reply

It is possible that the vpn provider is not giving you that much speed. This can be the result of the price/tier you subscribe to (just like your isp) and/or their capabilities.

Try installing wireguard on your phone or computer and then run the same speed tests (be sure to deactivate the wireguard interface on the router first).

I get full speed when using the vpn apps on my phone/pc etc
They definitely do not limit it to 200Mbps

Ok. That is good to verify.

Let’s take a look at the config to make sure there are no errors.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your reply.
See output below

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) N4100 CPU @ 1.10GHz",
	"model": "ZOTAC ZBOX-CI329NANO",
	"board_name": "zotac-zbox-ci329nano",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "x86/64",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9d:656e:640c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '198.18.0.1'
	list dns '198.18.0.2'

config interface 'Strong'
	option proto 'wireguard'
	option private_key 'i
	list addresses '100.96.4.21/32'
	list dns '198.18.0.1'
	list dns '198.18.0.2'
	option mtu '1384'

config wireguard_Strong
	option description 'Imported peer configuration'
	option public_key 'm4/jMq8aC2lVF1ZvgSCMTxzE7LPT+K+em98W8CT4EQg='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '216.131.83.236'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

Has your VPN provider told you to adjust the mtu?

No, that was from experimenting with different settings.
It didn't increase or decrease the speed.

But you're right, I should change it back.

Try changing it back and see if that improves anything. Aside from that, I don't know why it would be so slow -- I get faster than that with a Raspberry Pi 4.

Increased to 250Mbps but still not where it should be.
I'm going to try taking the OPNSense box out of the picture and see if that makes any difference.

First a correction. My x86 box is behind a router running OpenWRT on an Asus router, NOT behind an OPNSense box. The x86 box WAS an OPNSense box which I just converted to OpenWRT.

Now an update. I removed the Asus router running OpenWRT and setup the x86 box as the main router, so no more subnet. Ran the speedtest and got my full +800Mbps.

So the issue is definitely caused when I run the vpn on the subnet behind the other OpenWRT router.

Hope this helps the diagnosis

wait.... this contradicts what you were saying earlier:

Your initial statement suggested that you have OpenWrt running on an x86 device. If OpenWrt was running on an Asus router, that was the reason for your issues.... the processor on that device is certainly not powerful enough to handle Wireguard at the full bandwidth.

This has nothing to do with the double-NAT situation and everything to do with the processor that is being used to handle the Wireguard encryption/decryption.


Sorry for the confusion.

I have an Asus router with OpenWRT as my main router. No vpn.
I have a second router (the Zotac with Intel N4100 quad core) running OpenWRT x86 on a subnet, running the vpn, behind the Asus router.

If I setup the x86 router as the main router with vpn, I get +800Mbps
If I put the x86 router with vpn on a subnet behind the Asus router, I only get 200Mbps.

Hope this clarifies and thanks so much for your attention

Oh...I see. In that case, it could be an MTU issue (ironically) when you cascade the WG interface into wan of the x86 box up to the Asus router and out to the internet.

Aside from something of that nature, there's no reason that traffic would otherwise slow through the Asus if that device isn't responsible for any encryption/decryption, but rather just routing packets.
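One way to test the MTU theory above, as an added example that is not part of the original thread: binary-search the largest unfragmented IPv4 packet the path carries, then subtract the WireGuard encapsulation overhead to get the tunnel MTU. It assumes an iputils `ping` (the `-M do` option is not in the BusyBox applet); `TEST_HOST` and the `PROBE_CMD` hook are hypothetical names used only here.

```shell
#!/bin/sh
# Added example: measure path MTU and derive a WireGuard interface MTU.

# WireGuard overhead = outer IP header + 8 (UDP) + 32 (WireGuard header and tag).
WG_OVERHEAD_V4=60   # 20 + 8 + 32
WG_OVERHEAD_V6=80   # 40 + 8 + 32

# probe SIZE HOST: succeed if an IPv4 packet of SIZE bytes in total reaches
# HOST with "don't fragment" set. ICMP payload = SIZE - 20 (IP) - 8 (ICMP).
probe() {
    ping -c 1 -W 2 -M do -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# path_mtu HOST [LOW] [HIGH]: largest packet size in LOW..HIGH that passes.
# PROBE_CMD (hypothetical hook) replaces probe() for offline testing.
path_mtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    ${PROBE_CMD:-probe} "$lo" "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if ${PROBE_CMD:-probe} "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU [4|6]: largest tunnel MTU that fits inside PATH_MTU when
# the tunnel's outer packets are IPv4 (default) or IPv6.
wg_mtu() {
    case ${2:-4} in
        6) echo $(( $1 - WG_OVERHEAD_V6 )) ;;
        *) echo $(( $1 - WG_OVERHEAD_V4 )) ;;
    esac
}

# Run as: sh <this script> TEST_HOST   (any host that answers ping)
if [ $# -ge 1 ]; then
    pmtu=$(path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "path MTU $pmtu -> WireGuard mtu $(wg_mtu "$pmtu")"
fi
```

Run it with the tunnel down, once with the x86 box behind the Asus and once with it connected directly; if the cascaded path reports a smaller value, set `option mtu` on the WireGuard interface no higher than the printed result.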

What Asus router are we talking about?
Is it indeed capable of routing 250 Mb/s ?

It's an Asus AX-1800S, which seems to be the same as a RTAX54.
As mentioned, if I turn off the vpn, it allows the subnet to connect at +800Mbps, so it is certainly capable of +250Mbps.

To ensure nothing else was slowing things down, I connected the Zotac box directly to the lan port of the Asus, so no hubs/switches in between them.

Is there anything I can do to test the above theory? I know I can change MTU on the Wireguard interface? What about the main router? Any setting I should try?

Since I can't seem to get full speed with the vpn on a subnet, if I set the x86 box up as the main router with the vpn, can I specify which clients on the network should go through the vpn or restrict which clients use it?

You can use Policy Based Routing (PBR):
https://openwrt.org/docs/guide-user/network/routing/pbr