I've successfully enabled WireGuard and set up clients on my NBG6817, on Openwrt 21.02rc1. Upon connecting on my laptop I can see my LAN assets/router GUI, all fine.
BUT. There is a big discrepancy between download and upload speed. Download is consistently around 38-40Mbit, but upload is around 80Mbit... Therefore my download rate is almost the same I have with OpenVPN, so something must be fishy.
I've tried googling, and it may be connected to MTU? My MTU sizes are the default - WAN MTU is 1492, LAN is 1500. MTU on the WireGuard interface is 1420 (also tried setting it to 1412, also matching it on the client side, no change).
What should I try? Thanks all!
WireGuard config
Interface:
config interface 'wg0'
option proto 'wireguard'
option listen_port '1234'
option private_key 'server private key'
list addresses '10.20.40.1/24'
option mtu '1412'
So both OpenVPN and Wireguard cap out at 38-40Mbit/s download? Have you tried monitoring the CPU usage on the NBG6817 during the speed test? I think you had the right idea with the 1412 MTU, since you're not pushing 1500 through WAN it might help reduce fragmentation and use less CPU cycles.
Another thing you might try is toggling: packet steering, software/hardware flow offloading. If packet steering works to increase your download speed, I'd disable it and instead install the irqbalance package.
Edit: According to a comment from StackOverflow, Wireguard has an overhead of 60 for IPv4, and 80 for IPv6. So if you're using IPv4 only, maybe try setting the MTU to 1432 as a test. Another user reported better performance by lowering the MTU to 1400. Too high or too low will mean more reassembly of fragments than necessary.
Setting the same wouldn't work, since WireGuard has a overhead of 60 (ipv4) / 80 (ipv6) – baburao Feb 16 at 20:31
Thanks for the reply! I've packet steering, irqbalance both enabled... Should I disable one of them?
I woudln't have any problem with OpenVPN topping out at around 38-40Mbit as I know it is very CPU-heavy. But, WireGuard should be faster based on all reports (and the upload at 80Mbits attest to that). My network is IPV4 only, I've no need for IPV6 yet.
Both packet steering and irqbalance try to achieve the same thing, spreading the interrupts to all the cores evenly. But as far as I understand, packet steering works much better on high core count systems. On a dual core system, it might improve performance or degrade it (like the luci tooltip says). Irqbalance tends to work better than packet steering in this case, so disable one or the other. If you have SQM on, any form of flow offloading should be disabled because packets will bypass SQM (at least that was true in 19.07, I'm not sure if anything has changed for 21.02).
Wireguard should be faster, but it depends on what kind of hardware acceleration you might have (or might not be able to use with OpenWRT) or how optimized the algorithms wireguard uses are in comparison to what OpenVPN uses for your platform.
I'll try with packet steering disabled then! I don't have any kind offload enabled btw, and I don't think my router's platform has any kind acceleration for crypto (devs are trying to eek our mire performance with enabling the NSS cores, but crypto is not part of that effort as the returns were negligible when compared to routing gains) .
Tried with irqbalance only and it was a wash... My normal download speed on wifi tanked to ~100Mbit. With only packet steering enabled it jumped up to 200Mbit, so I'll stay with that. I'll test WG performance with packet steering only sometime later when I've access to fast network different from my own.
Just an update now that I was finally able to test WG with packet steering only on a good internet connection other than my home network.
Irqbalance definitely doesn't like my router and or config. With just packet steering, I was clearing 100Mbit with WG, and almost 70 with OpenVPN. Might be a thing to keep in mind for users of a Zyxel NBG6817.