topsbr
October 9, 2024, 11:37pm
Hello everyone...
I have my router installed and configured correctly and I have some active monitoring on it, such as Wireguard as we can see below.
I would like to know if this is normal behavior or what I can do to improve it.
The VPN is not being used, and even so I see traffic graphs in the monitoring.
Thanks!!
The low bit rates seem to suggest that you have a handshake and the tunnel is working, but little or no other traffic. The problem is that we don't know what that VPN is for in your setup, so it's hard to know if this is normal and/or if it needs improvement. In other words... what are you expecting?
When you say "there is no use of the VPN" -- what do you mean? You're not actively using it, or you are surprised that nothing is flowing through the tunnel? Or is the tunnel disabled??
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
topsbr
October 10, 2024, 4:02pm
Hello @psherman ...
Q: When you say "there is no use of the VPN" -- what do you mean? You're not actively using it, or you are surprised that nothing is flowing through the tunnel? Or is the tunnel disabled??
A: I'm not actively using the VPN at the moment; my VPN server, tunnel and connection work perfectly when I need to use them.
root@horus:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "horus",
"system": "Intel(R) Celeron(R) CPU N2808 @ 1.58GHz",
"model": "ULTRATOP ULTRATOP Liva",
"board_name": "ultratop-ultratop-liva",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "x86/64",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@horus:~#
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0b:4bce:7eb5::/48'
option packet_steering '1'
config interface 'lan'
option device 'eth1'
option proto 'static'
list ipaddr '192.168.15.1/26'
option ip6assign '64'
config interface 'wan'
option proto 'pppoe'
option device 'eth0'
option username 'cliente@cliente'
option password 'cliente'
option ipv6 'auto'
config interface 'onu_vsol'
option proto 'static'
option device 'eth0'
list ipaddr '192.168.1.2/30'
option ip6assign '64'
config interface 'wireguard'
option proto 'wireguard'
option private_key '<edited>'
option listen_port '1195'
option ip6assign '64'
list addresses '192.168.17.1/24'
list addresses 'fd00:17::1/64'
config wireguard_wireguard
option description 'Cel_POCOX3PRO_RR'
option public_key 'YTcAFTPBpjnm7qgdDWz6OZgadDYlxLyDJFgr8oKVXXM='
option private_key '<edited>'
list allowed_ips '192.168.17.2/32'
option persistent_keepalive '25'
root@horus:~#
root@horus:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0b:4bce:7eb5::/48'
option packet_steering '1'
config interface 'lan'
option device 'eth1'
option proto 'static'
list ipaddr '192.168.15.1/26'
option ip6assign '64'
root@horus:~# cat /etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'onu_vsol'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'NintendoSwitch-NAT_A'
list proto 'udp'
option src 'wan'
option src_dport '45000-65535'
option dest_ip '192.168.15.30'
option dest_port '45000-65535'
config redirect
option target 'DNAT'
option name 'DDNS_IPV4'
option src 'wan'
option src_dport '8181'
option dest_ip '192.168.15.1'
option dest_port '80'
list proto 'tcp'
config redirect
option target 'DNAT'
option name 'DDNS_IPV6'
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option src_dport '8181'
option dest_ip '2804:7f0:7a01:5b8a:518f:9771:11c:a1c8'
option dest_port '80'
config redirect
option target 'DNAT'
option name 'Transmission'
option src 'wan'
option src_dport '1111'
option dest_ip '192.168.15.1'
option dest_port '1111'
option dest 'lan'
config rule
option name 'Allow-Transmission'
option src 'wan'
option dest_port '1111'
option target 'ACCEPT'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
root@horus:~# cat /etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'onu_vsol'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'NintendoSwitch-NAT_A'
list proto 'udp'
option src 'wan'
option src_dport '45000-65535'
option dest_ip '192.168.15.30'
option dest_port '45000-65535'
config redirect
option target 'DNAT'
option name 'DDNS_IPV4'
option src 'wan'
option src_dport '8181'
option dest_ip '192.168.15.1'
option dest_port '80'
list proto 'tcp'
config redirect
option target 'DNAT'
option name 'DDNS_IPV6'
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option src_dport '8181'
option dest_ip '2804:7f0:7a01:5b8a:518f:9771:11c:a1c8'
option dest_port '80'
config redirect
option target 'DNAT'
option name 'Transmission'
option src 'wan'
option src_dport '1111'
option dest_ip '192.168.15.1'
option dest_port '1111'
option dest 'lan'
config rule
option name 'Allow-Transmission'
option src 'wan'
option dest_port '1111'
option target 'ACCEPT'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'wireguard'
config forwarding
option src 'wireguard'
option dest 'lan'
config forwarding
option src 'wireguard'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wireguard'
config rule
option name 'Allow_Wireguard'
list proto 'udp'
option src 'wan'
option dest_port '1195'
option target 'ACCEPT'
root@horus:~#
Based on what you've said and a quick read of your config, I don't see any issues there. I think everything is normal. I don't see any need to change anything.
egc
October 10, 2024, 4:28pm
It looks like the WireGuard interface is set up as the server side, listening for incoming connections, so the interface is up and shown in the monitoring even when no peer is sending traffic.
Unrelated, but since this looks like the server side (listening for incoming connections), you do not need to enable masquerading on the WireGuard zone.
topsbr
October 10, 2024, 11:23pm
Thanks @egc and @psherman
Yes, the WireGuard interface is configured as the server side!
I will fix this setting soon, probably tomorrow.