Wireguard performance on AR-300M with Lede

alpha1974 · January 22, 2018, 3:27pm

Hi folks,

I use AR-300M lite with clean LEDE image (built with LEDE image builder) as I want to test wireguard VPN connections.

I am able to establish stable wireguard VPN connections to a Debian 9 machine in my local network. My problem is the very slow performance through the wireguard tunnel: iperf3 shows only 2 mbps in both directions. Direct connection (without any vpn tunnel) shows around 90 mbps in both directions.

Is anyone else using wireguard on AR-300M? What is your network performance through the wireguard tunnel?

alpha1974 · January 28, 2018, 7:31pm

Just for the records: Limiting factor was my firewall´s intrusion protection sytem. Wireguard traffic was discovers as UDP flood.

alzhao · March 23, 2018, 5:25am

Can you tell me finally what is your speed of wireguard.

alpha1974 · March 23, 2018, 7:19am

Clean LEDE on AR300M-Lite (iperf3 through wireguard tunnel between AR300M and a local test server):

root@LEDE:~# iperf3 -c 10.0.10.1
Connecting to host 10.0.10.1, port 5201
[ 4] local 10.0.10.3 port 50784 connected to 10.0.10.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 6.43 MBytes 53.9 Mbits/sec 0 123 KBytes
[ 4] 1.00-2.00 sec 6.50 MBytes 54.5 Mbits/sec 0 158 KBytes
[ 4] 2.00-3.00 sec 6.56 MBytes 55.0 Mbits/sec 0 176 KBytes
[ 4] 3.00-4.00 sec 6.44 MBytes 54.1 Mbits/sec 0 186 KBytes
[ 4] 4.00-5.00 sec 6.50 MBytes 54.5 Mbits/sec 0 195 KBytes
[ 4] 5.00-6.00 sec 6.50 MBytes 54.5 Mbits/sec 0 206 KBytes
[ 4] 6.00-7.00 sec 6.62 MBytes 55.5 Mbits/sec 0 206 KBytes
[ 4] 7.00-8.00 sec 6.50 MBytes 54.5 Mbits/sec 0 206 KBytes
[ 4] 8.00-9.00 sec 6.81 MBytes 57.1 Mbits/sec 0 291 KBytes
[ 4] 9.00-10.00 sec 6.44 MBytes 54.0 Mbits/sec 0 291 KBytes

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 65.3 MBytes 54.8 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 64.5 MBytes 54.1 Mbits/sec receiver

iperf Done.
root@LEDE:~# iperf3 -c 10.0.10.1 -R
Connecting to host 10.0.10.1, port 5201
Reverse mode, remote host 10.0.10.1 is sending
[ 4] local 10.0.10.3 port 50788 connected to 10.0.10.1 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 7.79 MBytes 65.2 Mbits/sec
[ 4] 1.00-2.01 sec 8.71 MBytes 72.4 Mbits/sec
[ 4] 2.01-3.00 sec 8.31 MBytes 70.5 Mbits/sec
[ 4] 3.00-4.00 sec 8.69 MBytes 72.9 Mbits/sec
[ 4] 4.00-5.01 sec 8.68 MBytes 72.5 Mbits/sec
[ 4] 5.01-6.01 sec 8.44 MBytes 70.6 Mbits/sec
[ 4] 6.01-7.02 sec 8.78 MBytes 72.7 Mbits/sec
[ 4] 7.02-8.00 sec 8.34 MBytes 71.3 Mbits/sec
[ 4] 8.00-9.00 sec 8.60 MBytes 72.0 Mbits/sec
[ 4] 9.00-10.01 sec 8.44 MBytes 70.2 Mbits/sec

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.01 sec 86.3 MBytes 72.3 Mbits/sec 0 sender
[ 4] 0.00-10.01 sec 85.3 MBytes 71.4 Mbits/sec receiver

iperf Done.

alzhao · March 27, 2018, 11:27am

This speed is unbelievable.

Can you give the specs of your server? How about using the mini router as server as well?

alpha1974 · March 27, 2018, 1:28pm

My test server is just a Debian9 Virtual Machine with latest Wireguard-Packages. Mini Router was connected via LAN to the Debian-Server. On both ends (Mini Router and Debian) only Wireguard was running - and of course iperf3 Both systems were running in the same local subnet.

It was just a quick performance test between two machines, without any forwarding/routing from the Debian-Server out to the Internet…

Taigerr · April 29, 2018, 7:59am

hi there,
How did you do your settings to get Mullvad Wireguare working please? can you post on here

rk47 · May 1, 2018, 12:28am

Begin where it says “Installing WireGuard”

alzhao · May 1, 2018, 2:36am

Check the docs here:

Crazycat36 · May 31, 2018, 5:23am

How did you get the wireguard network interface to add properly all I’ve been getting is

Form token mismatch

The submitted security token is invalid or already expired!

In order to prevent unauthorized access to the system, your request has been blocked. Click “Continue »” below to return to the previous page.

alzhao · May 31, 2018, 10:15am

Just ssh to the router and edit /etc/config/network directly

Crazycat36 · June 1, 2018, 4:42am

No lie it’s tough getting this to work

rk47 · June 27, 2018, 7:04pm

Will this bug be fixed in the new GUI ?

I understand why people are frustrated & confused: there are also conflicting directives between the instructions found on GL.inet, Wireguard.com (for OpenWRT), and various VPN web proxy services, for example:

# opkg install wireguard

# opkg install kmod-wireguard
https://docs.gl-inet.com/

→ What is the difference between “wireguard” & “kmod-wireguard” ?

Where commercial VPN services attempt to automate WireGuard installation using a shell script, the script fails on GL.inet firmware because curl is not installed. After installation of curl, the script fails because ca-bundle is missing:

curl: (77) Error reading ca cert file /etc/ssl/certs/ca-certificates.crt - mbedTLS: (-0x3E00) PK - Read/write of file failed

I understand that some people here are using WireGuard in applications where they control both ends of the tunnel. But GL.inet firmware should also support WireGuard with commercial VPN proxy services. This means:

Published installation scripts for OpenWRT should complete without errors
Published instructions for the OpenWRT LuCI GUI should work properly on GL.inet firmware

REFERENCES

https://danrl.com/blog/2017/luci-proto-wireguard/

alzhao · June 28, 2018, 12:52am

As I said we are making new UI and new guide. It is not ready in one night.

Then existing guide is too technical. But what you need to do is just typing the exact command we posted. Don’t modify.

jadeRUS · July 5, 2018, 9:56am

wir

Unknown package ‘wireguard’

kyson-lok · July 5, 2018, 1:22pm

@jadeRUS Which version of the firmware do you use? Do you try issue opkg update at first?

rk47 · July 7, 2018, 7:29pm

Your instructions did not work. And the VPN provider’s instructions also did not work. When I followed the VPN service provider’s instructions after trying the GL.inet instructions, a routing conflict effectively bricked my router, because I could not log in any more.

I need Wireguard because OpenVPN does not provide adequate performance on small devices. So I purchased another GL.inet router because your web site implies that Wireguard functions correctly. But for me it did not work correctly:

It seems these instructions only work if the user controls both end points. Where one is using a VPN proxy service, the instructions provided by GL.inet and the VPN provider both do not work. Yet the VPN provider’s instructions did work correctly on a different brand of router running LEDE.

There are also some syntax errors in your instructions, for example, in ‘WireGuard - GL.iNet Router Docs 2’

config zone                  
    option name 'wg-vpn'

→ “wg-vpn” is an invalid name for the interface. (The “-” character is not allowed, and the GUI will give a warning if you attempt to add this interface name in LuCI.)

I did not post on this subject to annoy you or complain about the wait for the new GUI. I just want you to be aware that the Wireguard setup instructions on your web site do not always work if the user does not control both end points.

I also want you to know that an API exists which will permit the internet proxy service provider to automatically configure the client’s router for Wireguard. Your GUI should support this feature if you want VPN users to purchase the hardware. That is not a complaint, it is valuable business intelligence:

In another year or two, when Wireguard is more widely deployed by commercial VPN service providers, the client devices which support this API will have a big advantage in the market.

The point I am trying to make here is that the GUI support for Wireguard clients will be the primary selection criteria for many people who purchase a travel router. A simple setup procedure will be all that matters, and the hardware specifications will become less important. So I think you should devote more resources to software development, and less on creating new models of hardware.

Despite all of these problems, I did not give you a bad review on any web site. I still like GL.inet because the products ship with extensible open source software that automatically updates. This means I do not need to spend time on manually updating custom-configured endpoints which I have to manage for clients. So I still recommend GLi in many cases, but I still need better Wireguard support. Until then, it should not be too difficult to include the monitoring module in the repo:

“I also created a monitoring module. It is called luci-app-wireguard and should be available in all major repositories.”

https://danrl.com/blog/2017/luci-proto-wireguard/

alzhao · July 11, 2018, 5:35am

Hi @rk47, no tension, you are a good customer. Just trying to make things work.

Seems manual config is so difficult and I even don’t want to promote it. Now we are developing UI3.0 and will work with 2 commercial wireguard providers so that their server can work with our router directly.

Will put testing firmware of V3.0 to our website for testing.

rk47 · July 14, 2018, 11:59pm

I think thats a good idea. Soon the other providers will want to follow these 2 pioneers, so most VPN providers will probably end up using the same API. In the long term, this will simplify everything for the user and you will sell more routers. When this feature is working I will send you more customers!

junk1 · September 4, 2018, 4:42pm

I am having the same problem as the OP. I am running the pre-installed Wireguard server on an AR-750s, and I can’t get more than 2Mb/s in either direction. My OpenVPN speeds are much higher, so there is something going on.

The OP found that the firewall was to blame. How would I go about checking that?