Best router for Wireguard out of the box?

[sfx2000]

I thought I read somewhere that WG intended to eventually support AES. If they do, that will provide some interesting performance gains on any platform with AES acceleration.

No plans have been discussed regarding AES support in WG - more focus has been put on the vector extensions and threading models...

Known Limitations - WireGuard

www.wireguard.com

Hardware Crypto​

WireGuard uses ChaCha20Poly1305, which is extremely fast in software on virtually all general purpose CPUs. As of writing, there is not an overwhelming amount of dedicated hardware support for it, though this is changing. Practically speaking, this is not a problem, as vector instructions on CPUs wind up being in the same ballpark (and sometimes even faster) than AES-NI instructions.

 

[sfx2000]

I thought I read somewhere that WG intended to eventually support AES. If they do, that will provide some interesting performance gains on any platform with AES acceleration.

Note 2

WG, at the moment, is hard coded to use ChaCha20-Poly1305 - which some commenters point out, could be a problem if the cyrpto is somehow compromised - and that's where simplicity can be a potential issue (unlikely, but it's a valid observation).

One other item regarding WG, AES, and perceived performance concerns...

[noise] [ANNOUNCE] WireGuard Launched!

Not everything is just about performance - but there, WG scales well, because of ChaCha20-Poly1305, across many cpus/architectures without needing specialized instruction sets like AES-NI or ASIMD...

 

[Hm736]

Because i found this post I I got interested and bought the GL-AX1800 Flint and it’s really great so far.

I installed the latest beta firmware (4.0.1) and was able to get ~700Mpbs with wireguard.

With the desktop app from Mullvad I was able to get 1GB/s but 700Mbps are enough for me.

Until now it’s a no brainer for me, it only costs ~90€, the setup was done in a few minutes without a hassle and it even has ad guard home preinstalled.
But let’s see how it turns out in the next few weeks.
The only "bummer" is that GL-inet is a Chinese company so hopefully they don’t do something shady but at least it seems like everything is open source.

But I still don’t get why this is the only router (or at least I know of) that is easy to setup, cheap and even can achieve high VPN speeds.
Should it not be easy for other big company’s to do the same?

 

[Tech Junky]

But I still don’t get why this is the only router (or at least I know of) that is easy to setup, cheap and even can achieve high VPN speeds.
Should it not be easy for other big company’s to do the same?

Being that it's relatively cheap it's nice to see someone doing it right. Honestly I never thought something under $200 would hit above 500mbps other than maybe a pi. Not sure mullvad would be the top pick for Gbps wireguard though either way twice the cost of Nord.

Mind signing up for Nord and testing their speeds as well with the money back trial?

 

[Hm736]

Being that it's relatively cheap it's nice to see someone doing it right. Honestly I never thought something under $200 would hit above 500mbps other than maybe a pi. Not sure mullvad would be the top pick for Gbps wireguard though either way twice the cost of Nord.

Mind signing up for Nord and testing their speeds as well with the money back trial?

Mullvad is the best VPN I know of and the speeds are great, even with OpenVPN I could hit 1GB/s on my PC.

Sorry don’t want to try NordVPN, I don’t trust them at all especially with their shady history.

 

[Tech Junky]

Hmm.. I have used them now for about 5 years w/o any issues. They were the only one I could hit gig plus with using WG. I tried a handful of other providers and none of them compared or had quirks that were questionable to get them to work upon reboot w/o needing to login to activate them.

 

[Scott D]

But I still don’t get why this is the only router (or at least I know of) that is easy to setup, cheap and even can achieve high VPN speeds.
Should it not be easy for other big company’s to do the same?

I honestly don't know why big companies can't or wont do something similar or even better. I got my Flint for around $105 USD and so far It's easily the easiest and best router I have ever owned. I don't get the speed yet but that's my ISP. I cant't wait for fiber to see just what it will be capable of.

 

[Scott D]

Being that it's relatively cheap it's nice to see someone doing it right. Honestly I never thought something under $200 would hit above 500mbps other than maybe a pi. Not sure mullvad would be the top pick for Gbps wireguard though either way twice the cost of Nord.

Mind signing up for Nord and testing their speeds as well with the money back trial?

I use Mullvad too. And there is no need to subscribe. You can Just pay ~$5 a month and if you're not happy, you're only out ~$5 instead of ~$69 for Nord. You can even mail in cash to Mullvad if you want.

 

[Tech Junky]

I use Mullvad too. And there is no need to subscribe. You can Just pay ~$5 a month and if you're not happy, you're only out ~$5 instead of ~$69 for Nord. You can even mail in cash to Mullvad if you want.

Nord has a 30 day refund. Plus if you stack some cashback apps it's even cheaper under $2/mo when they offered 3year options.

 

[treeskygrass]

Nord has a 30 day refund. Plus if you stack some cashback apps it's even cheaper under $2/mo when they offered 3year options.

But it’s still Nord. There’s a lot going on there…

https://www.reddit.com/r/VPNTorrents/comments/9adi37

 

[Christos]

Forget about "fast" Wireguard performance on a router. Wireguard is incompatble with NAT acceleration, so if you run Wireguard on it, the NAT capabilities will drop in the 200-400 Mbps range max (depending on the router's CPU). Your WAN's NAT capabilities then becomes the bottleneck.

But remember that WG runs on kernel mode, that is similar to NAT acceleration (aka hardware offload)

 

[CaptainSTX]

But remember that WG runs on kernel mode, that is similar to NAT acceleration (aka hardware offload)

I think the blurb you pasted from Merlin above is outdated. When I got my AX86S in December 2022 running a WireGuard client did disable hardware acceleration however on 382.2.2 both Runner and Flow Cache are enabled and the AX86S passes 940/42 Mbps without an issue. I haven't had an opportunity to connect by desktop to the AX86S directly nor does spdMerlin have the option to test the speed of a WireGuard client.

7/14/23

ISP Internet 1200/40

VPN Provider - StrongVPN

I had an opportunity to runs some tests and compare the speed of an Open VPN client vs. WireGuard client.

All tests were run to VPN servers in Miami which is 225 miles distant.

Router Used was an AX86S with a two core A53 Cortex processor, 1800 MHz

For comparison I also tested using a mini pc setup as a VPN appliance. It has an I7 processor.

All connections to my network were by Ethernet cables.

OpenVPN AX86S Router 55 tests recorded using spdMerlin during July.

Download Average 175.6 Mbps std dev 28.1 OpenVPN Miami

WAN - spdMerlin Download Average 590.6 std dev 70.9 to nearby ISP

When speed tests are run on my PC then with no VPN tunnel speeds are often over 900 Mbps. If using my VPN appliance running WG with a tunnel to Miami then VPN download speeds often exceed 800 Mbps when connected to a WG server in Miami.

WireGuard client running on router the Speed Test being run on PC. PC connected to router with Ethernet cable. In the 388.2.2 version of Merlin's firmware hardware acceleration is enabled even when WireGuard is on.

I just had the time to run 5 tests in this setup and the downloads ranged between 220 - 235 Mbps.

My conclusion is just as many/most consumer grade router's processors don't have enough processing power to enable fast OpenVPN connections that even when running WireGuard they can do better, but most consumer grade routers still don't have enough processing power for fast VPN connections.

Hopefully someone with the latest and greatest router can repeat my tests and get more than 25% of their ISP's provisioned speed when running a WireGuard client on their router.