Best router for Wireguard out of the box?

Scott D

Occasional Visitor
Hello. Sorry if this has been asked and answered before but I'm looking for a fast Wireguard router that I don't have to use/add additional software to function. I currently have a GL-iNet Flint (GL-AX1800) that is working OK with Mullvad imported Wireguard config files. It worked right out of the box. Fiber is coming to my neighborhood within 2 months and I'd like to get something a bit faster for Gigabit Internet speeds. Is there something that simply works with Wireguard right out of the box and is faster than my Flint? I once had a RT-AC86U flashed to Asuswrt-Merlin but it kicked the bucket about a year ago after many, many years of successful use as my VPN router. Sorry if this is in the wrong forum. I wasn't sure if I should put it here or in the VPN forum. Thank you for any help at all.
 
@ gig speeds? Probably not on the consumer level / price point. Most of them will top out at 500mbps due to CPU/RAM limitations.

DIY though on the other hand can get you beyond the limitations of consumer gear. Using a Full PC CPU / RAM setup has enough power to get you line speed beyond gig speeds. With gig cable I was able to hit 1200-1500mbps through Nord.

You could do it on the cheap with a SFF PC ~$150 / dual port NIC for IN/OUT ports and Linux for the OS. All in ~$200 to get beyond the limits of off the shelf options. There are other things like Firewalla though that you can set up but convenience costs more, ~$500 IIRC.

Jumping into the SMB space though you can probably find something but, then you're better off going DIY at those price points and rolling in additional functions to the "router" like adding drives to it and making it into a NAS in addition to routing / VPN.
 
Thank you Tech Junky. I once tried the pfSense way but had poor openVPN speeds on an Intel atom processor. I never found out why my speed was so slow before getting the RT-AC86U that simply blew the atom out of the water. I never tried pfSense again after that. Maybe I needed a better processor?
 
A little more power use to get better encryption performance. I would be aiming for an i5 CPU if you're looking to do encryption beyond the basics you find in routers. You could though go as simple / lightweight as a PI4 based on this thread.

Still going to be a little involved in getting it working either way but, if you've dabbled in pfsense it shouldn't be a big leap from one to the other. I prefer a more robust option though if we're going outside of the plastic black box. It doesn't need to be high RAM though as it's more CPU bound when spawning additional threads as you use more bandwidth.

Under idle there's a handful of processes for "WG" and as you ramp up demand it spawns more of them to handle the streams of packets to keep up with the speed of the connection.

It all depends on if you want a multipurpose system or just something to stick between the ISP / router for VPN at line speed. There's not too much configuration to do to use pfsense as the router and just bridge the GLI as an AP for WIFI.

Maybe start with a Pi and test from there. If it's not up to the needs then go up in CPU power or buy a used PC and a NIC to repurpose or buy a new SFF PC as mentioned and throw pfs on it.

Oh, and OVPN is notoriously slow anyway. Even with my setup it maxed out at 500-600mbps where WG kicked its butt 3X the speed.
 
Wow! I had no idea the PI4 was capable of those WG speeds. I actually use no WiFi at all. It's all wired connections. I barely get 150-200mbps with my current ISP and WG on my GL-iNet Flint. I was getting maybe 100mbps before on my RT-AC86U and ~40mbps on pfs (my current ISP is horrible and metered). Thank you. I have more to look into.
 
Yeah, if you end up using OVPN then you need a CPU w/ AES to deal with the encryption processing at a quicker pace but, even using a 8700K I wasn't able to break beyond 600mbps on OVPN but on the same nord server using WG instead got full line speed. I wouldn't have bothered with OVPN though if it hadn't been for a glitch on their servers that only was working for the primary PC and not letting clients passthrough it to get out. Primary worked fine but, the clients couldn't get TLS connections out from behind it. It was a bit odd and in about a month it started working again. Instead of sticking with OVPN I switched countries to get WG speeds that were higher but more latency and messed with geo based services like languages on streaming platforms. For a little while though some of the servers were also reporting locations all over the world vs local US locations. Occasionally while downloading things I'll see the IP / port spread across multiple locations / IP's as well. It's interesting when it happens as it shouldn't be.
 
Not quite out of the box, but any router that supports DD-WRT is a good option.

WG client and server, multiple tunnels, auto-configurable w/ import files from VPN provider, PBR (policy based routing), split DNS, built-in watchdog and killswitch, runs in the kernel (NOT user-space like some implementations), etc.

Most ppl will find 3x or more improvement from OpenVPN to WG. My older RT-AC68U, which tops out around 30Mbps w/ OpenVPN, gets up to 111Mbps w/ WG! Obviously more modern and powerful routers would see similar improvements.

Only issue is that like many other third-party firmware, there's NO AX (WiFi 6) support, just AC (WiFi 5).

That's why confining yourself to purely OOTB is severely limiting your options. Most OEM implementations are NOT going to give you all those features. I'm not even sure they all run in the kernel (which is essential for best performance). Things like PBR are NOT common, and as a result, usually means you can't run both a WG server and client at the same time on the router.

In short, I don't know of any better option at this point than DD-WRT, OEM or third-party. And @egc (one of the developers) on the DD-WRT forums provides GREAT support. He's placed a tremendous amount of time and effort into the implementation, and it shows.
 
The easiest way to use wireguard is Tailscale.
It can be installed in many routers and platforms.
 
Thank you. I am familiar with DD-WRT but not enough to pick a good, fast router for fast WG performance in DD-WRT. Any suggestions? I once had a Netgear Nighthawk running OVPN on DD-WRT.
 
I *assume* if you use Tailscale (e.g., from Entware), then it's running in user space. Problem is, one of the greatest benefits of using WireGuard, beyond the simplicity of it, is it runs in the kernel, provided you're using firmware w/ a supported kernel.

That's an incredibly important difference, esp. for those with less powerful (usually older) routers. That's what kills the performance on my own RT-AC68U when it comes to OpenVPN. I would expect any improvement w/ Tailscale to be marginal, thus making it far less interesting (at least to me). That's why I suggested DD-WRT. It's my understanding that @brainslayer and @egc over there have back ported the feature into older kernels!

I believe Tailscale is closer to a mesh system (peer to peer), similar to Hamachi or ZeroTier, whereas OpenVPN is client/server. It just uses WG as its underpinnings. In that way, you as the user aren't directly exposed to it. OTOH, I'm not sure just how widespread is the support for it among commercial WG providers. Seems to me most are building their own frontends (due to privacy concerns) (e.g., NordVPN's NordLynx, ExpressVPN's Lightway), or exposing WG directly in a per-user peer to peer relationship.

But I don't claim to be an expert on how WG is supported these days among the providers. WG is still in its infancy, and so a lot of this is being fleshed out over time.

For those who choose Tailscale, for whatever reasons, if you're using a desktop OS (Windows, Mac, Linux), it's far less important if WG runs in user space since those platforms don't suffer from the inefficiencies of the router. But it's often a showstopper for the router given its much lesser capabilities, at least until it becomes commonplace in the kernel (à la DD-WRT). Without such support, I just don't see the point unless you're looking for a Hamachi/ZeroTier-like solution for its own sake, regardless whether WG runs in user space or the kernel.
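
The kernel-versus-user-space distinction discussed in the post above can be checked from a shell on a Linux-based router. This is an added example, not part of the original post or of any firmware's own tooling; the optional root-directory argument and the list of daemon names are assumptions made for illustration.

```shell
#!/bin/sh
# Heuristic: report whether WireGuard is served by the kernel module,
# by a user-space daemon, or both. Optional $1 is a hypothetical root
# prefix, so the check can also run against a copied /sys and /proc tree.

wg_kernel_module() {
    # /sys/module/wireguard is present when the module is loaded or built in.
    [ -d "${1:-}/sys/module/wireguard" ]
}

wg_userspace_daemons() {
    # Assumed list of user-space implementations; tailscaled embeds wireguard-go.
    for comm in "${1:-}"/proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        read -r name < "$comm" || continue
        case $name in
            wireguard-go|boringtun*|tailscaled) echo "$name" ;;
        esac
    done | sort -u
}

wg_mode() {
    daemons=$(wg_userspace_daemons "${1:-}" | tr '\n' ' ')
    daemons=${daemons% }
    if wg_kernel_module "${1:-}"; then
        if [ -n "$daemons" ]; then
            echo "kernel+userspace ($daemons)"
        else
            echo "kernel"
        fi
    elif [ -n "$daemons" ]; then
        echo "userspace ($daemons)"
    else
        echo "none"
    fi
}

# Report for the live system when run directly.
wg_mode
```

A result of `kernel` with an idle tunnel only shows the module is present; `wg show` still has to confirm that the interface in use is a WireGuard link rather than a TUN device.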
 
Forget about "fast" Wireguard performance on a router. Wireguard is incompatible with NAT acceleration, so if you run Wireguard on it, the NAT capabilities will drop in the 200-400 Mbps range max (depending on the router's CPU). Your WAN's NAT capabilities then become the bottleneck.

You need to run Wireguard on a separate device that does not need to handle NAT at the same time if you want to get any significant performance increase over OpenVPN/IPSEC.
 
I would love to use OpenVPN and RMerlin's tweaks, but the switch doesn't seem as easy to set up as the RPi Wireguard installation. That is the only reason we use WG is the simplicity of setup for the RPi. A few mouse clicks, some keyboard entries, QR code scan, and up and running.
 
Thanks to everyone for the suggestions. I guess I'll have to wait. I really don't want to go back to a SFF type of device. Simply not user friendly.
 
@Scott D You could always do the Pi4 w/ routing / firewall and then just connect it to a switch. Just need a couple of Ethernet USB dongles or a board that has 2 ports to be inline. Maybe a NUC which is small as well and a little beefier HW than the PI.
 
On Linux, WireGuard is available as a kernel module. I don’t believe that many routers have Linux with kernel version that supports this functionality.

All of the Broadcom Wifi 6 models do (they run either 4.1.xx or 4.19.xx depending on the SDK version). I don't know what recent Qualcomm platforms use, but I suspect it must also be 4.x considering the time they came out. These would be fine for WG.

I thought I read somewhere that WG intended to eventually support AES. If they do, that will provide some interesting performance gains on any platform with AES acceleration.
 
I think my GL-iNet Flint GL-AX1800 has an IPQ6000 quad core ARM processor @ 1.2GHz supposedly capable of WG speed up to: (copied from GLiNet's website but I also know they inflate these numbers)

WireGuard
Max. 667Mbps

OpenVPN
Max. 112Mbps

We'll see just how fast when fiber arrives in my neighborhood.
 
That would imply that Qualcomm's Fastpath is compatible with Wireguard unlike Broadcom's Flow Accelerator. I'd be curious to see someone actually test it out to confirm if that's the case. If so, Broadcom needs to upgrade their own NAT implementation.

The OpenVPN speed seems about right for a 1.2 GHz CPU, I would expect around 100 Mbps out of a 1.2 GHz ARM CPU.
 
It's dependent on QSDK, as they have the right hooks in place for the NSS...

The claimed numbers quoted by GL-Inet are valid for Flint
 
