RT-AC68 Wireguard

[treeskygrass]

@RMerlin said “The RT-AC68U does not support Wireguard because kernel 2.6.36 is not supported by Wireguard.”

While kernel support would be great, why is it required? OpenVPN doesn’t have kernel support either, at least until recently with DCO. Why can’t Wireguard run in user space like on my NAS, Tailscale, Mac, etc?

Would just like to understand this better. Thanks.

 

[RMerlin]

why is it required

Because Wireguard is a kernel feature.

Someone made a userspace implementation of it, but it's very resource intensive, and you lose any performance benefit that the real Wireguard offers by being a kernel space implementation. Asuswrt and Asuswrt-Merlin only support the native kernel implementation.

 

[bennor]

Some explanation here:

WireGuard on ASUS WiFi router with Broadcom ARMv7 32-bit chipset running ASUSWRT-Merlin — nixFAQ

Introduction WireGuard is now the most-hyped VPN implementation out there. Boasting code length of a fraction of the lines of code compared to IPSec, strong cryptography, a high-speed Linux kernel...

nixfaq.org

 

[treeskygrass]

Because Wireguard is a kernel feature.

Someone made a userspace implementation of it, but it's very resource intensive, and you lose any performance benefit that the real Wireguard offers by being a kernel space implementation. Asuswrt and Asuswrt-Merlin only support the native kernel implementation.

Many devices and operating system that don't have kernel support use user-spaces implementation, and they can be nearly as fast, and use less resources than OpenVPN.

Tailscale is user space: "Performance can always become somewhat of an arms race, but our results here demonstrate that we can keep up with our kernel counterparts provided that we are using the right kind of kernel interface – userspace isn’t slow, some kernel interfaces are!"

https://tailscale.com/blog/throughput-improvements/

Cloudflare too. https://blog.cloudflare.com/boringtun-userspace-wireguard-rust/

Wireguard - it's not JUST for kernel anymore.

 

[L&LD]

Then you need a powerful processor otherwise.

I believe(?)/assume that RMerlin stated 'Wireguard is a kernel feature' specifically for Asus routers.

 

[ZebMcKayhan]

Wireguard is a kernel feature' specifically for Asus routers.

Not at all, it's just a source from here: https://git.zx2c4.com/wireguard-linux-compat/ compiled alongside the firmware. Anyone could compile it and use it as long as prerequsitions are met.
I believe asus are using a release from 2021 but cannot remember which one.

 

[L&LD]

No, that is not what I meant.

For any real benefit on our underpowered routers, it must be run in kernel mode. For faster, more powerful processors, it needn't be.

 

[RMerlin]

Many devices and operating system that don't have kernel support use user-spaces implementation, and they can be nearly as fast, and use less resources than OpenVPN.

The userspace port of Wireguard is written in Go, which is very memory-intensive. Guides to run it on routers require the use of a swapfile.

Wireguard lose its performance edge once in userspace because just like OpenVPN will suffer from having to do context switches between user and kernel space. Just like OpenVPN-DCO will be faster than the regular userspace implementation by reducing the number of context switches.

nyone could compile it and use it as long as prerequsitions are met.

And one of these requirements is "kernel 3.10 or newer".