RT-AX88U Reduced bandwidth with Wireguard enabled.

micer45

Occasional Visitor
I have a 900Mbps Fibre connection and an RT-AX88U with 3.0.0.4.388_20558 firmware.

I enabled WireGuard VPN but have noticed that it then limits my internet speed to 500Mbps on any client connecting from my local network to the internet.

With WireGuard enabled:

[speed test screenshot: ax88u.jpg]

With WireGuard disabled:

[speed test screenshot: btsh2.jpg]


OpenVPN has no effect, I just thought I would try WireGuard for a change as it is easier to set up clients via the QR code.
 

Jeffrey Young

Very Senior Member
Limitation of the CPU. The CPU simply is not powerful enough to keep up with the extra encryption needed. There are a ton of forum messages here concerning this issue.
 

micer45

Occasional Visitor
I take it the CPU status indicators aren't really telling the full story.

Even downloading at full speed I rarely see them go above 5%, whether WireGuard is enabled or not.
 

Tech Junky

Very Senior Member
It's not the CPU, it's the disabling of NAT acceleration. The CPU load of wg is a lot lower in comparison to ovpn. This is a common issue though with consumer devices. If you used a different router / CPU type it should run at line speed. In comparison ovpn seems to have a hard cap of ~600mbps whereas wg can hit line speed regardless of the bandwidth. Running my diy box I can hit 1.2gbps with wg.
 

Jeffrey Young

Very Senior Member
I don't have much faith in any of the Asus dashboard readings/display, I don't trust them nor do I use them.

As @Tech Junky said, it is actually the hardware acceleration that is the problem (which when disabled, puts it on the CPU, which can't handle it). 500mbits is pretty good though for the AX series. With the AC, I only got around 300mbits. Like @Tech Junky , my x86 machines have no issues getting 1g and better speeds.
 

micer45

Occasional Visitor
No problem, thanks for the advice.

I have an old DELL Optiplex 7020, I5-4590, lying about, kept meaning to sell it.

What sort of Wireless/network card would be good if I wanted to build my own router?
 

Jeffrey Young

Very Senior Member
Since you only have a 1g service, really any good quality 1g or 2.4 card/adaptor will do.

Another option available to you is to keep your router (if you are happy with it) and set up a Wireguard server on your unused machine and port forward to it from your router. My ISP service does not even come close to 1Gbits, so I can afford to keep my WG server on the router.

For others though, I have gone both ways - a separate linux box as a server setting up a port forward in the router or setting up a DIY Router (RasPi with either OpenWRT or your own build - I did a Ubuntu 22.01 build) or pick up a good MiniPC with two NIC ports (again, OpenWRT, PFSense, or your own build). You have a lot of options before depending on your skill level, willingness to learn, and amount of research you put into it.
 

Tech Junky

Very Senior Member
I have an old DELL Optiplex 7020, I5-4590, lying about, kept meaning to sell it.
I just put Linux on my setup and then hang an AP off it for AX WIFI. Previously though I used a QNAP 2600AC card to host an AP internally, but there's a lack of AX/AXE cards that can host an AP using hostapd. There are a couple of M2's though that might work that run about $70, but I haven't tried them personally at this point and am just waiting out the clock on WIFI7 options since it will open up the door to 320mhz bandwidth.

Code:
sudo inxi -F
System:
  Host: server Kernel: 6.1.0-060100rc5-generic arch: x86_64 bits: 64 Console: pty pts/19
    Distro: Ubuntu 22.10 (Kinetic Kudu)
Machine:
  Type: Desktop Mobo: ASRock model: Z690 Steel Legend UEFI: American
    Megatrends LLC. v: 10.04 date: 11/17/2022
CPU:
  Info: 12-core (8-mt/4-st) model: 12th Gen Intel Core i7-12700K bits: 64 type: MST AMCP cache:
    L2: 12 MiB
  Speed (MHz): avg: 1929 min/max: 800/4900:5000:3800 cores: 1: 800 2: 3600 3: 801 4: 3600
    5: 800 6: 800 7: 800 8: 3600 9: 759 10: 3600 11: 800 12: 876 13: 3600 14: 931 15: 801 16: 822
    17: 3600 18: 3600 19: 800 20: 3600
Graphics:
  Device-1: Intel AlderLake-S GT1 driver: i915 v: kernel
  Display: unspecified server: X.org v: 1.21.1.4 with: Xwayland v: 22.1.3 driver: X:
    loaded: modesetting gpu: i915 tty: 172x54 resolution: 3840x2160
  Message: GL data unavailable in console for root.
Audio:
  Device-1: Intel Alder Lake-S HD Audio driver: snd_hda_intel
  Sound Server-1: ALSA v: k6.1.0-060100rc5-generic running: yes
  Sound Server-2: PipeWire v: 0.3.58 running: yes
Network:
  Device-1: Intel Alder Lake-S PCH CNVi WiFi driver: iwlwifi
  IF: wlp0s20f3 state: up mac: 60:a5:e2:e8:20:f6
  Device-2: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
  IF: enp5s0 state: up speed: 100 Mbps duplex: full mac: 24:5e:be:4d:c4:53
  Device-3: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
  IF: enp6s0 state: up speed: 2500 Mbps duplex: full mac: 24:5e:be:4d:c4:54
  Device-4: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
  IF: enp8s0 state: up speed: 1000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
  Device-5: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
  IF: enp9s0 state: up speed: 1000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
  Device-6: Realtek RTL8125 2.5GbE driver: r8169
  IF: enp10s0 state: down mac: a8:a1:59:7a:82:f0
  IF-ID-1: bo0 state: up speed: 2000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
  IF-ID-2: bonding_masters state: N/A speed: N/A duplex: N/A mac: N/A
  IF-ID-3: br0 state: up speed: 2500 Mbps duplex: unknown mac: 5a:ea:69:a9:d9:fb
  IF-ID-4: nordlynx state: unknown speed: N/A duplex: N/A mac: N/A
Bluetooth:
  Device-1: Intel type: USB driver: btusb
  Report: hciconfig ID: hci0 state: up address: 60:A5:E2:E8:20:FA
RAID:
  Device-1: md0 type: mdraid level: raid-10 status: active size: 18.19 TiB report: 5/5 UUUUU
  Components: Online: 2: sdd1 3: sdb1 4: sdc1 5: sde1 6: sda1
Sensors:
  System Temperatures: cpu: 31.0 C mobo: 35.0 C
  Fan Speeds (RPM): fan-1: 642 fan-2: 772 fan-3: 0 fan-4: 661 fan-5: 0 fan-6: 0 fan-7: 654
Info:
  Processes: 530 Uptime: 2d 21h 22m Memory: 15.39 GiB used: 4.27 GiB (27.8%) Init: systemd
  target: graphical (5) Shell: Bash inxi: 3.3.21

You have a lot of options before depending on your skill level, willingness to learn, and amount of research you put into it.
Very true. The easiest option is to use a preformed ISO as you mentioned, but taking something like Ubuntu opens all of the options and doesn't have the hang-ups of some of the options listed with BSD as the underlying OS. There are some issues with HW that will drive people crazy when trying to roll their own setup. Being Debian based makes life easier as there are more updates / compatibility across vendors.

Taking the raw components or reusing the Dell mentioned and putting the OS on it is a simple enough venture. There are tons of "homebrew" instructions out there for implementing the DHCP / NAT / FW / etc.

I find working with IPTables is much more efficient than dealing with UFW though. I just put a "script" into my terminal to save it to a network drive, edit it, and then apply it to iptables vs dealing with the CLI and flying blind until you refresh the output. I might be using a total of 15-20 lines of rules at this point after playing with other options / methods in the past. Keeping things lean makes the packets flow as fast as possible.

I run a lot of different functions on the box though, which is why you see the 12700K. While it's idle most of the time, it's a huge boost to processing video files from OTA grabs in Plex. For just a router/vpn device though there are cheaper options like the PI setups. The Dell though, since you already have it, would work great. Just upgrade the NIC to whatever speed requirements you have internally / externally. I use a quad 5GE from QNAP because the price / performance made more sense and my raid / NAS portion of the box tops out just under 500MB/s.

If the ISP device has multiple ports you can use bonding to tie 2 x 1GE ports to get beyond the 1gig limits. I did this with cable to get to 1.2-1.5gbps on the gig plan. I've since switched to 5G for 1/2 the price though but still keep 2 cables plugged into that device for redundancy.
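Taking the "lean iptables script" approach from the post above and applying it to a DIY Linux router that also hosts a WireGuard server, here is an added example (not Tech Junky's own script): a default-deny rule set of 18 rules that NATs the LAN and the tunnel out the WAN and accepts only the WireGuard port from the outside. Interface names, the port and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a lean iptables rule set for a DIY Linux
# router running a WireGuard server. Interface names, port and DRY_RUN are assumptions.
WAN=${WAN:-enp0s25}        # assumed: ISP-facing NIC
LAN=${LAN:-enp1s0}         # assumed: LAN-facing NIC
WG_IF=${WG_IF:-wg0}        # WireGuard interface (brought up by wg-quick)
WG_PORT=${WG_PORT:-51820}  # WireGuard UDP listen port

# ipt: run iptables, or only print the command when DRY_RUN is set, so the
# rule set can be reviewed (or tested) before it touches a live router.
ipt() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

apply_rules() {
    [ -n "$DRY_RUN" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Clean slate so re-running the script is idempotent.
    ipt -F; ipt -t nat -F; ipt -t mangle -F
    # Default deny into and through the router; the router's own egress is open.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Fast path first: conntrack accepts the bulk of packets at rule one,
    # which is what keeps a short rule set fast.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT       # LAN may reach DNS/DHCP/admin on the box
    ipt -A INPUT -i "$WG_IF" -j ACCEPT     # VPN peers may reach those services too
    # The only unsolicited WAN traffic accepted: the WireGuard handshake port.
    ipt -A INPUT -i "$WAN" -p udp --dport "$WG_PORT" -j ACCEPT

    # LAN clients and VPN peers may reach the internet and each other.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WG_IF" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WG_IF" -o "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WG_IF" -j ACCEPT

    # Clamp TCP MSS into the tunnel so WireGuard's header overhead does not
    # black-hole large packets for roaming clients.
    ipt -t mangle -A FORWARD -o "$WG_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # One NAT rule: everything leaving via the WAN is masqueraded.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# "check" prints the rules, "apply" loads them (needs root); no argument does nothing,
# so the functions can be sourced or tested without touching the live firewall.
case "${1:-}" in check) DRY_RUN=1; apply_rules ;; apply) apply_rules ;; esac
```

Run `sh router-fw.sh check` to review the generated commands and `sudo sh router-fw.sh apply` to load them; wg-quick still brings up wg0 and its own peer config separately.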
 

micer45

Occasional Visitor
Thanks for all the info, looks like a fun project to take on and perfect as we move into the dark winter days :)
 

micer45

Occasional Visitor
The issue wasn't the VPN speed, it was the fact that my internet speed on all clients was limited to 500Mbps when the WireGuard VPN server option was enabled.
The clients weren't routed through the VPN but connected directly.
 

Tech9

Part of the Furniture
I know, but switching to OpenVPN instead will resolve it if ~200Mbps is good enough speed for your VPN clients.
 

Tech Junky

Very Senior Member
I know, but switching to OpenVPN instead will resolve it if ~200Mbps is good enough speed for your VPN clients.
Let's see here... so you want the OP to settle for 200mbps when they're paying for 900mbps?

WG gets OP 500mbps w/ or w/o VPN director pushing them straight out the WAN w/o being encapsulated. Yet, you're suggesting lower bandwidth at 200mbps?

If the OP wants full performance of 900mbps w/ WG enabled it's going to need to be a HW change as the Asus doesn't perform even the basic tasks w/o the magic NAT acceleration enabled and cripples the speed of other devices not using the VPN.

Turning off a "feature" like NA shouldn't instantly kill the ASIC performance of other LAN devices getting out to the WAN. It's not really a feature if it's just using compression to make things appear faster than they really are.

As to the whole "you don't need this or that" line you always inject into conversations about this sort of situation, try giving alternative solutions. I know you're capable, as you do just fine when it's about WIFI and recommending other options.

The OP already has a PC sitting in a box somewhere and if they want to take the leap and try something different what's the issue with doing so? The only thing that is questionable is whether they have 2+ ports to plug into the network for WAN/LAN configurations.
 

Tech9

Part of the Furniture
Let's see here... so you wan the OP to settle for 200mbps when they're paying for 900mbps?

This is what the OP can get with no extra cost involved with the hardware he already has. He's going to decide if it's good enough or not.

As I have said multiple times - DIY is not for everyone and very few people on SNB Forums are interested or have the knowledge needed.
 

micer45

Occasional Visitor
Thanks for all the advice so far

I've just installed pfSense on the DELL so that should keep me busy for the rest of the evening :)
Just using the onBoard GiGe network connection and I found another GiGe Intel pci card.
 

Tech9

Part of the Furniture
And the moment you need some more advanced configuration you're done with your bare Linux. Also, pfSense has support. You're on your own.
 

Tech Junky

Very Senior Member
And the moment you need some more advanced configuration you're done with your bare Linux. Also, pfSense has support. You're on your own.
It's not difficult to add a few lines to the interfaces file to designate wan/lan and iptables. But you can add things like pihole for ads and telemetry blocking. To simplify and monitor you can use webmin which provides a web GUI to input things if you don't like command line.
 

Tech9

Part of the Furniture
Add few VPN interfaces of different type and VLANs, SSL proxy if you like, Suricata or Snort with manual rules, don’t forget Unbound with DoT and DNS interception, many want IP/DNS filtering as well… if you like doing things the hard way and not in GUI of a standard popular router/firewall OS - sure, your choice. I’m sure I can set pfSense much faster according to list or requirements than you your bare Linux. I know your answer will be you don’t need that. This thread is not about you though.
 
