Turning on Wireguard on RT-AX88U slows all local download speeds

RS61

New Around Here
My home setup is a gigabit fibre connection into a bridged modem into my RT-AX88U which is set up as the main router in an AiMesh with 3x AX82U nodes, all with Cat6a wired backhauls. It's rock solid, and normally I get my gigabit up and down. Everything runs the latest up to date Asus own firmware.

Recently I decided to up my security and turn off a bunch of port forwarding and remote access. So I turned on the Wireguard server (not client) in the Asus router settings. Suddenly I get at most 400Mbps down and up. My downloads max at about 40 MBps on Steam, vs the 80+ that I get with Wireguard turned off. I don't actually have anyone connected to my VPN at any point - it's only for the rare occasion when I need to log in from out of the house. So there's some CPU usage from it but not a huge amount.

Having a look at the CPU, when I start downloading something, one of the four CPU cores maxes out to 100%, then another one does, and so on. The difference is that when Wireguard is turned off, it's one core that goes to 100% and then stays at 100%, no jumping around.

Is this normal behaviour? Does turning on the VPN server on this router basically limit you to a max throughput of about 400 Mbps because of a lack of processing power, etc? Has anyone been able to run gigabit up and down on an AX88U with a VPN server for remote access?
 

ColinTaylor

Part of the Furniture
This is a known problem when enabling Wireguard. It's a hardware limitation rather than a bug or configuration error.
 

Tech9

Part of the Furniture
Does turning on the VPN server on this router basically limit you to a max throughput of about 400 Mbps because of a lack of processing power, etc?

WireGuard is incompatible with NAT acceleration, Flow Cache. You get faster VPN speeds in exchange for an entire network speed penalty. The subject was discussed here:


About 350-400Mbps is what your CPU can process with no NAT acceleration. Home routers rely heavily on different NAT hacks to achieve higher WAN-LAN transfer speeds.
 

RS61

New Around Here
Thank you both, that's exactly what I was after.

In my situation, where maybe once a month I need to log into my network remotely and the VPN speed isn't that important but local network speed and overall security is, would you suggest running Wireguard on my QNAP instead, or running one of the other protocols on the Asus router (assuming one of the others is compatible with NAT acceleration)?
 

doczenith1

Very Senior Member
Thank you both, that's exactly what I was after.

In my situation, where maybe once a month I need to log into my network remotely and the VPN speed isn't that important but local network speed and overall security is, would you suggest running Wireguard on my QNAP instead, or running one of the other protocols on the Asus router (assuming one of the others is compatible with NAT acceleration)?

Looks like I was a few days late with my response on reddit.

Your AX88U should have no problem reaching ~250 Mbps using OpenVPN, which does not disable NAT acceleration. Give that a try if WireGuard on the QNAP does not work out.
 

RS61

New Around Here
Thank you. Weirdly running OpenVPN on my router did still reduce my speeds to about 700 Mbps. In the end I've got WireGuard set up on QNAP with the one port forwarded to it. Doesn't feel quite as safe, but I can't think of any specific risks, and the performance is great all round.
 

Tech9

Part of the Furniture
Weirdly running OpenVPN on my router did still reduce my speeds to about 700 Mbps.

It depends on what else is running on this router and how many VPN clients you have. AiProtection enabled and you may not reach Gigabit ever. Home routers have hardware tuned for power efficiency. They are weaker than RPi and have very limited RAM. They all rely heavily on NAT acceleration. No home router can do Gigabit with CPU processing. Think about true 100-400Mbps capable hardware (depending on the model) with some hacks applied to allow higher speeds and in some cases only. Many users don't know Bandwidth Limiter on Guest Network will have a huge performance impact on the entire network, for example.
 

RS61

New Around Here
Oh wow, I definitely didn't know that. Is there a post somewhere that outlines which features on an Asus router have the biggest impact on local performance?
 

Tech9

Part of the Furniture
Here:


NAT acceleration disabled has the biggest performance impact, but on WAN-LAN traffic. Local traffic is switched, not routed. LAN-LAN performance has to remain the same, but WLAN-LAN... it depends on what router model we are talking about.
 

DroidST

Regular Contributor
Looks like I was a few days late with my response on reddit.

Your AX88U should have no problem reaching ~250 Mbps using OpenVPN, which does not disable NAT acceleration. Give that a try if WireGuard on the QNAP does not work out.

I need to dig into this on my AX86U and do more testing... perhaps I'll stick with OpenVPN if results are like the AX88U.
 

maxbraketorque

Very Senior Member
Interesting to see confirmation of the network speed reduction with WG. It's too bad because it seems to be the future. There shouldn't be a network slow-down with OVPN. I have OVPN server and client running on my AC86U, and I get full gigabit speed.
 

princi

Senior Member
Interesting to see confirmation of the network speed reduction with WG. It’s too bad because it seems to be the future. There shouldn't be a network slow-down with OVPN. I have OVPN server and client running on my AC86U, and I get full gigabit speed.
Where is the confirmation?

He said he needs to investigate further, and if the results are the same, etc.

We know the AX88U has h/w limitations, the AX86U is a similar beast.

I’m more interested in testing on the new models, the PRO models for instance.
 

Tech9

Part of the Furniture
the PRO models for instance

We need someone to test on currently available GT-AX6000. It has the same CPU as upcoming Pro models. What I expect to see is the same NAT acceleration disabled limitation or around 400Mbps for this particular model. Some Qualcomm based home routers with lower CPU clock rate can do up to 500Mbps, but different hardware with different software. No direct comparison possible.
 

princi

Senior Member
Not only currently available hardware, 388 firmware for the router is also needed.

Looking like a long wait.
 

cc666

Senior Member
From my post in another thread:

I did some testing, had WireGuard with Proton VPN. I did NOT have all devices under the VPN only a handful.

I ran the following speed tests:

1 - Laptop - NOT on VPN but VPN was switched ON d/l speed was averaging around 400
2 - Laptop - NOT on VPN but VPN was switched OFF d/l speed was averaging around 520
3 - Laptop - ON VPN and VPN was ON d/l speed was around 290

Laptop in same exact location using Ookla. I am convinced that the NAT is off for all clients if the VPN is switched on. Really affects the speed of clients NOT under the VPN. The 290 was faster than Nord not using WireGuard but UDP. Nord was around 225.

Feel free to run these on your setup and report back.

CC
 

DroidST

Regular Contributor
From my post in another thread:

I did some testing, had WireGuard with Proton VPN. I did NOT have all devices under the VPN only a handful.

I ran the following speed tests:

1 - Laptop - NOT on VPN but VPN was switched ON d/l speed was averaging around 400
2 - Laptop - NOT on VPN but VPN was switched OFF d/l speed was averaging around 520
3 - Laptop - ON VPN and VPN was ON d/l speed was around 290

Laptop in same exact location using Ookla. I am convinced that the NAT is off for all clients if the VPN is switched on. Really affects the speed of clients NOT under the VPN. The 290 was faster than Nord not using WireGuard but UDP. Nord was around 225.

Feel free to run these on your setup and report back.

CC

Essentially similar results here; most likely I will disable WireGuard and stick with OpenVPN in the router.

Right now, I'm testing 388/386 with 2 AiMesh nodes, VPN changes will have to wait.
 

CodyPredy

New Around Here
Running the latest 3.0.0.4.388_21709 firmware on my AX86U and getting full speed with Wireguard VPN Server turned on and remote client connected.
I'm guessing they fixed the issue. Can anyone else confirm this?

Configuration:
Desktop Ethernet -> No VPN
Macbook Pro -> WireGuard VPN Client (connected remotely)
AC68U Mesh node
AX86U (main router)

Getting approx. 900Mbps which is close to my max ISP speed.
 
