Why does WireGuard slow down the entire WAN-LAN speed?

RickGW

Occasional Visitor
So I set up a WireGuard VPN server on my ASUS RT-AX86U (running firmware 3.0.0.4.388_20566), but when I turn on the server, the total WAN-LAN speed implodes from 940/940 Mbit to ~ 480/480 Mbit, even though there are no clients connected yet. What's up with that?

I used the search, and apparently WireGuard does not do NAT acceleration which causes the problem, but is there really no other way?

I find it hard to believe that traffic outside the VPN connection must slow down too in order to achieve a higher VPN speed overall. Is that really the case?

degrub

Part of the Furniture
When NAT acceleration is turned off, that is what you get.
May need a different router. Or a different VPN server, or use a different device as the server.

capncybo

Senior Member
While the "gist" of what degrub is saying above is close, it's not technically correct. I may regret attempting to clarify but I'll try...
It is a portion of the Hardware Acceleration (Known as Flow Cache) that is preprogrammed into certain Broadcom chips which is not compatible with WireGuard.
So to use WireGuard those chips are effectively disabled... but if you disable the hardware acceleration chips, the router has to perform more routing via software & as you (may or may not know) the CPUs inside these routers are NOT SUPER-POWERFUL. So... as ISP speeds exceed 350 Mbps, most of the current routers cannot keep up & the network throughput is capped via CPU limitations. Note: it will vary slightly from router model to model, but if you look at the specs, most of the router spec increases are rather minimal & not up to the task of the almost common ISP speed of 1G.

RickGW

Occasional Visitor
When NAT acceleration is turned off, that is what you get.
May need a different router. Or a different VPN server, or use a different device as the server.
That's what I was afraid of. Any tips for a dedicated WireGuard VPN device?
While the "gist" of what degrub is saying above is close, it's not technically correct. I may regret attempting to clarify but I'll try...
It is a portion of the Hardware Acceleration (Known as Flow Cache) that is preprogrammed into certain Broadcom chips which is not compatible with WireGuard.
So to use WireGuard those chips are effectively disabled... but if you disable the hardware acceleration chips, the router has to perform more routing via software & as you (may or may not know) the CPUs inside these routers are NOT SUPER-POWERFUL. So... as ISP speeds exceed 350 Mbps, most of the current routers cannot keep up & the network throughput is capped via CPU limitations. Note: it will vary slightly from router model to model, but if you look at the specs, most of the router spec increases are rather minimal & not up to the task of the almost common ISP speed of 1G.
Thank you for clearing it up. So in my case the logical way is to get a different device as a WireGuard server. Like, maybe, a Raspberry Pi 4 or something like that?

RickGW

Occasional Visitor
Which VPN are you using? I use Surfshark and on my now dead AX88U I was hitting 900Mbps down and 940Mbps up. On my AX92U crappy router I only hit 200Mbps because it only has OpenVPN and the router has not had an update in almost 2 years.
I’m creating my own VPN server so that I can access my LAN and other stuff while I’m not home.

capncybo

Senior Member
@RickGW I think even a raspberry pi4 may not be enough processing power to approach 1G but you are on the right track... Think maybe closer to a low-power fan-less x86.

@Mazz I'm trying to clarify things but your post is misleading, as we were talking about routers where WireGuard is enabled & the hardware acceleration gets turned off automatically.

RickGW

Occasional Visitor
@RickGW I think even a raspberry pi4 may not be enough processing power to approach 1G but you are on the right track... Think maybe closer to a low-power fan-less x86.
Well, how about my Synology DS920+? Got it up and running already with Plex, AdGuard and of course storage, but wouldn’t WireGuard run smoothly on that one? I’m not aiming at 1 Gbps, but if I can get it to work on the Synology for just specific clients, that means I’ve separated the routing part so that my main WAN-LAN speed remains 1 Gbps.

RickGW

Occasional Visitor
@RickGW Sorry I can't say for certain as (a quick google search) seemed to indicate that NAS uses TWO Intel Celeron J4125, which I thought was similar, but after looking here...

Perhaps you are onto something now ;-)
Ah what the heck, I’m just gonna try it and see if it works! I’m already familiar with Docker, where AdGuard runs, so I’m just gonna google how to setup WireGuard on a Synology NAS in Docker.

capncybo

Senior Member
Ah what the heck, I’m just gonna try it and see if it works! I’m already familiar with Docker, where AdGuard runs, so I’m just gonna google how to setup WireGuard on a Synology NAS in Docker.
Good luck & keep us posted...

degrub

Part of the Furniture
take a look at the small device reviews here -

Tech Junky

Very Senior Member
You're going to need something with AES-NI to get line speed. Having done this myself using a standard PC, rolling the router, switch, firewall, NAS, and media server into a single box, I can say for sure that my 8700k/12700k CPUs get line speed beyond gigabit. It just takes Linux and a PC with a decent NIC and a few configurations to make it work. Just about any PC, though, blows a router out of the water when it comes to performance and flexibility.

RickGW

Occasional Visitor
Good luck & keep us posted...
Well I’ve got the WireGuard server running in Docker, and my iPhone seems to connect, but I cannot access websites. Maybe a DNS conflict issue with AdGuard, also running on the Synology… must do some digging, will report back.

RMerlin

Asuswrt-Merlin dev
You're going to need something with AES-NI to get line speed.
It depends on the VPN technology used. WireGuard does not use AES, it uses Chacha20. AES-NI would only be useful with OpenVPN.
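The CPU-bound-tunnel point above (capncybo's flow-cache explanation and RMerlin's ChaCha20 versus AES-NI distinction) can be checked on a candidate host with this added script, which is not from the thread: it benchmarks ChaCha20-Poly1305 and AES-256-GCM on a single core with `openssl speed` and converts the result to Mbit/s for comparison with the WAN rate. It assumes Linux with the openssl CLI; the 2x headroom rule is my own rule of thumb, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a candidate WireGuard host
# (Raspberry Pi 4, Celeron NAS, x86 box) can carry the tunnel in software by
# measuring single-core AEAD throughput with `openssl speed`.
# Assumes Linux with the openssl CLI; AES-NI detection reads /proc/cpuinfo.
set -eu

# Convert the summary row of `openssl speed -bytes 16384` (last field is in
# thousands of bytes per second, e.g. "187500.00k") to whole Mbit/s.
# 1 kB/s = 8000 bit/s, so Mbit/s = kB/s * 8 / 1000. Empty input yields 0.
speed_row_to_mbit() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); m = v * 8 / 1000 }
                              END { printf "%d\n", m }'
}

# Benchmark one EVP cipher for a second on a single core and return Mbit/s.
# The summary row is the last output line starting with the cipher name
# (OpenSSL prints it as given or in canonical capitalisation, hence grep -i).
bench_mbit() {
    out=$(openssl speed -evp "$1" -seconds 1 -bytes 16384 2>/dev/null) || return 1
    speed_row_to_mbit "$(printf '%s\n' "$out" | grep -i "^$1" | tail -n 1)"
}

# AES-NI only helps AES tunnels (OpenVPN with AES-GCM); WireGuard's
# ChaCha20-Poly1305 runs on the integer units, so both ciphers are measured.
has_aesni() {
    grep -qw aes /proc/cpuinfo 2>/dev/null
}

main() {
    wan_mbit=${1:-940}   # line rate to beat; the thread's WAN is 940 Mbit
    if has_aesni; then echo "AES-NI: present"; else echo "AES-NI: absent"; fi
    for cipher in chacha20-poly1305 aes-256-gcm; do
        if ! mbit=$(bench_mbit "$cipher"); then
            echo "$cipher: openssl speed unavailable"; continue
        fi
        # Rule of thumb (assumption): encapsulation, copies and interrupts eat
        # about half the raw cipher rate, so ask for roughly 2x the line rate.
        if [ "$mbit" -ge $((wan_mbit * 2)) ]; then verdict="likely fine"
        else verdict="marginal, expect a CPU-bound tunnel"; fi
        printf '%-18s %6d Mbit/s single-core -> %s for %d Mbit WAN\n' \
            "$cipher" "$mbit" "$verdict" "$wan_mbit"
    done
}

main "$@"
```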

Tech Junky

Very Senior Member
It depends on the VPN technology used. WireGuard does not use AES, it uses Chacha20. AES-NI would only be useful with OpenVPN.
Good distinction. I guess the simplest version would be needing to use AMD/Intel CPUs to get the highest performance in a VPN setup. Even the enterprise gear lacks the ability to handle VPN at line speed even when they charge thousands for the hw.

RMerlin

Asuswrt-Merlin dev
Even the enterprise gear lacks the ability to handle VPN at line speed even when they charge thousands for the hw.
And the enterprise grade hardware is often 1-2 generations behind the home gateway market. I don't think, for example, any enterprise product uses the BCM4912 yet.

Tech Junky

Very Senior Member

I gave the MTK7921 a shot for hosting an AP in Linux and it was all over the place for speeds and requires some hacking to get it stable at AC speeds when it's an AX card.

When it comes to hardware Qualcomm comes out on top when being used for AP situations. BCM works fine to an extent though but they're lagging in producing M2 or even client adapters that are AX/E. There's another brand that's not coming to mind at the moment that works as well. I can see why router oems use BCM due to keeping the price down as they tend to be about half the price of QCOM.