Wireguard client on Asuswrt-Merlin (RT-AX86U Pro)

[SandLake]

I consider myself to generally to be quite technical but realistically I'm not!

I have been trying for quite a while to get a Wireguard VPN client running on a router with policy based rules but I couldn't manage it. I recently found out that both Asuswrt and Asuswrt-Merlin had introduced support for it so I bought myself an RT-AX86U Pro. I have flashed it with Asuswrt-Merlin 388.2 and set up a (Surfshark) VPN client and added a VPN Director rule for my main desktop PC.

I have gigabit FTTP broadband which gets me about 930/98 Mbps.

I have now run 2 speedtests through the VPN and got speeds of 485/53 and 370/61.

Those speeds are great but (!) I would have thought that I would have done better with Wireguard.

 

[L&LD]

Your results are expected.

I suggest you flash the latest RMerlin firmware though, 388.2_2 final.

 

[SandLake]

Thanks, that was a typo on my part, I am on 388.2_2

What is likely to be causing the reduction in speed, I didn't think that Wireguard was particularly processor intensive and the router doesn't appear to be under any significant load?

 

[Tech9]

What is likely to be causing the reduction in speed

- VPN encryption processing and router's Raspberry Pi like hardware
- no commercial VPN service guarantees the speed for $5/month or less

 

[drinkingbird]

Thanks, that was a typo on my part, I am on 388.2_2

What is likely to be causing the reduction in speed, I didn't think that Wireguard was particularly processor intensive and the router doesn't appear to be under any significant load?

Wireguard is not accelerated by anything in the hardware on the Asus, but its efficiency is why you're able to get close to 500M (other unaccelerated VPN protocols would be a fraction of that).

For comparison, you'd get about the same speed with openVPN (probably a bit less even), which does have some hardware acceleration (AES instruction set) in the Asus.

IPSEC VPN is probably the best performer on the Asus as it has an actual dedicated hardware chip for IPSEC offloading, but that is server mode only. Oddly, wireguard seems to perform much better in server mode as well, with @RMerlin seeing it hit around 800M in one test.

There is room for improvement, VPN only uses a single CPU right now, you might be able to get it using more by having multiple tunnels but that's going to be extra expense and configuration, and may not actually use more than 1 CPU (my bet would be not, but have not tried, I'm sure others in here could confirm or deny that).

You're already benefitting from the flow bypass introduced in 386.2 which allows non-VPN traffic to remain accelerated (before VPN would slow everything down, even traffic not going through it). The next improvement would be if they updated the linux kernel to a much newer one that supports multi-threaded crypto on at least OpenVPN, not sure about wireguard. But I wouldn't hold my breath on that one.

But no home router is going to be able to compete with an x86 processor, if you want to get full gig you're looking at building your own router/VPN server miniPC (or getting one of the premade ones that are all over Amazon). And of course you'll probably have to pay more for a higher tier VPN provider.

Long story short, like others have said, what you're getting is exactly what is expected.

 

[SandLake]

Thank you, very happy with the speeds, had always heard that Wireguard was 'lightweight' and assumed it would be faster.

I happen to have bought a chinese branded N100 X86 pc with 2 ethernet ports - the frustrating challenge that I will enjoy is that it is down to me to tinker with!

 

[Tech9]

Similar thread here:

Will a high-end consumer router have enough processing power to function as 1000 Mbps+ Wireguard VPN client?

QUESTION: Will a modern high-end consumer router such as Asus RT-AXE7800 have enough processing horsepower to function as 1000 Mbps+ Wireguard VPN client? BACKGROUND: I currently have a 1 Gbps (1000 Mbps) fiber broadband connection to my home. With my current Asus RT-AC86U router, my wifi...

www.snbforums.com

I really hope the "security" ideas are not similar too.

 

[drinkingbird]

Thank you, very happy with the speeds, had always heard that Wireguard was 'lightweight' and assumed it would be faster.

I happen to have bought a chinese branded N100 X86 pc with 2 ethernet ports - the frustrating challenge that I will enjoy is that it is down to me to tinker with!

To state the obvious, you can run a speed test through the VPN and watch the router's CPU cores in the GUI. Most likely one is hitting very hard and the rest aren't (another may be moderate, not sure if it uses the same CPU for routing and crypto or not). If they all go up, then wireguard actually is doing what it is supposed to, spawning multiple processes and getting load balanced, but as far as I know these chipsets assign specific tasks to specific CPU cores, so all crypto will hit one core.

If one core is hitting 100%, that's your limitation. If not it is your VPN provider (and potentially latency) limiting your throughput.

Not sure if possible with your provider (or the asus router) but you could try bringing up 2 tunnels and running 2 simultaneous speed tests from a machine assigned to each tunnel, see if it gets balanced at all. My guess is probably not.

Most likely that N100 will perform a lot better, using all 4 cores, would not be surprised if you can hit or exceed 1G easily with that (depending how much other stuff you layer on, pfsense/opnsense will take some CPU obviously, as will addons). May even be worth testing it with OpenVPN - the AES-NI instruction set might actually perform better than wireguard with no acceleration (though from what I've heard, wireguard still beats it).