Tutorial Wireguard server tweaks

Not sure how to get better results...move closer :)
What do you get if you ping WAN to WAN without WireGuard? If it's still high, it may be what it is, not much to do.

Some protocols work better with high latency than others. FTP is rather good for file transfer, at least better than SMB. Would guess HTTP would be better than HTTPS but don't have anything to back that up.

Did you try iperf with "-P 10" option?
 
What do you get if you ping WAN to WAN without WireGuard? If it's still high, it may be what it is, not much to do.
Very similar results.
Some protocols work better with high latency than others. FTP is rather good for file transfer, at least better than SMB. Would guess HTTP would be better than HTTPS but don't have anything to back that up.

Did you try iperf with "-P 10" option?
Yup, as attached. Looks like around 10 per stream going down, ~100 total; and average about 5 up, ~50 total.

Seems like there's not much more I can do really, but I have learnt a huge amount via these trials, so thanks again for your patience. When you talk ping and grep and traceroute and git you folks don't know how Greek that all sounds to many of us, like alien expletives.

Finally I really really wish Asus would:
  1. Put a working MTU implementation into WG on the Router; and
  2. Put TailScale on the Router (not part of this discussion but saves me making a subnet Router). I only have (and only want) the Router at that Address, no PC or other Tailscale enabled device, but as noted previously, I have prepared an RPi to drop in.

k.
 

Attachments: iPerf One Way.txt, iPerf Reverse.txt, OneWay10s.jpg, Ping with WG.jpg, Ping wo WG.jpg
Yup, as attached. Looks like around 10 per stream going down, ~100 total; and average about 5 up, ~50 total.
An average of 94Mbit/s is not bad, it would be what I would expect from a 100Mbit connection.

The reverse test seems more flaky with more varying speeds across the streams. Still around 50Mbit/s... not sure if your link is to blame or processing power used to generate the streams. You could try to use some rpi to run iperf on instead of the router. Or accept that speed is probably not your issue.
 
An average of 94Mbit/s is not bad, it would be what I would expect from a 100Mbit connection.

The reverse test seems more flaky with more varying speeds across the streams. Still around 50Mbit/s... not sure if your link is to blame or processing power used to generate the streams. You could try to use some rpi to run iperf on instead of the router. Or accept that speed is probably not your issue.
Thanks Zeb,

For closure on ISP, this is their response:

After touching base with our networks team, I can confirm that we don't block or throttle any traffic that is traveling over our network (including UDP etc.) unless it's malicious in nature.

After reviewing the Ping data, I find it to be within range for traffic that is moving from a geo-location that far away from our country, very in line with what I get when connecting to the USA or Asia servers for different services I use. I would also say the same for the traceroute: I can see a latency jump once it moves from Singapore to New Zealand, but all packets are moved and any that are dropped are done via "time out", which is what happens when it normally hits a firewall.

It could be a good idea to view CPU usage within the router and ensure it's not too high for a router (over 60-70%) as this could cause BGP route flagging and a host of other issues along with going over the VPN configuration. Going over your VPN configuration would be a bit outside the scope of my support level unfortunately.

I am not sure this adds a lot more than what you already suspected.
 
My AC86U just lost its 2.4 GHz radio so I've bought an AX88U Pro. I would like to transfer my WireGuard config to the new router. Right now I'm stuck at figuring out the correct keys to use. For example, when I enter "v peer1" I get the same psk but a different public key than when I enter "v wg21" and scroll to the same peer. I am also seeing different public keys for all the peers when viewing "v wg21". I believe I should be using the values from each peer's conf file but where do I find the correct priv key to use for the server peer?
 
I believe I should be using the values from each peer's conf file but where do I find the correct priv key to use for the server peer?
No, not entirely. Each client only contains wg21 pub key and client priv key (and psk). It lacks the wg21 priv key and client pub key. The same goes for wg21 config, it only has wg21 priv key and client pub keys. All psk are there though.

In order to get all keys you need to fire up your old router and ssh into it.
Code:
#server peer:
nvram get wgs1_priv
nvram get wgs1_pub
#client1 peer:
nvram get wgs1_c1_priv
nvram get wgs1_c1_pub
nvram get wgs1_c1_psk #if used
#client2 peer:
nvram get wgs1_c2_priv
nvram get wgs1_c2_pub
nvram get wgs1_c2_psk #if used
#and so on

Copy the reply to each command to store in some text file somewhere. Then use the same keys to update the keys on your new router according to post #1.
Then safely delete your text file, or store it securely somewhere.
 
In order to get all keys you need to fire up your old router and ssh into it.
Thanks for the prompt reply! The "old" router is still up and running while I'm setting up the AX88U so easy to grab the values. An old AC1900P has been providing 2.4 GHz for the last few weeks.

Edit: The nvram commands don't seem to be working. Perhaps I need to clarify, I'm trying to get the information from the AC86U running WireGuard Session Manager.
 
Thanks for the prompt reply! The "old" router is still up and running while I'm setting up the AX88U so easy to grab the values. An old AC1900P has been providing 2.4 GHz for the last few weeks.

Edit: The nvram commands don't seem to be working. Perhaps I need to clarify, I'm trying to get the information from the AC86U running WireGuard Session Manager.
ooh, sorry... I didn't read your post properly. so you can't get the keys that way then.

I don't remember how much you could get the keys from the CLI/GUI but all config files should be in /opt/etc/wireguard.d/ both wg21.conf and your client configs.

in wg21.conf [interface] section you should find the PrivateKey= directive. this would be your [wgs1_priv]
in wg21.conf [Peer] section you should find each PublicKey= directive (for each peer). this would be your [wgs1_cX_pub]
in wg21.conf [Peer] section you should find each PresharedKey= directive (for each peer). this would be your [wgs1_cX_psk]

for the rest of the keys, they are actually not needed on your server, only needed if you ever need to generate new config files... but I would recommend to update these as well.

in the same folder you should find all client configs that wgm have created, so you need to open each one.

on i.e. peer1.conf [interface] section you should find the PrivateKey= directive. this would be your [wgs1_c1_priv]
in peer1.conf [Peer] section you should find PublicKey= directive (for wgs1). this would be your [wgs1_pub] (this would be same for all peers, so no need fetch for all)

on i.e. peer2.conf [interface] section you should find the PrivateKey= directive. this would be your [wgs1_c2_priv]

continue like this until you have collected all keys needed... then you can update the keys on your new router, using "nvram set ..." commands from post #1.
 
ooh, sorry... I didn't read your post properly. so you can't get the keys that way then.


in wg21.conf [Peer] section you should find each PublicKey= directive (for each peer). this would be your [wgs1_cX_pub]

in peer1.conf [Peer] section you should find PublicKey= directive (for wgs1). this would be your [wgs1_pub] (this would be same for all peers, so no need fetch for all)
I think this is where my confusion lies. When I view wg21.conf the pub key shown for each client peer is different than the pub key shown for the same client peer in the client peer's conf file. In the client peer conf files the pub keys are all the same as expected. In the wg21.conf file the pub keys are all different which is where I am confused.

I have created the text file per post #1 with all the client peers entered using the data from the peer's conf file. If I'm understanding correctly I will use the value from the wg21.conf for the [nvram set wgs1_priv=] value. And then do I use the common pub key for [nvram set wgs1_pub=] value?

Edit: I just re read your post. For each [nvram set wgs1_cx_pub] I will use the unique pub key from wg21.conf and for [nvram set wgs1_pub=] I will use the common value found in the peer conf?
 
I think this is where my confusion lies. When I view wg21.conf the pub key shown for each client peer is different than the pub key shown for the same client peer in the client peer's conf file. In the client peer conf files the pub keys are all the same as expected. In the wg21.conf file the pub keys are all different which is where I am confused.
That's because they are different. Each peer has its own private and public key pairs but only uses its own private key in its own config. In each client config file, the server public key will be in the peer section. So each peer config contains its own private key and each connecting peer's public keys. I know, it's confusing.


I have created the text file per post #1 with all the client peers entered using the data from the peer's conf file. If I'm understanding correctly I will use the value from the wg21.conf for the [nvram set wgs1_priv=] value. And then do I use the common pub key for [nvram set wgs1_pub=] value?
Yep, that's correct. Common pub key from client configs.


Edit: I just re read your post. For each [nvram set wgs1_cx_pub] I will use the unique pub key from wg21.conf and for [nvram set wgs1_pub=] I will use the common value found in the peer conf?
That's right!

I probably suck at explaining this, reading my own texts makes me confused as well... It would be great if some script writer would create an import/export script that does this for you, but luckily it's a one-time thing.
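
The key mapping worked out in the posts above, as an added example that is not part of the thread, post #1 or WireGuard Session Manager: it reads wg21.conf and the client configs and prints the matching "nvram set" lines, pairing each client file with its [Peer] block in wg21.conf through the PresharedKey both sides share. Assumptions: every client uses a PSK, client N is the N-th file passed, and the function names and all key values are constructed placeholders.

```shell
# Added example. Every key value below is a constructed placeholder, not a real key.
umask 077   # files created from here on are owner-only, since they hold private keys
make_samples() {   # make_samples DIR: write constructed wg21.conf, peer1.conf, peer2.conf
    cat > "$1/wg21.conf" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIV_PLACEHOLDER=
[Peer]
PublicKey = CLIENT2_PUB_PLACEHOLDER=
PresharedKey = PSK_2_PLACEHOLDER=
[Peer]
PublicKey = CLIENT1_PUB_PLACEHOLDER=
PresharedKey = PSK_1_PLACEHOLDER=
EOF
    for i in 1 2; do
        printf '[Interface]\nPrivateKey = CLIENT%s_PRIV_PLACEHOLDER=\n[Peer]\nPublicKey = SERVER_PUB_PLACEHOLDER=\nPresharedKey = PSK_%s_PLACEHOLDER=\n' "$i" "$i" > "$1/peer$i.conf"
    done
}

get_key() {   # get_key FILE SECTION KEY [N]: value of KEY in the N-th [SECTION] block
    awk -v sec="$2" -v key="$3" -v n="${4:-1}" '
        /^\[/ { s = tolower($0); gsub(/[^a-z]/, "", s); hit = (s == tolower(sec)); if (hit) i++; next }
        hit && i == n && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == tolower(key)) { print v; exit }
        }' "$1"
}

peer_pub_for_psk() {   # peer_pub_for_psk WG21CONF PSK: PublicKey of the [Peer] with this PSK
    n=1
    while pub=$(get_key "$1" Peer PublicKey "$n"); [ -n "$pub" ]; do
        [ "$(get_key "$1" Peer PresharedKey "$n")" = "$2" ] && { echo "$pub"; return 0; }
        n=$((n + 1))
    done
    return 1
}

emit_nvram() {   # emit_nvram WG21CONF PEER1CONF PEER2CONF ...: N-th client file -> wgs1_cN_*
    srv=$1; shift; c=0
    printf 'nvram set wgs1_%s=%s\n' priv "$(get_key "$srv" Interface PrivateKey)" pub "$(get_key "$1" Peer PublicKey)"
    for conf in "$@"; do
        c=$((c + 1)); psk=$(get_key "$conf" Peer PresharedKey)
        pub=$(peer_pub_for_psk "$srv" "${psk:-none}") || { echo "# client $c: no PSK match, pair by hand"; continue; }
        printf "nvram set wgs1_c${c}_%s=%s\n" priv "$(get_key "$conf" Interface PrivateKey)" pub "$pub" psk "$psk"
    done
}

d=$(mktemp -d) && make_samples "$d" && emit_nvram "$d/wg21.conf" "$d/peer1.conf" "$d/peer2.conf"; rm -rf "$d"
```

The output contains every private key, so treat it like the text file mentioned earlier in the thread: keep it off shared storage and delete it once the new router is configured.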
 
@doczenith1 did you manage to grab all keys and update your server? Did everything work as intended?
Been meaning to provide an update but have been sick with a chest cold.

I did get a "test" client working. But...then realized that it was going to be more effort to transfer my settings than start from scratch. Also, adding new clients in the future would be much easier by starting from scratch. Details below.

My current config had 8 client peers and peers 1-4 are no longer needed. To not have to touch existing client configs to change their IP addresses this would require creating 4 "dummy" configs on the new router. I suppose I could have manipulated the configs on the router but that could make things messy for future client configs.

WireGuard Session Manager was using 10.50.1.x vs 10.6.1.x on the 88U. This meant changing those values for existing clients 5-8 and then remembering to change it for future clients.

I appreciate all your help and have increased my knowledge of WireGuard along the way.
 