Edgerouter wireguard performance

Found that somebody did it manually but …. Because …. For this …. How …. I had to remove Pi-hole from the Raspberry Pi just to use resources for something else. As I have an ESXi host, I just need a …. For multiple locations we decided to use this model because it is very cheap and powerful. First we had to decide between Zerotier and Wireguard …. As I got this for free from Cisco and I had to get rid of the firmware and license, OpenWRT is what we actually need.

All tutorials are with static routing where wireguard is included. First I tried to add ….

WireGuard aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. If you'd like a general conceptual overview of what WireGuard is about, read onward here. You then may progress to installation and reading the quickstart instructions on how to use it. If you're interested in the internal inner workings, you might be interested in the brief summary of the protocol, or go more in depth by reading the technical whitepaper, which goes into more detail on the protocol, cryptography, and fundamentals.

If you intend to implement WireGuard for a new platform, please read the cross-platform notes. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN.

In contrast, it more mimics the model of SSH and Mosh; both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface.

WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc.). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for it added and removed using route(8) or ip-route(8), and so on with all the ordinary networking utilities. The specific WireGuard aspects of the interface are configured using the wg(8) tool. This interface acts as a tunnel interface. WireGuard associates tunnel IP addresses with public keys and remote endpoints.

When the interface sends a packet to a peer, it does the following: Behind the scenes there is much happening to provide proper privacy, authenticity, and perfect forward secrecy, using state-of-the-art cryptography. At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel. Each network interface has a private key and a list of peers.

Each peer has a public key.

My favorite VPN provider, AzireVPN (referral link), already has support for it as well and at the moment has even opened up the WireGuard connections for free to test the load and performance. That means that, for now, you should be able to get this all up and running for free. To complete this example you will have to be familiar with the EdgeRouter SSH command line interface and know something about the configuration you already have up and running.

You should also feel comfortable to install packages. Here you can download a zip file with configuration for the different VPN endpoints that they own. Choose one location, like azirevpn-es1. The route-allowed-ips false will make sure that we have to set up routing by hand, which we are going to use to manually route only insecure traffic we want over the VPN later.

For this we start a new routing table with the default route over the wg0 interface. Next up, we make sure that any traffic that is sent out of the wg0 interface is masqueraded to the ip of the interface.

For this example, we are going to only route some of the traffic over the VPN and leave the rest to run outside of the VPN. Then we create a modify firewall rule set that will change the routing behavior of matched traffic to use the wg0 routing table we created earlier.

This will match anything that is not considered a secure TCP port and apply the routing table we defined earlier (22) to that traffic. To apply this rule to traffic on a given interface, we need to hook up the firewall rule. I've bonded together the local ports into a switch0 configuration so for me it's.

That's it for the basic connection, use compare to see what you add and use commit to apply the current configuration. But we are not done yet, we need a firewall on the wg0 interface. These probably fit in with your current wan facing firewall and therefore I'm just giving a bare-minimal example for completeness here. Also the connections from outside to wg0 should be protected, but keep in mind that the connection for WireGuard itself should still be allowed.

Here we can use the firewall mark that the WireGuard driver adds. An example is: The VPN connection may still be leaky if the route goes down, so this is far from a complete solution.

Also, I still have to figure out the IPv6 support. Configuration Now it's time to start configuring the interface and the routing. Happy hacking!

They provide 1 Ethernet jack per person per room. I have multiple wired devices, so at the very least I needed a switch, but I also wanted all the devices to be able to talk to everything back on my home network.

The best way to do this is with a site to site VPN. This lets devices on each end of the VPN tunnel communicate with each other as if they were directly on the same network. Originally I was going to use a Cisco Meraki MX64 firewall (get one for free here at my dorm) as my router, but the functionality is somewhat limited for my uses and I prefer the EdgeRouters, so I got a cheap EdgeRouter X off of eBay (college budget life) and went to work.

Both EdgeRouters have hardware offloading for the encryption used in typical IPSEC configurations, so this seemed like a good high performance option. Finally, Plan C was to use WireGuard. The details on how to set it up on my hardware though were somewhat lacking, and it took quite a few hours to get it actually functional.

Find the download URL for your router and copy and paste it on line 3. Generate public and private keys on each router. Copy and paste the output into a text file for convenience.

Top line of output is the private key, the bottom line is the public key. Configure the home router. I used Set up the other router peer on each router. Skip line 2 on the side with port forwarding (only useful on the side that can reach out to the other side with port forwarding), or run it on both sides if there is. Must be run on at least one side.

Edit the ruleset configuration and add a new rule. You should also see a new wg0 interface in the dashboard, possibly with traffic going over it already. This is so that your routers know about the networks on the other end and can direct traffic accordingly. This should do the trick, on each end type this with the relevant info: Try pinging a device on the other end, from either end. If it comes back with a response, you should be all done! Assuming all went well, that should be it.

WireGuard is still poorly supported on Windows, however.

There are third-party clients, but as of writing these have not been audited and the WireGuard authors caution against their use. There are various other guides for configuring WireGuard on EdgeRouters, and a very active thread on the Ubiquiti forums. Most writeups seem to be router-to-router or aimed at configuring the router as a VPN server to remotely access devices on the home network. You should also have a working UniFi controller.

The next steps will be easier as root, so su up: This should have created two files, priv. The private key should be readable only by root. Save and exit. Go to the vyatta-wireguard GitHub page, identify which version you need, and download the latest. Now on the router, type configure to get into configuration mode.

Do the following, adjusted as needed for your network.

Substitute your public key from the server in the two peer lines. Back to the server to finish configuration. Now get WireGuard running as an automatic service, using the wg-quick systemd unit: At this point there should be a working WireGuard connection between router and server.

You can check with wg show: We need to do some configuration on the router to start directing clients over the VPN. Connected clients will get an IP within the chosen subnet in my case First, create a new WiFi network. Choose reasonable security settings and a good password.

Again, any number except 1 will work. Next, add a corresponding Network. Most of the defaults are fine. The address and subnet should match what you configured on the access point. At this point, any device with an IP in Create a routing table to deal with packets destined for the VPN.

This takes any packets caught by that firewall rule and, for any destination 0. The blackhole line prevents traffic from falling back to the default route out through the cable modem in case the tunnel is unavailable. Next create a firewall rule to modify incoming packets with the table we just created. This will match any packets coming from devices on Add the firewall rule to the virtual interface.

Finally, do the following. I suspect this is an issue with path MTU discovery. This will be persistent.

I thought a good place to start would be to compare how well these different models perform in terms of IPsec throughput and overall CPU usage at the same time. Part of my lab setup will involve provisioning a couple of IPsec tunnels between the lab and my home network. The routers themselves are initially at the factory default settings other than rudimentary interface configs, some static routes, hardware offloading (more on that later) and the configuration components needed to establish an encrypted GRE tunnel using IPsec.

I may explore this in the future once I have something that can push more data than these devices are capable of, which should allow me to measure them independently. Each device was rebooted when any change to its hardware offload settings was made, just to ensure it loaded correctly. For each of the tests, regardless of router configuration, I will be using iperf to measure throughput between servers and will keep the settings at basically default: run via TCP, for 30s, and display output every 1s in CSV format so I can compile the results.

Once I had the initial test plan sorted out, I made sure that all relevant hardware offloading was enabled and started by measuring if the devices can actually forward traffic at 1 Gbps. Just pure packet forwarding via static routes.

The routers are ordered from left to right, most expensive to least expensive (EdgeRouter 4, EdgeRouter Lite and EdgeRouter X respectively), and thankfully, it seems that all routers are more than capable of forwarding packets at basically line rate (see image to the left).

What is more interesting about this first test seems to lie with the CPU usage of the devices whilst pushing packets. Whilst this is certainly an interesting point to see this early on, I would be curious as to how the CPU in the X performs with other tasks that can't really be offloaded as easily. As mentioned previously, I am testing between just these two devices and I can't tell if the performance I see in my results is due to hitting a ceiling on encryption or decryption, so for the remainder of this article I will assume both figures are the same for the ER4.

As you might expect, throughput was a little less when using AES due to the increase in computation required.

I decided to stick with AES as the primary choice for the remainder of the tests. As you can see, the EdgeRouter 4 performs pretty well in this test. It would only manifest every 1 in 10 tests or so and apply consistently for that flow. Because I was consistently getting around Mbps however, I went with an average of those results as the value for the ER4. Another curious observation came about when playing around with the different hardware offload modes.

To me, this result is somewhat unexpected. I would have thought that offloading as much as possible to the offload engine would give better results but that does not appear to be the case. I am only speculating but I think this may be to do with packets going back and forth from the co-processor unit in the Cavium chip. For example, a packet may come into the device for forwarding, get offloaded and then need to come back out of the offload engine to be processed further before being GRE encapsulated and offloaded and then ultimately encrypted again (IPsec offloaded?).

I am curious to see how this behaviour would affect overall performance of the device when it's doing other CPU related tasks and not just IPsec encryption. Now that we have some figures for the EdgeRouter 4, I can move on to testing one of the other models.

The logic here is that the EdgeRouter 4 is the more capable device by far, so by putting one of the (in theory) less powerful devices in place of one of the EdgeRouter 4s, the result I get would be capped by the performance of that device, and thus we measure its performance. Using this logic, I can push traffic through the EdgeRouter Lite as the first hop, thus testing its encryption performance, and vice versa, having the EdgeRouter Lite as the last hop, testing its decryption performance.

Given the result observed earlier for the raw throughput test of the EdgeRouter X, I was very interested to see how this one would turn out. This particular model of EdgeRouter is based on a different SoC manufacturer than the other two devices (MediaTek vs. Cavium, respectively), so has a different hardware offload engine.

This is even more apparent in the configuration of the router and how you enable hardware offloading. So, using the same IPsec configuration settings for the EdgeRouter 4 and EdgeRouter Lite tests (detailed above), this router performed surprisingly well, better than I had initially expected.

First tests were done between Timisoara and Deva.

OS: ubuntu Advantages of Wireguard: 1. Wireguard is in the kernel already. Very simple to configure. Because it is in the kernel, it is actually very fast. Disadvantages of Wireguard: 1.

Not that simple to configure if you have routing (I will explain in the next article why) 3. Advantages of Zerotier: 1.

Simple through NAT 2. No port forwarding but if you have firewall, you need to unblock the Zerotier UDP port. Very cool web portal access with free devices. Also, very cheap a premium account. Disadvantages of Zerotier: 1. Slower than Wireguard. Not easy for troubleshooting as everything is in the cloud. Hurting the CPU comparable with Zerotier. Conclusion: We can definitely see that Wireguard is faster than Zerotier on the same hardware.

Hello, thank you for this test. Hurting the CPU comparable with Wireguard.