ASUS GT-AXE16000 CPU usage with VPN on lan machine

Code:
echo "del 1337 either" >> /proc/blog/skip_wireguard_port
echo "del 1443 either" >> /proc/blog/skip_wireguard_port

This appears to have fixed the high CPU consumption like immediately. I ran these in the middle of the execution of a speed test. It immediately dropped CPU usage to near 0 and the speed test went from around 450 megabits to full line speed. Interesting..
Great news! At least now we know that these ports' existence in the blog bypass is the reason for your issues.

Just need to figure out why these ports are excluded from your NAT HW acceleration. Perhaps this could give some hint:
Code:
nvram show | grep 1337
nvram show | grep 1443
 
The thing using it is a WireGuard client I have on the router itself that is connecting similarly. That is for domain-based routing that I have running, and removing those ports doesn't seem to have broken anything, so hopefully I'll have no consequences for doing that (at least that I can tell is broken)..
 
In my defense, I did ask this specifically in #15...
Alright, so now we know. I guess there are 2 ways to go about this:
1. Make a wgclient-start script that automatically removes these entries every time these clients are started/restarted, and keep hoping it continues to work and doesn't create issues.
2. If you have the opportunity, set up another server instance on the server machine that uses a different port which you can connect to from your router, so you don't have to use the same ports and suffer from the blog bypass on your PC.
 
Right, I assumed though that if I didn't use the ports on the WireGuard server that we are talking about, that wouldn't affect it. Guess my assumption was wrong though.

I guess I also assumed the client running on the router to the VPN service wouldn't affect anything, though I can't change the port I'm connecting to since it's just a paid VPN service. To my knowledge none of them run on "unstandard" WireGuard ports, so I guess I'm kind of in a rock and hard place on both sides of that coin. I'll just have to make the script do that and hope for no consequences on it.
 
There are always other ways, but I believe this is the simplest way (if it works).

I wonder if it would change anything if the destination port was changed in the firewall. So you set up the wg client with some bogus port you make up, then change it using DNAT in the OUTPUT chain to the correct one.

Otherwise, the tunnel itself could be moved to i.e. an RPi or similar. You could make it in such a way that you are still handling domain routing in your router.

Here is probably how I would have made the script, if it's of any use to you:
Code:
nano /jffs/scripts/wgclient-start

Code:
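#!/bin/sh
# $1 is the WireGuard client number (2 = wgc2, 3 = wgc3).
# String comparison avoids a test error if $1 is empty or non-numeric.

if [ "$1" = "2" ]; then # only for wgc2
   # take port 1337 off the blog bypass list
   echo "del 1337 either" >> /proc/blog/skip_wireguard_port
   logger -t "$(basename "$0")" "Port 1337 removed from blog bypass"
fi

if [ "$1" = "3" ]; then # only for wgc3
   # take port 1443 off the blog bypass list
   echo "del 1443 either" >> /proc/blog/skip_wireguard_port
   logger -t "$(basename "$0")" "Port 1443 removed from blog bypass"
fi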

Code:
chmod +x /jffs/scripts/wgclient-start
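
The DNAT idea mentioned in the post above (point the client at a made-up port, rewrite it to the real one in the nat OUTPUT chain), sketched as an added example; it is not code from the thread, and whether it avoids the blog bypass is untested. The function names are hypothetical, and the endpoint 203.0.113.10 and port 51821 in the usage comment are constructed placeholders; 1337 is the port from the thread.

```shell
#!/bin/sh
# Added illustration, not from the thread: express the "bogus port + DNAT in
# the OUTPUT chain" idea as an idempotent helper. All values are passed in.

# Accept only decimal ports 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables rule spec that rewrites ENDPOINT:FAKE to ENDPOINT:REAL
# for locally generated UDP packets. Fails on malformed input.
dnat_rule_spec() {
    ip="$1"; fake="$2"; real="$3"
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;   # IPv4 literal only, keeps word splitting safe
    esac
    valid_port "$fake" || return 1
    valid_port "$real" || return 1
    [ "$fake" != "$real" ] || return 1
    printf '%s' "-p udp -d $ip --dport $fake -j DNAT --to-destination $ip:$real"
}

# Add the rule only if -C (check) reports it is not already present, so a
# client restart does not stack duplicate rules.
apply_dnat() {
    spec=$(dnat_rule_spec "$@") || { echo "invalid arguments" >&2; return 1; }
    # $spec is intentionally unquoted: it is a validated list of arguments.
    iptables -t nat -C OUTPUT $spec 2>/dev/null ||
        iptables -t nat -A OUTPUT $spec
}

# Usage (constructed values): client configured with endpoint port 51821,
# provider really listens on 1337:
#   apply_dnat 203.0.113.10 51821 1337
```
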
 
Thank you a lot for the code.. I really do appreciate that as I'm not fantastic at writing it lol
 
