Asuswrt-Merlin 388.1 - Wireguard site-to-site on 2xAX88U

[ZebMcKayhan]

TOP

The issue is that Wireguard is incompatible with broadcom nat hw accelleration and before the latest firmware release enabling wireguard completally turned off nat hw accelleration crippling all data to ~500Mbit, even to wan.
Asus/Broadcom developed this bypass that merlin ported in so only clients that uses wireguard would be crippled.
The problem is that it only works on lan source addresses, so if you are using destination based rules it may apply to all.

I dont even know if this is nessisary since you have turned off nat.

How is your vpn director rule? Did you put in source 192.168.2.0/24 there?

We could make a script that removes this entry automatically, but Im not sure we should. Or atleast you should test this extensively before we do it so there are no side effects.

 

[Enrico85]

Yes it works. Thanks
You can see the results in the last attachment

I put this rule (see attachment)

So the cap that you said before about 500 Mbit/s can be related to my VPN speed? (same value about 500 Mbit/s)
Is the Broadcom chipset the problem?

I'll test this change in the next days

Thanks

 

[ZebMcKayhan]

I put this rule (see attachment)

What if you leave the local IP blank? It should not make any difference for your rule.

Is the Broadcom chipset the problem?

Yes.

 

[Enrico85]

without the local ip (see attachment) same upload problem

I removed the rule with the command:
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network

 

[ZebMcKayhan]

without the local ip (see attachment) same upload problem

I removed the rule with the command:
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network

Alright, altough you could keep your rule without the local ip, it is the proper way imo.

Except from general router stability, up/download speed, keep an extra eye on the syslog in the gui. Lookout if it gets flooded with error about blog or similar. Try to provoke by sending/recieving large files over Wireguard.

Let me know when/if you are confident enough to make this entry removed on wg start.

 

[Enrico85]

Alright, altough you could keep your rule without the local ip, it is the proper way imo.

Except from general router stability, up/download speed, keep an extra eye on the syslog in the gui. Lookout if it gets flooded with error about blog or similar. Try to provoke by sending/recieving large files over Wireguard.

Let me know when/if you are confident enough to make this entry removed on wg start.

yes I'm ready. what should I do?
thanks

 

[ZebMcKayhan]

yes I'm ready. what should I do?
thanks

nano /jffs/scripts/wgclient-start

Populate with:

#!/bin/sh
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network

Save & exit.

Make it executable:

chmod +x /jffs/scripts/wgclient-start

And you should be all set! Now the entry are removed each time any wg client starts, but beware, if you ever create more wg clients this entry is needed and you will get issues.

Just out of curiosity, what speeds are you reaching over vpn?

 

[Enrico85]

Just out of curiosity, what speeds are you reaching over vpn?

thanks!
the speed over WG vpn is about 500 mbit/s. the exact value of the broadcom limit
do you think it will improve with future updates?

Iperf result:

VPN OpenVpn [Router server - Router client] (Site to site)
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 188 MBytes 158 Mbits/sec sender
[ 4] 0.00-10.00 sec 187 MBytes 157 Mbits/sec receiver

VPN WireGuard [Router server - win 10 software client]
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 2.27 GBytes 650 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.27 GBytes 650 Mbits/sec receiver

VPN WireGuard [Router server - Router client] (Site to site)
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 1.60 GBytes 458 Mbits/sec
[ 4] 0.00-30.00 sec 1.60 GBytes 458 Mbits/sec

LAN (external web) no VPN
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 3.24 GBytes 927 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.24 GBytes 927 Mbits/sec receiver

 

[ZebMcKayhan]

do you think it will improve with future updates?

Honestly... no...

 

[Enrico85]

Honestly... no...

I see the all the top Asus router mount a Broadcom chipset.
Is the problem present on all models?

thanks

 

[ZebMcKayhan]

I see the all the top Asus router mount a Broadcom chipset.
Is the problem present on all models?

thanks

As the root issue is in hardware, Broadcom may update the hardware for future chipsets but for the current models we are stuck with this. Altough, how the bypass work may change in software and improve in order to isolate Wireguard communication better. This means our "fix" may be obsolete or need further tweaking whenever there is an firmware update.

I know that the nat hw acceleration have some different variations. it used to be called Archer on the older models, now it's FlowCache and Runner but I dont know how it differs between all router models but I know that the symptoms of this incompatibility ranges from log errors and poor speeds to craches or random reboots on different routers models.

https://github.com/ZebMcKayhan/WireguardManager#disable-flowcache