Enabling WireGuard on RT-AX86U Pro reduces other clients' WireGuard bandwidth

[SDF07S]

On 750Mbps fiber connection my PC download speed is about 650Mbps using WireGuard NT, which is the official kernel space WireGuard client for Windows, or OpenVPN with Data Channel Offload, which also runs in kernel space. Enabling WireGuard VPN Fusion on ASUS RT-AX86U Pro (stock 3.0.0.6 firmware) for any VLAN results in my main PC download speed being reduced to about 450Mbps regardless of whether I use WireGuard NT or OpenVPN-DCO. That happens even if nobody is connected to the router except for my main PC. Is that normal?

If I route my PC through ASUS router's WireGuard tunnel (instead of using WireGuard for Windows), then I get about 500Mbps for download speed, but OpenVPN bandwidth maxes out at 200Mbps. My guess is that official stock firmware does not use DCO for OpenVPN.

Running bandwidth tests does show that router's CPU Core 1 reaches 100% utilization. Other 3 cores stat at 1% during those tests. Is this router simply not optimized to run WireGuard in kernel space?

EDIT: It looks like its some kind of port saturation issue. If I use OpenVPN-DCO via non-default port 51820 (same as default WireGuard port) then my PC bandwidth is reduced to 450Mbps when WireGuard is enabled for any client on this router, but if I switch my PC to use OpenVPN-DCO via port 1194, then my bandwidth goes back up to 650Mbps, even when WireGuard is enabled on router for other clients. Why would outbound port affect bandwidth?

 

[GetToTheChopper!]

On 750Mbps fiber connection my PC download speed is about 650Mbps using WireGuard NT, which is the official kernel space WireGuard client for Windows, or OpenVPN with Data Channel Offload, which also runs in kernel space. Enabling WireGuard VPN Fusion on ASUS RT-AX86U Pro (stock 3.0.0.6 firmware) for any VLAN results in my main PC download speed being reduced to about 450Mbps regardless of whether I use WireGuard NT or OpenVPN-DCO. That happens even if nobody is connected to the router except for my main PC. Is that normal?

If I route my PC through ASUS router's WireGuard tunnel (instead of using WireGuard for Windows), then I get about 500Mbps for download speed, but OpenVPN bandwidth maxes out at 200Mbps. My guess is that official stock firmware does not use DCO for OpenVPN.

Running bandwidth tests does show that router's CPU Core 1 reaches 100% utilization. Other 3 cores stat at 1% during those tests. Is this router simply not optimized to run WireGuard in kernel space?

EDIT: It looks like its some kind of port saturation issue. If I use OpenVPN-DCO via non-default port 51820 (same as default WireGuard port) then my PC bandwidth is reduced to 450Mbps when WireGuard is enabled for any client on this router, but if I switch my PC to use OpenVPN-DCO via port 1194, then my bandwidth goes back up to 650Mbps, even when WireGuard is enabled on router for other clients. Why would outbound port affect bandwidth?

If you get to the bottom of thsi please post.... I have this router and have found that it tends to make up it's own mind on stuff too often.

 

[bennor]

If you get to the bottom of thsi please post.... I have this router and have found that it tends to make up it's own mind on stuff too often.

You appear to be running one or more add-ons. As a troubleshooting step if you haven't done so already, remove all addons and test. Sometimes add-ons can introduce the oddball issue.
Ideally when one is having strange issues; is to troubleshot by performing a hard factory reset, then a basic initial manual configuration without restoring a saved router.cfg file and without installing any add-on scripts or USB drives.

 

[ZebMcKayhan]

Running bandwidth tests does show that router's CPU Core 1 reaches 100% utilization. Other 3 cores stat at 1% during those tests. Is this router simply not optimized to run WireGuard in kernel space?

It is due to broadcom nat hw acceleration is not compatible with Wireguard kernel implementation. Thus nat has to be done in software for the Wireguard port and source ip used. So when core 1 maxes out its due to sw nat and not wireguard (wireguard is multi core)

Why would outbound port affect bandwidth?

Asus/broadcom flowcache bypass (nat hw bypass) is set on Wireguard port and source ip. Other data using these will be affected as well.

You could check bypass via ssh if you want:

cat /proc/blog/skip_wireguard_port
cat /proc/blog/skip_wireguard_network

Edit: saw that this thread was not new after writing but leaving info here if someone needs it.