Turning on Wireguard on RT-AX88U slows all local download speeds

[RS61]

My home setup is a gigabit fibre connection into a bridged modem into my RT-AX88U which is set up as the main router in an AiMesh with 3x AX82U nodes, all with Cat6a wired backhauls. It's rock solid, and normally I get my gigabit up and down. Everything runs the latest up to date Asus own firmware.

Recently I decided to up my security and turn off a bunch of port forwarding and remote access. So I turned on the Wireguard server (not client) in the Asus router settings. Suddenly I get at most 400Mbps down and up. My downloads max at about 40 MBps on Steam, vs the 80+ that I get with Wireguard turned off. I don't actually have anyone connected to my VPN at any point - it's only for the rare occasion when I need to log in from out of the house. So there's some CPU usage from it but not a huge amount.

Having a look at the CPU, when I start downloading something, one of the four CPU cores maxes out to 100%, then another one does, and so on. The difference is that when Wireguard is turned off, it's one core that goes to 100% and then stays at 100%, no jumping around.

Is this normal behaviour. Does turning on the VPN server on this router basically limit you to a max throughput of about 400 Mbps because of a lack of processing power, etc? Has anyone been able to run gigabit up and down on an AX88U with a VPN server for remote access?

 

[ColinTaylor]

This is a known problem when enabling Wireguard. It's a hardware limitation rather than a bug or configuration error.

 

[Tech9]

Does turning on the VPN server on this router basically limit you to a max throughput of about 400 Mbps because of a lack of processing power, etc?

WireGuard is incompatible with NAT acceleration, Flow Cache. You get faster VPN speeds in exchange of entire network speed penalty. The subject was discussed here:

Please suggest best VPN to use that has a Wireguard config file on GT-AXE11000 w/388 firmware

I currently have Nord VPN and it has no config file for the wireguard protocol. I know there is a work around but I am not experienced enough to attempt it. I am looking for suggestions, I see Proton and Mullvad as viable options. Which would be better for speed and security? CC

www.snbforums.com

About 350-400Mbps is what your CPU can process with no NAT acceleration. Home routers rely heavily on different NAT hacks to achieve higher WAN-LAN transfer speeds.

 

[RS61]

Thank you both, that's exactly what I was after.

In my situation, where maybe once a month I need to log into my network remotely and the VPN speed isn't that important but local network speed and overall security is, would you suggest running Wireguard on my QNAP instead, or running one of the other protocols on the Asus router (assuming one of the others is compatible with NAT acceleration)?

 

[doczenith1]

Thank you both, that's exactly what I was after.

In my situation, where maybe once a month I need to log into my network remotely and the VPN speed isn't that important but local network speed and overall security is, would you suggest running Wireguard on my QNAP instead, or running one of the other protocols on the Asus router (assuming one of the others is compatible with NAT acceleration)?

Looks like I was a few days late with my response on reddit.

Your AX88U should have no problem reaching ~250 Mbps using OpenVNP which does not disable NAT acceleration. Give that a try if WireGuard on the QNAP does not work out.

 

[RS61]

Thank you. Weirdly running OpenVPN on my router did still reduce my speeds to about 700 Mbps. In the end I've got WireGuard set up on QNAP with the one port forwarded to it. Doesn't feel quite as safe, but I can't think of any specific risks, and the performance is great all round.

 

[Tech9]

Weirdly running OpenVPN on my router did still reduce my speeds to about 700 Mbps.

It depends on what else is running on this router and now many VPN clients you have. AiProtection enabled and you may not reach Gigabit ever. Home routers have hardware tuned for power efficiency. They are weaker than RPi and have very limited RAM. They all rely heavily on NAT acceleration. No home router can do Gigabit with CPU processing. Think about true 100-400Mbps capable hardware (depending on the model) with some hacks applied to allow higher speeds and in some cases only. Many users don't know Bandwidth Limiter on Guest Network will have a huge performance impact on the entire network, for example.

 

[RS61]

Oh wow I definitely didn't know that. Is there a post somewhere that outlines which features on an Asus router has the biggest impact on local performance?

 

[Tech9]

Here:

I dont have Nat Acceleration (ASUS RT-AX82U)

My setting where it would be is Bonding/ Link aggregation instead of Nat Acceleration.

www.snbforums.com

NAT acceleration disabled has the biggest performance impact, but on WAN-LAN traffic. Local traffic is switched, not routed. LAN-LAN performance has to remain the same, but WLAN-LAN... it depends on what router model we are talking about.

 

[DroidST]

Looks like I was a few days late with my response on reddit.

Your AX88U should have no problem reaching ~250 Mbps using OpenVNP which does not disable NAT acceleration. Give that a try if WireGuard on the QNAP does not work out.

I need to dig into this on my AX86U and do more testing.. perhaps I'll stick with OpenVNP if results are like the AX88U

 

[Tech9]

I'll stick with OpenVNP if results are like the AX88U

Both routers are the same CPU/RAM/Radios hardware.

 

[maxbraketorque]

Interesting to see confirmation of the network speed reduction with WG. Its too bad because it seems to be the future. There shouldn't be a network slow-down with OVPN. I have OVPN server and client running on my AC86U, and I get full gigabit speed.

 

[princi]

Interesting to see confirmation of the network speed reduction with WG. It’s too bad because it seems to be the future. There shouldn't be a network slow-down with OVPN. I have OVPN server and client running on my AC86U, and I get full gigabit speed.

Where is the confirmation?

He said he needs to investigate further, and if the results are the same, etc.

We know the AX88U has h/w limitations, the AX86U is a similar beast.

I’m more interested in testing on the new models, the PRO models for instance.

 

[Tech9]

the PRO models for instance

We need someone to test on currently available GT-AX6000. It has the same CPU as upcoming Pro models. What I expect to see is the same NAT acceleration disabled limitation or around 400Mbps for this particular model. Some Qualcomm based home routers with lower CPU clock rate can do up to 500Mbps, but different hardware with different software. No direct comparison possible.

 

[princi]

Not only currently available hardware, 388 firmware for the router is also needed.

Looking like a long wait.

 

[cc666]

It slows down on the GT-AXE 11000 all connections on .388 firmware.

CC

 

[cc666]

From my post in another thread:

I did some testing, had WireGuard with Proton VPN. I did NOT have all devices under the VPN only a handful.

I ran the following speed tests:

1 - Laptop - NOT on VPN but VPN was switched ON d/l speed was averaging around 400
2 - Laptop - NOT on VPN but VPN was switched OFF d/l speed was averaging around 520
3 - Laptop - ON VPN and VPN was ON d/l speed was around 290

Laptop in same exact location using OoKla. I am convinced that the NAT is off for all clients if the VPN is switched on. Really affects the speed of clients NOT under the VPN. The 290 was faster than Nord Not using wireguard but UDP. Nord was around 225.

Feel free to run these of your setup and report back.

CC

 

[DroidST]

From my post in another thread:

I did some testing, had WireGuard with Proton VPN. I did NOT have all devices under the VPN only a handful.

I ran the following speed tests:

1 - Laptop - NOT on VPN but VPN was switched ON d/l speed was averaging around 400
2 - Laptop - NOT on VPN but VPN was switched OFF d/l speed was averaging around 520
3 - Laptop - ON VPN and VPN was ON d/l speed was around 290

Laptop in same exact location using OoKla. I am convinced that the NAT is off for all clients if the VPN is switched on. Really affects the speed of clients NOT under the VPN. The 290 was faster than Nord Not using wireguard but UDP. Nord was around 225.

Feel free to run these of your setup and report back.

CC

essentially similiar results here, most likely I will be disable Wireguard and stick with OpenVPN in the router.

Right now, I'm testing 388/386 with 2 AiMesh nodes, VPN changes will have to wait.

 

[CodyPredy]

Running the latest 3.0.0.4.388_21709 firmware on my AX86U and getting full speed with Wireguard VPN Server turned on and remote client connected.
I'm guessing they fixed the issue. Can anyone else confirm this.

Configuration:
Desktop Ethernet -> No VPN
Macbook Pro -> WireGuard VPN Client (connected remotely)
AC68U Mesh node
AX86U (main router)

Getting aprox. 900Mbps which is close to my max ISP speed.

 

[Tech9]

What is your ISP line up/down at the WireGuard Server side?