Wireguard and NordVPN?

[Stardust]

Hey all.
Is it possible to install and use Wireguard on my AX86U with NordVPN?
If yes, how?
For now I am using NordVPN on the router the "normal" way.

I am using Merlins 386.4.
regards

 

[Tech Junky]

I haven't seen it mentioned but, if you're willing to build your own DIY setup I can confirm Nordlynx performs at line speed vs the 40-50% reduction using OVPN.

There are some off the shelf options you could setup Nord WG with though but, there's still some potential limitations of the CPU being the bottleneck.

 

[Stardust]

OK I will search for possible solutions. And maybe wait for GUI for Wireguard.

 

[RMerlin]

Unless that has changed since last time I checked, NordVPN does not provide configuration information. You are stuck with their proprietary client for the time being.

 

[Tech Junky]

NordVPN does not provide configuration information.

There are ways to hack something together based on the config from the proprietary app. The issue is being able to port it to something like an Asus router.

 

[treefu]

Unless that has changed since last time I checked, NordVPN does not provide configuration information. You are stuck with their proprietary client for the time being.

Yup. The pip package openpyn developer confirms precisely this here and no, it's not changed.

 

[chongnt]

I follow this guide to extract the necessary configuration and it is running fine with @Martineau wireguard session manager.

[Instruction] Config NordVPN wireguard (Nordlynx) on OpenWrt

As you guys may know NordVPN supports wireguard for over a year now and unfortunately they're not planning to release configuration files anytime soon. I thought sharing this tutorial here so people can at least enjoy the performance of wireguard. All you need is linux machine or if you don't...

forum.openwrt.org

 

[Stardust]

WOW - thanks a lot to all
I will see if I can make this work

 

[RMerlin]

Note that there is little benefits to using Wireguard instead of OpenVPN from your router when the provider supports both. Your router will need to disable NAT acceleration to support Wireguard, which means you will end up losing performance rather than gaining any versus using OpenVPN. Unless you were already disabling NAT acceleration because you were using Traditional QoS for example.

 

[Tech Junky]

there is little benefits to using Wireguard instead of OpenVPN from your router when the provider supports both.

Double the speed with wire guard would be the main benefit.

 

[RMerlin]

Double the speed with wire guard would be the main benefit.

Benchmarks run by Asus showed a 50% speed increase in Wireguard vs OpenVPN. And then that speed gets capped at 300 Mbps even when not going through the tunnel due to lack of NAT acceleration. Not a good tradeoff if you have a connection faster than 400 Mbps.

 

[Tech Junky]

Well, with my 1gbps connection on a DIY system I get line speed and then some with a LACP lag to hit ~1400mbps with WG enabled.

Now, if the HW in the Asus can't handle the light encryption method of WG properly I can see that being an issue with speeds. The user should have a choice though if it can be built into the OS on the router. The decreased HW needs for WG should yield better speeds than you're saying since it essentially multithreads the encryption tasks with lower overhead on the CPU.

For an idle connection I usually see a couple of PID's running the encryption and when there's a load placed on the connection it expands to ~20 threads to keep up with the data needs.

 

[RMerlin]

The user should have a choice though if it can be built into the OS on the router. The decreased HW needs for WG should yield better speeds than you're saying since it essentially multithreads the encryption tasks with lower overhead on the CPU.

The bottleneck becomes the added CPU load for NAT/routing once you drop NAT acceleration. That caps NAT throughput to around 350 Mbps, which means your WG tunnel traffic would probably cap at around 300 Mbps once you factor everything (such as having one CPU core fully loaded by the NAT software processing).

At those speeds, you are better off using OpenVPN on a router, or running WG on an x86 system.

 

[Tech Junky]

CPU load for NAT/routing

Well, Nord specifically NAT's the connection prior to any egress into 10.5.0.2 as its GW to the VPN server IP. It's transparent to the PC/devices as it's routing entries in the routing table that force the traffic to take the tunnel path. OPVN creates considerable overhead that will peg a router CPU and result in slower speeds / need for additional cooling.

would probably cap at around 300 Mbps

Have you actually tested it on a device that uses your SW?

Ehh....consumer gear is so hobbled by the lack of horsepower when it comes to anything beyond FB / Twitter users. If you want to move considerable amounts of data and not be choked out with OVPN speeds you either need to step up to SMB or DIY to get the bandwidth you're paying for.

It really doesn't surprise me that even with your slimmed down FW these Asus boxes can't handle the VPN side. I had an Asus laying around and subbed it in when I upgraded to GIG and it fell on its face and couldn't hit the speeds a direct connection could so it got tossed aside for something that could. I figure most people don't realize they're getting shotty HW unless they venture into a decent speed to actually push it a little bit to see if it actually works or not. I figure hooking up a GIG WAN connection and GIGI LAN it should be able to hit speeds similar to a direct connect to a PC but it only hit about 25% of the line speed w/o anything enabled on the Asus that would have caused the slow speeds / performance.

 

[RMerlin]

Well, Nord specifically NAT's the connection prior to any egress into 10.5.0.2 as its GW to the VPN server IP.

What goes inside the tunnel is irrelevant here. Your encapsulated packets are still sent NATed to your ISP, which then routes them to the remote WG server. So, you still have NAT being done by the router.

Have you actually tested it on a device that uses your SW?

Asus engineers tested it when they started working on WG support last spring, they shared their test results with me back then. Those results would be nearly identical with both stock firmware or my firmware. I might have a slight edge on OpenVPN due to the amount of optimizations I've done over the years to my OpenSSL and OpenVPN implementation, but even these are getting closer to being similar these days as I've shared my optimizations with them over the years. With WG I doubt there's anything I could optimize there, except maybe look at possibly improving CPU affinity allocation (which was one of the ways I've improved OpenVPN performance).

It really doesn't surprise me that even with your slimmed down FW these Asus boxes can't handle the VPN side.

It's pretty much the same with virtually any router you can buy out there, outside of high-end enterprise devices, core networking devices, or homegrown x86 devices. Look at business class routers, they generally document the packet throughput in their specs sheet, and they ain't breaking any speed records either.

I figure hooking up a GIG WAN connection and GIGI LAN it should be able to hit speeds similar to a direct connect to a PC but it only hit about 25% of the line speed w/o anything enabled on the Asus that would have caused the slow speeds / performance.

Asus routers are quite capable of handling 900+ Mbps of NAT traffic. You can see quite a few users posting speed test results reporting those speeds here, in addition to @thiggins's own reviews. 25% of line speed tells me you had hardware NAT disabled, as this will drop NAT throughput to around 250-350 Mbps depending on the router model. You will get fairly similar throughput with prosummer products from Ubiquity or Mikrotik as well.

Routing/NATing that kind of throughput simply requires either quite beefy hardware, or that you cut corners using CTF/FE/flow caching/etc... techniques.

 

[Tech Junky]

This is the card I'm using https://www.qnap.com/en-us/product/qxg-5g4t-111c/specs/hardware/QXG-5G4T-111C.pdf
Here are the specs on the AQ controller - https://www.marvell.com/content/dam...rollers-aqtion-aqc111c-112c-product-brief.pdf

lspci
00:00.0 Host bridge: Intel Corporation Device 4668 (rev 02)
00:02.0 VGA compatible controller: Intel Corporation AlderLake-S GT1 (rev 0c)
00:06.0 PCI bridge: Intel Corporation Device 464d (rev 02)
00:08.0 System peripheral: Intel Corporation Device 464f (rev 02)
00:14.0 USB controller: Intel Corporation Device 7ae0 (rev 11)
00:14.2 RAM memory: Intel Corporation Device 7aa7 (rev 11)
00:15.0 Serial bus controller [0c80]: Intel Corporation Device 7acc (rev 11)
00:16.0 Communication controller: Intel Corporation Device 7ae8 (rev 11)
00:17.0 SATA controller: Intel Corporation Device 7ae2 (rev 11)
00:1a.0 PCI bridge: Intel Corporation Device 7ac8 (rev 11)
00:1c.0 PCI bridge: Intel Corporation Device 7aba (rev 11)
00:1c.3 PCI bridge: Intel Corporation Device 7abb (rev 11)
00:1d.0 PCI bridge: Intel Corporation Device 7ab0 (rev 11)
00:1f.0 ISA bridge: Intel Corporation Device 7a84 (rev 11)
00:1f.3 Audio device: Intel Corporation Device 7ad0 (rev 11)
00:1f.4 SMBus: Intel Corporation Device 7aa3 (rev 11)
00:1f.5 Serial bus controller [0c80]: Intel Corporation Device 7aa4 (rev 11)
01:00.0 Non-Volatile memory controller: Sandisk Corp WD Black SN850 (rev 01)
02:00.0 Non-Volatile memory controller: Sandisk Corp WD Black SN850 (rev 01)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 05)
04:00.0 Network controller: Intel Corporation Wi-Fi 6 AX210/AX211/AX411 160MHz (rev 1a)
05:00.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:00.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:02.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:03.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:08.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:0a.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
06:0b.0 PCI bridge: ASMedia Technology Inc. Device 2812 (rev 01)
08:00.0 Ethernet controller: Aquantia Corp. AQC111 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] (rev 02)
09:00.0 Ethernet controller: Aquantia Corp. AQC111 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] (rev 02)
0b:00.0 Ethernet controller: Aquantia Corp. AQC111 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] (rev 02)
0c:00.0 Ethernet controller: Aquantia Corp. AQC111 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] (rev 02)

sudo inxi -F
System:    Host: server Kernel: 5.17.0-051700rc5-lowlatency x86_64 bits: 64 Console: tty pts/1
           Distro: Ubuntu 21.10 (Impish Indri)
Machine:   Type: Desktop Mobo: ASRock model: Z690 Steel Legend serial: HQ0210001702488 UEFI: American Megatrends LLC. v: 2.02
           date: 10/01/2021
CPU:       Info: 10-Core model: 12th Gen Intel Core i7-12700K bits: 64 type: MT MCP cache: L2: 25 MiB
           Speed: 600 MHz min/max: 800/6300 MHz Core speeds (MHz): 1: 600 2: 600 3: 599 4: 601 5: 1655 6: 4151 7: 803 8: 2606
           9: 800 10: 800 11: 800 12: 802 13: 618 14: 894 15: 939 16: 601 17: 1032 18: 801 19: 609 20: 600
Graphics:  Device-1: Intel AlderLake-S GT1 driver: i915 v: kernel
           Display: server: X.org 1.20.13 driver: loaded: fbdev unloaded: modesetting,vesa tty: 202x55
           Message: Advanced graphics data unavailable in console for root.
Audio:     Device-1: Intel driver: snd_hda_intel
           Sound Server-1: ALSA v: k5.17.0-051700rc5-lowlatency running: yes
           Sound Server-2: PulseAudio v: 15.0 running: yes
           Sound Server-3: PipeWire v: 0.3.32 running: yes
Network:   Device-1: Realtek RTL8125 2.5GbE driver: r8169
           IF: enp3s0 state: down mac: a8:a1:59:7a:82:f0
           Device-2: Intel Wi-Fi 6 AX210/AX211/AX411 160MHz driver: iwlwifi
           IF: wlp4s0 state: down mac: d8:f8:83:d8:8e:c0
           Device-3: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
           IF: enp8s0 state: up speed: 100 Mbps duplex: full mac: 24:5e:be:4d:c4:53
           Device-4: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
           IF: enp9s0 state: up speed: 2500 Mbps duplex: full mac: 24:5e:be:4d:c4:54
           Device-5: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
           IF: enp11s0 state: up speed: 1000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
           Device-6: Aquantia AQC111 NBase-T/IEEE 802.3bz Ethernet [AQtion] driver: atlantic
           IF: enp12s0 state: up speed: 1000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
           IF-ID-1: bo0 state: up speed: 2000 Mbps duplex: full mac: 06:7e:4e:62:3b:e3
           IF-ID-2: bonding_masters state: N/A speed: N/A duplex: N/A mac: N/A
           IF-ID-3: br0 state: up speed: 2500 Mbps duplex: unknown mac: 5a:ea:69:a9:d9:fb
           IF-ID-4: nordlynx state: unknown speed: N/A duplex: N/A mac: N/A
Bluetooth: Device-1: Intel type: USB driver: btusb
           Report: hciconfig ID: hci0 state: up address: D8:F8:83:D8:8E:C4 bt-v: 3.0
RAID:      Device-1: md0 type: mdraid level: raid-10 status: active size: 18.19 TiB report: 5/5 UUUUU
           Components: Online: 2: sdb1 3: sdd1 4: sda1 5: sde1 6: sdc1
Drives:    Local Storage: total: raw: 38.21 TiB usable: 20.01 TiB used: 8.2 TiB (41.0%)
           ID-1: /dev/nvme0n1 vendor: Western Digital model: WDS100T1X0E-00AFY0 size: 931.51 GiB
           ID-2: /dev/nvme1n1 vendor: Western Digital model: WDS100T1X0E-00AFY0 size: 931.51 GiB
           ID-3: /dev/sda vendor: Western Digital model: WD80EZAZ-11TDBA0 size: 7.28 TiB
           ID-4: /dev/sdb vendor: Western Digital model: WD80EZAZ-11TDBA0 size: 7.28 TiB
           ID-5: /dev/sdc vendor: Western Digital model: WD80EZAZ-11TDBA0 size: 7.28 TiB
           ID-6: /dev/sdd vendor: Western Digital model: WD80EZAZ-11TDBA0 size: 7.28 TiB
           ID-7: /dev/sde vendor: Western Digital model: WD80EZAZ-11TDBA0 size: 7.28 TiB
Partition: ID-1: / size: 915.77 GiB used: 107.56 GiB (11.7%) fs: ext4 dev: /dev/nvme0n1p2
Swap:      Alert: No swap data was found.
Sensors:   System Temperatures: cpu: 33.0 C mobo: 38.5 C
           Fan Speeds (RPM): fan-1: 770 fan-2: 838 fan-3: 0 fan-4: 780 fan-5: 0 fan-6: 0 fan-7: 743
Info:      Processes: 473 Uptime: 12h 58m Memory: 15.39 GiB used: 3 GiB (19.5%) Init: systemd runlevel: 5 Shell: Bash
           inxi: 3.3.06

ip r
0.0.0.0/1 via 10.5.0.2 dev nordlynx
default via WAN GW dev bo0 proto dhcp src WAN IP metric 208
WAN CIDR dev bo0 proto dhcp scope link src WAN IP metric 208
128.0.0.0/1 via 10.5.0.2 dev nordlynx
169.254.0.0/16 dev lo scope link metric 1000
172.241.224.41 via WAN GW dev bo0
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1

 

[maddhater]

@Tech Junky @RMerlin - I stumbled upon your discourse and enjoyed it but felt it was unresolved... any updates?

 

[RMerlin]

@Tech Junky @RMerlin - I stumbled upon your discourse and enjoyed it but felt it was unresolved... any updates?

I still stand by my comment in https://www.snbforums.com/threads/wireguard-and-nordvpn.77685/post-748717 . If running it on a router, use OpenVPN (or IPSEC). If running it on a PC, then you may consider WireGuard.

 

[egc]

Because I needed better speed than the 35 Mb/s my Asus AC68U did on OpenVPN, I unfortunately had to switch to other third party firmware to use WireGuard about a year ago, it tripled my speed and with that other third party firmware you could have CTF+FA (hardware NAT) enabled while using WireGuard, WireGuard itsef is not accelerated, but non WireGuard traffic is.

I have also seen users using NordVPN with WireGuard on the router (indeed you have to do some tricks to get the conf file) with good results.

So for low end devices like AC68U it could be beneficial, for higher end devices it is different as they have much better OpenVPN speed

 

[archiel]

I switched to using WireGuard simply because if fully supports dual stack, no need to disable IPv6 on client devices using VPN. I dropped NordVPN for the same reason - IPv6 support had been 'coming soon' for over 5 years, until it wasn't.

However, my ISP (and all available competitors in my area) are still maxing out at 80/20 Mbs. Once faster speeds become available (500Mbs and 1Gbs symmetric 'promised' for some time next year) then I will look for a different solution - probably buying / building a pfsense box and using my Asus devices as APs.