New Member
Posts: 24
Registered: ‎02-11-2018
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@karog wrote:

 

@aaomidi wrote:

Does anyone have a writeup of putting the entire internet traffic through Wireguard? For example if I've purchased a package from Mullvad.

 


Set the AllowedIPs for the peer (Mullvad) to 0.0.0.0/0


If you care about IPv6 too:

AllowedIPs = 0.0.0.0/0, ::/0

For example I found that on T-Mobile LTE some traffic will bypass the VPN because they use IPv6 by default if you don't mess with the APN settings to set it to IPv4.

Member
Posts: 164
Registered: ‎01-30-2014
Kudos: 97
Solutions: 3

Re: Release: WireGuard for EdgeRouter

OK ! On 1.10.8 !

Factory defaulted,

flashed older FW,

fixed eth0 IP to not conflict (I'll use my ER-Lite as a WireGuard server inside my LAN, port forwarded from my USG, to route VPN to the LAN)

Did a static route to 0.0.0.0/0 next hop 192.168.1.1 to tell the ER-Lite where to go for internet.

Set system nameserver

ping is working fine.

 

 

sudo apt-get update
...
sudo apt-get install wget
...
wget https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20181007-1/wireguard-e100-0.0.20181007-1.deb
...
sudo dpkg -i wireguard-e100-0.0.20181007-1.deb
...
Setting up wireguard (0.0.20181007-1) ...

 

So, here I am now. Any pointers on my next step ?

 

 

@ubnt:~$ show configuration
interfaces {
    ethernet eth0 {
        address 192.168.1.225/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
@ubnt:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         192.168.1.225/24                  u/u
eth1         -                                 u/D
eth2         -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128

 

So all looks shiny clean.

 

 

set interfaces wireguard
Possible completions:
  <wgN>         WireGuard interface name

 

Command is there.

 

Now what? XD

 

Essentially, I have a cellphone (official app) and a laptop (Windows 10, I'll use TunSafe; I know the TAP stuff and not official, but as long as the Go project ain't done ...)

 

I want to, wherever I am on whatever IP on the net, be able to VPN inside my LAN and route to stuff as if I was on my LAN (ALL traffic going through the VPN except for the local LAN where my client is).

 

I get (I believe) that I need to create the WG interface a bit like that (mydomainresolvingtomyerlite.ip being my dynamic DNS service), so the endpoint ... but when I look at https://www.wireguard.com/quickstart/ heh... it doesn't look like the commands I have on EdgeOS XD

 

Help!

 

 

configure

set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <server-private-key>

set interfaces wireguard wg0 peer <client-public-key> allowed-ips 192.168.33.2/32

commit

 

New Member
Posts: 22
Registered: ‎05-20-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter


My replies somehow get deleted??
Why??

 

trying again:

 

@zx2c4 Hey man, I hope you are well!

@Lochnair 

 

I've recently updated my tunnel between my two houses, both endpoints with dynamic IPs and found a peculiar intermittent problem.

First, about my setup:

got my domain with two A records, endpoint-A.domain.ro and endpoint-B.domain.ro, served up by afraid dyndns and set up on both locations using the integrated dynamic DNS clients in EdgeOS

 

so on endpoint B I have :

dns {
     dynamic {
         interface pppoe0 {
             service afraid {
                 host-name endpoint-B.domain.ro
                 login <user>
                 password <pass>
                 protocol dyndns2
             }
         }
     }
}

and on endpoint-A I have the same but with the hostname changed to endpoint-A.domain.ro obviously. 

 

And this works rather well. Both records are updated when the routers connect or the pppoe resets/changes IP addresses.

 

the wireguard interface is set up on both endpoints like this:

 

 wireguard wg0 {
     address 10.30.0.2/24
     description Tunn
     listen-port 51820
     mtu 1420
     peer <PubPeerKeyForEndPointA> {
         allowed-ips 10.0.0.0/8
         endpoint endpoint-A.domain.ro:51820
         persistent-keepalive 25
     }
     private-key <PrivKeyForEndPointB>
     route-allowed-ips true
 }

And all this usually works OK, but for a few circumstances.

 

-->> 1st, I noticed that if both endpoints change IP address at the same time (more or less) the tunnel never gets updated.

The sudo wg show command would show both endpoints trying to connect to the older IP addresses of the endpoints even though the hostnames are properly updated and point to the new IP addresses (doesn't keepalive have a function to re-resolve the endpoint hostname to IP?)

 

-->> 2nd, and this is much more important, there are times (40-50% of the time) when one endpoint comes online (for example manually rebooted) and its WireGuard interface is missing the endpoint hostname:port entirely, and it actually looks like this:

 

 wireguard wg0 {
     address 10.30.0.2/24
     description Tunn
     listen-port 51820
     mtu 1420
     peer <PubPeerKeyForEndPointA> {
         allowed-ips 10.0.0.0/8
         persistent-keepalive 25
     }
     private-key <PrivKeyForEndPointB>
     route-allowed-ips true
 }

 

and needless to say I have to issue a

set interfaces wireguard wg0 peer <peer> endpoint endpointX.domain.ro:51820

commit

before the tunnel works again.

I have no clue why this is, but my first guess would be that the pppoe interface sometimes takes a bit longer to connect and the set interfaces wireguard wg0 ... endpoint command fails if the hostname parameter is not resolvable??

 

Thank you! 

Best regards,

Bogdan Dumitru

 

P.S. Thanks for the stickers! 
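The first symptom above (both sides keep sending to the old addresses after a simultaneous IP change) is a consequence of how endpoints work: the kernel never re-resolves a hostname. `endpoint host:port` is resolved once when the peer is set, and afterwards only packets that actually arrive from the peer move its endpoint. The following Python is an added example, not code from the thread or from the EdgeOS package: it reproduces the approach of wireguard-tools' contrib script reresolve-dns.sh, re-resolving the configured hostname only for peers whose last handshake is older than 135 s and emitting the `wg set` needed. The `wg show` output, the key placeholder `PEER_A_PUBKEY=` and the fake resolver are constructed for the example.

```python
"""Re-resolving dynamic-DNS endpoints for a running WireGuard interface.

Added example, not code from the thread or from the EdgeOS package. The
logic follows wireguard-tools' contrib/reresolve-dns/reresolve-dns.sh:
only peers whose last handshake is older than 135 s get their endpoint
re-resolved, so a working tunnel is never disturbed. Sample `wg show`
output, the key placeholder and the DNS resolver are constructed.
"""
import time

MAX_HANDSHAKE_AGE = 135  # seconds; same threshold reresolve-dns.sh uses


def parse_wg_kv(text):
    """Parse `wg show <if> endpoints` or `wg show <if> latest-handshakes`
    output: one "<pubkey><TAB><value>" line per peer."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            key, value = line.split("\t", 1)
            out[key] = value.strip()
    return out


def stale_endpoints(configured, endpoints, handshakes, resolve, now=None):
    """configured: {pubkey: "host:port"} as written in the EdgeOS config.
    endpoints / handshakes: parsed `wg show` output (see parse_wg_kv).
    resolve: hostname -> IP string (socket.gethostbyname in real use).
    Returns [(pubkey, "ip:port")] for peers that need `wg set ... endpoint`."""
    now = time.time() if now is None else now
    fixes = []
    for key, hostport in configured.items():
        host, port = hostport.rsplit(":", 1)   # also fine for "[v6addr]:port"
        last = int(handshakes.get(key, "0"))
        current = endpoints.get(key)          # "(none)" when wg has no endpoint
        healthy = current not in (None, "(none)") and now - last <= MAX_HANDSHAKE_AGE
        if healthy:
            continue  # recent handshake: the kernel is already tracking the peer
        want = f"{resolve(host)}:{port}"
        if current != want:
            fixes.append((key, want))
    return fixes


def wg_set_commands(iface, fixes):
    """Commands to apply the fixes (non-persistent; EdgeOS config is unchanged)."""
    return [f"wg set {iface} peer {key} endpoint {ep}" for key, ep in fixes]


# Constructed sample: one peer, endpoint-A resolved to 203.0.113.10 at boot,
# the A record has since moved to 203.0.113.20.
CONFIGURED = {"PEER_A_PUBKEY=": "endpoint-A.domain.ro:51820"}
ENDPOINTS_OUT = "PEER_A_PUBKEY=\t203.0.113.10:51820\n"
HANDSHAKES_OUT = "PEER_A_PUBKEY=\t1000\n"            # epoch seconds, constructed
DNS_NOW = {"endpoint-A.domain.ro": "203.0.113.20"}  # constructed resolver data


def fake_resolve(host):
    return DNS_NOW[host]


def demo():
    eps = parse_wg_kv(ENDPOINTS_OUT)
    hs = parse_wg_kv(HANDSHAKES_OUT)
    fresh = stale_endpoints(CONFIGURED, eps, hs, fake_resolve, now=1058)  # 58 s ago
    stale = stale_endpoints(CONFIGURED, eps, hs, fake_resolve, now=1600)  # 600 s ago
    missing = stale_endpoints(CONFIGURED, parse_wg_kv("PEER_A_PUBKEY=\t(none)\n"),
                              {}, fake_resolve, now=1600)
    return fresh, stale, missing


if __name__ == "__main__":
    fresh, stale, missing = demo()
    print("fresh handshake ->", wg_set_commands("wg0", fresh))
    print("stale handshake ->", wg_set_commands("wg0", stale))
    print("no endpoint     ->", wg_set_commands("wg0", missing))
```

Run from cron or a task scheduler every minute or so, with `resolve=socket.gethostbyname` and the two `wg show` outputs fed in. The check also catches the second symptom (a peer whose endpoint shows as `(none)`), but it only repairs the running interface; it says nothing about why the commit lost the endpoint, and the persistent fix is still the `set interfaces wireguard ... endpoint` in the EdgeOS config.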

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

I'm working on a site-to-site implementation of WireGuard between an ER Pro-8 and an ERX.  ERX is on a 250/250 connection and ER Pro-8 is on a 1G/1G connection.  IPsec maxes out around 110Mbps so I'm looking to see if WireGuard on this hardware can get me more.

I've followed a few guides online and the hardware appears to connect but no data is passing.  I'm hoping someone can give me a quick pointer on what I missed so I can get up and running.  Thanks!

ER 8 Port configuration:

    wireguard wg0 {
        address 10.100.100.1/24
        listen-port 51820
        mtu 1492
        peer bvs= {
            allowed-ips 10.0.0.0/8
            endpoint A.B.C.D:51820
            persistent-keepalive 15
        }
        private-key ****************
        route-allowed-ips true
    }


And for the ERX:

    wireguard wg0 {
        address 10.100.100.2/24
        listen-port 51820
        mtu 1492
        peer V4k= {
            allowed-ips 10.0.0.0/8
            endpoint A.B.C.D:51820
            persistent-keepalive 15
        }
        private-key ****************
        route-allowed-ips true
    }


sudo wg on the er8

interface: wg0
  public key: V4k=
  private key: (hidden)
  listening port: 51820

peer: bvs=
  endpoint: A.B.C.D:51820
  allowed ips: 10.0.0.0/8
  transfer: 2.61 KiB received, 6.56 KiB sent
  persistent keepalive: every 15 seconds

and sudo wg on the erx

interface: wg0
  public key: bvs=
  private key: (hidden)
  listening port: 51820

peer: V4k=
  endpoint: A.B.C.D:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 58 seconds ago
  transfer: 5.71 KiB received, 2.91 KiB sent
  persistent keepalive: every 15 seconds


The local network on the ER8 is 10.0.1.0/24 and on the ERX it's 10.1.1.0/24

What am I missing?

Thanks!

New Member
Posts: 7
Registered: ‎02-20-2016

Re: Release: WireGuard for EdgeRouter


@Lanthade wrote:


The local network on the ER8 is 10.0.1.0/24 and on the ERX it's 10.1.1.0/24

What am I missing?

Thanks!


Do you have firewall rule sets in place to allow traffic from wg0 IN so that it will be able to talk to things on each end? That's the first thing that popped into my head. I think you need at least a firewall_IN bound to each wg0 interface, with either a default allow, or default drop with rules to allow whatever traffic/ports you want to allow.

 

You're trying to allow the entire private class A between the two sites? I'm trying to convince myself, because I'm not sure, that you can have the endpoints think they are in the same class C subnet the way you do, or if that's going to confuse the heck out of them because they both think 10.100.100.0/24 is their own local subnet.

Established Member
Posts: 1,620
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter


@Lanthade @JasonColeman

 

At first I thought the AllowedIPs would be the problem but maybe not. In any case, though they might work in your case, it is not the best choice.

 

First, it is important to understand what AllowedIPs is doing. First and foremost, it is a filter on what packets it will accept, by requiring any received packets to have a source address that is subsumed by AllowedIPs; otherwise the packet is dropped. Given your local nets, this should be true. Optionally, AllowedIPs creates routing rules to route any packets with a destination address subsumed by AllowedIPs over the wg interface. On the ERs, route-allowed-ips controls this option. Again, in your case, that should route all of 10.0.0.0/8 over but not the local subnet, since that is handled by layer 2 and never sees the router.

 

If it were me, I would set the AllowedIPs as

 

ER8: 10.100.100.2/32,10.1.1.0/24

ERX: 10.100.100.1/32,10.0.1.0/24

 

As @JasonColeman remarks, make sure any firewalls let appropriate traffic for the endpoint address available but on WAN_LOCAL, not _IN.
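The two roles of AllowedIPs described above (inbound source filter, outbound peer selection) are the whole of WireGuard's cryptokey routing, and the first post's `0.0.0.0/0, ::/0` advice is the same mechanism seen from a full-tunnel client. The Python below is an added example, not code from the thread or from WireGuard itself; it models both roles and uses the ER8/ERX addresses from this thread (peer names and the constructed `vpn`/`site` peers are placeholders). It shows why narrowing ER8's peer from 10.0.0.0/8 to 10.100.100.2/32,10.1.1.0/24 matters for more than tidiness: with /8 the remote side can inject packets claiming to come from ER8's own LAN, and why a v4-only full tunnel leaves IPv6 destinations untunnelled.

```python
"""Cryptokey routing (AllowedIPs) modelled in Python.

Added example, not code from the thread or from WireGuard. Only the two
roles of AllowedIPs are reproduced: outbound peer selection (longest
prefix wins across all peers) and the inbound source check applied to
each decrypted packet. Whether a packet reaches the wg interface at all
is decided earlier by the kernel routing table, which is not modelled here.
"""
from ipaddress import ip_address, ip_network


class Peer:
    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed_ips = [ip_network(n) for n in allowed_ips]


def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs entry is the longest prefix
    containing dst. None means no peer owns the destination, so WireGuard
    drops it rather than tunnelling it."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, src):
    """Inbound: a packet decrypted with `peer`'s session is kept only if its
    inner source address lies inside that peer's AllowedIPs."""
    addr = ip_address(src)
    return any(addr.version == n.version and addr in n for n in peer.allowed_ips)


def full_tunnel_leaks_ipv6(allowed_ips):
    """True when AllowedIPs captures every IPv4 destination but not every
    IPv6 one (the LTE case from the first post)."""
    nets = [ip_network(n) for n in allowed_ips]
    all_v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    all_v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    return all_v4 and not all_v6


# ER8's view of its ERX peer: as posted (10.0.0.0/8) and as suggested above.
ERX_BROAD = Peer("ERX", ["10.0.0.0/8"])
ERX_NARROW = Peer("ERX", ["10.100.100.2/32", "10.1.1.0/24"])


def demo():
    return {
        # Both settings send the remote LAN (10.1.1.0/24) to the ERX peer...
        "route_remote_lan": select_peer([ERX_NARROW], "10.1.1.101").name,
        # ...but only /8 would also claim ER8's own LAN prefix for the tunnel.
        "broad_claims_own_lan": select_peer([ERX_BROAD], "10.0.1.1") is not None,
        "narrow_claims_own_lan": select_peer([ERX_NARROW], "10.0.1.1") is not None,
        # Inbound filter: with /8 the ERX side may inject packets that claim
        # to come from ER8's own LAN; the narrow list drops them.
        "broad_accepts_spoof": accept_inbound(ERX_BROAD, "10.0.1.50"),
        "narrow_accepts_spoof": accept_inbound(ERX_NARROW, "10.0.1.50"),
        # Full-tunnel client (first post): v4-only AllowedIPs leaks v6.
        "v4_only_leaks": full_tunnel_leaks_ipv6(["0.0.0.0/0"]),
        "dual_stack_leaks": full_tunnel_leaks_ipv6(["0.0.0.0/0", "::/0"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With several peers the longest prefix wins, which is what lets a full-tunnel peer (`0.0.0.0/0`) coexist with a site peer (`10.1.1.0/24`) on one interface; a destination no peer covers, such as an IPv6 address when only `0.0.0.0/0` is configured, is never encrypted.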

New Member
Posts: 33
Registered: ‎11-18-2016
Kudos: 11
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Do you have firewall rules on your WAN port to allow port 51820 IN?  Though based on your output of the wg command it appears like the erx side does as it's seen the handshake, you might want to double check the firewall rules on the ER8 side.

 

Similar to @Lanthade, do you have appropriate firewall rules for the wg interface on both ends.  If you use the zone based firewall, the wg interface needs to be added to the same zone as your LAN, or you need a new zone for wg and rules to allow it to talk with your LAN zone (and others you want to allow it to).

 

If you're not using zone based firewall, then you might need to look at your firewall rules to be sure you don't have one blocking traffic to your LAN.

 

Your config in general looks good to me, and should work. (I'm assuming your peer public keys are obfuscated and not really only 4 chars long.)

 

One other thing to check is the routing table on both ends to be sure the route-allowed-ips actually setup the routes correctly.

 

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@JasonColeman @karog @evildog

 

Thanks for your quick replies.  You're probably on to something with the firewall.  I've spent very little time learning how EdgeOS firewall rule sets really work and have mostly just followed other people's writeups.  Here's the firewall section of my ER8:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Plex remote access"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 32400
            }
            log disable
            protocol tcp_udp
            source {
                group {
                }
                port 32400
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 40 {
            action accept
            description "Allow Wireguard"
            destination {
                port 51820
            }
            log disable
            protocol udp
            source {
                port 51820
            }
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}


The ERX is identical. 

As far as the allowed IPs - that's just from following a set of instructions on EdgeOS site-to-site WireGuard.  I'll tweak it as you suggest.  I was just trying to follow what was there exactly to get it working before tweaking it to be more precise.

@evildog Yeah, the keys (as well as public addresses) are obfuscated, they are NOT that short.

Established Member
Posts: 1,620
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter


@Lanthade

 

Remove the source clause in rule 40 of WAN_LOCAL.

 

Also, in WAN_IN, your rule 30 should precede rule 20. Do the invalid check first. Don't put rules before est/rel and invalid unless you have a very good reason.

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@karog

Done, still no change in functionality. I'm testing by running iperf from the ER8 side to a server on the ERX side and by trying to web browse from the ERX side to a server on the ER8 side. Neither works.

Thanks.
Established Member
Posts: 1,620
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

@Lanthade


@Lanthade wrote:
@karog

Done, still no change in functionality. I'm tesing by running iperf from the er8 side to a server on the erx side and by trying to web browse from the erx side to a server on the er8 side. Neither work.

Thanks.

Yes, I was just in the process of editing my post as I realized since you define the ports at both ends, that source clause is probably OK. In most cases, you don't know the source port so generally do not include it. In this case, you do.

 

Looking back at your post 264, it seems your firewall is ok as both ends have tx and rx data.

 

Do you have other local subnets from which you are running these tests? Do they overlap between the two sides? The info you have provided so far looks OK. The problem might lie in something you have not told us.

 

What about pings from router to router using their wg addresses?

 

You should probably try tcpdump to see what is happening.

 

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@karog

I did just try pings from the ER8. I can successfully ping the 10.100.100.2, 10.1.1.1, and 10.1.1.101 so ping traffic from the ER8 is getting to the other side. Interestingly from the ERX I can ping 10.100.100.1 but not 10.0.1.1. That's probably something right there. Routing tables look right but I'm probably just missing something when I look.

I'll post up the interfaces part of my config and the routing tables ASAP. Gotta go spend some time with my overworked wife now.

Thanks again!
New Member
Posts: 33
Registered: ‎11-18-2016
Kudos: 11
Solutions: 1

Re: Release: WireGuard for EdgeRouter

In your original post you just say traffic is not passing, but you did not say how you were testing it.  Did you try pinging from router to router? Or was it host to host, or host to remote router?

 

Try pinging from one router to the other router's wg interface address. If this works, then wireguard is setup and it's something with the routing table.

 

"Have you tried turning it off and back on again?"  I've been in a place in the past where everything appeared correct, but it didn't work. After rebooting the router it started working just fine.  This was in the earlier days of the WireGuard package for ER, so it might not help you.

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter


@karog here's the additional info I promised earlier.

 

@evildog Please see the messages I posted above which detail my testing methods.  It is looking like a routing issue at this time, I'm just not sure what exactly the issue is.

Show interfaces from ER8

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         A.B.C.D/24                        u/u  Internet                    
eth1         -                                 u/u  eth1                        
eth1.2       10.0.1.1/24                       u/u  General_Access              
eth2         192.168.1.1/24                    u/D  Service                     
eth3         -                                 u/D                              
eth4         -                                 u/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
eth7         -                                 u/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
wg0          10.100.100.1/24                   u/u   


Show Interfaces from ERX

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         A.B.C.D/24                        u/u  Internet                    
eth1         -                                 u/u  Local                       
eth2         -                                 u/u  Local                       
eth3         -                                 u/D  Local                       
eth4         -                                 u/D  Local                       
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
switch0      10.1.1.1/24                       u/u  Local                       
wg0          10.100.100.2/24                   u/u  


Show IP route table all from ER8

0.0.0.0/24 dev wg0  proto kernel  scope link 
default via A.B.C.1 dev eth0  proto zebra 
10.0.1.0/24 dev eth1.2  proto kernel  scope link  src 10.0.1.1 
10.1.1.0/24 dev wg0  scope link 
10.100.100.0/24 dev wg0  proto kernel  scope link  src 10.100.100.1 
A.B.C.0/24 dev eth0  proto kernel  scope link  src A.B.C.D 
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1 
broadcast 10.0.1.0 dev eth1.2  table local  proto kernel  scope link  src 10.0.1.1 
local 10.0.1.1 dev eth1.2  table local  proto kernel  scope host  src 10.0.1.1 
broadcast 10.0.1.255 dev eth1.2  table local  proto kernel  scope link  src 10.0.1.1 
broadcast 10.100.100.0 dev wg0  table local  proto kernel  scope link  src 10.100.100.1 
local 10.100.100.1 dev wg0  table local  proto kernel  scope host  src 10.100.100.1 
broadcast 10.100.100.255 dev wg0  table local  proto kernel  scope link  src 10.100.100.1 
broadcast A.B.C.0 dev eth0  table local  proto kernel  scope link  src A.B.C.D 
local A.B.C.D dev eth0  table local  proto kernel  scope host  src A.B.C.D 
broadcast A.B.C.255 dev eth0  table local  proto kernel  scope link  src A.B.C.D 
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev eth2  table local  proto kernel  scope link  src 192.168.1.1 
local 192.168.1.1 dev eth2  table local  proto kernel  scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev eth2  table local  proto kernel  scope link  src 192.168.1.1 
unreachable default dev lo  proto kernel  metric 4294967295  error -128
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth1  proto kernel  metric 256 
fe80::/64 dev eth1.2  proto kernel  metric 256 
unreachable default dev lo  proto kernel  metric 4294967295  error -128
local ::1 dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80::822a:a8ff:fe4d:9df2 dev lo  table local  proto none  metric 0 
local fe80::822a:a8ff:fe4d:9df3 dev lo  table local  proto none  metric 0 
local fe80::822a:a8ff:fe4d:9df3 dev lo  table local  proto none  metric 0 
ff00::/8 dev eth0  table local  metric 256 
ff00::/8 dev eth1  table local  metric 256 
ff00::/8 dev eth1.2  table local  metric 256 
unreachable default dev lo  proto kernel  metric 4294967295  error -128


Show ip route table all from ERX

10.0.1.0/24 via A.B.C.1 dev eth0  table 220  proto static  src 10.1.1.1 
0.0.0.0/24 dev wg0  proto kernel  scope link 
default via A.B.C.1 dev eth0  proto zebra 
10.0.1.0/24 dev wg0  scope link 
10.1.1.0/24 dev switch0  proto kernel  scope link  src 10.1.1.1 
10.100.100.0/24 dev wg0  proto kernel  scope link  src 10.100.100.2 
10.100.100.1 dev wg0  scope link 
A.B.C.0/24 dev eth0  proto kernel  scope link  src A.B.C.D 
broadcast 10.1.1.0 dev switch0  table local  proto kernel  scope link  src 10.1.1.1 
local 10.1.1.1 dev switch0  table local  proto kernel  scope host  src 10.1.1.1 
broadcast 10.1.1.255 dev switch0  table local  proto kernel  scope link  src 10.1.1.1 
broadcast 10.100.100.0 dev wg0  table local  proto kernel  scope link  src 10.100.100.2 
local 10.100.100.2 dev wg0  table local  proto kernel  scope host  src 10.100.100.2 
broadcast 10.100.100.255 dev wg0  table local  proto kernel  scope link  src 10.100.100.2 
broadcast A.B.C.0 dev eth0  table local  proto kernel  scope link  src A.B.C.D 
local A.B.C.D dev eth0  table local  proto kernel  scope host  src A.B.C.D 
broadcast A.B.C.255 dev eth0  table local  proto kernel  scope link  src A.B.C.D 
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
unreachable default dev lo  proto kernel  metric 4294967295  error -128
fe80::/64 dev switch0  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth1  proto kernel  metric 256 
fe80::/64 dev eth2  proto kernel  metric 256 
unreachable default dev lo  proto kernel  metric 4294967295  error -128
local ::1 dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80:: dev lo  table local  proto none  metric 0 
local fe80::feec:daff:fe7e:280e dev lo  table local  proto none  metric 0 
local fe80::feec:daff:fe7e:280f dev lo  table local  proto none  metric 0 
local fe80::feec:daff:fe7e:2810 dev lo  table local  proto none  metric 0 
local fe80::feec:daff:fe7e:2813 dev lo  table local  proto none  metric 0 
ff00::/8 dev switch0  table local  metric 256 
ff00::/8 dev eth0  table local  metric 256 
ff00::/8 dev eth1  table local  metric 256 
ff00::/8 dev eth2  table local  metric 256 
unreachable default dev lo  proto kernel  metric 4294967295  error -128


I'm still sorting through those routing tables but maybe one of your more experienced eyes will catch something out of place.

Thanks

Established Member
Posts: 1,620
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

@Lanthade

 

Try showing your entire config in a spoiler then code tag. And show routing on both devices with route -n (the columns really make it more readable). Your table all on show ip route shows way too much, which is needlessly confusing.

New Member
Posts: 7
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@karog  Yeah, that routing table output is tough, I didn't know the better command - thanks for that.

I did find the problem when sanitizing the configurations.  It was a stupid error on my part.  I deleted the IPsec VPN on the ER8 but I didn't do the same on the ERX.  The ERX was trying to route 10.0.1.0/24 via the route from the IPsec VPN.  Deleted that and wham, everything works.  Thanks for being patient with me, sorry for not getting there sooner.

This leads me to a second question though.  I was motivated to try out WireGuard because it's supposed to be higher performance.  I just ran iperf across the WireGuard tunnel and I'm seeing a performance drop of about 10 Mbps vs IPsec (100 Mbps vs 110 Mbps).  I was hoping to get a performance bump.  This is logged out of the GUI on both sides.  My guess is this may just be limited by the hardware but my google-fu has so far failed to confirm/deny that.  Any thoughts?
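The stale IPsec route explains why the routing tables "looked right": the line `10.0.1.0/24 via A.B.C.1 dev eth0 table 220` in the ERX dump above lives in table 220, which strongSwan (EdgeOS's IPsec daemon) uses by default for the routes it installs, and an `ip rule` entry consults that table before `main`. A match there wins even though `main` holds the more specific-looking `10.0.1.0/24 dev wg0`, so LAN-to-LAN packets were pushed towards the WAN gateway instead of the WireGuard tunnel while `show ip route` (main table only) showed nothing wrong. The Python below is an added example, not code from the thread; it models Linux policy routing with the routes posted above (`A.B.C.1` kept as the placeholder gateway) and also shows karog's earlier point that a connected /24 beats a /8 tunnel route for the local LAN.

```python
"""Linux policy routing modelled in Python: `ip rule` priorities first,
then longest-prefix match inside the selected table.

Added example, not code from the thread. Routes are copied from the ERX
and ER8 tables posted above (A.B.C.1 is the placeholder WAN gateway);
the rule list mirrors the Linux defaults plus table 220, which strongSwan
uses by default for IPsec routes.
"""
from ipaddress import ip_address, ip_network


class Route:
    def __init__(self, prefix, dev, via=None):
        self.net = ip_network(prefix)
        self.dev = dev
        self.via = via

    def __repr__(self):
        return f"{self.net} dev {self.dev}" + (f" via {self.via}" if self.via else "")


def lookup_table(routes, dst):
    """Longest-prefix match inside one routing table (None if no route)."""
    addr = ip_address(dst)
    hits = [r for r in routes if addr in r.net]
    return max(hits, key=lambda r: r.net.prefixlen, default=None)


# `ip rule` order: the lowest priority number is consulted first, and the
# first table holding ANY matching route wins, regardless of prefix length
# in later tables.
RULES = [(0, "local"), (220, "220"), (32766, "main")]


def policy_lookup(tables, dst, rules=RULES):
    for _prio, name in sorted(rules):
        route = lookup_table(tables.get(name, []), dst)
        if route is not None:
            return name, route
    return None, None


def erx_tables(ipsec_route_present):
    """ERX as posted: wg0 route in main, stale IPsec route in table 220."""
    main = [
        Route("0.0.0.0/0", "eth0", via="A.B.C.1"),
        Route("10.0.1.0/24", "wg0"),
        Route("10.1.1.0/24", "switch0"),
        Route("10.100.100.0/24", "wg0"),
    ]
    t220 = [Route("10.0.1.0/24", "eth0", via="A.B.C.1")] if ipsec_route_present else []
    return {"main": main, "220": t220}


def er8_tables():
    """ER8 with the broad allowed-ips 10.0.0.0/8 installed as a route: the
    connected /24 is more specific, so its own LAN never enters wg0."""
    return {"main": [
        Route("0.0.0.0/0", "eth0", via="A.B.C.1"),
        Route("10.0.0.0/8", "wg0"),
        Route("10.0.1.0/24", "eth1.2"),
        Route("10.100.100.0/24", "wg0"),
    ]}


def egress(tables, dst):
    """(table, device) a packet to dst leaves through."""
    name, route = policy_lookup(tables, dst)
    return (name, route.dev if route else None)


if __name__ == "__main__":
    print("ERX -> 10.0.1.1, stale IPsec route:", egress(erx_tables(True), "10.0.1.1"))
    print("ERX -> 10.0.1.1, after delete:     ", egress(erx_tables(False), "10.0.1.1"))
    print("ER8 -> 10.0.1.50 (own LAN):        ", egress(er8_tables(), "10.0.1.50"))
    print("ER8 -> 10.1.1.101 (remote LAN):    ", egress(er8_tables(), "10.1.1.101"))
```

The practical check is `ip rule show` followed by `ip route show table <n>` for every table a rule names, or `ip route get 10.0.1.1`, which performs exactly this lookup and reports the table and device actually chosen. Leftover entries from a removed VPN are worth hunting for precisely because they silently redirect traffic away from the tunnel you think is carrying it.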

 

Established Member
Posts: 1,620
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

@Lanthade

 

This is why I always advise full config rather than parts. When a problem is hard with the given info, it is generally the case that the problem resides in the unseen info. And if one can't solve their own problem, they probably aren't so good at knowing which parts of the config are fully relevant.

 

As for speed, I don't even run wireguard on my router. Instead I use a separate always on linux server SBC (single board computer). In my case that is an old Pogoplug v2 running Arch linux with a 4.4 kernel. Very low energy usage. I don't have a speed test on that.

 

I also have a commercial vpn privateinternetaccess.com where I run OpenVPN as a client on an odroid_xu4 also running Arch with a 4.14 kernel and I have hit over 100 Mbps sustained (I have gig FiOS). I am waiting for them to provide wireguard access which should be much faster. PIA has been the biggest donor financially to wireguard but has not accepted its use yet, waiting for some sort of certification. So I believe in some other machine much more suited for running vpn than the router itself.

 

Glad you found your problem.

New Member
Posts: 23
Registered: ‎03-31-2008
Kudos: 1

Re: Release: WireGuard for EdgeRouter

I get about 500 Mbps between an EdgeRouter Infinity (XG) and a WRT32X running OpenWrt on a 1Gbps link, so think the problem may be with the EdgeRouter X. I retired my EdgeRouter X, so I’ve never used it with WireGuard.

The WRT32X are 2 cores @ 1.8GHz and are pretty cheap. I use them for remote sites (ski, grandparents, etc.)

I’m pretty sure WireGuard is single thread for the EdgeRouter and OpenWrt (please correct me if I’m wrong), so the single thread performance is the limitation. The EdgeRouter X is dual core 880MHz, so naively I’d expect at most 150 Mbps.

 

On a related subject, is anyone still maintaining WireGuard for the EdgeRouter? It’s several generations behind the latest release.

Mike Farmwald
New Member
Posts: 18
Registered: ‎01-22-2015
Kudos: 7
Solutions: 2

Re: Release: WireGuard for EdgeRouter


@farmwald wrote:

On a related subject, is anyone still maintaining WireGuard for the EdgeRouter? It’s several generations behind the latest release.


I am wondering the same thing. Last release in October
