Reply
New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

Hi guys!

 

We've tested wireguard-octeon-0.0.20170421-2.deb between two ERPro via gigabit link today.

Here are iperf3 results

 

andreyk@ubuntu:/$ iperf3 -c 192.168.1.10
Connecting to host 192.168.1.10, port 5201
[  4] local 192.168.2.10 port 41036 connected to 192.168.1.10 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  18.0 MBytes   151 Mbits/sec   34    152 KBytes      
[  4]   1.00-2.00   sec  20.1 MBytes   169 Mbits/sec    0    223 KBytes      
[  4]   2.00-3.00   sec  20.3 MBytes   171 Mbits/sec    0    278 KBytes      
[  4]   3.00-4.00   sec  20.0 MBytes   168 Mbits/sec   44    319 KBytes      
[  4]   4.00-5.00   sec  20.5 MBytes   172 Mbits/sec    0    358 KBytes      
[  4]   5.00-6.00   sec  20.6 MBytes   173 Mbits/sec    0    395 KBytes      
[  4]   6.00-7.00   sec  20.5 MBytes   172 Mbits/sec    0    425 KBytes      
[  4]   7.00-8.00   sec  20.0 MBytes   168 Mbits/sec    0    457 KBytes      
[  4]   8.00-9.00   sec  20.7 MBytes   173 Mbits/sec    0    486 KBytes      
[  4]   9.00-10.00  sec  20.8 MBytes   175 Mbits/sec    0    513 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   202 MBytes   169 Mbits/sec   78             sender
[  4]   0.00-10.00  sec   200 MBytes   168 Mbits/sec                  receiver

 

Cheers,

Sergey

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Hey Sergey,

 

Thanks for those results. Is this better or worse than what you get with OpenVPN?

 

One thing that would be helpful from UBNT is if they'd turn on CONFIG_PADATA/CONFIG_CRYPTO_PCRYPT
in their kernels, which would allow it to benefit from the multicores of the ERPro.

 

Jason

Emerging Member
Posts: 61
Registered: ‎12-05-2016
Kudos: 1
Solutions: 1

Re: Release: WireGuard for EdgeRouter

This seems pretty awesome, thank you!  I´ve always thought that VPN is way too complicated ...

 

Does this work with the latest firmware release or does it have to be 1.9.1 rather than 1.9.1.1?

 

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

Here are openvpn test results

 

Connecting to host 192.168.2.50, port 5201
[  4] local 192.168.1.100 port 58086 connected to 192.168.2.50 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  5.10 MBytes  42.8 Mbits/sec    1    116 KBytes      
[  4]   1.00-2.00   sec  4.91 MBytes  41.2 Mbits/sec    1    100 KBytes      
[  4]   2.00-3.00   sec  4.91 MBytes  41.2 Mbits/sec    0    129 KBytes      
[  4]   3.00-4.00   sec  5.05 MBytes  42.3 Mbits/sec    2    116 KBytes      
[  4]   4.00-5.00   sec  5.06 MBytes  42.4 Mbits/sec    1    100 KBytes      
[  4]   5.00-6.00   sec  4.87 MBytes  40.8 Mbits/sec    0    129 KBytes      
[  4]   6.00-7.00   sec  5.04 MBytes  42.3 Mbits/sec    1    115 KBytes      
[  4]   7.00-8.00   sec  4.88 MBytes  40.9 Mbits/sec    1   99.1 KBytes      
[  4]   8.00-9.00   sec  4.92 MBytes  41.3 Mbits/sec    0    128 KBytes      
[  4]   9.00-10.00  sec  4.97 MBytes  41.7 Mbits/sec    1    114 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  49.7 MBytes  41.7 Mbits/sec    8             sender
[  4]   0.00-10.00  sec  49.6 MBytes  41.6 Mbits/sec                  receiver

iperf Done.

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.20170517-1. Everybody should upgrade to this latest release.

 

https://github.com/Lochnair/vyatta-wireguard/releases

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

here are the results for EdgeOS 1.9.1.1 and WG wireguard-octeon-0.0.20170517-1.deb

 

andreyk@ubuntu:~/.ssh$ iperf3 -c 192.168.1.55
Connecting to host 192.168.1.55, port 5201
[  4] local 192.168.15.100 port 32972 connected to 192.168.1.55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  22.8 MBytes   191 Mbits/sec   37    167 KBytes      
[  4]   1.00-2.00   sec  24.4 MBytes   205 Mbits/sec    0    236 KBytes      
[  4]   2.00-3.00   sec  23.7 MBytes   198 Mbits/sec    0    286 KBytes      
[  4]   3.00-4.00   sec  25.1 MBytes   211 Mbits/sec    0    335 KBytes      
[  4]   4.00-5.00   sec  25.1 MBytes   211 Mbits/sec    0    382 KBytes      
[  4]   5.00-6.00   sec  24.8 MBytes   208 Mbits/sec    0    425 KBytes      
[  4]   6.00-7.00   sec  25.7 MBytes   215 Mbits/sec    0    464 KBytes      
[  4]   7.00-8.00   sec  25.1 MBytes   211 Mbits/sec    0    500 KBytes      
[  4]   8.00-9.00   sec  24.9 MBytes   209 Mbits/sec    0    532 KBytes      
[  4]   9.00-10.00  sec  24.9 MBytes   209 Mbits/sec    0    561 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   247 MBytes   207 Mbits/sec   37             sender
[  4]   0.00-10.00  sec   245 MBytes   206 Mbits/sec                  receiver

iperf Done.

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

Hi Jason,

 

Hardware is the same as all previous tests -  2x EdgeRouter Pro connected via gigabit link.

WG is approximately 5 times faster than OpenVPN.

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Hey @svschwartz,

 

While I'm waiting for UBNT to do something about https://community.ubnt.com/t5/EdgeMAX/Enable-Parallel-Crypto-in-Kernels/m-p/1937956#U1937956 , I decided to compile this code directly into the WireGuard module as compat code.

 

On my EdgeRouter Lite I saw big performance improvements.

 

Could you redownload the release on https://github.com/Lochnair/vyatta-wireguard/releases, install it, reboot your EdgeRouter, confirm that you have this in your dmesg:

 

zx2c4@martino:~$ dmesg|grep wireguard
wireguard: WireGuard 0.0.20170517-6-gfb49f5e loaded. See www.wireguard.io for information.

And then rerun the speed test? Make sure both ends are running -6-gfb49f5e. I suspect the results will be quite promising...

 

Thanks,

Jason

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

@zx2c4

 

here is what we have after reloading the deb file and rebooting the router

 

root@R1:/home/ubnt# dmesg|grep wireguard
wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information.
wireguard: Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

[ Edited ]

@svschwartz *Redownload* the .deb from that webpage. I uploaded it on top of the previous file that was there, so you'll need to redownload and then install it.

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

@zx2c4

 

this is exactly what we did - redownloaded from release page and reinstalling the deb package and rebooting the router. could you please confirm sha1 checksum I've got here

 

6c2d3bc5a20d2be3f9ca41a06a3705309a525989  wireguard-octeon-0.0.20170517-1.deb

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

@svschwartz That checksum is correct. Please make sure you're using that precise file when you run `dpkg -i filename`. You might alternatively try removing it first.

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

@zx2c4

 

here is what we have now, please confirm the module version is correct

 

root@R2:~# modinfo wireguard
filename:       /lib/modules/3.10.20-UBNT/kernel/net/wireguard.ko
alias:          rtnl-link-wireguard
version:        0.0.20170517-6-gfb49f5e
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    Fast, secure, and modern VPN tunnel
license:        GPL v2
srcversion:     A1E01BB66135325D9484439
depends:        ipv6,ip_tunnel,x_tables
vermagic:       3.10.20-UBNT SMP mod_unload OCTEON 64BIT

 

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

@svschwartzLooks correct. dmesg|grep wireguard should now show the proper module as well. If not, restart the system, or just run `rmmod wireguard && modprobe wireguard`.

New Member
Posts: 13
Registered: ‎08-15-2016
Kudos: 2

Re: Release: WireGuard for EdgeRouter

Jason,

 

Here is our latest test result for WireGuard 0.0.20170517-6-gfb49f5e

 

root@ubuntu:~# iperf3 -c 192.168.1.55
Connecting to host 192.168.1.55, port 5201
[  4] local 192.168.2.100 port 46754 connected to 192.168.1.55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  36.3 MBytes   305 Mbits/sec    1    227 KBytes      
[  4]   1.00-2.00   sec  36.9 MBytes   310 Mbits/sec    0    322 KBytes      
[  4]   2.00-3.00   sec  37.9 MBytes   318 Mbits/sec    0    394 KBytes      
[  4]   3.00-4.00   sec  35.8 MBytes   300 Mbits/sec    0    450 KBytes      
[  4]   4.00-5.00   sec  35.9 MBytes   301 Mbits/sec    0    504 KBytes      
[  4]   5.00-6.00   sec  38.2 MBytes   320 Mbits/sec    0    550 KBytes      
[  4]   6.00-7.00   sec  36.4 MBytes   305 Mbits/sec    0    594 KBytes      
[  4]   7.00-8.00   sec  37.0 MBytes   310 Mbits/sec    0    635 KBytes      
[  4]   8.00-9.00   sec  37.5 MBytes   314 Mbits/sec    0    672 KBytes      
[  4]   9.00-10.00  sec  37.0 MBytes   311 Mbits/sec    0    707 KBytes      
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   369 MBytes   309 Mbits/sec    1             sender
[  4]   0.00-10.00  sec   367 MBytes   308 Mbits/sec                  receiver

 

We also ran a test for 20 mins to take a look at cpu load.

Load average was about 3 and 1 core had 75% and 2 core had 50% of sy load.

 

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Hey @svschwartz

 

Thanks for the benchmarks. So there's about a 100mbps improvement over the last one. Great. This will only improve as we tweak the multi-core packet scheduling in future releases.

 

Jason

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.20170531-1. Everybody should upgrade to this latest release.

 

Download here: https://github.com/Lochnair/vyatta-wireguard/releases

 

Release notes are here: https://lists.zx2c4.com/pipermail/wireguard/2017-May/001408.html

 

The package contains the performance improvements @svschwartz tested earlier in this forum thread.

New Member
Posts: 15
Registered: ‎03-12-2015
Kudos: 1
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Tank you very much!

 

Unfortunately I can't get the new version to run on my EdgeRouter PoE (Octeon). The kernel module is not loaded after a reboot; trying to load it manually results in the message "wireguard: Unknown symbol __crypto_memneq (err 0)" (dmesg).

 

Any ideas? I had the previous version installed and removed it (dpkg -P wireguard).

 

Thanks for your work.

 

Best Regards

julez

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@julez

Which firmware version are your running? The new WireGuard version will only work with v1.9.1.1.

New Member
Posts: 15
Registered: ‎03-12-2015
Kudos: 1
Solutions: 1

Re: Release: WireGuard for EdgeRouter

@Lochnair Thank you very much - that was indeed the problem; I didn't notice that there was a new minor minor version Man Wink

 

Now it's working great, thanks!

Reply