Posted: Thu Aug 24, 2023 23:27 Post subject: Wireguard speed is lower when the router is set as Client
Netgear XR500
DD-WRT v3.0-r53339 std (08/01/23)
Approx. 43/7 Mbps is the max speed without the WG client enabled on either side, and it is the speed that the xDSL line can hold on the side where the WG client is located.
All measurements have been made with speedtest.net running on PC (Windows 10) and on the same speedtest server. Tests can be repeated with the same results.
When WG client is enabled on router (and disabled on PC), the speed is only 31.57 / 6.80 Mbps.
When the WG client is enabled on the PC (and disabled on the router) with the same configuration keys as on the router, then speedtest can use the full bandwidth: 42.90 / 7.05 Mbps.
Load average on the router while it was the WG client was around 4% -> 0.08, 0.12, 0.04
Is there any explanation why the WG client running on the router manages 25% lower DL speed? I configured the client on the router following "DDWRT WireGuard Client setup guide v36.pdf"
While I was trying to find out why there is a speed difference between the WG client running on the router vs. on the PC, I found another strange behavior.
I was sending TCP and UDP packets to my home internet IP address, where the WG server is also running. My current location is outside my home.
If I run the WG client on the PC or on the router, https://www.dnsleaktest.com/ always shows my home IP address and also the DNS servers I set in the static field. To this point everything is as expected.
As I mentioned, I did a test with TCP & UDP packets to port 51820. The WG server is running on a different port and there is no active service on port 51820. The FW should block the packets and log this incident.
Tests:
* If the WG client is active on the PC, then the firewall at home blocks packets from the internal IP of the FTTH ISP modem+router (192.168.64.1). The WG server is running on 192.168.64.5; 192.168.64.2 is another router behind the modem to which port 51820 is forwarded by a rule inside the modem's router.
* If the WG client is active on the router, then the firewall blocks packets from the internet IP where I am located (93.x.x.x), even though https://www.dnsleaktest.com/ shows the home internet IP address.
I made a screenshot from the FW log to prove what I am talking about. Does anybody understand what is going on with the WG client on the router, and why the home router's FW gets packets from the internet address and not from the internal address?
Last edited by uvz123a on Sat Aug 26, 2023 1:40; edited 1 time in total
Did another test and sent TCP & UDP packets to the internal address 192.168.64.2, and in both cases of WG clients (PC, router) the FW gets/blocks packets from the internal IP address where the WG Server is running (192.168.64.5). This is not arguable and it is expected.
There still remains the question why there is a difference if packets are sent to the internet address and the WG client is running on the PC vs. the router.
I had corrupted keys on the router's WG client, which broke the VPN connection. Nothing worked (no internet sites were accessible), except that the remote desktop connection to my home computer was still working.
@egc, is it possible that the WG client does not route traffic via the VPN if the destination IP is the same as the VPN's Endpoint Address? No PBR is set.
This is the only explanation for why RDC was still working when the VPN was enabled but not connected, and it also explains the strange behavior of routed packets where the home router's FW blocked the source internet IP address from my current location (93.x.x.x) and not the internal WG Server's address (192.168.64.5) - see the previous two posts!?
Joined: 18 Mar 2014 Posts: 12487 Location: Netherlands
Posted: Sat Aug 26, 2023 12:19 Post subject:
I have not seen your configs, but it could be that you are doing asymmetric routing.
Those packets are flagged as invalid and blocked.
Performance/throughput testing can be done with a client on your LAN running an iperf3 server and a client connected on the WAN side with a WG client connecting to your router's WG server. That client also runs the iperf client.
Of course connected wired.
Both the iperf server and especially the iperf client, as it also runs the WG client, have to be multicore, e.g. modern PCs.
These are all my configs from the server and the client. All other settings have default values. Sensitive data are deleted.
I did not experiment; all settings came from this forum (by asking questions or from guides).
Please check if there might be an error somewhere after all.
WG Server – Linksys WRT3200ACM
Setup:
- Basic Setup:
o WAN Setup:
• Connection Type: Static IP
• WAN IP Address: 192.168.64.5/24
• Gateway: 192.168.64.1
• Static DNS: x.x.x.x, y.y.y.y, z.z.z.z
o Network Setup:
• Local IP Address: 10.1.0.1/24
• Start IP Address: 10.1.0.100
• Maximum DHCP Users: 100
• Use DNSMasq for DNS: Unchecked
- Tunnels:
• Tunnel: Enable (Server configuration)
• Protocol Type: WireGuard
• CVE-2019-14899 Mitigation: Unchecked
• NAT via Tunnel: Unchecked
• Listen Port: xxxxx
• Firewall Inbound: Unchecked
• Kill Switch: Unchecked
• Advanced Settings: Enable
• Local Private Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• Allow Clients WAN Access: Checked
• Bypass LAN Same-Origin Policy: Checked
• Source Routing (Policy Based Routing): Route All Sources via VPN
• Destination Routing: Route All Destinations via Default Route
• Add Peer:
• Peer Name: Netgear
• Endpoint: Disable
• Allowed IPs: 10.10.0.6/32
• Route Allowed IPs via Tunnel: Checked
• Persistent Keepalive: 25
• Peer Public Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• Use Pre-shared Key: Enable
• Pre-Shared Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• IP Addresses / Netmask (CIDR): 10.10.0.1/24
Wireless:
- Basic Settings:
o Wireless Interface wlan0 [5 GHz/802.11ac] - MWL88W8964 802.11ac - Max Vaps(16)
• Radio Mode: AP
• Network Mode: Mixed
• Channel Width: VHT80 (80 MHz)
• Channel: 48 – 5240 MHz
• Service Set Identifier (SSID): xxxxxx
• SSID Broadcast: Disable
• Advanced Settings: Checked
• Domain: xxxxxx
o Wireless Interface wlan1 [2.4 GHz] - MWL88W8964 802.11ac - Max Vaps(16)
• Radio Mode: AP
• Network Mode: Mixed
• Channel Width: Wide HT40 (40 MHz)
• Channel: 13 – 2472 MHz
• Service Set Identifier (SSID): xxxxxxx
• SSID Broadcast: Disable
o Wireless Interface wlan2 [2.4GHz/5 GHz/802.11ac] - MWLSD8887 802.11ac - Max Vaps(
• Network Mode: Disabled
- Wireless Security:
o Security Mode: WPA
o Network Authentication: WPA2 Personal
o WPA Algorithms: CCMP-128 (AES)
o WPA Shared Key: xxxxxxxxxxxxxxxxxxxxxxxxx
Services:
- Services:
o DHCP Server Setup:
• Static Leases: Some static leases
o SSH – Enable Daemon: Enable
o Password Login: Disable
o Replace Existing Key(s): Enable
o Authorized Keys: xxxxxxxxxxxxxxxxxx
o Syslogd: Enable
o Telnet – Enable Server: Disable
o ttraff Daemon: Disable
Security:
- Firewall:
o Limit SSH Access: Checked
o Limit Telnet Access: Checked
o Limit PPTP Server Access: Checked
o Limit FTP Server Access: Checked
o Firewall Log: Enable
o Log Level: High
o Dropped: Enable
o Rejected: Enable
- VPN Passthrough:
o IPSec Passthrough: Disable
o PPTP Passthrough: Disable
o L2TP Passthrough: Disable
Administration:
- Management:
o Router Username: xxxxxxxxxxxxxxxxxxx
o Router Password: xxxxxxxxxxxxxxxxxxxx
o Protocol: √ HTTP, √ HTTPS
o Info Site Password Protection: Enabled
o Info Site MAC Masking: Disable
o Show Features: Disable
##### PC Port Forwarding
# $Protocol and $SourceIPs are not defined in the posted snippet ("sensitive data are deleted");
# the two lines below are placeholders and must be set to the real values before use.
Protocol='tcp'               # placeholder: protocol of the forwarded service (tcp or udp)
SourceIPs='a.b.c.d/24'       # placeholder: remote source range allowed to reach the service
LocalIp=10.1.0.102
Ports='xxxxx yyyyy zzzzz'
for Port in $Ports
do
  # allow the forwarded flow through the FORWARD chain, only from $SourceIPs
  iptables -I FORWARD -p $Protocol -s $SourceIPs -d $LocalIp --dport $Port -j ACCEPT
  # rewrite the destination from the WAN address to the LAN host (DNAT)
  iptables -t nat -I PREROUTING -p $Protocol -s $SourceIPs -d $(nvram get wan_ipaddr) --dport $Port -j DNAT --to-destination $LocalIp:$Port
done
##### WG Server (accept connection only from desired IP ranges)
Protocol='udp'               # placeholder: WireGuard listens on UDP
Ports='xxxxx'
for Port in $Ports
do
  # DROP is inserted first, then ACCEPT is inserted above it, so ACCEPT for $SourceIPs
  # is evaluated first and every other source reaching the listen port on the WAN is dropped
  iptables -I INPUT -i $(get_wanface) -p $Protocol --dport $Port -j DROP
  iptables -I INPUT -i $(get_wanface) -p $Protocol --dport $Port -s $SourceIPs -j ACCEPT
done
--------------------------------------------------------------------------------------------------
WG Client – Netgear Nighthawk XR500
Setup:
- Basic Setup:
o Network Setup:
• Local IP Address: 10.2.0.1/24
• Start IP Address: 10.2.0.100
• Maximum DHCP Users: 100
• Static DNS: 8.8.8.8, 8.8.4.4
• Use DNSMasq for DNS: Unchecked
- Tunnels:
• Tunnel: Enable (Client configuration)
• Protocol Type: WireGuard
• CVE-2019-14899 Mitigation: Unchecked
• NAT via Tunnel: Checked
• Tunnel Obfuscation: Disable
• Listen Port: xxxxxx
• DNS Servers via Tunnel: empty
• Firewall Inbound: Unchecked
• Kill Switch: Unchecked
• Advanced Settings: Enable
• Local Private Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• Allow Clients WAN Access: Unchecked
• Bypass LAN Same-Origin Policy: Unchecked
• Source Routing (Policy Based Routing): Route All Sources via VPN
• Destination Routing: Route All Destinations via Default Route
• Add Peer:
• Peer Name: Linksys
• Client Config File: Disable
• Endpoint: Enable
• Endpoint Address: x.x.x.x:yyyyy
• Allowed IPs: 0.0.0.0/1, 128.0.0.0/1, ::/0
• Route Allowed IPs via Tunnel: Checked
• Persistent Keepalive: 25
• Peer Public Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• Use Pre-shared Key: Enable
• Pre-Shared Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• IP Addresses / Netmask (CIDR): 10.10.0.6/24
Wireless:
- Basic Settings:
o Wireless Interface wlan0 [5 GHz/802.11ac] - QCA9984 802.11ac - Max Vaps(16)
• Radio Mode: AP
• Network Mode: Mixed
• Channel Width: VHT80 (80 MHz)
• Channel: 48 – 5240 MHz
• Service Set Identifier (SSID): xxxxx
• SSID Broadcast: Disable
• Advanced Settings: Checked
• Domain: xxxxxxx
o Wireless Interface wlan1 [2.4 GHz] - QCA9984 802.11ac - Max Vaps(16)
• Radio Mode: AP
• Network Mode: Mixed
• Channel Width: Wide HT40 (40 MHz)
• Channel: 13 – 2472 MHz
• Service Set Identifier (SSID): xxxxx
• SSID Broadcast: Disable
- Wireless Security:
o Security Mode: WPA
o Network Authentication: WPA2 Personal, WPA3 Personal / SAE
o WPA Algorithms: CCMP-128 (AES), CCMP-256, GCMP, GCMP-256
o WPA Shared Key: sssssssssssssssss
Services:
- Services:
o SSH – Enable Daemon: Enable
o Password Login: Disable
o Replace Existing Key(s): Enable
o Authorized Keys: xxxxxxxxxxxxxxxxxxx
o Syslogd: Enable
o Telnet – Enable Server: Disable
o ttraff Daemon: Disable
Security:
- Firewall:
o Limit SSH Access: Checked
o Limit Telnet Access: Checked
o Limit PPTP Server Access: Checked
o Limit FTP Server Access: Checked
o Firewall Log: Enable
o Log Level: High
o Dropped: Enable
o Rejected: Enable
- VPN Passthrough:
o IPSec Passthrough: Disable
o PPTP Passthrough: Disable
o L2TP Passthrough: Disable
Administration:
- Management:
o Router Username: xxxxxxxxxxxxxx
o Router Password: xxxxxxxxxxxxxxxxx
o Protocol: √ HTTP, √ HTTPS
o Info Site Password Protection: Enabled
o Info Site MAC Masking: Disable
o Show Features: Disable
Not a good plan either!
Channels 12-13 are not widely used and could be problematic with client driver support.
Your WLAN security settings are wrong.
WPA3 personal SAE does not support 256-bit authentication.
This is only supported by WPA3 enterprise.
WPA3 personal SAE uses AES-CCMP 128
Thank you for pointing this out, I did not know. These wrong settings can easily be set in the DD-WRT FW. Maybe the developers should consider hiding wrong parameters - when "WPA2 Personal" is checked, all "WPA Algorithms" are shown.
But even with the "wrong" settings everything worked fine. Probably the driver in the router does the job and configures WiFi according to the standards.
Alozaros wrote:
ho1Aetoo wrote:
Your WLAN security settings are wrong.
WPA3 personal SAE does not support 256bit authentication.
This is only supported by WPA3 enterprise.
not a good plan neither !
channel 12-13 are not widely used and could be problematic in a clients driver support..
I am from Europe and Ch 12 & 13 are legal. https://en.wikipedia.org/wiki/List_of_WLAN_channels
I have been using this channel for more than 15 years and never had any problems with any device, neither with connection nor with performance.
"Channel: 13 – 2472 MHz" & "Channel Width: Wide HT40 (40 MHz)" means that the primary Ch is 13 and the secondary is 9.
I am using these channels because my neighbors mostly use channels 1 or 6 (probably the default channels in their routers or ISP modems with WiFi) and I am alone in the upper end of the WiFi spectrum.
Nobody pointed out whether there is a WG configuration problem... probably not, because I was following the guide.
In the meantime I have switched from WG to the OpenVPN protocol and have been testing it for about a week.
Results...
WG Client on the router:
* about 25% lower DL speed and 10% lower UL speed compared to the WG Client on the PC (or the max xDSL line speed)
* if I use services on the same internet IP address as the WG Server, this traffic bypasses the WG VPN. The kill switch doesn't seem to work for this issue. If I use the private IP address for this service, the traffic goes through the WG VPN (logically).
* on the Client side I am on an xDSL network where the IP address changes every day. When this happens, the Server-Client connection is lost. The solution is to change the "Listen Port" on the WG Client, or reset the xDSL modem, or disable the WG client for some time so that (probably) the "Active IP Connection" on the xDSL modem times out. I do not understand why the WG protocol confuses the xDSL modem and it does not want to open a new connection (or use the same one) when the IP is changed. I do not have access to the modem to investigate that. The Server side is on a static internet IP.
OpenVPN Client on the router:
* almost the same (max) speed as the xDSL line can provide
* if the kill switch is used, nothing bypasses the VPN. Services on the same internet IP address as the WG server are not accessible; the private IP must be used to access them. If the kill switch is not used, the services on the same IP bypass the VPN (same as with the WG Client).
* when the internet IP address on the modem changes, the OpenVPN connection drops for about 2-3 minutes and then automatically re-establishes itself. Looks like the xDSL modem does not have an issue with the OpenVPN protocol.
All settings were posted... what is not posted has the default value.
Quote:
On the WG client you need to enable and configure the watchdog then WG will restart when the WAN IP changes.
Not used... and it won't help. As I mentioned in my previous post, the port must be changed for WG to start working, or I need to reset the xDSL modem, or I need to disable the WG Client and wait for some time.
Quote:
and the reduced speed sounds like wrong MTU settings.
Default value for WG is 1440 (did not change that).
OpenVPN has 1400 (also did not change that).
If your WG server doesn't have a static WAN IP address, the watchdog on the client is definitely needed.
uvz123a wrote:
Quote:
and the reduced speed sounds like wrong MTU settings.
Default value for WG is 1440 (did not change that).
OpenVPN has 1400 (also did not change that).
This is also mentioned in the Wireguard guide, that for DSL variants you normally have an MTU value of 1412 due to the fact that the MTU through the PPPoE tunnel is lower anyway.
If your WG server doesn't have a static WAN IP address, the watchdog on the client is definitely needed.
The WG server has a static IP address, while the WG client has a dynamic IP address. When the IP address on the client side changes, the VPN connection is lost. I have tested this and found that the problem is in the xDSL modem. If I restart the modem, the connection is restored. The connection also restores if I restart the WG client with a different port. However, if I restart the WG client without changing the port, the connection is not re-established.
I managed to override this problem by enabling the watchdog to ping 10.10.0.1 (WG Server) and putting 0 in the port field (the port changes every WG restart).
ho1Aetoo wrote:
This is also mentioned in the Wireguard guide, that for DSL variants you normally have an MTU value of 1412 due to the fact that the MTU through the PPPoE tunnel is lower anyway.
If I remember correctly.
I had somehow overlooked the MTU settings in the WG Client guide. I set it to 1420 and the speed is now as expected (max).
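The MTU values traded in this thread (the 1420 default, 1412 for a PPPoE/DSL uplink) come from fixed header sizes, so the arithmetic can be checked rather than guessed. The following is an added example, not code from the thread or from the DD-WRT project: it computes the WireGuard overhead for an IPv4 or IPv6 outer path, derives the largest inner MTU that still fits the WAN link, and reports whether a given inner packet would need fragmentation. The header sizes are the protocols' fixed values; the 16-byte padding rule (capped at the tunnel MTU) follows the WireGuard transport message format. All function and constant names are this example's own.

```python
"""WireGuard MTU / encapsulation overhead calculator (added example)."""
from __future__ import annotations

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
PPPOE_OVERHEAD = 8      # PPPoE session header (6) + PPP protocol id (2) -> 1492 on a 1500 link
# WireGuard transport data message: type(4) + receiver index(4) + counter(8),
# followed by the ciphertext and a 16-byte Poly1305 authentication tag.
WG_HEADER = 16
WG_AUTH_TAG = 16
WG_PADDING_MULTIPLE = 16


def link_mtu(physical_mtu: int = 1500, pppoe: bool = False) -> int:
    """MTU available to IP packets on the WAN link; PPPoE costs 8 bytes."""
    return physical_mtu - PPPOE_OVERHEAD if pppoe else physical_mtu


def wg_overhead(outer_ip_version: int) -> int:
    """Bytes WireGuard adds around one inner packet for an IPv4 or IPv6 outer path."""
    if outer_ip_version == 4:
        ip = IPV4_HEADER
    elif outer_ip_version == 6:
        ip = IPV6_HEADER
    else:
        raise ValueError("outer_ip_version must be 4 or 6")
    return ip + UDP_HEADER + WG_HEADER + WG_AUTH_TAG


def recommended_wg_mtu(wan_mtu: int, outer_ip_version: int = 6) -> int:
    """Largest inner MTU whose encapsulated packet still fits the WAN MTU.

    The IPv6 overhead (80 bytes) is the conservative default: it is what yields
    the familiar 1420 on a 1500-byte link and stays safe for an IPv4 outer path.
    """
    return wan_mtu - wg_overhead(outer_ip_version)


def padded_len(inner_len: int, tunnel_mtu: int) -> int:
    """Plaintext length after padding to a multiple of 16, capped at the tunnel MTU
    so that an MTU-sized packet is never padded beyond it."""
    aligned = -(-inner_len // WG_PADDING_MULTIPLE) * WG_PADDING_MULTIPLE
    return min(tunnel_mtu, aligned)


def encapsulated_len(inner_len: int, tunnel_mtu: int, outer_ip_version: int) -> int:
    """On-the-wire size of the outer UDP/IP datagram carrying one inner packet."""
    return padded_len(inner_len, tunnel_mtu) + wg_overhead(outer_ip_version)


def fits_wan(inner_len: int, tunnel_mtu: int, wan_mtu: int, outer_ip_version: int) -> bool:
    """True when the encapsulated packet needs no fragmentation on the WAN link."""
    return encapsulated_len(inner_len, tunnel_mtu, outer_ip_version) <= wan_mtu


if __name__ == "__main__":
    for label, mtu in (("plain Ethernet", link_mtu()), ("PPPoE/DSL", link_mtu(pppoe=True))):
        print(f"{label}: WAN MTU {mtu} -> WireGuard MTU {recommended_wg_mtu(mtu)} (IPv6-safe), "
              f"{recommended_wg_mtu(mtu, 4)} (IPv4 outer only)")
    # A full-size inner packet with the 1420 default does not fit a PPPoE link unfragmented:
    print("1420-byte packet, tunnel MTU 1420, over PPPoE (1492) fits:",
          fits_wan(1420, 1420, link_mtu(pppoe=True), 6))
```

Fragmented outer datagrams are the usual mechanism behind the "works but slow" symptom: every inner packet near the MTU becomes two UDP fragments, and a single lost fragment costs the whole packet. Lowering the tunnel MTU to the value this calculation gives for the actual WAN link (or relying on a tool that measures the path MTU) removes that cost.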
uvz123a wrote:
WG Client on the router:
* if I use services on the same internet IP address as WG Server, this traffic bypasses the WG VPN. Kill switch doesn't seem to work for this issue. If I use private IP address for this service, the traffic goes through WG VPN (logically).
This problem still exists. Let's say that the WG Server is running on (IP Address:Port) 1.2.3.4:1234 and another service (in my case VNC) is on 1.2.3.4:4321.
At another location, I have a router with the WG Client running + Killswitch enabled... and let's say that this side has the internet IP 5.6.7.8.
I have noticed that the VNC connection bypasses VPN (WG Client).
I also did some testing and contacted random UDP/TCP ports on the internet address 1.2.3.4. All connections came from 5.6.7.8 and not from the private IP address of the WG Client.
That means that the killswitch does not work if the internet IP address of the services is the same as the internet IP address where the WG Server is running.
@egc, can I open the bug ticket?
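The observation that traffic to the WG server's own public address (1.2.3.4 in the post above, and the firewall-log findings in the first posts of the thread) leaves from the client's WAN address while traffic to 192.168.64.2 goes through the tunnel is what longest-prefix-match routing produces once the endpoint gets a more-specific route. The following is an added example, not code from the thread or from DD-WRT: it models the client's routing table with the thread's Allowed IPs (0.0.0.0/1, 128.0.0.0/1) and resolves a few destinations against it. Its one assumption, labelled in the code, is that a WireGuard client installs a host route for the endpoint address via the physical WAN gateway so that the encrypted UDP packets can leave at all (wg-quick does this with a host route or a policy rule); whether DD-WRT's implementation uses exactly that mechanism, and whether its kill switch is meant to cover it, is not settled by the thread. The device names, the 1.2.3.4 endpoint and the 10.2.0.0/24 LAN are placeholders from the thread or constructed here.

```python
"""Longest-prefix-match check for a 'route everything' WireGuard client (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    device: str
    comment: str = ""


def lookup(table: list[Route], dst: str) -> Route | None:
    """Return the matching route with the longest prefix (first listed wins a tie)."""
    addr = ip_address(dst)
    best: Route | None = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def client_table(endpoint_ip: str, lan: str = "10.2.0.0/24") -> list[Route]:
    """Routing table of the client router while the tunnel is up.

    'wg0' stands for the tunnel interface and 'wan' for the physical uplink;
    both names are placeholders, not DD-WRT's.
    """
    return [
        Route(ip_network(lan), "br0", "client LAN"),
        Route(ip_network("0.0.0.0/1"), "wg0", "Allowed IPs, lower half -> tunnel"),
        Route(ip_network("128.0.0.0/1"), "wg0", "Allowed IPs, upper half -> tunnel"),
        Route(ip_network("10.10.0.0/24"), "wg0", "tunnel transfer network"),
        # ASSUMPTION: the endpoint itself must stay reachable outside the tunnel,
        # otherwise the encrypted packets would be routed back into it (routing loop).
        Route(ip_network(f"{endpoint_ip}/32"), "wan", "WG endpoint via physical gateway"),
    ]


def bypasses_tunnel(table: list[Route], dst: str) -> bool:
    """True when a packet to dst would NOT egress through the tunnel device."""
    r = lookup(table, dst)
    return r is None or r.device != "wg0"


def egress_map(table: list[Route], destinations: list[str]) -> dict[str, str]:
    """Device each destination egresses on; a pre-flight check before trusting
    'Route All Destinations via VPN' for hosts that share the server's public IP."""
    out = {}
    for d in destinations:
        r = lookup(table, d)
        out[d] = r.device if r else "unroutable"
    return out


if __name__ == "__main__":
    table = client_table("1.2.3.4")
    # 1.2.3.4:4321 (the VNC service from the post) shares the endpoint's address,
    # so it takes the /32 host route and never enters the tunnel.
    for dst, dev in egress_map(table, ["1.2.3.4", "10.10.0.1", "8.8.8.8", "192.168.64.2", "10.2.0.55"]).items():
        r = lookup(table, dst)
        print(f"{dst:14} -> {dev:4} ({r.comment if r else ''})")
```

The practical consequence matches what the thread reports: any service hosted on the same public address as the WG endpoint is reached directly, not through the tunnel, regardless of the /1 routes, while the same service on a private address behind the server is covered by 128.0.0.0/1 and goes through the tunnel. Exposing such a service only on its private address (or on a separate public address) keeps it inside the VPN policy.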