[COMPLETED] WireGuard beta testing available

[Daniel15 14]

In the WireGuard config, does it really need to be a CIDR range?

Address = 10.135.xxx.xxx/10

I already have an internal network with IPs in the 10.128.0.0/10 range. Can I change that to 10.135.xxx.xxx/32? AFAIK, since we're just accessing the internet via the VPN, rather than other hosts on the same VPN, the whole 10.128.0.0/10 range doesn't have to be routed.

Also, does port forwarding work with WireGuard?

[Jacker@ 6]

7 hours ago, Daniel15 said:

In the WireGuard config, does it really need to be a CIDR range?

Address = 10.135.xxx.xxx/10

I already have an internal network with IPs in the 10.128.0.0/10 range. Can I change that to 10.135.xxx.xxx/32? AFAIK, since we're just accessing the internet via the VPN, rather than other hosts on the same VPN, the whole 10.128.0.0/10 range doesn't have to be routed.

Also, does port forwarding work with WireGuard?

Yes, I have changed mine to /32. No problem.

[securvark 16]

I am very interested in server cpu load and utilisation statistics. For clients with 1 (and max 5) connections it doesn't really matter and wireguard is very well optimised. On a server with several hundreds of connections it might be a different story since OpenVPN encryption can use hardware accelerated cryptography.

Is this something you can share?

[Daniel15 14]

6 hours ago, securvark said:

I am very interested in server cpu load and utilisation statistics. For clients with 1 (and max 5) connections it doesn't really matter and wireguard is very well optimised. On a server with several hundreds of connections it might be a different story since OpenVPN encryption can use hardware accelerated cryptography.

Is this something you can share?

I'd love to know this too. With OpenVPN you get hardware accelerated algorithms, but it runs entirely in userland so there's a lot more context switching. WireGuard is not hardware-accelerated, however it's in kernel code so there's less switching between userland and kernel mode. With a large number of connections, I'm curious as to whether the reduction in context switching offsets the lack of hardware acceleration for the encryption algorithms.

[Staff 9950]

13 hours ago, Daniel15 said:

I'd love to know this too. With OpenVPN you get hardware accelerated algorithms, but it runs entirely in userland so there's a lot more context switching. WireGuard is not hardware-accelerated, however it's in kernel code so there's less switching between userland and kernel mode. With a large number of connections, I'm curious as to whether the reduction in context switching offsets the lack of hardware acceleration for the encryption algorithms.

Hello!

You are correct. Furthermore, OpenVPN runs in a single thread of a single core, so we need to run multiple instances (one per virtual CPU) to get more performance at server level (of course a client remains connected to the same instance during the whole session life), while WireGuard scales well. We will not publish at the moment meaningful statistics, unfortunately, because our servers run at the same time multiple OpenVPN instances and WireGuard, and clients connect in a wide mixture of modes. Any data set would not have relevance or reliability.

Kind regards
 

[inc 3]

Well at last it is working, last night I followed Debian instructions and created an /etc/wireguard/ folder and put the Airvpn .conf file there and it all worked as intended. More confusingly this morning it also works using the Airvpn.conf file from userspace despite trying to get wireguard working of and on for over a week.

[inc 3]

Another mystery, using either Wireguard or Hummingbird I can check using IP/DNS that I am connected to Airvpn but when I go to Ookla speed test it shows my real IP and ISP (Three uk) is this right It never used to show that it used to show  ISP: M247 Ltd has some thing changed or have I changed a setting somewhere over the last week trying to get Wireguard working.

[Staff 9950]

31 minutes ago, inc said:

Another mystery, using either Wireguard or Hummingbird I can check using IP/DNS that I am connected to Airvpn but when I go to Ookla speed test it shows my real IP and ISP (Three uk) is this right It never used to show that it used to show  ISP: M247 Ltd has some thing changed or have I changed a setting somewhere over the last week trying to get Wireguard working.

Hello!

It doesn't sound right but from your description it might be some cached page. Hummingbird enables Network Lock by default so everything should be fine (provided you did not disable Network Lock manually) but to stay on the safe side please open a ticket for a cross-check (it's off topic here).

Kind regards
 

[inc 3]

Sorted, works OK now using wireguard or Hummingbird  it looks like it was my resolv.conf. now Ookia shows M247 which is Airvpn.
 

[pnnl 0]

Hey, Wireguard beta is working great. Will we get the option of different connection ports once we're approaching stable?

Is there a timeline/ETA?

[Staff 9950]

@pnnl

Hello!

You can now connect to port 47107 too, on all servers. WireGuard testing on server side can be considered successfully complete. We will probably advertise WireGuard support as a stable one when Eddie 2.21 is released (currently it's in beta testing).

Kind regards
 

[pnnl 0]

Thank you! I'm guessing it's not listed in the config generator yet, as I only see 1637 in there.

[pfolk 6]

deleted, figured it out

[Daniel15 14]

I just tried this out and I'm seeing much better performance compared to OpenVPN. I was seeing ~110-130Mbps with OpenVPN, but I'm getting effectively full speed (~500Mbps, so ~1000Mbps on the VPN server) with Wireguard.

AirVPN Server: Merope (Los Angeles)
Client system:

• VPS with 3 vCores, Intel Xeon E5-2680 v2 processor (fair share CPU usage, not dedicated)
• Located in Los Angeles, ~0.6ms ping from client system to VPN server
• VPN client is running in Docker: dperson/openvpn-client for OpenVPN, linuxserver/wireguard for Wireguard.

Tested using Speedtest.net CLI (https://www.speedtest.net/apps/cli)

OpenVPN:

     Server: Cox - Wichita - Wichita, KS (id = 16623)
        ISP: HugeServer Networks, LLC
    Latency:    42.60 ms   (0.21 ms jitter)
   Download:   111.92 Mbps (data used: 189.0 MB )
     Upload:   124.83 Mbps (data used: 221.8 MB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/d2c0f532-2013-4e90-ae96-796f813dd7b8

WireGuard:

     Server: Cox - Wichita - Wichita, KS (id = 16623)
        ISP: HugeServer Networks, LLC
    Latency:    42.22 ms   (0.22 ms jitter)
   Download:   493.41 Mbps (data used: 794.9 MB )
     Upload:   395.14 Mbps (data used: 492.3 MB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/f0668420-b38d-468e-9220-516b6d6cbbab

I haven't tried with one of the 10Gbps servers yet, but I do have a VPS in Switzerland so I might try that out and see what speeds I can achieve

[Strongduck 1]

This is a great feature. Port 123 could be a good addition as that port might be open on most hotspots. 😉

[maxhawk 2]

I use an Ubuntu VM as my AirVPN client tunnel. In my router I use policy based rules to route a particular subnet to this Ubuntu VM so internet requests go through AirVPN. I've used this method with OpenVPN for over 2 years and it's been rock solid.

Since OpenVPN is very CPU intensive, I decided to try Wireguard to see if speeds increased. Using the same server, I went from 300/80 Mbps via OpenVPN to ~800/500 Mbps with Wireguard. 

However using Wireguard vs OpenVPN seems to prevent access to a server that uses an API key. Using:

curl --include --request GET https://websitename/api?t=caps&apikey=myapikey

it works when OpenVPN is used but I get an error with Wireguard:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to websitename:443

Here is a dump of systemctl status wg-quick@tun0

● wg-quick@tun0.service - WireGuard via wg-quick(8) for tun0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2021-11-26 11:52:25 EST; 10min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 1253 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=0/SUCCESS)
 Main PID: 1253 (code=exited, status=0/SUCCESS)

Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 route add ::/0 dev tun0 table 51820
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip6tables-restore -n
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 route add 0.0.0.0/0 dev tun0 table 51820
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] iptables-restore -n
Nov 26 11:52:25 OpenVPN-Client systemd[1]: Started WireGuard via wg-quick(8) for tun0.

I called my config tun0 because that's the default name of the OpenVPN tunnel and required no changes to my iptables config in rc.local.

Is there anything in inherently different between OpenVPN and Wireguard connections that might cause this?

One important detail is that from the client tunnel VM the curl command works, but is broken when applied from a machine that's being routed to this VM. Normally this would point to an issue with firewall rules (either in my router or Ubuntu machines) but I've changed nothing except the VPN protocol. Thanks for any suggestions.
 

Update:

The issue is that OpenVPN uses an MTU=1500 while Wireguard uses MTU=1420. Dropped packets were preventing the proper SSL handshake. My fix is to manually force an MTU=1392 in the machine that's having trouble. The long term fix is to have any machine that connects to this subnet use an MTU of 1392, but that's an issue outside of Wireguard and AirVPN.

 

Edited ... by maxhawk
found the issue

[Oblivion 2013 8]

Ubuntu 21.10 here, Wireguard DNS adblocking is perfectly working which I tested over many days. As you can see the advertisement domains are blocked towards 127.0.0.1 ( the computer itself) and in microseconds instead of milliseconds. Good work!
 

ubuntu@ubuntu:~$ ping doubleclick.net 
PING doubleclick.net (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.073 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.057 ms
^C
--- doubleclick.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.032/0.056/0.073/0.015 ms

 

[Unknown User 2]

Is there an How-to to setup WG in PfSense?

Update: See answer below

Edited ... by Unknown User

[Jacker@ 6]

39 minutes ago, Unknown User said:

Is there an How-to to setup WG in PfSense?

  If you youtube 'Christian Mcdonald', he explains everything in his series of videos. He's also overseeing the wireguard package for netgate, and talks about the whole process and where he wants to take it in the future.

[Staff 9950]

14 minutes ago, Jacker@ said:

57 minutes ago, Unknown User said:

Is there an How-to to setup WG in PfSense?

  If you youtube 'Christian Mcdonald', he explains everything in his series of videos. He's also overseeing the wireguard package for netgate, and talks about the whole process and where he wants to take it in the future.

Hello!

Speaking of netgate.com, we found this article on it which looks good: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html

In order to fit it to AirVPN, please generate a configuration file for WireGuard and the server or country you wish from the Configuration Generator. It's a text file inside which you can find the settings/values you need.

Kind regards
 

[Jacker@ 6]

Here is the link to his channel.
https://m.youtube.com/watch?v=bCNnP8FDSNA


It's saves a lot of head scratching 😁

[Unknown User 2]

It works GREAT, Thanks AirVPN for adding Wireguard and Jacker for the link.

My setup:
 
Home:                               WireGuard AirVPN  --> AdBlocker PfBlockerNG --> AirVPN DNS --> END
Outside the House:         WireGuard Remote --> WireGuard AirVPN  --> AdBlocker PfBlockerNG --> AirVPN DNS --> END

Edited ... by Unknown User

[Duck1 2]

Some *killer* speeds with Wireguard:
 

     Server: Clouvider Ltd - Los Angeles, CA (id = 35056)
        ISP: HugeServer Networks, LLC
    Latency:    12.48 ms   (0.81 ms jitter)
   Download:   688.44 Mbps (data used: 904.8 MB )                               
     Upload:    35.42 Mbps (data used: 44.7 MB )                               
Packet Loss:     0.0%

[Unknown User 2]

     Server: Clouvider Ltd - Los Angeles, CA (id = 35056)
        ISP: HugeServer Networks, LLC
    Latency:    12.48 ms   (0.81 ms jitter)
   Download:   688.44 Mbps (data used: 904.8 MB )                               
     Upload:    35.42 Mbps (data used: 44.7 MB )                               
Packet Loss:     0.0%


What speedtest site you used to convert it in text?

Edited ... by Unknown User

[maxhawk 2]

1 hour ago, Unknown User said:

What speedtest site you used to convert it in text?

Looks like speedtest run from LInux CLI:  https://www.speedtest.net/apps/cli

FWIW here's what I'm getting with 4 cores dedicated to my VPN VM. I've seen higher numbers with different servers.

     Server: Cox - Wichita - Wichita, KS (id = 16623)
        ISP: Quintex Alliance Consulting
    Latency:    25.00 ms   (0.32 ms jitter)
   Download:   635.78 Mbps (data used: 698.7 MB )
     Upload:   570.65 Mbps (data used: 577.7 MB )
Packet Loss:     0.0%