Daniel15 14 Posted ... In the WireGuard config, does it really need to be a CIDR range? Address = 10.135.xxx.xxx/10 I already have an internal network with IPs in the 10.128.0.0/10 range. Can I change that to 10.135.xxx.xxx/32? AFAIK, since we're just accessing the internet via the VPN, rather than other hosts on the same VPN, the whole 10.128.0.0/10 range doesn't have to be routed. Also, does port forwarding work with WireGuard? Quote Share this post Link to post
Jacker@ 6 Posted ... 7 hours ago, Daniel15 said: In the WireGuard config, does it really need to be a CIDR range? Address = 10.135.xxx.xxx/10 I already have an internal network with IPs in the 10.128.0.0/10 range. Can I change that to 10.135.xxx.xxx/32? AFAIK, since we're just accessing the internet via the VPN, rather than other hosts on the same VPN, the whole 10.128.0.0/10 range doesn't have to be routed. Also, does port forwarding work with WireGuard? Yes, I have changed mine to /32. No problem. 1 Daniel15 reacted to this Quote Share this post Link to post
securvark 16 Posted ... I am very interested in server cpu load and utilisation statistics. For clients with 1 (and max 5) connections it doesn't really matter and wireguard is very well optimised. On a server with several hundreds of connections it might be a different story since OpenVPN encryption can use hardware accelerated cryptography. Is this something you can share? 1 Daniel15 reacted to this Quote Share this post Link to post
Daniel15 14 Posted ... 6 hours ago, securvark said: I am very interested in server cpu load and utilisation statistics. For clients with 1 (and max 5) connections it doesn't really matter and wireguard is very well optimised. On a server with several hundreds of connections it might be a different story since OpenVPN encryption can use hardware accelerated cryptography. Is this something you can share? I'd love to know this too. With OpenVPN you get hardware accelerated algorithms, but it runs entirely in userland so there's a lot more context switching. WireGuard is not hardware-accelerated, however it's in kernel code so there's less switching between userland and kernel mode. With a large number of connections, I'm curious as to whether the reduction in context switching offsets the lack of hardware acceleration for the encryption algorithms. Quote Share this post Link to post
Staff 9950 Posted ... 13 hours ago, Daniel15 said: I'd love to know this too. With OpenVPN you get hardware accelerated algorithms, but it runs entirely in userland so there's a lot more context switching. WireGuard is not hardware-accelerated, however it's in kernel code so there's less switching between userland and kernel mode. With a large number of connections, I'm curious as to whether the reduction in context switching offsets the lack of hardware acceleration for the encryption algorithms. Hello! You are correct. Furthermore, OpenVPN runs in a single thread of a single core, so we need to run multiple instances (one per virtual CPU) to get more performance at server level (of course a client remains connected to the same instance during the whole session life), while WireGuard scales well. We will not publish at the moment meaningful statistics, unfortunately, because our servers run at the same time multiple OpenVPN instances and WireGuard, and clients connect in a wide mixture of modes. Any data set would not have relevance or reliability. Kind regards Quote Share this post Link to post
inc 3 Posted ... Well at last it is working, last night I followed Debian instructions and created an /etc/wireguard/ folder and put the Airvpn .conf file there and it all worked as intended. More confusingly this morning it also works using the Airvpn.conf file from userspace despite trying to get wireguard working of and on for over a week. Quote Share this post Link to post
inc 3 Posted ... Another mystery, using either Wireguard or Hummingbird I can check using IP/DNS that I am connected to Airvpn but when I go to Ookla speed test it shows my real IP and ISP (Three uk) is this right It never used to show that it used to show ISP: M247 Ltd has some thing changed or have I changed a setting somewhere over the last week trying to get Wireguard working. Quote Share this post Link to post
Staff 9950 Posted ... 31 minutes ago, inc said: Another mystery, using either Wireguard or Hummingbird I can check using IP/DNS that I am connected to Airvpn but when I go to Ookla speed test it shows my real IP and ISP (Three uk) is this right It never used to show that it used to show ISP: M247 Ltd has some thing changed or have I changed a setting somewhere over the last week trying to get Wireguard working. Hello! It doesn't sound right but from your description it might be some cached page. Hummingbird enables Network Lock by default so everything should be fine (provided you did not disable Network Lock manually) but to stay on the safe side please open a ticket for a cross-check (it's off topic here). Kind regards Quote Share this post Link to post
inc 3 Posted ... Sorted, works OK now using wireguard or Hummingbird it looks like it was my resolv.conf. now Ookia shows M247 which is Airvpn. Quote Share this post Link to post
pnnl 0 Posted ... Hey, Wireguard beta is working great. Will we get the option of different connection ports once we're approaching stable? Is there a timeline/ETA? Quote Share this post Link to post
Staff 9950 Posted ... @pnnl Hello! You can now connect to port 47107 too, on all servers. WireGuard testing on server side can be considered successfully complete. We will probably advertise WireGuard support as a stable one when Eddie 2.21 is released (currently it's in beta testing). Kind regards Quote Share this post Link to post
pnnl 0 Posted ... Thank you! I'm guessing it's not listed in the config generator yet, as I only see 1637 in there. Quote Share this post Link to post
Daniel15 14 Posted ... I just tried this out and I'm seeing much better performance compared to OpenVPN. I was seeing ~110-130Mbps with OpenVPN, but I'm getting effectively full speed (~500Mbps, so ~1000Mbps on the VPN server) with Wireguard. AirVPN Server: Merope (Los Angeles) Client system: VPS with 3 vCores, Intel Xeon E5-2680 v2 processor (fair share CPU usage, not dedicated) Located in Los Angeles, ~0.6ms ping from client system to VPN server VPN client is running in Docker: dperson/openvpn-client for OpenVPN, linuxserver/wireguard for Wireguard. Tested using Speedtest.net CLI (https://www.speedtest.net/apps/cli) OpenVPN: Server: Cox - Wichita - Wichita, KS (id = 16623) ISP: HugeServer Networks, LLC Latency: 42.60 ms (0.21 ms jitter) Download: 111.92 Mbps (data used: 189.0 MB ) Upload: 124.83 Mbps (data used: 221.8 MB ) Packet Loss: 0.0% Result URL: https://www.speedtest.net/result/c/d2c0f532-2013-4e90-ae96-796f813dd7b8 WireGuard: Server: Cox - Wichita - Wichita, KS (id = 16623) ISP: HugeServer Networks, LLC Latency: 42.22 ms (0.22 ms jitter) Download: 493.41 Mbps (data used: 794.9 MB ) Upload: 395.14 Mbps (data used: 492.3 MB ) Packet Loss: 0.0% Result URL: https://www.speedtest.net/result/c/f0668420-b38d-468e-9220-516b6d6cbbab I haven't tried with one of the 10Gbps servers yet, but I do have a VPS in Switzerland so I might try that out and see what speeds I can achieve 1 Staff reacted to this Quote Share this post Link to post
Strongduck 1 Posted ... This is a great feature. Port 123 could be a good addition as that port might be open on most hotspots. 😉 Quote Share this post Link to post
maxhawk 2 Posted ... (edited) I use an Ubuntu VM as my AirVPN client tunnel. In my router I use policy based rules to route a particular subnet to this Ubuntu VM so internet requests go through AirVPN. I've used this method with OpenVPN for over 2 years and it's been rock solid. Since OpenVPN is very CPU intensive, I decided to try Wireguard to see if speeds increased. Using the same server, I went from 300/80 Mbps via OpenVPN to ~800/500 Mbps with Wireguard. However using Wireguard vs OpenVPN seems to prevent access to a server that uses an API key. Using: curl --include --request GET https://websitename/api?t=caps&apikey=myapikey it works when OpenVPN is used but I get an error with Wireguard: curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to websitename:443 Here is a dump of systemctl status wg-quick@tun0 ● wg-quick@tun0.service - WireGuard via wg-quick(8) for tun0 Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled) Active: active (exited) since Fri 2021-11-26 11:52:25 EST; 10min ago Docs: man:wg-quick(8) man:wg(8) https://www.wireguard.com/ https://www.wireguard.com/quickstart/ https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 Process: 1253 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=0/SUCCESS) Main PID: 1253 (code=exited, status=0/SUCCESS) Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 route add ::/0 dev tun0 table 51820 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 rule add not fwmark 51820 table 51820 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -6 rule add table main suppress_prefixlength 0 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip6tables-restore -n Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 route add 0.0.0.0/0 dev tun0 table 51820 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 rule add not fwmark 51820 table 51820 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] ip -4 rule add table main suppress_prefixlength 0 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 Nov 26 11:52:25 OpenVPN-Client wg-quick[1253]: [#] iptables-restore -n Nov 26 11:52:25 OpenVPN-Client systemd[1]: Started WireGuard via wg-quick(8) for tun0. I called my config tun0 because that's the default name of the OpenVPN tunnel and required no changes to my iptables config in rc.local.Is there anything in inherently different between OpenVPN and Wireguard connections that might cause this? One important detail is that from the client tunnel VM the curl command works, but is broken when applied from a machine that's being routed to this VM. Normally this would point to an issue with firewall rules (either in my router or Ubuntu machines) but I've changed nothing except the VPN protocol. Thanks for any suggestions. Update: The issue is that OpenVPN uses an MTU=1500 while Wireguard uses MTU=1420. Dropped packets were preventing the proper SSL handshake. My fix is to manually force an MTU=1392 in the machine that's having trouble. The long term fix is to have any machine that connects to this subnet use an MTU of 1392, but that's an issue outside of Wireguard and AirVPN. Edited ... by maxhawk found the issue 1 Lee47 reacted to this Quote Share this post Link to post
Oblivion 2013 8 Posted ... Ubuntu 21.10 here, Wireguard DNS adblocking is perfectly working which I tested over many days. As you can see the advertisement domains are blocked towards 127.0.0.1 ( the computer itself) and in microseconds instead of milliseconds. Good work! ubuntu@ubuntu:~$ ping doubleclick.net PING doubleclick.net (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.073 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.032 ms 64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.063 ms 64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.057 ms ^C --- doubleclick.net ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3056ms rtt min/avg/max/mdev = 0.032/0.056/0.073/0.015 ms 1 Staff reacted to this Quote Share this post Link to post
Unknown User 2 Posted ... (edited) Is there an How-to to setup WG in PfSense? Update: See answer below Edited ... by Unknown User Quote Share this post Link to post
Jacker@ 6 Posted ... 39 minutes ago, Unknown User said: Is there an How-to to setup WG in PfSense? If you youtube 'Christian Mcdonald', he explains everything in his series of videos. He's also overseeing the wireguard package for netgate, and talks about the whole process and where he wants to take it in the future. 1 Unknown User reacted to this Quote Share this post Link to post
Staff 9950 Posted ... 14 minutes ago, Jacker@ said: 57 minutes ago, Unknown User said: Is there an How-to to setup WG in PfSense? If you youtube 'Christian Mcdonald', he explains everything in his series of videos. He's also overseeing the wireguard package for netgate, and talks about the whole process and where he wants to take it in the future. Hello! Speaking of netgate.com, we found this article on it which looks good: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html In order to fit it to AirVPN, please generate a configuration file for WireGuard and the server or country you wish from the Configuration Generator. It's a text file inside which you can find the settings/values you need. Kind regards 3 1 Lee47, Air4141841, Jacker@ and 1 other reacted to this Quote Share this post Link to post
Jacker@ 6 Posted ... Here is the link to his channel.https://m.youtube.com/watch?v=bCNnP8FDSNA It's saves a lot of head scratching 😁 2 Unknown User and Staff reacted to this Quote Share this post Link to post
Unknown User 2 Posted ... (edited) It works GREAT, Thanks AirVPN for adding Wireguard and Jacker for the link.My setup: Home: WireGuard AirVPN --> AdBlocker PfBlockerNG --> AirVPN DNS --> ENDOutside the House: WireGuard Remote --> WireGuard AirVPN --> AdBlocker PfBlockerNG --> AirVPN DNS --> END Edited ... by Unknown User 1 Staff reacted to this Quote Share this post Link to post
Duck1 2 Posted ... Some *killer* speeds with Wireguard: Server: Clouvider Ltd - Los Angeles, CA (id = 35056) ISP: HugeServer Networks, LLC Latency: 12.48 ms (0.81 ms jitter) Download: 688.44 Mbps (data used: 904.8 MB ) Upload: 35.42 Mbps (data used: 44.7 MB ) Packet Loss: 0.0% 1 1 Unknown User and Staff reacted to this Quote Share this post Link to post
Unknown User 2 Posted ... (edited) Server: Clouvider Ltd - Los Angeles, CA (id = 35056) ISP: HugeServer Networks, LLC Latency: 12.48 ms (0.81 ms jitter) Download: 688.44 Mbps (data used: 904.8 MB ) Upload: 35.42 Mbps (data used: 44.7 MB ) Packet Loss: 0.0% What speedtest site you used to convert it in text? Edited ... by Unknown User Quote Share this post Link to post
maxhawk 2 Posted ... 1 hour ago, Unknown User said: What speedtest site you used to convert it in text? Looks like speedtest run from LInux CLI: https://www.speedtest.net/apps/cli FWIW here's what I'm getting with 4 cores dedicated to my VPN VM. I've seen higher numbers with different servers. Server: Cox - Wichita - Wichita, KS (id = 16623) ISP: Quintex Alliance Consulting Latency: 25.00 ms (0.32 ms jitter) Download: 635.78 Mbps (data used: 698.7 MB ) Upload: 570.65 Mbps (data used: 577.7 MB ) Packet Loss: 0.0% 1 Unknown User reacted to this Quote Share this post Link to post