For anyone else wanting to set this up at home, I’d recommend installing the vyatta-wireguard module [1] on an EdgeRouter X instead. It costs about the same as a Raspberry Pi, and you get a reliable network appliance with four gigabit ports and PoE, rather than a general purpose Linux box with graphics and USB. I’ve found the WireGuard module to be fast enough to keep up with my 100/40 Mbps internet connection, and now when my Linux server goes down, the network it’s connected to stays up.
I upgraded from an ER-X to an ER-4 because the X can’t do full 1000 Mbit with PPPoE fiber without hardware offload. With hardware offload turned on there’s a bug in the hardware that causes some sites, most notably Netflix, to not route at all.
The ER-4 has been great with the Cavium hardware. No hardware offload issues like this.
Edit: The ER-X tops out around 500 Mbit with hardware offload turned off.
I had an ER Lite, and hardware offload was re-validating packets. Things would come in as errors, and come out the other side still invalid, but validated. And at the time my ISP was sending me a lot of uncorrectable errors. So a lot of services would refuse to run with hardware offload on, because the errors weren't being handled. (With it off, the errors were identified as errors and handled. Slow, but accurate.)
Then the pole outside my house got hit by lightning and fried the thing, and I replaced it with something from mikrotik.
I have this router and set up the wg interface but got stuck at how to route all my home traffic through wg. Any recommendations on how to troubleshoot this part?
I believe you can do this with policy based routing rules. Effectively you create a second routing table where the default route goes through your wireguard device and then you create firewall modify rules that assign traffic to that routing table by source, your local LAN range and interface in this case.
The following article has an example of using policy based routing. Your setup isn't all that different; you don't need to have more than one default route in each routing table, is all, and you also might only need one additional route table.
Be careful with this module, lots of the `set` and `delete` commands aren't quite working right yet, leading to some commit failed errors for me. I was trying to get something working and ended up with an ERX that couldn't pass traffic last night. Luckily I had a serial-to-USB cable so I could fix it.
That's partially my fault. I wrote a lot of the configuration command stuff for that module and there are a couple of bugs when it comes to validation for setting and deleting items so you can get yourself in a bad position. Plus there are some issues with EdgeOS which this seems to trigger.
I migrated from Wireguard to ipsec quite a long time ago because it was less complicated for my particular needs. It has probably been close to 2 years. No one else seems to have taken up resolving the lingering problems with the configuration issues.
I'm running the latest 2.x firmware so I wasn't sure where to point fingers :)
I'll give it another shot at some point, but it was more just to try out. I've also got ipsec set up on that router and that continues to work just fine.
I may dust my personal ER-X off soon and take a look at addressing the issues. I would have more enthusiasm about it if it didn't involve writing perl scripts.
If you do attempt it again there are "generate" commands which will generate the keys needed and place them in the proper area in the file system. Most of the guides to configuring Wireguard on edgeos seem unaware these exist and have people using the "wg" command directly instead to generate keys.
I think part of my issue is just that I need to do some more reading around what IPs should be what. It's usually clear what's going on in WireGuard-land, but not clear how that interacts with the other interfaces or the networks on either side.
Cool project - if you're looking to set up a secure VPN in a quick, no-nonsense way, be sure to look at [Algo](https://github.com/trailofbits/algo). Does WireGuard (and IPSec if you want), only secure, sane defaults, and nothing more. Hands down the easiest, most secure way to setup a modern VPN in a few minutes. Far better than using some random anonymous VPN service running out of some random person's closet that's.
The major advantage to using Streisand instead of Algo is that it comes with lots of obfuscation goodies to help get around restrictive firewalls, like shadowsocks.
Also, if you're on a restrictive firewall and you need to quickly assess what ports are even open for egress, you can do `nmap --open allports.exposed` to find them. Then use one of Streisand's VPN options and connect.
I do this (with OpenVPN / Android, but same idea) and the main factor that limits my own performance is the poor upload speeds of my residential cable subscription. For many residential services, you're looking at asymmetrical up/down speeds, and they usually advertise the higher download number only.
This is normally fine since most people download way more than they upload and don't run servers in their homes, but when you route everything through your home, you may be limited by upload speeds.
If you want all your network traffic to go via your home network instead of normally over the internet, you will experience degraded network performance and it'll mostly depend on how fast your home network is & how far it is network-topologically from your phone.
Some bandwidth and latency downgrade seems certain. Google, Netflix, and others invest a lot to cache content closer to your phone. A VPN circumvents that approach. The experience, though, is individual enough that nothing other than trying it would tell if it's "good enough" for you.
You don't have to route all your traffic through the VPN (though it's unclear from the question whether or not that's the goal). If he only wants access to resources on his home network, it's entirely feasible to set that up while still routing other traffic out through the public internet via your ISP/carrier.
I do this fairly often with an Algo vpn. Sometimes the initial connection setup suffers, but there can be a gain from adblocking if you use PiHole.
I’ve had to turn it off a few times when some apps do geo-ip lookup and give me errors about not knowing whether I’m in the US. Otherwise the main drawback is battery usage.
Yeah I should have mentioned above but one of the reasons I want to do this is for pihole on the go. How much more battery usage would you estimate your setup causes?
This question gets asked a lot. Someone did a test and determined that always-on VPN (OpenVPN or Wireguard) on an iPhone consumes an extra 1% battery life compared to not using a VPN. Google may help find a source.
I don't think you can express Wireguard's battery usage by that %.
Imagine these 2 use cases:
#1. You do not use/touch your iPhone for 24 hours. Wireguard will now show 40% of the total battery that was used.
#2. You play the game Tetris for 24 hours. Wireguard will now show less than 1% of the total battery that was used. Because Tetris used the other 99.9%.
I have been looking at setting up a VPN to be able to hook up my PC to the office network. I don't know a whole lot about it but I ended up trying out SoftEther for the job just this weekend. It's a free and open-source project from the University of Tsukuba, Japan. It promises that it can achieve speeds far higher than OpenVPN.
It was really just a click next, next type setup both on client and server which was the reason I went for it over openvpn which seemed more complicated and would require me to handle DNS stuff etc.
I was impressed that I was able to get it up and run a desktop application designed for a local network with a minimal increase in lagginess.
I'd value the opinions of people more knowledgeable than I who may have tried it.
It looks like softether is just a management GUI / framework that handles a bunch of different underlying VPN products/standards? The README says the following are supported "SSL-VPN, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP by the single SoftEther VPN Server program." Looking at the documentation for client setup it looks like you just setup an IPSEC client.
Certainly not an expert but I switched from openvpn to softether for personal use back in 2015-16 out of curiosity, saw substantially lower latency. I see openvpn as the samba of vpn servers. Huge hassle to configure for performance, so much history that searching when you have issues is difficult.
Glad to hear of someone using it for a while and who's impressed with it. I've only used it a very little bit but I was very impressed, I think I'm going to dive into it deeper now.
I set my Pi4 up with wireguard+pihole recently. I think pihole does nothing 99.99% of the time, so I can’t speak to how performance is in worst case scenarios, but wireguard seems fine. I get about 25 Mbps up/down (speedtest.net with a single client, so assume it’s 25 Mbps aggregate). Not a lot for hefty file transfers but comfy enough for VNC to multiple hosts. The big win is in decreased latency. I don’t have good quantifications of this beyond speedtest.net run from my work. 5 ms with no VPN. 82 ms using my router’s OpenVPN. 24 ms using Pi4 wireguard. These were just single runs so the strong law of small numbers may apply. I know iperf is more scientific, but I wanted a quick, empirical full internet test. My home internet is 550 Mbps down / 36 Mbps up.
All three runs were on work wifi. There is some bottleneck in between my work and apartment since my apartment connection is 550 / 36. It isn’t a test of raw wireguard performance, but rather a realistic best case scenario for full internet tunneling on the go.
Been using the Pi1 for a couple years now with OpenVPN and Pihole, never had problems (though the only one using the VPN is me, at any time), so I'd say the Pi4 should be more than capable :-)
Yep! This is how I started out (I run it on a VPS now so I'm not tied to my home network) and it works fine. The only limit you're likely to run into is your blocklists filling RAM. I have a 5M+ long blocklist and it won't fit into 1GB, so you might want to spec up a little bit in that area, depending on how block-happy you are.
I run mine as both an OpenHAB and a PiHole server. I don't see why not. Of course a VPN might be slightly more involved. I am thinking of splitting it up and doing a VPN with PiHole though so I can get access to my internal network to manage OpenHAB remotely. I want my OpenHAB Pi to be stand alone.
> commercial license is only needed if you want to offer a paid network management service or embed it into a proprietary device or app.
A cursory look suggests that it's open source, with restrictions that they clearly list on their site here[0]. I get your point, but I personally don't mind if a business open sources their software and allows free use of it for non commercial cases.
That's not open source. They make the source available but open source does not restrict what you can do with it other than sometimes requiring that you share the source for your binaries.
>Open source just means you have or can get access to the source.
No, that is "source-code available". "Open source" was defined over 20 years ago by this document and that is still how most software people still use the term: https://opensource.org/osd
RMS has basically single-handedly tried to push "Open source can be proprietary, only free software is good." Every other org's definition has had Open source mean the actual license is open.
"Free software" is also an absolutely awful term because for 99.9% of the population "free" means it didn't cost them any money. This will never change no matter how hard RMS tries because it's a very common and understood word.
>Open source implies nearly unlimited rights for the developer, like BSD, MIT, or Apache.
Wrong: the GPL for example is defined as open-source by the Open Source Initiative (source: https://opensource.org/licenses) -- a fact that has not changed since the coining of the term "open source" over 20 years ago.
> FOSS implies restrictions on the developer in the service of end-user freedom
No it doesn't. You're thinking of copyleft licenses. FOSS is not synonymous with copyleft; many FOSS licenses (recognized as such by RMS and the FSF) are not copyleft.
Whoa, you’re right. I definitely remember reading a tirade against permissive licenses that I thought was FSF’s position, but I see they do explicitly recognize permissive licenses as Free Software.
That's RMS's fringe definition of OS but the widely accepted OSI definition is that open source software does not restrict your rights to commercial use.
Your parent's comment didn't even mention the open source issue here. Stop harassing startups with open source products just because you make six figures merely doing nothing all year.
I'm trying to set it up on a RPI4 as an 802.11ac wireless router, to verify this. If it manages 100 Mbps+ then it'll be a cheap replacement for my current router.
I don't know, but you get the extra limitation of USB2 being half duplex. USB2 is something like 480 Mbps. Add half duplex limitations and just general overhead compared to theoretical max. I can see how some network protocols become limited to 60 Mbps.
True. It does depend what else you are doing with the pi. Something like a USB hard drive could account for that poor performance, especially if you were uploading from/downloading to it.
I’ve been using a pi3 for about a year as a full time VPN on my cell phone and laptops.
3 is only 100mbit eth, but I’ve had almost no issues with it. Connects fast, no problem streaming HD video or cloning huge git repos. Maybe when I get home today I’ll take some measurements.... But my biggest issue is the trash Powerline Ethernet between my router and rest of my network.
I have issues with my wireless signal just crapping out from out of nowhere from time to time. Usually in specific spots in my home. I setup a repeater (thinking a mesh network might be the better choice, but this was a much cheaper temporary solution) but it still sometimes happens. The ethernet is fine on the other hand.
I run OpenHAB and Pi-Hole all on a RPi3 on ethernet, no issues so far.
That's for a Raspberry Pi 4, which should have a pretty drastic performance difference from the Raspberry Pi 3 mentioned in the article since only one of those has proper gigabit Ethernet.
It does seem pretty good though. I'm having trouble getting past 25 Mb/s in, 100 Mb/s out on my Edgerouter X.
Sure but that article was about using it on a LTE connection and the GP was asking about Pi in general. In the article's setup it's going to be bottlenecked on the cellular network anyway.
(The Pi 3 also is 4 years old now and you wouldn't want to buy it today)
Does WireGuard require a kernel module or a specific kernel? (I saw a day or two ago it was in Linus' tree). Can I run WireGuard on a digitalocean droplet?
Ironically this looks considerably simpler than trying to get wireguard working on my OpenWRT router (and with much less collateral damage should I mess up).
I've been running a WireGuard VPN on my OpenWrt router for quite a while with no issues whatsoever. Rock solid since I set it up, only has a 4 or 5 peers, but it's been excellent and I highly suggest it versus adding yet another single purpose device.
Not sure why the RPi is so lauded for this and Pi-Hole (which is just a fancy DNS blocklist) when OpenWrt is just as simple and powerful for both (and more) tasks.
My main issue with doing this with OpenWRT is that it is loaded with abstractions. Network, interfaces, firewall zones, bridged zones, etc. When they all work, it's nice and almost magical.
But when setting up new custom zones from scratch (like this VPN subnet/zone), I never feel quite as home as I do with the traditional Linux command-line and iptables.
Basically OpenWRT's abstractions don't map cleanly to the underlying Linux primitives I know fairly well. The impedance mismatch there is what makes me consider the RPi-based solution more preferable, because I understand how and why it works.
I think there's some issues in the config. First of all, at least one of the CIDRs is wrong ("Address = 10.200.200.2/24"). Also by setting AllowedIPs to 10.200.200.0/24 in the client, only traffic to that subnet will actually go through the VPN, not all traffic.
Isn't there also some missing host/RPI system so that the 10.200.200.0/24 can route to the public internet?
If someone has an example of a full VPN configuration I'd love to see them so I can try it out.
> First of all, at least one of the CIDRs is wrong ("Address = 10.200.200.2/24"). Also by setting AllowedIPs to 10.200.200.0/24 in the client, only traffic to that subnet will actually go through the VPN, not all traffic.
Not sure what your issue is with the address line.
As for the AllowedIPs, that's intentional. From the first lines of the article:
> A Linux laptop that should use the VPN only accessing network services that are exposed to the VPN
VPNs aren't just for routing your public traffic through some trusted host.
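The AllowedIPs point argued in the two comments above, and the earlier question about routing all home traffic through the wg interface, come down to the same mechanism: WireGuard's cryptokey routing. A packet the operating system routes into wg0 is only encrypted and sent if some peer's AllowedIPs covers the destination (longest prefix wins); otherwise WireGuard drops it. So policy-based routing that steers a LAN's default route into wg0 still black-holes internet traffic if the peer only allows 10.200.200.0/24. The following is an added example, not code from the thread or the linked article: it parses wg-quick style configs (two constructed ones are embedded; the keys, and the endpoint vpn.example.org, are placeholders) and reports which peer, if any, would carry a given destination.

```python
"""Cryptokey routing check for WireGuard client configs (added example).

For each destination it answers: which peer's AllowedIPs covers it (longest
prefix wins), or None when WireGuard would drop the packet. It also checks
whether the peers' IPv4 AllowedIPs collectively amount to a full tunnel.
"""
import ipaddress

# Constructed configs. Keys are placeholders, not valid WireGuard keys.
SPLIT_TUNNEL = """
[Interface]
Address = 10.200.200.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.org:51820
AllowedIPs = 10.200.200.0/24   # only the VPN subnet is tunneled
"""

FULL_TUNNEL = """
[Interface]
Address = 10.200.200.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0   # everything is tunneled
"""


def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]) from a wg-quick style config."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line == '[Interface]':
            current = interface
        elif line == '[Peer]':
            current = {}
            peers.append(current)
        elif '=' in line and current is not None:
            # Split on the first '=' only: base64 keys end in '=' padding.
            key, value = (s.strip() for s in line.split('=', 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects (comma separated in the file)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get('AllowedIPs', '').split(',') if p.strip()]


def tunnel_peer(peers, destination):
    """Longest-prefix match of destination against every peer's AllowedIPs.

    Returns the matching peer's PublicKey, or None when no peer covers the
    destination, which is the case WireGuard silently drops.
    """
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if dst.version == net.version and dst in net and net.prefixlen > best_len:
                best, best_len = peer['PublicKey'], net.prefixlen
    return best


def routes_all_ipv4(peers):
    """True when the peers' IPv4 AllowedIPs collapse to 0.0.0.0/0.

    This also accepts the 0.0.0.0/1 + 128.0.0.0/1 split some setups use to
    avoid replacing the system default route.
    """
    nets = [n for p in peers for n in allowed_networks(p) if n.version == 4]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network('0.0.0.0/0')]


def check_config(text, destinations):
    """Map each destination to the peer PublicKey that would carry it (None = dropped)."""
    _, peers = parse_wg_config(text)
    return {d: tunnel_peer(peers, d) for d in destinations}


if __name__ == '__main__':
    for name, cfg in (('split tunnel', SPLIT_TUNNEL), ('full tunnel', FULL_TUNNEL)):
        _, peers = parse_wg_config(cfg)
        print(name, 'routes all IPv4:', routes_all_ipv4(peers))
        for dst, peer in check_config(cfg, ['10.200.200.1', '8.8.8.8']).items():
            print(f"  {dst} -> {peer or 'DROPPED (no AllowedIPs match)'}")
```

Run it as a script to see the two behaviours side by side: with the split-tunnel config, 10.200.200.1 is carried by the server peer and 8.8.8.8 is dropped, which is exactly the intended "only services exposed to the VPN" setup from the article; with AllowedIPs = 0.0.0.0/0, ::/0 both destinations are tunneled. Remember that a full tunnel also needs the server side to forward and NAT the 10.200.200.0/24 traffic to the internet, which is the missing piece one commenter asks about.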
I've also thought about this. But basically it will be re-packaging a modern linux kernel, giving some support w/ key management and packaging it in a nice case.
The VPN gives you monthly recurring revenue versus the one-time hardware revenue. Maybe a subscription that includes an up-to-date DNS blacklist for the pi-hole?
[1]: https://github.com/Lochnair/vyatta-wireguard