WiFi 7 routers with high VPN server speed

[tsammyc]

For those who use their WiFi routers as VPN Server e.g., TP-Link and Asus routers, what is the highest speed in Mbps that you have gotten with your WiFi 7 router? Note that VPN Server is not the same as using your router as a VPN Client to access a VPN service (e.g., NordVPN). A VPN Server, is where the router accepts connections over the Internet for a remote client to access your home network. The speed of a VPN Server depends on the router's CPU speed and memory. How do you test the speed? While you are on a fast network outside your home, connect to your home VPN server and run any Speed Test.

So far on my low end TP-Link BE230, I'm able to get consistently about 310+ Mbps when connecting a remote Mac using WireGuard over a 5G Singtel connection to my home network. My iPhone 13 mini is much slower, but I think that is due to the iPhone's much lower CPU power.

 

[tsammyc]

The GL-iNET Flint 2 is a WiFi 6 router with 2.5 Gbps ports and can do 900Mbps Wireguard. It has a Mediatek Quad Core CPU at 2Ghz and 1GB of RAM

Flint 2

The Flint 3 is a WiFi 7 router. Specs unknown incoming 1H25

Flint 3

 

[xiaofan]

Wired router is a strong competitor in this case, like Intel N100 CPU based mini PCs, should have no issues with >1Gbps wireguard speed. Then you can add a WiFi 7 AP after the mini PC based router, for example, the cheap TP-Link HB710 for Starhub users, or other cost effective WiFi 7 APs.

Theoretical benchmark for my virtual OpenWRT router (two virtual CPU, Proxmox PVE 8.2, Intel N100).
https://github.com/cyyself/wg-bench

root@OpenWrt:~# sh <(wget -O - https://raw.githubusercontent.com/cyyself/wg-bench/master/openwrt-benchmark.sh)
Downloading 'https://raw.githubusercontent.com/cyyself/wg-bench/master/openwrt-benchmark.sh'
Connecting to 2606:50c0:8002::154:443
Writing to stdout
-                    100% |*******************************|  2908   0:00:00 ETA
Download completed (2908 bytes)

Packages:
WireGuard already installed
Iperf3 already installed
Installed ip-full...
Installing ip-full (6.3.0-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/ip-full_6.3.0-1_x86_64.ipk
Installing libelf1 (0.189-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/libelf1_0.189-1_x86_64.ipk
Installing libbpf1 (1.2.2-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/libbpf1_1.2.2-1_x86_64.ipk
Configuring libelf1.
Configuring libbpf1.
Configuring ip-full.
Installed kmod-veth...
Installing kmod-veth (5.15.167-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/packages/kmod-veth_5.15.167-1_x86_64.ipk
Configuring kmod-veth.
Installed psmisc...
Installing psmisc (23.4-2) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/packages/psmisc_23.4-2_x86_64.ipk
Configuring psmisc.

Router details:
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "QEMU Virtual CPU version 2.5+",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
Connecting to host 169.254.200.2, port 4242
[  5] local 169.254.200.1 port 57418 connected to 169.254.200.2 port 4242
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   268 MBytes  2.25 Gbits/sec   72   1.13 MBytes
[  5]   1.00-2.00   sec   271 MBytes  2.28 Gbits/sec    0   1.26 MBytes
[  5]   2.00-3.00   sec   273 MBytes  2.29 Gbits/sec    4   1006 KBytes
[  5]   3.00-4.00   sec   272 MBytes  2.29 Gbits/sec    0   1.13 MBytes
[  5]   4.00-5.00   sec   270 MBytes  2.27 Gbits/sec    0   1.26 MBytes
[  5]   5.00-6.00   sec   274 MBytes  2.30 Gbits/sec   11   1011 KBytes
[  5]   6.00-7.00   sec   274 MBytes  2.30 Gbits/sec    0   1.12 MBytes
[  5]   7.00-8.00   sec   274 MBytes  2.30 Gbits/sec    0   1.25 MBytes
[  5]   8.00-9.00   sec   273 MBytes  2.29 Gbits/sec    9    982 KBytes
[  5]   9.00-10.00  sec   276 MBytes  2.31 Gbits/sec    0   1.09 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.66 GBytes  2.29 Gbits/sec   96             sender
[  5]   0.00-10.01  sec  2.66 GBytes  2.28 Gbits/sec                  receiver

iperf Done.
4242/tcp:            24172

 

[xiaofan]

If you look at the theoretical test, low power Intel CPU beats MediaTek Filogic 880 and Filogic 830 comfortably.
https://github.com/cyyself/wg-bench

Asus TUF-AX4200 / MT7986AV

OpenWRT Snapshot / 6.1.78

936 Mbits/sec

Raspberry Pi 4 / BCM2711*	OpenWRT 23.05.2 / 5.15.137	1.02 Gbits/sec
Intel Atom C3558	Debian bookworm / 6.1.0-13	1.26 Gbits/sec
Banana Pi BPI-R4 / MT7988A	OpenWRT Snapshot / 6.1.77	1.27 Gbits/sec

Intel Celeron(R) J4125

Linux pve / 6.2.16

2.12 Gbits/sec

Intel Celeron N5105*

Debian bookworm / 6.1.38

2.46 Gbits/sec

Intel N100

Debian bookworm / 6.1.76

3.97 Gbits/sec

Intel N100

Debian bookworm / 6.6.13

4.65 Gbits/sec

 

[tsammyc]

Wired router is a strong competitor in this case, like Intel N100 CPU based mini PCs, should have no issues with >1Gbps wireguard speed. Then you can add a WiFi 7 AP after the mini PC based router, for example, the cheap TP-Link HB710 for Starhub users, or other cost effective WiFi 7 APs.

Theoretical benchmark for my virtual OpenWRT router (two virtual CPU, Proxmox PVE 8.2, Intel N100).
https://github.com/cyyself/wg-bench

root@OpenWrt:~# sh <(wget -O - https://raw.githubusercontent.com/cyyself/wg-bench/master/openwrt-benchmark.sh)
Downloading 'https://raw.githubusercontent.com/cyyself/wg-bench/master/openwrt-benchmark.sh'
Connecting to 2606:50c0:8002::154:443
Writing to stdout
-                    100% |*******************************|  2908   0:00:00 ETA
Download completed (2908 bytes)

Packages:
WireGuard already installed
Iperf3 already installed
Installed ip-full...
Installing ip-full (6.3.0-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/ip-full_6.3.0-1_x86_64.ipk
Installing libelf1 (0.189-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/libelf1_0.189-1_x86_64.ipk
Installing libbpf1 (1.2.2-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/base/libbpf1_1.2.2-1_x86_64.ipk
Configuring libelf1.
Configuring libbpf1.
Configuring ip-full.
Installed kmod-veth...
Installing kmod-veth (5.15.167-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/packages/kmod-veth_5.15.167-1_x86_64.ipk
Configuring kmod-veth.
Installed psmisc...
Installing psmisc (23.4-2) to root...
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/x86_64/packages/psmisc_23.4-2_x86_64.ipk
Configuring psmisc.

Router details:
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "QEMU Virtual CPU version 2.5+",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
Connecting to host 169.254.200.2, port 4242
[  5] local 169.254.200.1 port 57418 connected to 169.254.200.2 port 4242
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   268 MBytes  2.25 Gbits/sec   72   1.13 MBytes
[  5]   1.00-2.00   sec   271 MBytes  2.28 Gbits/sec    0   1.26 MBytes
[  5]   2.00-3.00   sec   273 MBytes  2.29 Gbits/sec    4   1006 KBytes
[  5]   3.00-4.00   sec   272 MBytes  2.29 Gbits/sec    0   1.13 MBytes
[  5]   4.00-5.00   sec   270 MBytes  2.27 Gbits/sec    0   1.26 MBytes
[  5]   5.00-6.00   sec   274 MBytes  2.30 Gbits/sec   11   1011 KBytes
[  5]   6.00-7.00   sec   274 MBytes  2.30 Gbits/sec    0   1.12 MBytes
[  5]   7.00-8.00   sec   274 MBytes  2.30 Gbits/sec    0   1.25 MBytes
[  5]   8.00-9.00   sec   273 MBytes  2.29 Gbits/sec    9    982 KBytes
[  5]   9.00-10.00  sec   276 MBytes  2.31 Gbits/sec    0   1.09 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.66 GBytes  2.29 Gbits/sec   96             sender
[  5]   0.00-10.01  sec  2.66 GBytes  2.28 Gbits/sec                  receiver

iperf Done.
4242/tcp:            24172

You are right that the OpenWRT and PFSense mini PC routers allow you to scale CPU power up to any level in order to obtain the highest VPN speeds for a router. These mini PCs are a cheap way to do it and could be somewhat reliable with passive cooling. However, it's a level of set up complexity that I'm not willing to take after pulling my hair out more than a decade ago hacking routers to run DD-WRT.

PC routers also don't typically have WiFi 7 or any WiFi at all and are usually (save one with SFP+) limited with 2.5Gbps ethernet ports. So even if I locate a HB710 as a AP for it, one would not get 10Gbps to test high VPN speeds. Once you head for NUCs or something that can take a PCI card for 6Ghz 320Mhz, you are into major expenditure.

My idea was not to look for the fastest absolute VPN server, but to ask how fast the current crop of consumer WiFi 7 routers are for handling VPN. Since most of them have 10Gbps ports, they must have serious CPU power. VPN Server is also much easier to setup in a consumer router rather than on the enthusiast mini PC with OpenWRT and Pfsense. So I was hoping people would put up numbers for how fast their WiFi 7 routers perform under Wireguard e.g.,

TP-LInk BE230: 315Mbps
Tp-Link HU710: ???Mbps
Asus TUF 6500: ???Mbps
TP-Link BE800:???Mbps
Asus Rog BE-98: ???Mbps
ASUS ZENWiFi BQ16: ???Mbps
TP-Link BE550:???Mbps

The reason for Wireguard speeds is that it is by far the fastest VPN protocol around, secure and is very easy to set up on a commercial Asus or TP-Link router. I do notice the Deco and Aginet series don't have Wireguard yet. Only IPSEC, PPTP and OpenVPN.

 

[tsammyc]

If you look at the theoretical test, low power Intel CPU beats MediaTek Filogic 880 and Filogic 860 comfortably.
https://github.com/cyyself/wg-bench

Asus TUF-AX4200 / MT7986AV

OpenWRT Snapshot / 6.1.78

936 Mbits/sec

Raspberry Pi 4 / BCM2711*	OpenWRT 23.05.2 / 5.15.137	1.02 Gbits/sec
Intel Atom C3558	Debian bookworm / 6.1.0-13	1.26 Gbits/sec
Banana Pi BPI-R4 / MT7988A	OpenWRT Snapshot / 6.1.77	1.27 Gbits/sec

Intel Celeron(R) J4125

Linux pve / 6.2.16

2.12 Gbits/sec

Intel Celeron N5105*

Debian bookworm / 6.1.38

2.46 Gbits/sec

Intel N100

Debian bookworm / 6.1.76

3.97 Gbits/sec

Intel N100

Debian bookworm / 6.6.13

4.65 Gbits/sec

I'm surprised that the Raspberry Pi managed to get 1.27Gbit/sec. I have a 8GB Pi 4 around that I use as a pattern generator. Might repurpose that with OpenWRT, but I doubt it will support dual 2.5G or 10G adapter.

You just gave me an idea to take out a Brume 2 that I once used until 6 months ago as an OpenWRT Wireguard server (stopped after trying Asus VPN Fusion) and see if I can get it to run at 2.5Gbps. It has a 2.5Gbps WAN port but a 1Gbps LAN port so I'm going to try connecting a 2.5Gbps dongle to its USB port. The Gl iNet products like Brume run OpenWRT but have a custom user interface to make them more consumer friendly.

 

[xiaofan]

The difficult part for typical users will be how to test the performance of the wireguard VPN server. As you mention in the first post, the user needs a fast network connection outside the home, connect to the home VPN server and run SpeedTest (eg: OOkla SpeedTest or iperf3).

Most of the users will have only one Fibre Internet line and one or more mobile phones with data. If you set up the wireguard server on the main router, then you probably can only use the mobie phone to carry out the performance testing --> which is subject to the limitation from the mobile service provider and mobile phone.

The following is a work-around to compare relative performance across different platforms (home router, Linux servers, etc). Unfortunately it may not run on typical Wireless routers.
https://github.com/cyyself/wg-bench

Of course you can try to ask another friend with fast Fibre internet connection for testing.

 

[xiaofan]

We can also use the vendor published data and the data from other users over the internet.

GL.iNet:
Flint 2 GL-MT6000, -- MediaTek Filogic 830 chipset (CPU: MT7986AV), 900Mbps wireguard VPN client, Wireguard VPN server may be slower as per the vendor.
https://www.gl-inet.com/products/gl-mt6000/

Flint GL-AX1800, -- Qualcomm IPQ6000 CPU, 500Mbps wireguard VPN client, Wireguard VPN server may be slower as per the vendor.
https://www.gl-inet.com/products/gl-ax1800/

Blume 2 GL-MT1800 -- MediaTek MT7981B (CPU for the Filogic 820 chipset), 355Mbps wireguard VPN client, Wireguard VPN server may be slower as per the vendor.
https://www.gl-inet.com/products/gl-mt2500/#specs

Beryl GL-MT3000 -- MediaTek Filogic 820 chipset (CPU: MT7981B), 300Mbps wireguard VPN client, Wireguard VPN server may be slower as per the vendor.
https://www.gl-inet.com/products/gl-mt3000/

 

[xiaofan]

From what I gathered for Asus routers.

BCM4908 CPU (eg: , RT-AX86U and GT-AX11000) --> about 400Mbps to 500Mbps.
BCM4912 CPU: (eg: RT-AX86U Pro, GT-AX6000, GT-AX11000 Pro and GT-AXE16000) --> 600Mbps to 800Mbps
BCM4916 CPU: (eg: GT-BE98) --> >=1Gbps

 

[xiaofan]

The following is from Malaysia reviewer for some WiFi 7 routers in terms of Wireguard VPN Client performance, not the same as VPN server performance, but it can serve as a good comparison as well.

Filogic 880 chipset --> TP-Link Archer BE805, 850Mbps
Broadcom BCM4916 --> Asus RT-BE88U, >1Gbps


Reference:
https://www.blacktubi.com/review/tp-link-archer-be805/
https://www.blacktubi.com/review/asus-rt-be88u/

 

[tsammyc]

Thanks for the info. Looks like the current crop of WiFi 7 routers with 10Gbps ports have the ability to use Wireguard at 800Mbps-1Gbps, which is good enough for almost anyone accessing LAN remotely.

I did try to connect a 2.5Gbps Ethernet adapter to the Brume 2, but it was disappointing. Compared to the built in 1Gbps port, the USB adapter barely passed 500Mbps. It looks like the CPU in the Brume 2 is not strong enough to drive a 2.5Gbps Ethernet adapter at full speed, let alone with Wireguard running.

 

[tsammyc]

The difficult part for typical users will be how to test the performance of the wireguard VPN server. As you mention in the first post, the user needs a fast network connection outside the home, connect to the home VPN server and run SpeedTest (eg: OOkla SpeedTest or iperf3).

Most of the users will have only one Fibre Internet line and one or more mobile phones with data. If you set up the wireguard server on the main router, then you probably can only use the mobie phone to carry out the performance testing --> which is subject to the limitation from the mobile service provider and mobile phone.

The following is a work-around to compare relative performance across different platforms (home router, Linux servers, etc). Unfortunately it may not run on typical Wireless routers.
https://github.com/cyyself/wg-bench

Of course you can try to ask another friend with fast Fibre internet connection for testing.

For testing the Wireguard server, it is possible to access the Wireguard router within your own LAN if you connect its WAN port to a port on the network. You just have to edit the Wireguard configuration file on the client to point it at the IP address where the Wireguard server is connected. When you access a device, say NAS for OpenSpeedTest, behind the Wireguard router, the packets will be processed by that server and you can measure the Wireguard speed.

 

[xiaofan]

For testing the Wireguard server, it is possible to access the Wireguard router within your own LAN if you connect its WAN port to a port on the network. You just have to edit the Wireguard configuration file on the client to point it at the IP address where the Wireguard server is connected. When you access a device, say NAS for OpenSpeedTest, behind the Wireguard router, the packets will be processed by that server and you can measure the Wireguard speed.

Good point.

This is one of the methods I use to test Wireguard VPN server performance. Basically in this case, the Wireguard VPN Server router is not the main router, but rather function as a secondary router behind the main router (Double NAT). The good thing is that you will be able to test >1Gbps speed if the Wireguard VPN server router has fast CPU and 2.5Gbe or faster WAN/LAN port.

I used to use Singtel ONT and I could split the network into two independent networks using a VLAN capable switch, each has it own public IPv4 address. Then I can use single direction iperf3 to carry out Wireguard VPN server performance (up to 1Gbps only). I can still do it now with bridged ZTE F8648P XGS-PON ONR (for my Singtel 5Gbps plan) by bridging both the 10G LAN port and 1G LAN port (not recommended though). Again the test results will be limited to 1Gbps.

 

[xiaofan]

Test results for Asus TUF-BE6500 (Qualcomm IPQ5322 CPU, quad-core Arm Cortex A53 at 1.5GHz, 1 x NPU at 1.5GHz) Wireguard VPN Server performance -- the speed is higher than what I expected.

With wireguard tunnel connection:
OOkla SpeedTest result: 609.98Mbps download, 839.43Mbps upload
iperf3 test result: 552Mbps download; 732Mbps upload.

So we can say Asus TUF-BE6500 wireguard server speed is roughly about 550-600Mbps download, 730-830Mbps upload.

Wireguard VPN Server on TUF-BE6500, 2.5G WAN port connected to a 10G/2.5G switch's 2.5G LAN port (Double NAT behind my main OpenWRT router, Singtel 5Gbps plan).

Client: Acer Swift 3 early 2021 model (Intel Core i5-1135G7 CPU, 16GB/512GB, Windows 11 24H2) with Ugreen USB to 2.5G network adapter, connected to the same 10G/2.5G switch's 2.5G LAN port.

1. OOkla SpeedTest result
a) Wireguard client VPN OFF on the laptop (2368.22Mbps download, 2369.71Mbps upload).
https://www.speedtest.net/result/d/a2232455-64ec-4864-9107-05aa64d59c28

b) wireguard client VPN ON on the laptop (609.98Mbps download, 839.43Mbps upload).
https://www.speedtest.net/result/d/13eb3655-c102-476e-975a-faf3d1c465f0

2. iperf3 speedtest

iperf3 server --> Linux LxC container connected to the TUF-BE6500 LAN side with virtual Linux bridge (192.168.50.16)
iperf3 client --> the Acer laptop (192.168.18.x)

a) Wireguard client VPN OFF on the laptop-- the laptop cannot connect to the server since no access from the WAN side. This is expected.

PS C:\work\speedtest\iperf-3.16-win64> ping 192.168.50.16

Pinging 192.168.50.16 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.50.16:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

b) wireguard client VPN ON on the laptop-- the laptop can connect to the server because of the wireguard tunnel. This is expected. Download speed: 552Mbps; Upload speed: 732Mbps. A bit lower than the OOkla SpeedTest result, but still pretty high.

PS C:\work\speedtest\iperf-3.16-win64> ping 192.168.50.16

Pinging 192.168.50.16 with 32 bytes of data:
Reply from 192.168.50.16: bytes=32 time=1ms TTL=63
Reply from 192.168.50.16: bytes=32 time=1ms TTL=63
Reply from 192.168.50.16: bytes=32 time=1ms TTL=63
Reply from 192.168.50.16: bytes=32 time=2ms TTL=63

Ping statistics for 192.168.50.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

PS C:\work\speedtest\iperf-3.16-win64> .\iperf3.exe -c  192.168.50.16 -R
Connecting to host 192.168.50.16, port 5201
Reverse mode, remote host 192.168.50.16 is sending
[  5] local 10.6.0.2 port 14149 connected to 192.168.50.16 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  57.4 MBytes   480 Mbits/sec
[  5]   1.00-2.00   sec  63.4 MBytes   531 Mbits/sec
[  5]   2.00-3.00   sec  67.2 MBytes   566 Mbits/sec
[  5]   3.00-4.00   sec  64.4 MBytes   540 Mbits/sec
[  5]   4.00-5.00   sec  68.9 MBytes   576 Mbits/sec
[  5]   5.00-6.00   sec  67.8 MBytes   568 Mbits/sec
[  5]   6.00-7.00   sec  66.4 MBytes   556 Mbits/sec
[  5]   7.00-8.00   sec  67.9 MBytes   571 Mbits/sec
[  5]   8.00-9.01   sec  67.6 MBytes   562 Mbits/sec
[  5]   9.01-10.00  sec  67.0 MBytes   566 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   659 MBytes   552 Mbits/sec  578             sender
[  5]   0.00-10.00  sec   658 MBytes   552 Mbits/sec                  receiver

iperf Done.

PS C:\work\speedtest\iperf-3.16-win64> .\iperf3.exe -c  192.168.50.16
Connecting to host 192.168.50.16, port 5201
[  5] local 10.6.0.2 port 14169 connected to 192.168.50.16 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  85.5 MBytes   716 Mbits/sec
[  5]   1.00-2.00   sec  85.2 MBytes   715 Mbits/sec
[  5]   2.00-3.01   sec  97.1 MBytes   809 Mbits/sec
[  5]   3.01-4.00   sec  87.1 MBytes   735 Mbits/sec
[  5]   4.00-5.00   sec  90.4 MBytes   759 Mbits/sec
[  5]   5.00-6.00   sec  79.6 MBytes   667 Mbits/sec
[  5]   6.00-7.00   sec  83.8 MBytes   705 Mbits/sec
[  5]   7.00-8.01   sec  97.0 MBytes   808 Mbits/sec
[  5]   8.01-9.00   sec  82.9 MBytes   699 Mbits/sec
[  5]   9.00-10.01  sec  84.9 MBytes   707 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.01  sec   874 MBytes   732 Mbits/sec                  sender
[  5]   0.00-10.01  sec   872 MBytes   731 Mbits/sec                  receiver

iperf Done.

 

[xiaofan]

The reason for Wireguard speeds is that it is by far the fastest VPN protocol around, secure and is very easy to set up on a commercial Asus or TP-Link router. I do notice the Deco and Aginet series don't have Wireguard yet. Only IPSEC, PPTP and OpenVPN.

Some Deco routers should support Wireguard VPN server/client.

Indeed Aginet routers like EB810v and HB810/HB710 do not have Wireguard support as of now.

Example: Deco BE85 (the website spec does not mention the support but they are supported).
https://forums.hardwarezone.com.sg/threads/asus-zenwifi-bt10-discussion.7067525/page-7

Hi bro, good and bad news.
No support for DoH (DNS over HTTPS) and DoT (DNS over TLS)
Wireguard Support for Client/Server is supported.
Good news, now you are able to set channels/Channel bandwidth manually for Deco BE85. I saw the options available now.

VPN Client

VPN Server

 

[xiaofan]

For those who have the capabilities to test Wireguard VPN server performance, please help to share the results. Thanks.

Popular ones:

With Slower CPU:
TP-Link Archer BE230: about 315Mbps
TP-Link Archer BE550:
TP-Link Deco BE65
Asus TUF-BE6500: about 600Mbps
Asus RT-BE92U
Asus ZenWiFi BT10

With Fast flagship CPU:
TP-Link Archer BE805:
TP-Link Deco BE85:
TP-Link BE800:
TP-Link GE900
Asus RT-BE86U:
Asus RT-BE88U:
Asus ROG GT-BE98:
ASUS ZENWiFi BQ16:

 

[xiaofan]

From what I gathered for Asus routers.

BCM4908 CPU (eg: , RT-AX86U and GT-AX11000) --> about 400Mbps to 500Mbps.
BCM4912 CPU: (eg: RT-AX86U Pro, GT-AX6000, GT-AX11000 Pro and GT-AXE16000) --> 600Mbps to 800Mbps
BCM4916 CPU: (eg: GT-BE98) --> >=1Gbps

Test results for Asus RT-AX86U WiFi 6 router (Broadcom BCM4908 CPU, quad-core Arm Cortex A53 at 1.8GHz) Wireguard VPN Server performance.

With wireguard tunnel connection:
OOkla SpeedTest result: 446.99 Mbps download, 610.61 Mbps upload
iperf3 test result: 538 Mbps download; 690 Mbps upload.

So we can say Asus RT-AX86U wireguard server speed is roughly about 440-540 Mbps download, 610-690 Mbps upload.

Wireguard VPN Server on RT-AX86U router, 1G WAN port connected to a 10G/2.5G switch's 2.5G LAN port (Double NAT behind my main OpenWRT router, Singtel 5Gbps plan).

Client: Acer Swift 3 early 2021 model (Intel Core i5-1135G7 CPU, 16GB/512GB, Windows 11 24H2) with Ugreen USB to 2.5G network adapter, connected to the same 10G/2.5G switch's 2.5G LAN port.

1. OOkla SpeedTest result
a) Wireguard client VPN OFF on the laptop (2368.21 Mbps download, 2366.13 Mbps upload).
https://www.speedtest.net/result/d/d64cda9e-23f1-4796-acbb-7a55eb066ce5

b) wireguard client VPN ON on the laptop (446.99 Mbps download, 610.61 Mbps upload).
https://www.speedtest.net/result/d/7e643435-942c-4ce4-953d-a8135bf2265a

2. iperf3 speedtest

iperf3 server --> Linux LxC container connected to the RT-AX86U 2.5G LAN port with virtual Linux bridge (192.168.250.133)
iperf3 client --> the Acer laptop (192.168.18.x)

a) Wireguard client VPN OFF on the laptop-- the laptop cannot connect to the server since no access from the WAN side. This is expected.

PS C:\work\speedtest\iperf-3.16-win64> ping 192.168.250.133

Pinging 192.168.250.133 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.250.133:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

b) wireguard client VPN ON on the laptop-- the laptop can connect to the server because of the wireguard tunnel. This is expected. Download speed: 538 Mbps; Upload speed: 690 Mbps. This is actually higher than the OOkla SpeedTest result.

PS C:\work\speedtest\iperf-3.16-win64> ping 192.168.250.133

Pinging 192.168.250.133 with 32 bytes of data:
Reply from 192.168.250.133: bytes=32 time=1ms TTL=63
Reply from 192.168.250.133: bytes=32 time=2ms TTL=63
Reply from 192.168.250.133: bytes=32 time=2ms TTL=63
Reply from 192.168.250.133: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.250.133:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

PS C:\work\speedtest\iperf-3.16-win64> .\iperf3.exe -c  192.168.250.133 -R
Connecting to host 192.168.250.133, port 5201
Reverse mode, remote host 192.168.250.133 is sending
[  5] local 10.6.0.2 port 11867 connected to 192.168.250.133 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec  65.2 MBytes   541 Mbits/sec
[  5]   1.01-2.01   sec  61.6 MBytes   517 Mbits/sec
[  5]   2.01-3.01   sec  62.6 MBytes   525 Mbits/sec
[  5]   3.01-4.01   sec  62.6 MBytes   526 Mbits/sec
[  5]   4.01-5.01   sec  66.2 MBytes   557 Mbits/sec
[  5]   5.01-6.01   sec  65.9 MBytes   550 Mbits/sec
[  5]   6.01-7.01   sec  63.5 MBytes   535 Mbits/sec
[  5]   7.01-8.01   sec  64.8 MBytes   543 Mbits/sec
[  5]   8.01-9.00   sec  64.4 MBytes   545 Mbits/sec
[  5]   9.00-10.01  sec  65.9 MBytes   545 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.02  sec   644 MBytes   539 Mbits/sec  908             sender
[  5]   0.00-10.01  sec   643 MBytes   538 Mbits/sec                  receiver

iperf Done.

PS C:\work\speedtest\iperf-3.16-win64> .\iperf3.exe -c  192.168.250.133
Connecting to host 192.168.250.133, port 5201
[  5] local 10.6.0.2 port 11895 connected to 192.168.250.133 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  70.9 MBytes   593 Mbits/sec
[  5]   1.00-2.00   sec  84.2 MBytes   708 Mbits/sec
[  5]   2.00-3.01   sec  85.9 MBytes   711 Mbits/sec
[  5]   3.01-4.01   sec  83.4 MBytes   701 Mbits/sec
[  5]   4.01-5.01   sec  84.8 MBytes   715 Mbits/sec
[  5]   5.01-6.01   sec  85.5 MBytes   718 Mbits/sec
[  5]   6.01-7.00   sec  86.0 MBytes   723 Mbits/sec
[  5]   7.00-8.00   sec  85.5 MBytes   718 Mbits/sec
[  5]   8.00-9.00   sec  74.8 MBytes   627 Mbits/sec
[  5]   9.00-10.02  sec  83.4 MBytes   689 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.02  sec   824 MBytes   690 Mbits/sec                  sender
[  5]   0.00-10.02  sec   824 MBytes   690 Mbits/sec                  receiver

iperf Done.

 

[xiaofan]

Thanks for the info. Looks like the current crop of WiFi 7 routers with 10Gbps ports have the ability to use Wireguard at 800Mbps-1Gbps, which is good enough for almost anyone accessing LAN remotely.

1. I think the flagship CPUs for the WiFi 7 routers are all pretty strong, all of them should be able to hit above >800Mbps or even >1Gbps Wireguard VPN server speed.

Qualcomm IPQ 9570/9574 CPU with NPU, Arm Cortex A73 Quad-core at 2.2 GHz --> top of the line CPU, CPU used by flagship TP-Link WiFi 7 routers, like TP-Link Archer BE800, GE800, Deco BE85

Qualcomm IPQ 9550/9554 CPU with NPU, Arm Cortex A73 Quad-core CPU 1.5GHz (up to 2.2GHz?)-->Archer BE550

Broadcom BCM4916, Arm Cortex A53 Quad-core at 2.6GHz --> CPU used by flagship Asus routers (ROG GT-BE98 and ZenWiFi BQ16) and Netgear Nighthawk RS700S.

MediaTek Filogic 880 platform MT7988AV CPU, Arm Cortex A73 Quad-core at 1.8GHz --> used by TP-Link Archer BE805 and Banana Pi BPI-R4.

2. Mid-high range CPU but not common yet (other than China WiFi 7 routers which usually do not support Wireguard VPN server).

MediaTek Filogic 860 platform, MT7988DV CPU, Arm Cortex A73 Tri-core at 1.8GHz --> used by Asus RT-BE14000 (not available in Singapore)

3. It is interesting to check out the performance of the mid-range CPUs.

Qualcom IPQ5322, Arm Cortex A53 quad-core at 1.5GHz with NPU --> used by Asus TUF-BE6500

Broadcom BCM6765 CPU, Arm Cortex A53 quad-core at 2.0GHz --> used by Asus ZenWiFi BT10 and RT-BE92U

Broadcom BCM6764 CPU, , Arm Cortex A53 quad-core at 2.0GHz--> TP-Link Archer BE230 and Asus TUF-BE3600

4. Reference WiFi 7 chipset.
https://en.techinfodepot.shoutwiki.com/wiki/List_of_802.11be_Hardware

 

[xiaofan]

Asus RT-BE92U and TP-Link Archer BE550 Wireguard VPN performance here (not clear it is wireguard VPN server of client). German language Youtube Video.

Asus RT-BE92U -- 752 Mbps download, 503 Mbps upload
TP-Link Archer BE550 -- 1682 Mbps download, 1232 Mbps upload.

The author mentions that Asus Wireguard VPN implementation only uses two core of the CPU and not 4-core.

Then Archer BE550 seems to use Qualcomm Network Pro 620 Quad-Core ARM A73 CPU (IPQ 9554) which is much faster than the BCM6755 CPU used in RT-BE92U.
https://www.qualcomm.com/content/da...tworking-Pro-620-product-brief_87-PW328-1.pdf

 

[xiaofan]

More Wireguard VPN performance data here (not clear it is wireguard VPN server of client). German language Youtube Video.

The author mentions that Asus Wireguard VPN implementation only uses two core of the CPU and not 4-core.

Asus ROG GT-BE19000 -- 889 Mbps download, 748 Mbps upload (BCM 4916 CPU)
Asus ROG GT-BE98 -- 1058 Mbps download, 735 Mbps upload (BCM 4916 CPU)
Asus RT-BE88U -- 1134 Mbps download, 677 Mbps upload (BCM 4916 CPU)
Asus RT-BE92U -- 752 Mbps download, 503 Mbps upload (BCM6755/6754 CPU)
TP-Link Archer GE800 -- 2113 Mbps download, 1057 Mbps upload (IPQ9574 CPU)
TP-Link Archer BE800 -- 2114 Mbps download, 1979 Mbps upload (IPQ9574 CPU)
TP-Link Archer BE550 -- 1682 Mbps download, 1232 Mbps upload (IPQ9554 CPU)
TP-Link Archer BE230 -- 865 Mbps download, 814 Mbps upload (BCM6755/6754 CPU)