[HN Gopher] WireGuard Performance with a Pi Zero (2019)
___________________________________________________________________
WireGuard Performance with a Pi Zero (2019)
Author : yamrzou
Score : 63 points
Date : 2024-10-19 17:19 UTC (5 hours ago)
(HTM) web link (oct8l.gitlab.io)
| ThePowerOfFuet wrote:
| Saved you a click:
|
| >As expected, the speed is around 90 megabits per second, as the
| Pi Zero has a USB 2.0 OTG port, and I'm using a 100mb ethernet
| adapter for it.
| ZeKK14 wrote:
| That's the result without wireguard. With wireguard:
|
| > depending on the use case for a Pi Zero WireGuard server, it
| could get the job done with ~30-40 megabits per second speed
| capabilities.
| ThePowerOfFuet wrote:
| Right you are! Was not clear at all at first glance.
| flemhans wrote:
| Anyone got any opinions on max number of tunnels? How does
| performance degrade as you have thousands of simultaneous
| tunnels?
| TomK32 wrote:
| This from 2018 says the max number per interface is 2^20 for
| the kernel module but it can be raised.
| https://news.ycombinator.com/item?id=17093621
| yamrzou wrote:
| Does anyone have suggestions for the smallest physical device
| that can function as a WireGuard server or a Tailscale exit node
| with decent performance?
| twic wrote:
| I run a WireGuard server on my wireless router. The router
| itself is not tiny, the size of a two-inch-thick trade
| paperback. But the marginal size of the WireGuard device is
| zero, because i need the router anyway.
| toomuchtodo wrote:
| I have had great luck with https://www.gl-inet.com/ travel
| routers as line speed Wireguard endpoints. Works on fiber and
| StarLink equally well.
| aborsy wrote:
| They also have a Tailscale plug-in. You have to trust the
| company out of China or HK, though.
| dbrueck wrote:
| I agree with this recommendation - they work great with
| Wireguard. And if you're travelling, some of the features
| like handling captive portals are handy.
| yamrzou wrote:
| They are good wireguard _clients_ but not servers
| zekica wrote:
| What's the difference?
| yamrzou wrote:
| On GL.iNet website they state: "OpenVPN and WireGuard
| speeds will be slower when running the device as a
| server. Results above are in client mode."
| dudus wrote:
| The Lenovo Thinkcentre M series tiny or a HP mini are the sweet
| spot for me.
|
| For less than $200 you can get a used one with 16GB of RAM and
| a fast SSD.
|
| For home servers I want low power usage and reliability. Mine
| idle at 5W running proxmox.
| caconym_ wrote:
| This explicitly doesn't answer your question as written, but
| just in case it's relevant to you anyway: you can run something
| like pfSense in a VM on a server or really any machine you have
| available on the network where you want an exit node. At least
| on Linux, the software networking support is good enough to
| make such a VM appear as just another machine on the network
| the VM host is connected to.
|
| My primary home router is a pfSense VM set up as a Wireguard
| peer for tunneling in from various other devices and locations,
| and I'm very happy with it.
| KaiserPro wrote:
| Probably something like an n100 based "NUC" type deal. It has
| loads of float performance and is much better suited to being a
| "server" than a pi (much as I love the pi)
| zamadatix wrote:
| If the goal is smallest VPN box instead of best for the price
| server then the float performance doesn't really matter much
| and both are probably overkill -> too large. Both the n100
| and the pi 5 can reach multiple gbps of wireguard throughput,
| whatever you can get in the smaller total form factor is more
| ideal than ridiculous throughput.
|
| A table of devices and wg speeds can be found here
| https://forum.openwrt.org/t/a-wireguard-comparison-db/187586.
| There are plenty of interesting tiny options, particularly if
| you don't need a full gig.
| Hamuko wrote:
| I'm currently using my Unifi Cloud Gateway Ultra router as a
| Wireguard server for my home network and it's at least somewhat
| compact with good performance. Before that I used to have a
| Dell WYSE 3040 that's also quite compact but maybe a bit less
| so on the performance side.
| poisonborz wrote:
| GLiNet AR300M Travel router. I don't think you could make a
| smaller one even going DIY (with a case, that is). Perf is 50mb
| with Wireguard officially.
| petepete wrote:
| Maybe not the absolute smallest but Unifi cloud gateways are
| very small.
|
| https://ui.com/us/en/cloud-gateways/compact
| issafram wrote:
| I have a Pi 4 and ran Wireguard/PiHole on it for a few years
| before the SD card died.
|
| I decided to install Ubuntu on a 6 year old Dell XPS computer. I
| now run Wireguard/PiHole strictly on docker and it is incredibly
| fast. Changed my settings to auto start the PC after a power
| loss. I haven't had any downtime for the containers. I'll stick
| to my custom docker compose file forever.
| chao- wrote:
| Would you share said compose file?
| stavros wrote:
| I can't speak to the Compose file itself, but I use Compose
| to run stuff myself on an intel NUC and it has been amazing.
| Orders of magnitude faster than a Pi, super stable, tiny, I
| just love it.
|
| I even wrote a utility to manage the bunch of Compose files
| via git and automatically update them when I push changes to
| the repo: https://harbormaster.readthedocs.io/en/latest/
| disqard wrote:
| Thank You For Making And Sharing :D
| fnord77 wrote:
| Does the XPS use a lot more power than the pi 4?
| ycuser2 wrote:
| The only thing is the higher energy consumption.
| ignoramous wrote:
| WireGuard shouldn't consume energy when idle. Turn off
| _KeepAlive_ , if your network setup allows for it (on most
| platforms, the official WireGuard implementation can _roam_
| just fine).
| abound wrote:
| I think they meant in case of the Pi vs Dell XPS
| irunmyownemail wrote:
| I don't use the expensive Pi devices and like the parent
| commenter, I use an old laptop with a 4 Gig VM, host Ubuntu,
| VM Ubuntu and it runs my kube cluster as well as a separate
| kube cluster on the host itself. If it used much power, my
| wife would be on me about it. PS I don't use Snap.
| doublepg23 wrote:
| Significantly more though? I think people overestimate x86
| idle power draw.
| fnord77 wrote:
| > I'd say that if you're planning on using WireGuard on an iOS
| device with the On-Demand Activation for untrusted wi-fi networks
| when away from the house, this should get the job done to protect
| you on public wi-fi networks. If the goal is permanent, high
| throughput usage, I would recommend a more powerful box to run
| WireGuard.
|
| A zoom meeting on a phone is pretty high throughput...
| PhilipRoman wrote:
| Is it really? For personal use I find that anything except file
| transfers uses a tiny amount of bandwidth (few MBit/s at most).
| That includes stuff like video calls, remote desktop, youtube,
| etc.
| whatevermom wrote:
| Has someone a recommendation for a travel router where I could 1/
| setup a WG VPN to encapsulate all my traffic 2/ connect to a
| Tailscale network?
| abound wrote:
| One of the GL.iNet travel routers [1] would probably work for
| you. They run OpenWRT (or a thin veneer around it), so you can
| SSH in and install packages and whatnot. They explicitly
| advertise Wireguard-based VPN support.
|
| I don't have one of their travel routers, but I have a Flint 2.
|
| [1] https://store.gl-inet.com/collections/travel-ac-router
| EQYV wrote:
| I haven't managed to get the built in tailscale
| route-through-exit-node functionality working on my router. Have
| you / others had success?
| abound wrote:
| Ah I have not. I run a Headscale instance, but my router
| knows nothing about my Tailnet
| tarruda wrote:
| I recommend installing tailscale client on your devices instead
| of carrying an additional device/router
| ssl-3 wrote:
| I'll go ahead and install Tailscale on my PS5, then.
|
| Thanks!
| throw4950sh06 wrote:
| Why would you need it there? Serious question, would love
| the use case inspiration.
| homebrewer wrote:
| PlayStation store is not available in many regions, mine
| included. Not that I personally care, it doesn't make
| sense to support businesses that treat you like a lesser
| being.
| planetafro wrote:
| Also remote play is amazing!
| sweeter wrote:
| Chiaki for the SteamDeck is amazing. I love playing
| Bloodborne on the go.
| amatecha wrote:
| Yeah, GL.iNet GL-AR300M16-Ext is perfect for this purpose, very
| affordable and compact. You can configure the wireguard client,
| and then "Block non-VPN traffic" so it allows ONLY connecting
| through the VPN. Very handy! GL-SFT1200 should be a great
| option as well, currently the cheapest GL.iNet markets for
| their "travel AP" line, and you can run Tailscale on it[0]. I'm
| not sure about the AR300M16.
|
| ("Ext" means it comes with external antennas, version without
| that suffix has internal antenna if you want it to be even more
| compact)
|
| [0] https://forum.gl-inet.com/t/tutorial-tailscale-on-gl-sf1200-...
| fragmede wrote:
| Damn that one looks pretty good. Are there any with usb-c so
| I can hook my laptop to it via a usb-c cable and get a usb
| Ethernet gadget device, and can then carry one fewer cat-5
| cable?
| sandreas wrote:
| I'd go for a NanoPI R6S[1]. This thing is a 4 Core beast with
| USB-C Power Supply support. OpenWRT Support via snapshot, see
| ToH[2].
|
| If this is too expensive, you could also go for a NanoPi
| R4S[3], but I wouldn't. The N6S is worth the additional cost.
|
| If you need wifi, there is the R5C[4].
|
| 1:
| https://www.friendlyelec.com/index.php?route=product/product...
|
| 2: https://openwrt.org/toh/views/toh_available_16128
|
| 3:
| https://www.friendlyelec.com/index.php?route=product/product...
|
| 4:
| https://www.friendlyelec.com/index.php?route=product/product...
| danieldk wrote:
| The Rockchip in the R6S is very powerful, though depending on
| what you want to do there may be better options. The R6S
| doesn't have hardware offloading in OpenWrt. Many Mediatek
| Filogic SoCs do, so they can do NAT, routing, PPPoE, etc.
| while the CPU is almost idle. Banana Pi R3/R4 are good
| options or if you want something that is more of a ready-to-use
| product and doesn't require SFP modules, the GL.iNet
| MT-6000 is really cool: https://www.gl-inet.com/products/gl-mt6000/
|
| Runs their fork of OpenWrt with a user-friendly interface
| (though LuCi is also available) and you can also flash
| vanilla OpenWrt. They also have smaller travel models.
|
| Of course if you use stuff that needs to run on the CPU (like
| Cake), then the R6S will be faster.
| sandreas wrote:
| I personally own a Banana Pi R3 as my main router and it's
| awesome. Unfortunately, it is pricey and pretty big for a
| travel router (besides the fact that it must be assembled).
| The MT6000 is even bigger. And you have to carry an extra
| power supply.
|
| For traveling I use a Gl.inet Beryl (GL-MT1300), which is
| nice, but not very powerful. Nowadays I would probably go
| for a GL-MT3000[1], if there wasn't the NanoPi R5C, which
| is small, powerful, supports OpenWRT and has Wifi.
|
| As a note: I thought about having Wifi via USB, but the
| stability and performance of USB-Wifi is nowhere near the
| integrated / miniPCIe stuff. So if wifi is a requirement,
| this might be important.
|
| 1:
| xyst wrote:
| Is the idea of a travel router for the purpose of making sure
| there are no leaks while using a VPN on a publicly accessible
| AP?
|
| Client devices -> "travel router" with WG -> public AP
|
| My preferred way is to enable WG on-demand for devices and
| immediately detect if WiFi or Ethernet is not my home internet.
|
| Client devices (phone, laptop) with WG -> public AP
|
| Or is there some other purpose?
| ssl-3 wrote:
| One advantage of a travel router, to me, is convenience. It's
| pretty great to have my own (portable!) LAN while out and
| about.
|
| I just show up at the hotel and get my router online.
|
| After configuring that singular device, my other stuff all
| works together: My Chromecast, my laptop, my smart speaker,
| whatever gaming system I may have, some ESP32 project or
| other that I've been tinkering with, or whatever -- I just
| turn stuff on and it simply works.
|
| With a travel router that _additionally_ uses VPN to tie my
| travel LAN to my home LAN, then: Whatever other network
| services I have at home are also available to me on the road.
|
| It can be very transparent.
|
| And that all conspires to mean that I can spend more time
| doing whatever it is that I feel like doing instead of
| futzing around with networking.
| spr-alex wrote:
| We (https://supernetworks.org/) have a Tailscale integration
| https://github.com/spr-networks/spr-tailscale and support Site
| destinations for devices. For our hardware products one thing
| we do need is to source a good carrying case for travel.
| mech422 wrote:
| Gotta plug my fav's - odroid h2/3/4's ...
|
| Low power, fairly cheap, x86 based, onboard NIC (sometimes 2),
| NVME/Sata and large memory support for lots of containers/etc.
| Also, low power draw! :-) I've been loving my H2+'s and I got
| some H4s in I need to find time to play with...
|
| 1.) https://ameridroid.com/products/odroid-h4-h4-h4-ultra
|
| 2.) https://ameridroid.com/products/odroid-h3 (dual nic)
| Sanzig wrote:
| I have an old Pi 3 installed at my mother-in-law's house running
| Tailscale (which uses WireGuard as its actual VPN layer). It is
| connected to my Tailnet along with my Jellyfin server, and I have
| nginx set up as a reverse proxy to expose the Jellyfin server on
| the LAN IP of the Pi. This way, she and her sons can access my
| Jellyfin server as if it were on their LAN - great option for
| non-technical relatives.
|
| This setup has been in place about a year now and just works. The
| Pi can handle about 50 Mbit bidirectional over WireGuard, which
| is sufficient even for a couple of 4K media streams. I am planning
| to duplicate this setup at some other relatives' homes.
| yamrzou wrote:
| Is it a Pi 3 B+?
| sweeter wrote:
| any advice setting something like this up? Also, wouldn't that
| get expensive?
| NavinF wrote:
| Why would it be expensive?
| telgareith wrote:
| Because an 8gb rpi4 costs close to $160. You can buy a
| m920q i3 with more compute- and with a similar amount of
| RAM (Conversion losses, Storage, and then Cooling or RAM(a
| few watts per 8gb) are the largest power consumers) and it
| can do a lot more than 50mbit. It might actually use less
| power than the rpi4. And, it could replace whatever is
| powering the TV display.
|
| Of course, choose your power supply badly and both those
| sub 10W machines will be 50W at the wall.
| sweeter wrote:
| I also thought that Tailscale would probably incur some
| type of charges after using it that much, though I'm not
| super familiar with their free tier policies and how
| sustainable they are in the long-term.
| NavinF wrote:
| They're not proxying your data. That's why there are no
| usage limits
| NavinF wrote:
| Wat.
|
| - You're replying to a thread about someone using a 1GB
| Pi 3 to stream multiple 4K movies. It's $44 on Amazon
| including fast shipping. Cheaper on eBay if you can wait
| 3 days.
|
| - The 8GB Pi 4 is $75 on canakit, not $160.
|
| Anyway if you want more compute (on an edge device?
| why?), why not grab a AM4 board and CPU for like $80
| each? That's 25W at the wall and gives you a ton of
| flexibility if you later wanna repurpose the machine
| adding GPUs, NVMe, SAS enclosures, etc
| j-krieger wrote:
| > This setup has been in place about a year now and just works
|
| For some reason, even with ram-only fs and all common tricks,
| my Sandisk SD cards keep failing. Do you have any tips?
| vinni2 wrote:
| I had this problem with Pi 4. After frying several SD cards I
| found out you can set up a read-only file system, and since then
| no problems for 3 years now.
| https://core-electronics.com.au/guides/read-only-raspberry-p...
___________________________________________________________________
(page generated 2024-10-19 23:01 UTC)