WireGuard on (current | 6.8 and higher)
WireGuard on OpenBSD
OpenBSD added wg to the kernel a while ago, so why not have a look at it and run some speed tests?
Setup
CLIENT1 — WireGuard — CLIENT2
and running tcpbench between Client1 and Client2
Fire up VMs
Stage 3 VMs on my little Proxmox server (Intel NUC)
host | nic | ip | wg nic | ip |
---|---|---|---|---|
Client1 | em0 | 192.168.108.7 | wg0 | 10.0.0.1 |
WireGuard | em0 | 192.168.108.8 | wg0 | 10.0.0.2 |
Client2 | em0 | 192.168.108.0 | wg0 | 10.0.0.3 |
wg_overlay: 10.0.0.0/24
Upgrade to current
WireGuard will be fully implemented in version 6.8 (Fall 2020), so you have to go with current and install the latest snapshot:
sysupgrade -s
update packages and add wg tools
pkg_add -Vu
pkg_add wireguard-tools--
Server
r=$(openssl rand -base64 32)
cat << EOF > /etc/hostname.wg0
wgkey ${r}
wgport 2222
inet 10.0.0.1/24
up
EOF
sh /etc/netstart wg0
ifconfig wg0
Check the wgpubkey line in the output (here: wgpubkey ipt2F1Y1Ue9vOvZS9YxBvThBWV2m589rqCsn1cPoL1k=).
Client 1
Put the server's public key into the “pub” variable. This host will get IP 10.0.0.2.
pub="ipt2F1Y1Ue9vOvZS9YxBvThBWV2m589rqCsn1cPoL1k="
wg_server=192.168.109.8
wg_port=2222
myip=10.0.0.2
r=$(openssl rand -base64 32)
cat << EOF > /etc/hostname.wg0
wgkey ${r}
wgpeer ${pub} wgendpoint ${wg_server} ${wg_port} wgaip 0.0.0.0/0
inet ${myip}/24
up
EOF
sh /etc/netstart wg0
ifconfig wg0
Client 2
Put the server's public key into the “pub” variable. This host will get IP 10.0.0.3.
pub="ipt2F1Y1Ue9vOvZS9YxBvThBWV2m589rqCsn1cPoL1k="
wg_server=192.168.109.8
wg_port=2222
myip=10.0.0.3
r=$(openssl rand -base64 32)
cat << EOF > /etc/hostname.wg0
wgkey ${r}
wgpeer ${pub} wgendpoint ${wg_server} ${wg_port} wgaip 0.0.0.0/0
inet ${myip}/24
up
EOF
sh /etc/netstart wg0
ifconfig wg0
Add Clients to Server Config
Add two wgpeer lines to /etc/hostname.wg0 on the server, one for each client. You get each client's public key by running ifconfig wg0 on that client.
wgkey wJJkpNL5Ax/Ol0tbEWCvJVxw1T17NdH6wMSR2DV2IcY=
wgport 2222
wgpeer TFd5zJwnm/NyZPWteBL1VdM1YbzGiOCcx6PEQDYMUAs= wgaip 10.0.0.2/32
wgpeer tWLF0TaK8fObpan2hzxIcgndnK+MCFhi2Bb4HdARmHM= wgaip 10.0.0.3/32
inet 10.0.0.1/24
up
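The server file above can also be generated instead of edited by hand. The following is an added example, not part of the original post: it builds the wgpeer lines from a list of client public keys and overlay addresses, rejects malformed keys, addresses outside 10.0.0.0/24 and duplicates, and writes the file with a restrictive umask because it contains the private key. The function names and the input format are assumptions.

```shell
#!/bin/sh
# Added example, not the author's code. Input lines: "<public key> <overlay ip>".

# A WireGuard key is 32 bytes: 43 base64 characters plus one '=' pad.
valid_key() {
	printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Accept only host addresses inside the page's 10.0.0.0/24 overlay.
valid_overlay_ip() {
	printf '%s\n' "$1" |
	    grep -Eq '^10\.0\.0\.([1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-4])$'
}

# peer_lines: read "key ip" pairs on stdin, print one wgpeer line per client.
# Fails on a malformed key, an address outside the overlay, or a duplicate:
# an allowed IP can belong to only one peer.
peer_lines() {
	seen=" "
	while read -r key ip; do
		[ -z "$key" ] && continue
		valid_key "$key" || { echo "bad key: $key" >&2; return 1; }
		valid_overlay_ip "$ip" || { echo "bad ip: $ip" >&2; return 1; }
		case "$seen" in
		*" $key "*|*" $ip "*) echo "duplicate: $key $ip" >&2; return 1 ;;
		esac
		seen="$seen$key $ip "
		printf 'wgpeer %s wgaip %s/32\n' "$key" "$ip"
	done
}

# write_server_conf <private key> <port> <server ip> <outfile>; peers on stdin.
write_server_conf() {
	peers=$(peer_lines) || return 1
	(
		umask 077	# the file holds the private key
		printf 'wgkey %s\nwgport %s\n%s\ninet %s/24\nup\n' \
		    "$1" "$2" "$peers" "$3" > "$4"
	)
}

# Demo with the two client public keys shown on this page.
peer_lines <<EOF
TFd5zJwnm/NyZPWteBL1VdM1YbzGiOCcx6PEQDYMUAs= 10.0.0.2
tWLF0TaK8fObpan2hzxIcgndnK+MCFhi2Bb4HdARmHM= 10.0.0.3
EOF
```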
enable ip forwarding on server
echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1
disable pf
For our testing, we can disable the packet filter on all three machines. Don't do this in production!
pfctl -d
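For a setup that keeps pf enabled, a minimal ruleset for the WireGuard server could look like the following. This is an added example, not part of the original post: the interface names, port 2222 and the 10.0.0.0/24 overlay are taken from this page, while the ssh management rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a minimal pf ruleset for the WireGuard server, as an
# alternative to `pfctl -d`. The ssh rule and function names are assumptions.

# wg_pf_rules <ext_if> <wg_if> <wg_port> <overlay_cidr>
wg_pf_rules() {
	cat <<EOF
set skip on lo
block return
# the server's own outbound traffic
pass out on $1
# management access (assumption: ssh on the LAN side)
pass in on $1 inet proto tcp to ($1) port ssh
# encrypted WireGuard packets from the peers
pass in on $1 inet proto udp to ($1) port $3
# decrypted overlay traffic entering and leaving the tunnel interface
pass on $2 inet from $4 to $4
EOF
}

# Parse the ruleset without loading it (pfctl -n), when pfctl is present.
wg_pf_check() {
	f=$(mktemp) || return 1
	wg_pf_rules "$@" > "$f"
	rc=0
	if command -v pfctl >/dev/null 2>&1; then
		pfctl -nf "$f" || rc=1
	fi
	rm -f "$f"
	return $rc
}

# Print the rules for the server described on this page.
wg_pf_rules em0 wg0 2222 10.0.0.0/24
```

On the server, wg_pf_check em0 wg0 2222 10.0.0.0/24 parses the rules with pfctl -n before anything is loaded.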
run tcpbench
Client2 acting as Server
root@client2 ~# tcpbench -s
elapsed_ms bytes mbps bwidth
Client1 acting as Client
root@client1 ~# tcpbench -t 20 10.0.0.3
elapsed_ms bytes mbps bwidth
1000 25238232 201.906 100.00%
Conn: 1 Mbps: 201.906 Peak Mbps: 201.906 Avg Mbps: 201.906
2000 35085096 280.681 100.00%
Conn: 1 Mbps: 280.681 Peak Mbps: 280.681 Avg Mbps: 280.681
3000 39834792 318.678 100.00%
Conn: 1 Mbps: 318.678 Peak Mbps: 318.678 Avg Mbps: 318.678
4001 43376544 346.666 100.00%
Conn: 1 Mbps: 346.666 Peak Mbps: 346.666 Avg Mbps: 346.666
5003 44985312 359.523 100.00%
Conn: 1 Mbps: 359.523 Peak Mbps: 359.523 Avg Mbps: 359.523
6004 46803384 374.053 100.00%
Conn: 1 Mbps: 374.053 Peak Mbps: 374.053 Avg Mbps: 374.053
7004 47715840 381.727 100.00%
Conn: 1 Mbps: 381.727 Peak Mbps: 381.727 Avg Mbps: 381.727
8004 48947040 391.576 100.00%
Conn: 1 Mbps: 391.576 Peak Mbps: 391.576 Avg Mbps: 391.576
9005 48548952 388.004 100.00%
Conn: 1 Mbps: 388.004 Peak Mbps: 391.576 Avg Mbps: 388.004
10007 49298616 393.995 100.00%
Conn: 1 Mbps: 393.995 Peak Mbps: 393.995 Avg Mbps: 393.995
11007 49911480 399.292 100.00%
Conn: 1 Mbps: 399.292 Peak Mbps: 399.292 Avg Mbps: 399.292
12008 49873176 398.985 100.00%
Conn: 1 Mbps: 398.985 Peak Mbps: 399.292 Avg Mbps: 398.985
13009 51122160 408.569 100.00%
Conn: 1 Mbps: 408.569 Peak Mbps: 408.569 Avg Mbps: 408.569
14010 51388920 410.701 100.00%
Conn: 1 Mbps: 410.701 Peak Mbps: 410.701 Avg Mbps: 410.701
15011 50676192 405.410 100.00%
Conn: 1 Mbps: 405.410 Peak Mbps: 410.701 Avg Mbps: 405.410
16011 51621480 413.385 100.00%
Conn: 1 Mbps: 413.385 Peak Mbps: 413.385 Avg Mbps: 413.385
17013 52637904 420.683 100.00%
Conn: 1 Mbps: 420.683 Peak Mbps: 420.683 Avg Mbps: 420.683
18012 52310952 418.907 100.00%
Conn: 1 Mbps: 418.907 Peak Mbps: 420.683 Avg Mbps: 418.907
19013 53179632 425.012 100.00%
Conn: 1 Mbps: 425.012 Peak Mbps: 425.012 Avg Mbps: 425.012
20015 52215192 417.304 100.00%
Conn: 1 Mbps: 417.304 Peak Mbps: 425.012 Avg Mbps: 417.304
--- 10.0.0.3 tcpbench statistics ---
997016184 bytes sent over 20.999 seconds
bandwidth min/avg/max/std-dev = 201.906/377.753/425.012/53.871 Mbps
Checking WG Server
Forwarding Packets
root@server ~# vnstat -i wg0 -l
Monitoring wg0... (press CTRL-C to stop)
rx: 397.60 Mbit/s 54239 p/s tx: 395.65 Mbit/s 54314 p/s
CPU Load
load averages: 2.71, 1.09, 0.45 server 17:47:06
33 processes: 32 idle, 1 on proc up 0:08
CPU0 states: 0.0% user, 0.0% nice, 76.2% sys, 1.6% spin, 20.6% intr, 1.6% idle
CPU1 states: 0.0% user, 0.0% nice, 79.2% sys, 1.2% spin, 0.0% intr, 19.6% idle
Memory: Real: 26M/657M act/tot Free: 315M Cache: 194M Swap: 0K/1024M
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
1 root 10 0 456K 400K idle wait 0:01 0.00% init
58982 root 2 0 1352K 3844K idle poll 0:01 0.00% sshd
2590 _pflogd 4 0 880K 592K sleep/1 bpf 0:00 0.00% pflogd
29193 root 18 0 1208K 1212K idle pause 0:00 0.00% ksh
62562 stoege 2 0 1324K 2596K sleep/1 select 0:00 0.00% sshd
93334 root 28 0 1128K 2972K onproc/0 - 0:00 0.00% top
25977 _ntp 2 -20 1056K 2912K sleep/0 poll 0:00 0.00% ntpd
52626 _smtpq 2 0 1668K 4136K idle kqread 0:00 0.00% smtpd
68600 stoege 18 0 1052K 1112K idle pause 0:00 0.00% ksh
4338 _smtpd 2 0 1576K 4164K idle kqread 0:00 0.00% smtpd
52634 _smtpd 2 0 1528K 4068K idle kqread 0:00 0.00% smtpd
10451 _ntp 2 0 900K 2536K idle poll 0:00 0.00% ntpd
38306 _smtpd 2 0 1452K 3940K idle kqread 0:00 0.00% smtpd
93966 _vnstat 10 0 528K 1252K sleep/1 nanosle 0:00 0.00% vnstatd
Systat [pigs]
1 users Load 2.60 2.23 1.27 server 17:55:08
PID USER NAME CPU 10\ 20\ 30\ 40\ 50\ 60\ 70\ 80\ 90\ 100\
<idle> 100.00 ############################################################
91114 root softnet 49.80 #############################
13361 root wg_crypt 31.01 ##################
15182 root wg_crypt 30.66 ##################
systat [uvm]
1 users Load 2.83 1.99 1.07 server 17:53:20
===== Page Counters ===== Stats Counters ===== Fault Counters
248604 npages 367040 FAULTS fltnoram
80027 FREE 361291 TRAPS fltnoanon
6975 active 2041095 INTRS fltnoamap
101256 inactive 4474543 SWTCH fltpgwait
paging 87322 SOFTS fltpgrele
2 wired 398225 SYSCALLS 144272 fltrelck
10015 zeropages pageins 143823 fltrelckok
4 reserve_pagedaemon pgswapin 80013 FLTANGET
6 reserve_kernel pgswapout fltanretry
527 forks 73499 fltamcopy
===== Pageout Params 2 forks_ppwait 4720 fltnamap
8286 freemin 35 forks_sharevm 74568 fltnomap
11048 freetarg 180497 pga_zerohit 170329 fltlget
inactarg 4300 pga_zeromiss 144272 fltget
82868 wiredmax 67814 FLT_ANON
25 anonmin ===== Daemon Counters 12199 flt_acow
12 vtextmin pdwoke 165301 flt_obj
25 vnodemin pdrevs 4579 flt_prcopy
10 anonminpct pdswout 117140 flt_przero
5 vtextminpct swpgonly
10 vnodeminpct pdfreed ===== Swap Counters
pdscans 1 nswapdev
===== Misc Counters pdanscan 262143 swpages
fpswtch pdobscan swpginuse
15 kmapent pdreact nswget
pdbusy
===== Constants pdpageouts
4096 pagesize pdpending
4095 pagemask pddeact
12 pageshift