Sanity check for VPN speeds

I have a wg server which is handicapped by a 100 Mbps connection. I have 2 clients on the same net which I wanted to run an iperf test with for my sanity.

When I run iperf3 using the local IP addresses given by my router I get the 10GBps I expect. When I run the same test using the 10.8.x.x wg VPN I get speeds of 100 Mbps.

I thought that when I connect 2 clients, they connect directly. These speeds make me think the traffic is being routed through the server.

Am I missing something?

"When I connect 2 clients, they connect directly."

Did you connect them directly?

Because if you didn't, then the only way they know how to talk to each other is through the VPN node that they are connected to.

That’s not how it works, they don’t auto-mesh like DMVPN would.

When you used the tunnel addresses they’re both piping out to the server and back.

When you used the LAN addresses they’re locally switched.

Unsure where the confusion lies.

They are 10.8.0.2 and 10.8.0.9 respectively. I thought that since they both have 10.8 addresses when I ping one from the other it’s a direct connection. Is there something I have to do to connect them directly besides giving them client configs?

I guess a part of me was hoping the clients would connect to each other directly once the server established their connection.

You made 2 VPN tunnels. If you draw a diagram of that then it will look like a V (i.e. 2 sides of a triangle).

If you want them to be able to communicate along the 3rd side of the triangle then you need to add another VPN tunnel.

But don't, because it gets complicated when you have to start thinking about routing and route metrics and multiple routes to the same destinations.

If you’re expecting that everything in your 10.8 network uses the WG network you’ve defined, that’s not necessarily true. It really depends on how you defined the WG network, how you configured your clients, how you configured the other network(s) and what the route table priorities are. In a simple case your 10.8.0.0/16 network is a WG network and say your 10.9.0.0/16 is a non-WG network but your test hosts are on both networks; the route taken may or may not cross the WG network depending on how you configured the peers. Usually if you ran iperf3 with addresses in the WG network your traffic would stay on the WG network, but all other traffic would follow default routing rules, so iperf3 between hosts outside the WG network would not traverse that route. But again, that's not necessarily the case depending on your specific configuration. It’s difficult to answer without more detail.

That’s not how WireGuard works. If you want something that does this all for you, use Tailscale, which will establish a direct connection between peer A and peer B via server X acting as a STUN/TURN server (the servers from Tailscale, that is).

Unsure why that is your expectation.

So basically what you’re telling me is that if the server is 10.8.0.1 any client on the 10.8 network is routing through the server to get to other clients?

I have the WireGuard server set up for 10.8.0.0/24 and the clients are split tunnel, so their allowed IPs are 10.8.0.0/24. When I do iperf or ping tests it's within the 10.8 network. I did the test with the local IP addresses to ensure I was getting the 10GB I set up, but when I run the same tests through the tunnel I get the bandwidth cap of 100 Mbps.

Not true. You could easily scope your WG network to a /28 where your server is on .1, your peers are at .8 and .9 but nothing above .15 uses the WG network. This would be a bad idea but it’s absolutely possible.

You can configure additional peers on every client and build yourself a full mesh. It can be a pain to maintain manually.

If you want a full mesh, you should also look at something like Tailscale, or some of the other things built on top of WireGuard that automatically try to build peer-to-peer tunnels between all members of the VPN network.
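What the "third side of the triangle" and "additional peers on every client" replies describe, as an added example that is not from anyone in this thread: each client lists the other as a direct peer with a /32 AllowedIPs, while the server peer keeps the whole 10.8.0.0/24. WireGuard's cryptokey routing picks the longest-prefix match, so 10.8.0.9 goes over the LAN and everything else still goes via the 100 Mbps server. The LAN addresses, listen ports, hostname and keys are placeholders; both clients must be able to reach each other's ListenPort on the LAN.

```ini
# Added example, not from the thread. Assumptions: client A is 10.8.0.2 on
# LAN 192.168.1.20, client B is 10.8.0.9 on LAN 192.168.1.30, server network
# is 10.8.0.0/24 (from the thread). Keys/hostnames are placeholders.

# ---------------- client A (10.8.0.2) ----------------
[Interface]
Address = 10.8.0.2/24
PrivateKey = <client-A-private-key>
ListenPort = 51821          # must be reachable from client B on the LAN

# Direct tunnel to client B: /32 wins over the server's /24, so traffic
# to 10.8.0.9 never leaves the LAN.
[Peer]
PublicKey = <client-B-public-key>
AllowedIPs = 10.8.0.9/32
Endpoint = 192.168.1.30:51822
PersistentKeepalive = 25

# Hub peer: everything else in 10.8.0.0/24 still goes through the server
# (and is therefore still capped by its 100 Mbps link).
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.8.0.0/24
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25

# ---------------- client B (10.8.0.9) ----------------
[Interface]
Address = 10.8.0.9/24
PrivateKey = <client-B-private-key>
ListenPort = 51822          # must be reachable from client A on the LAN

# Direct tunnel back to client A.
[Peer]
PublicKey = <client-A-public-key>
AllowedIPs = 10.8.0.2/32
Endpoint = 192.168.1.20:51821
PersistentKeepalive = 25

# Hub peer, unchanged from the original split-tunnel config.
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.8.0.0/24
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
```

The server's own config does not change; it still only knows each client by its /32. After bringing both up, `wg show wg0` on client A should list client B as a peer with a recent handshake, and `wg show wg0 transfer` lets you confirm the iperf3 bytes are counted against that peer rather than the server.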

Behaving as expected then. When your hosts connect to the WG server, your local route tables are set with a preference to the 10.8.0.0/24 for the tunnel. As the server has a 100 Mbps link speed, that’s what you’re going to get over the tunnel.

Is there anything else that does this besides Headscale or Tailscale?

What would be the best way to get full 10GB traffic with WireGuard then while staying within the VPN?

There are lots of them. Tailscale, NetBird, and Netmaker are occasionally mentioned here, but there are also lots of home-brewed options if you search ‘wireguard mesh’. I don’t have any opinions about any of them.

The few times I needed mesh-like functionality I only had a few nodes and manually configured everything.

To do this you’d need a different server on the 10Gb backplane in a different network that doesn’t traverse a path through the host with the 100 Mbps link. You could add another server on the 10Gb network or make one of your hosts the server and connect the other host to it (not ideal). Not sure why you’d do that though. I’m generally not going to be concerned about tunneling traffic in a non-publicly routable network, especially if you have application-level encryption and are in some sort of VPC.

There is a peer-to-peer option but I haven’t set that up yet personally.
The server acts as a handshake and allows the two clients to talk directly to each other by punching the right hole through the right firewall.

This is the functionality I am looking for. Is this possible with WireGuard or will I have to go to something like Tailscale?