
GNS3 vs VM: iperf3 test for VyOS

In my last post I tried to simulate a site2site VPN connection using Wireguard via VyOS, my favourite router. It was very easy to implement, but the performance was not that great on GNS3.

It was not a VyOS issue at all: GNS3 is just a simulation tool, and we can't expect real-world performance from it, even though it uses QEMU and Linux virtual networking under the hood. To prove that, I made the following simple iperf3 test using 3 VyOS routers on GNS3:


No VPN, just plain routing between connected networks through VyOS1.3-3. The result was similar to my Wireguard throughput test, once you account for the header overhead of Wireguard packets:

In my Wireguard test, I reached a bitrate of 53.8 Mbps, almost 76% of the total bandwidth. That is a good result, but I had to verify whether VyOS is able to route at a higher bitrate. For that, I created a VyOS VM on VirtualBox, connected two other VyOS VMs to its interfaces, and ran an iperf3 test. The result was clearly better:


Reaching 4.1 Gbps with virtual machines on a laptop is really an excellent result (it depends on many parameters that affect the performance of the environment). The next challenge was to run an iperf3 test over a VPN, in the same way I did in GNS3.

For this, I will create a Wireguard VPN and use two other VyOS routers as iperf3 endpoints. The configuration is quite similar to the one used in GNS3. For this article I am using VyOS 1.4, so some commands may differ from 1.3. I will post the complete configuration for both routers, without the Wireguard keys of course.

Since the encrypted tunnel puts CPU load on the Wireguard peers, each peer VM got 2 vCPUs and 512 MB of RAM. The result is about 512 Mbps. While inspecting my system with htop, I saw that I was pushing my laptop's processor to its limit; better numbers would simply need more CPU performance.
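The numbers above raise the question of how much of a tunnel's throughput loss is plain header overhead and how much is CPU. As an added example (not from the post, and not the author's measurements), this script reads the summary of an `iperf3 -J` report for a plain-routing run and for a tunnelled run, and computes the ceiling that Wireguard encapsulation alone imposes from its documented transport message layout (32 bytes of Wireguard header plus the outer UDP/IP headers). The two reports are constructed to resemble iperf3's JSON output, with sample rates in the range the post describes (4.1 Gbps plain, 512 Mbps tunnelled); the `_report` helper and all key names beyond `end.sum_sent`, `end.sum_received` and `end.cpu_utilization_percent` are my own.

```python
"""Compare iperf3 results for plain routing vs. a Wireguard tunnel.

Added example, not from the post.  The two iperf3 reports below are
constructed to look like `iperf3 -J` output; the figures are sample values,
not the author's measurements.
"""
import json

# Per-packet overhead Wireguard adds around each inner IP packet:
# 4 (type) + 4 (receiver index) + 8 (nonce counter) + 16 (Poly1305 tag) bytes.
WG_HEADER = 32
UDP_HEADER = 8
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
ETHERNET_HEADER = 14


def outer_packet_size(inner_mtu, outer_ip_header=IPV4_HEADER):
    """Size on the wire (before Ethernet) of a full-MTU tunnelled packet."""
    return inner_mtu + WG_HEADER + UDP_HEADER + outer_ip_header


def fits_link(inner_mtu=1420, link_mtu=1500, outer_ip_header=IPV6_HEADER):
    """True if a full-size inner packet still fits the link after encapsulation.

    1420 is Wireguard's default MTU: 1500 - 80 leaves room even for an IPv6 outer header.
    """
    return outer_packet_size(inner_mtu, outer_ip_header) <= link_mtu


def tunnel_efficiency(inner_mtu=1420, link_mtu=1500, outer_ip_header=IPV4_HEADER):
    """TCP payload per frame through the tunnel, relative to payload per frame on a plain link.

    This is the throughput ceiling header overhead alone imposes; anything below it is
    spent elsewhere (encryption, context switches, the virtual NIC path).
    """
    plain_goodput = (link_mtu - IPV4_HEADER - TCP_HEADER) / (link_mtu + ETHERNET_HEADER)
    inner_payload = inner_mtu - IPV4_HEADER - TCP_HEADER
    tunnel_goodput = inner_payload / (outer_packet_size(inner_mtu, outer_ip_header) + ETHERNET_HEADER)
    return tunnel_goodput / plain_goodput


def summarize(report_json):
    """Pull receiver bitrate, retransmits and the iperf3 host's CPU use out of an iperf3 -J report.

    Note: cpu_utilization_percent is iperf3's own process on the endpoint, not the router in
    between; the routers' load is what htop on the VMs shows.
    """
    end = json.loads(report_json)["end"]
    return {
        "mbps": end["sum_received"]["bits_per_second"] / 1e6,
        "retransmits": end["sum_sent"].get("retransmits", 0),
        "sender_cpu_pct": end["cpu_utilization_percent"]["host_total"],
    }


def compare(plain_json, tunnel_json, **mtu_kwargs):
    """Split the tunnel's throughput loss into the part headers explain and the rest."""
    plain, tunnel = summarize(plain_json), summarize(tunnel_json)
    measured = tunnel["mbps"] / plain["mbps"]
    ceiling = tunnel_efficiency(**mtu_kwargs)
    return {
        "plain_mbps": plain["mbps"],
        "tunnel_mbps": tunnel["mbps"],
        "measured_ratio": measured,
        "header_ceiling": ceiling,
        # share of the plain-link rate lost to something other than encapsulation overhead
        "unexplained_loss": ceiling - measured,
        "tunnel_sender_cpu_pct": tunnel["sender_cpu_pct"],
    }


def _report(mbps, cpu, retransmits=0):
    """Constructed stand-in for `iperf3 -J` output, keeping only the keys used above."""
    return json.dumps({"end": {
        "sum_sent": {"bits_per_second": mbps * 1e6, "retransmits": retransmits},
        "sum_received": {"bits_per_second": mbps * 1e6},
        "cpu_utilization_percent": {"host_total": cpu, "remote_total": cpu},
    }})


# Sample values in the same range as the post's VM tests (constructed, not measured).
PLAIN_RUN = _report(4100.0, 35.0)
TUNNEL_RUN = _report(512.0, 97.0, retransmits=12)

if __name__ == "__main__":
    for key, value in compare(PLAIN_RUN, TUNNEL_RUN).items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

With a 1420-byte tunnel MTU on a 1500-byte IPv4 link, header overhead alone caps the tunnel at about 96% of plain throughput. A measured ratio far below that, as in the 512 Mbps versus 4.1 Gbps case, is therefore not a packet-size effect: it is the cost of encryption and the virtual NIC path on the router VMs, which is exactly what the htop observation above showed.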


The other important thing was latency. A ping between the same two machines, which means going through the Wireguard tunnel via a third router, gave a very good result:


These results are, to me, a testament to the performance of Wireguard and VyOS: Gigabit routing is not really an issue, and I guess a Gigabit VPN is not that difficult either, provided you have enough CPU power. For a proper benchmark of VyOS I would need a 10 Gigabit Layer-3 switch and 4 machines with decent performance and 10 Gigabit interfaces, on which I would install VyOS on bare metal. For now, 512 Mbps on a laptop with 2 vCPUs/512 MB of RAM is exceptional!

Configuration on both routers:

### First VPN Router

```
set interfaces ethernet eth4 address '192.168.57.10/24'
set interfaces ethernet eth4 firewall local
set interfaces ethernet eth5 address '10.10.10.1/24'
set interfaces loopback lo
set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 address '192.168.56.10'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.10.0/24'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.20.0/24'
set interfaces wireguard wg01 peer to-wg02 port '55555'
set interfaces wireguard wg01 peer to-wg02 public-key '*********************************************'
set interfaces wireguard wg01 port '55555'
set interfaces wireguard wg01 private-key '*********************************************'
set protocols static route 10.10.20.0/24 interface wg01
set protocols static route 192.168.56.0/24 next-hop 192.168.57.1
```


### Second VPN Router

```
set interfaces ethernet eth4 address '192.168.56.10/24'
set interfaces ethernet eth4 firewall local
set interfaces ethernet eth5 address '10.10.20.1/24'
set interfaces loopback lo
set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 address '192.168.57.10'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.20.0/24'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.10.0/24'
set interfaces wireguard wg01 peer to-wg02 port '55555'
set interfaces wireguard wg01 peer to-wg02 public-key '*********************************************'
set interfaces wireguard wg01 port '55555'
set interfaces wireguard wg01 private-key '*********************************************'
set protocols static route 10.10.10.0/24 interface wg01
set protocols static route 192.168.57.0/24 next-hop 192.168.56.1
```
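The mistakes that usually break a site-to-site tunnel like this one are small: an endpoint address or port that does not match the other side, a remote LAN missing from allowed-ips or from the static routes, or keys pasted in redacted form. Here is a consistency checker for a pair of configs like the two above, as an added example that is not part of the post or of VyOS. It assumes one Wireguard interface per router with the same name on both ends, and embeds the tunnel-relevant lines of the post's two configs (firewall, loopback and description lines omitted). Run against them it reports no errors, and it warns that each router's allowed-ips also lists its own directly connected LAN and that the keys are redacted.

```python
"""Cross-check the two VyOS configs above as the two ends of one Wireguard tunnel.
Added example, not from the post; assumes one Wireguard interface per router."""
import base64
import binascii
import ipaddress
import shlex

# Tunnel-relevant lines of the post's configs (the keys are redacted there too).
ROUTER_A = """
set interfaces ethernet eth4 address '192.168.57.10/24'
set interfaces ethernet eth5 address '10.10.10.1/24'
set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 peer to-wg02 address '192.168.56.10'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.10.0/24'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.20.0/24'
set interfaces wireguard wg01 peer to-wg02 port '55555'
set interfaces wireguard wg01 peer to-wg02 public-key '*********************************************'
set interfaces wireguard wg01 port '55555'
set interfaces wireguard wg01 private-key '*********************************************'
set protocols static route 10.10.20.0/24 interface wg01
set protocols static route 192.168.56.0/24 next-hop 192.168.57.1
"""
ROUTER_B = """
set interfaces ethernet eth4 address '192.168.56.10/24'
set interfaces ethernet eth5 address '10.10.20.1/24'
set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 peer to-wg02 address '192.168.57.10'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.20.0/24'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.10.10.0/24'
set interfaces wireguard wg01 peer to-wg02 port '55555'
set interfaces wireguard wg01 peer to-wg02 public-key '*********************************************'
set interfaces wireguard wg01 port '55555'
set interfaces wireguard wg01 private-key '*********************************************'
set protocols static route 10.10.10.0/24 interface wg01
set protocols static route 192.168.57.0/24 next-hop 192.168.56.1
"""

def parse_set_commands(text):
    """Yield each 'set ...' line as a tuple of tokens; shlex strips VyOS's quotes."""
    for line in text.splitlines():
        if line.strip().startswith("set "):
            yield tuple(shlex.split(line)[1:])

def build_model(text):
    """Collect Ethernet addresses, Wireguard settings/peers and static routes."""
    m = {"eth": {}, "wg": {}, "routes": {}}
    for e in parse_set_commands(text):
        if e[:2] == ("interfaces", "ethernet") and len(e) == 5 and e[3] == "address":
            m["eth"][e[2]] = ipaddress.ip_interface(e[4])
        elif e[:2] == ("interfaces", "wireguard") and len(e) > 2:
            wg = m["wg"].setdefault(e[2], {"peers": {}})
            if len(e) == 7 and e[3] == "peer":
                peer = wg["peers"].setdefault(e[4], {"allowed-ips": []})
                if e[5] == "allowed-ips":
                    peer["allowed-ips"].append(ipaddress.ip_network(e[6]))
                else:
                    peer[e[5]] = e[6]
            elif len(e) == 5:
                wg[e[3]] = e[4]
        elif e[:3] == ("protocols", "static", "route") and len(e) == 6:
            m["routes"][ipaddress.ip_network(e[3])] = (e[4], e[5])
    return m

def key_looks_valid(key):
    """A Wireguard key is 32 bytes, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(key or "", validate=True)) == 32
    except binascii.Error:
        return False

def check_pair(text_a, text_b):
    """Return (errors, warnings) for configs A and B taken as the two tunnel ends."""
    errors, warnings = [], []
    models = {"A": build_model(text_a), "B": build_model(text_b)}
    for name, other in (("A", "B"), ("B", "A")):
        local, remote = models[name], models[other]
        wg_name, wg = next(iter(local["wg"].items()))
        remote_wg = remote["wg"].get(wg_name, {})
        remote_ips = {i.ip for i in remote["eth"].values()}
        for peer_name, peer in wg["peers"].items():
            tag = f"{name}/{wg_name} peer {peer_name}"
            endpoint = ipaddress.ip_address(peer.get("address", "0.0.0.0"))
            if endpoint not in remote_ips:
                errors.append(f"{tag}: endpoint {endpoint} is not an address on router {other}")
            if peer.get("port") != remote_wg.get("port"):
                errors.append(f"{tag}: endpoint port {peer.get('port')} != {other} listen port {remote_wg.get('port')}")
            # Every network behind the remote router (not its WAN side) must be in allowed-ips
            # and have a static route pointing into the tunnel.
            for iface in remote["eth"].values():
                if iface.ip == endpoint:
                    continue
                if not any(iface.network.subnet_of(n) for n in peer["allowed-ips"]):
                    errors.append(f"{tag}: remote LAN {iface.network} missing from allowed-ips")
                if local["routes"].get(iface.network) != ("interface", wg_name):
                    errors.append(f"{name}: no static route for {iface.network} via {wg_name}")
            # allowed-ips is also Wireguard's inbound source filter, so a prefix that is
            # directly connected here lets the peer send packets sourced from this LAN.
            for net in peer["allowed-ips"]:
                for ifname, iface in local["eth"].items():
                    if net.overlaps(iface.network):
                        warnings.append(f"{tag}: allowed-ips {net} overlaps local {ifname} ({iface.network})")
            for label, key in (("private-key", wg.get("private-key")), ("public-key", peer.get("public-key"))):
                if not key_looks_valid(key):
                    warnings.append(f"{tag}: {label} is not a 32-byte base64 key (redacted?)")
    return errors, warnings
```

Call `check_pair(ROUTER_A, ROUTER_B)` to get the two lists. The allowed-ips warning deserves a look when adapting the config: Wireguard uses allowed-ips both to pick the peer for outbound traffic and as the set of source prefixes it accepts from that peer, so a prefix that is directly connected on the local router is never needed for routing and only widens what the remote side may send.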


PS: generating keys has changed in VyOS 1.4; the command is now "generate pki wireguard key-pair".

PS: The stable version is still VyOS 1.3; VyOS 1.4 is still considered unstable.
