 
czpetrs
just joined
Topic Author
Posts: 2
Joined: Thu Jan 26, 2023 1:28 pm

WireGuard - routing more subnets via VPN with respect to the multi-core CPU load

Thu Jan 26, 2023 2:28 pm

Dear MikroTik gurus,
I would like to kindly ask you for help. I have a network structure similar to the one in the picture:
Image
There is a WireGuard VPN between the two RB4011. I basically follow the https://help.mikrotik.com/docs/display/ROS/WireGuard document (one WG interface and peer in each site) and the VPN works perfectly.
It is just a matter of adding more routes and FW rules to achieve:
- 192.168.1.0/24 can communicate with 192.168.2.0/24 and vice versa
- 192.168.3.0/24 can communicate with 192.168.4.0/24 and vice versa
- no other communication between subnets is allowed (192.168.1.0/24 - 192.168.4.0/24 for example)
Question 1: considering the RB4011's 4-core CPUs, is there a more effective way to spread the VPN calculation load between the individual cores? In other words, if the WAN lines to the internet are fast enough, can I expect VPN throughput to decrease because one (?) core of the CPU will be fully utilized?
The only way I can think of is to create a pair of WG interface/peer for each pair of subnets. In this case, would the overall VPN throughput be handled by more processes?
Question 2: what are the real world scenarios where creating more WG interfaces/peers actually makes sense? Site-to-site VPN and road warriors?
Thank you and happy routing!
Petr
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - routing more subnets via VPN with respect to the multi-core CPU load

Thu Jan 26, 2023 11:23 pm

I can only answer 2 partially ---> When one is forced to add another interface because there is allowed peers overlap.
 
czpetrs
just joined
Topic Author
Posts: 2
Joined: Thu Jan 26, 2023 1:28 pm

Re: WireGuard - routing more subnets via VPN with respect to the multi-core CPU load  [SOLVED]

Sat Feb 11, 2023 4:44 pm

No problem, thanks anyway.
I was experimenting with different WG configurations (with respect to a different number of WG interfaces, as described in the first post) and honestly, I do not see any difference:
- when I copy big files between subnets (for example 192.168.1.0/24 and 192.168.1.0/24) I always have full physical Ethernet port speed (similar to copying files over switch)
- CPU in every RB 4011 is somewhere around 50% of utilization - it means one core definitely does not limit WG calculation (and the speed)
Therefore, my conclusion is that it doesn't matter at all how many WG interfaces I use, ROS somehow manages the WG calculations. I do not like this situation when I do not understand how it works but until I debug the ROS kernel (no, I will not:-)) I can live with that. Anyway, as I always prefer as simple configurations as possible, I continue with 1 WG interface only. It means that the site-to-site WG VPN configuration is extremely simple and can be done in a minute, which is more than great in comparison with IPSec or OpenVPN stuff.
Thank you guys anyway! Petr
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - routing more subnets via VPN with respect to the multi-core CPU load

Sat Feb 11, 2023 5:18 pm

Concur, using one interface only at either end is simplest and easier.
The only reason to add additional wireguard interfaces is to prevent peer overlap.
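
The peer-overlap condition named in the replies above, as an added example that is not part of the thread or of MikroTik's code: it flags peers whose allowed-address lists overlap and greedily groups peers into interfaces so that no interface holds overlapping peers. The peer names and sample prefixes are constructed, and placing 192.168.2.0/24 and 192.168.4.0/24 behind one remote peer is an assumption about the missing diagram.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: peer name -> allowed-address list (hypothetical peers).
PEERS = {
    "site-b":       ["192.168.2.0/24", "192.168.4.0/24"],  # assumed remote LANs
    "roadwarrior1": ["10.10.0.2/32"],
    "full-tunnel":  ["0.0.0.0/0"],   # overlaps every other IPv4 peer
    "roadwarrior2": ["10.10.0.3/32"],
}

def parse(prefixes):
    return [ip_network(p, strict=False) for p in prefixes]

def conflicts(a, b):
    """Overlapping (prefix_a, prefix_b) pairs between two allowed-address lists."""
    return [(str(x), str(y)) for x in parse(a) for y in parse(b)
            if x.version == y.version and x.overlaps(y)]

def find_overlaps(peers):
    """Peer pairs that would overlap if both sat on the same WG interface."""
    out = {}
    for (n1, a1), (n2, a2) in combinations(peers.items(), 2):
        hit = conflicts(a1, a2)
        if hit:
            out[(n1, n2)] = hit
    return out

def assign_interfaces(peers):
    """Greedy grouping: each peer joins the first interface it does not overlap."""
    interfaces = []
    for name, allowed in peers.items():
        for members in interfaces:
            if not any(conflicts(allowed, peers[m]) for m in members):
                members.append(name)
                break
        else:  # no existing interface is overlap-free for this peer
            interfaces.append([name])
    return interfaces

if __name__ == "__main__":
    for pair, hits in find_overlaps(PEERS).items():
        print("overlap", pair, hits)
    for i, members in enumerate(assign_interfaces(PEERS), 1):
        print(f"wireguard{i}:", ", ".join(members))
```

With only the site-to-site peer from the first post, the grouping returns a single interface, which matches the conclusion reached in the thread.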
