Closed (realies closed this issue 1 year ago)
Hello @realies,
Which example are you talking about specifically from the performance guide?
Also, there is no load balancing. This script marks packets based on source or destination with a fwmark via iptables, and policy-based ip rules are added to route those marked packets through a custom route table with VPN routes.
@peacey, I meant the multiserver setup where multiple WireGuard clients are used to saturate a gigabit+ WAN. Does it mean that connecting to the same server using more than one client is a good way to achieve this without having half of the traffic going out on a different public IP?
The throughput on that graph increased from 1 Gbps to 1.4 Gbps, but CPU usage hit 100% to do that throughput. So I'm not sure if it's really worth it to use multiple servers for that slight extra bandwidth when your UDM might end up stalling other critical tasks.
However, if you're using multiple servers for other reasons like wanting different IPs for different forced clients (and not saturating the connection 100% of the time) then it could be a good option.
I doubt I could saturate more than 1Gbps, but I'd like to do it if I could. And even if I could, it will be saturated for a very short amount of time. What critical tasks could be stalled that make you think this is not a great idea?
If CPU hits 100% for a long time, you might lose access to Network, and other stuff that uses the CPU will also lag during that time. You will probably be fine if you're not saturating it. I haven't tested my UDM with such a heavy load, so you'll have to monitor it for yourself and see what happens with your use case.
Great, thanks. I take it I just need to set up more than one VPN client (each with a unique ROUTE_TABLE, MARK, PREFIX, PREF, and DEV), and the WAN would use both at the same time.
Based on which FORCED_* options you use in the VPN clients, the packets will be routed to the correct VPN. But if you're using FORCED_LOCAL_INTERFACE, you can only use it in one client's vpn.conf.
I'm sorry to ask in multiple issues, but can't all traffic be routed through the VPNs regardless of its origin (UDM, VLANs, etc)?
You can route routed traffic (i.e. UDM clients) through the VPN with the FORCED_SOURCE/FORCED_DEST options. You can route local UDM traffic with FORCED_LOCAL_INTERFACE. But there's no option to specify all traffic together.
Also, each vpn.conf should have different sources. There is no load balancing. You can't have one UDM client or match go out both VPNs.
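To make the mechanism described in this thread concrete (fwmark set by iptables, a policy rule per mark, a default route in a per-client table, and distinct sources per client because there is no load balancing), here is an added illustration that is not code from the split-vpn project. It only prints the commands a two-client setup implies, so it can be read or run safely anywhere; the variable names ROUTE_TABLE, MARK, PREF and DEV come from the thread, while the `FORCED_SOURCE` argument name, the marks, table numbers, interfaces and subnets are constructed for the example.

```shell
#!/bin/sh
# Added example (not the split-vpn project's code). Prints, rather than
# executes, the iptables + policy-routing commands implied by two separately
# configured VPN clients, and refuses configurations where the two clients
# would share a source, a mark, a route table or a rule preference.
# Constructed values: 0x169/0x170 marks, tables 101/102, wg0/wg1, subnets.

# plan_client NAME ROUTE_TABLE MARK PREF DEV FORCED_SOURCE
# Emits the three commands that steer FORCED_SOURCE out of one client:
#  1. mark forwarded packets from the source in the mangle table
#  2. a policy rule sending that mark to the client's route table
#  3. a default route in that table via the client's tunnel device
plan_client() {
    name=$1; table=$2; mark=$3; pref=$4; dev=$5; src=$6
    printf '# %s: %s -> table %s via %s\n' "$name" "$src" "$table" "$dev"
    printf 'iptables -t mangle -A PREROUTING -s %s -j MARK --set-mark %s\n' "$src" "$mark"
    printf 'ip rule add fwmark %s table %s pref %s\n' "$mark" "$table" "$pref"
    printf 'ip route add default dev %s table %s\n' "$dev" "$table"
}

# check_distinct VALUE... : returns 1 if any value repeats.
# Used for every field that must differ between vpn.conf files; a shared
# source would make the first matching mark win, not split the traffic.
check_distinct() {
    if printf '%s\n' "$@" | sort | uniq -d | grep -q .; then
        return 1
    fi
    return 0
}

# plan_pair: validates two constructed clients, then prints their plan.
# Returns 1 (printing nothing) when a field collides.
plan_pair() {
    t1=101; m1=0x169; p1=99; d1=wg0; s1=192.168.10.0/24
    t2=102; m2=0x170; p2=98; d2=wg1; s2=192.168.20.0/24
    check_distinct "$t1" "$t2" || return 1
    check_distinct "$m1" "$m2" || return 1
    check_distinct "$p1" "$p2" || return 1
    check_distinct "$s1" "$s2" || return 1
    plan_client vpn1 "$t1" "$m1" "$p1" "$d1" "$s1"
    plan_client vpn2 "$t2" "$m2" "$p2" "$d2" "$s2"
}

plan_pair
```

Reading the output top to bottom shows why the thread says one source cannot use both tunnels: a packet from 192.168.10.0/24 receives exactly one mark, matches exactly one `ip rule`, and is routed by exactly one table, so the throughput test in the performance guide could only spread load by giving each iperf stream a different matching source.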
If you can't have a shared source (one VLAN) going out of more than one VPN, how did you measure the throughput improvement when using a multiserver config?
Those multiserver results are done with multiple clients (actually, they're one actual client but traffic is over a different port for each iperf instance, so it goes out a different VPN based on the source port).
How do I achieve what has been demonstrated here? https://github.com/peacey/split-vpn/blob/main/Performance_Testing.md#multiserver-throughput
Does this involve some kind of load balancing? How does the UDM know how to split the traffic? Is it multiple different users connected to the same server, or multiple different users connected to different servers?