Hacker Remix

WireGuard Performance with a Pi Zero (2019)

78 points by yamrzou 5 days ago | 71 comments

Sanzig 4 days ago

I have an old Pi 3 installed at my mother-in-law's house running Tailscale (which uses WireGuard as its actual VPN layer). It is connected to my Tailnet along with my Jellyfin server, and I have nginx set up as a reverse proxy to expose the Jellyfin server on the LAN IP of the Pi. This way, she and her sons can access my Jellyfin server as if it were on their LAN - great option for non technical relatives.

This setup has been in place about a year now and just works. The Pi can handle about 50 Mbit bidirectional over WireGuard, which is sufficient even for a couple of 4K media streams. I am planning to duplicate this setup at some other relatives' homes.

j-krieger 4 days ago

> This setup has been in place about a year now and just works

For some reason, even with ram-only fs and all common tricks, my Sandisk SD cards keep failing. Do you have any tips?

vinni2 4 days ago

I had this problem with a Pi 4. After frying several SD cards I found out you can set up a read-only file system, and since then no problems for 3 years now. https://core-electronics.com.au/guides/read-only-raspberry-p...

kstrauser 4 days ago

Boot from a USB SSD instead. I get literally 100x the IOPS over the reasonably fast SD cards I used. Things like apt-get upgrade take seconds instead of many minutes. It’s an entirely different experience.

EasyMark 4 days ago

Get as big of an SD card as you can from a known good company (I think I have a 256GB card in mine). Turn off as many logging services as you can. You should be able to find several guides on the internet on how to limit writes to the SD card, and that combined with a big card with decent wear leveling should last for years; mine has.

NavinF 4 days ago

Is it possible your SD cards are fake? I did full disk writes till destruction and got 1000 cycles with a Sandisk Ultra (their cheapest line of microSD cards)

That should be enough for 10 years under a typical Pi workload like writing and compacting logs.

sweeter 4 days ago

Any advice setting something like this up? Also, wouldn't that get expensive?

NavinF 4 days ago

Why would it be expensive?

telgareith 4 days ago

Because an 8gb rpi4 costs close to $160. You can buy an m920q i3 with more compute, and with a similar amount of RAM (Conversion losses, Storage, and then Cooling or RAM (a few watts per 8gb) are the largest power consumers) and it can do a lot more than 50mbit. It might actually use less power than the rpi4. And, it could replace whatever is powering the TV display.

Of course, choose your power supply badly and both those sub 10W machines will be 50W at the wall.

sweeter 4 days ago

I also thought that Tailscale would probably incur some type of charges after using it that much, though I'm not super familiar with their free tier policies and how sustainable they are in the long-term.

Sanzig 4 days ago

Tailscale sets up point-to-point WireGuard VPNs and only proxies through their relay servers when they can't establish a direct connection. In my experience that's pretty rare, Tailscale tries a whole bunch of NAT traversal tricks before falling back to relay mode.

Their free tier is pretty generous because it's basically a way for Tailscale to get homelabbers hooked on the product so they'll recommend a corporate plan at work. They even state as much: https://tailscale.com/blog/free-plan

The Pi 3 was essentially free to me because I already had it on a shelf. When I duplicate this setup at some other relatives' homes, I'm planning on using an Orange Pi Zero 3 ($30 CAD, quad core A53, gig of RAM, gigabit Ethernet).

NavinF 4 days ago

They're not proxying your data. That's why there are no usage limits

allset_ 4 days ago

They do proxy your traffic if it can't set up direct connections, and it's still free.

https://tailscale.com/kb/1232/derp-servers

NavinF 4 days ago

Wat.

- You're replying to a thread about someone using a 1GB Pi 3 to stream multiple 4K movies. It's $44 on Amazon including fast shipping. Cheaper on eBay if you can wait 3 days.

- The 8GB Pi 4 is $75 on canakit, not $160.

Anyway if you want more compute (on an edge device? why?), why not grab an AM4 board and CPU for like $80 each? That's 25W at the wall and gives you a ton of flexibility if you later wanna repurpose the machine adding GPUs, NVMe, SAS enclosures, etc

gruez 4 days ago

>The 8GB Pi 4 is $75 on canakit, not $160.

To be fair once you add in shipping, an SD card, power supply, case/heatsink, you'll get to around 160.

NavinF 4 days ago

Bizarre. MicroSD cards are $5 on Amazon. I figured everyone has a bunch of spare 5V 2.5A PSUs in the box of wall warts in their garage, but maybe that's a bad assumption. $5 for a brand new PSU and $15 canakit shipping. So it's $100 total if you didn't care at all about cost and bought the most expensive Pi for use as an edge device for no technical reason.

Why would you need a heatsink unless you use a case? Why would you use a case? That price tag is entirely self inflicted

yamrzou 4 days ago

Is it a Pi 3 B+?

whatevermom 5 days ago

Does someone have a recommendation for a travel router where I could 1/ set up a WG VPN to encapsulate all my traffic 2/ connect to a Tailscale network?

abound 5 days ago

One of the GL.iNet travel routers [1] would probably work for you. They run OpenWRT (or a thin veneer around it), so you can SSH in and install packages and whatnot. They explicitly advertise Wireguard-based VPN support.

I don't have one of their travel routers, but I have a Flint 2.

[1] https://store.gl-inet.com/collections/travel-ac-router

EQYV 4 days ago

I haven’t managed to get the built in tailscale route-through-exit-node functionality working on my router. Have you / others had success?

abound 4 days ago

Ah I have not. I run a Headscale instance, but my router knows nothing about my Tailnet

sandreas 4 days ago

I'd go for a NanoPI R6S[1]. This thing is a 4 Core beast with USB-C Power Supply support. OpenWRT Support via snapshot, see ToH[2].

If this is too expensive, you could also go for a NanoPi R4S[3], but I wouldn't. The N6S is worth the additional cost.

If you need wifi, there is the R5C[4].

1: https://www.friendlyelec.com/index.php?route=product/product...

2: https://openwrt.org/toh/views/toh_available_16128

3: https://www.friendlyelec.com/index.php?route=product/product...

4: https://www.friendlyelec.com/index.php?route=product/product...

danieldk 4 days ago

The Rockchip in the R6S is very powerful, though depending on what you want to do there may be better options. The R6S doesn't have hardware offloading in OpenWrt. Many Mediatek Filogic SoCs do, so they can do NAT, routing, PPPoE, etc. while the CPU is almost idle. Banana Pi R3/R4 are good options or if you want something that is more of a ready-to-use product and doesn't require SFP modules, the GL.iNet MT-6000 is really cool: https://www.gl-inet.com/products/gl-mt6000/

Runs their fork of OpenWrt with a user-friendly interface (though LuCi is also available) and you can also flash vanilla OpenWrt. They also have smaller travel models.

Of course if you use stuff that needs to run on the CPU (like Cake), then the R6S will be faster.

sandreas 4 days ago

I personally own a Banana Pi R3 as my main router and it's awesome. Unfortunately, it is pricey and pretty big for a travel router (besides the fact that it must be assembled). The MT6000 is even bigger. And you have to carry an extra power supply.

For traveling I use a Gl.inet Beryl (GL-MT1300), which is nice, but not very powerful. Nowadays I would probably go for a GL-MT3000[1], if there wasn't the NanoPi R5C, which is small, powerful, supports OpenWRT and has Wifi.

As a note: I thought about having Wifi via USB, but the stability and performance of USB-Wifi is nowhere near the integrated / miniPCIe stuff. So if wifi is a requirement, this might be important.

1:

tarruda 4 days ago

I recommend installing the Tailscale client on your devices instead of carrying an additional device/router.

ssl-3 4 days ago

I'll go ahead and install Tailscale on my PS5, then.

Thanks!

throw4950sh06 4 days ago

Why would you need it there? Serious question, would love the use case inspiration.

homebrewer 4 days ago

PlayStation store is not available in many regions, mine included. Not that I personally care, it doesn't make sense to support businesses that treat you like a lesser being.

planetafro 4 days ago

Also remote play is amazing!

sweeter 4 days ago

Chiaki for the SteamDeck is amazing. I love playing Bloodborne on the go.

spr-alex 4 days ago

We (https://supernetworks.org/) have a Tailscale integration https://github.com/spr-networks/spr-tailscale and support Site destinations for devices. For our hardware products one thing we do need is to source a good carrying case for travel.

issafram 5 days ago

I have a Pi 4 and ran Wireguard/PiHole on it for a few years before the SD card died.

I decided to install Ubuntu on a 6 year old Dell XPS computer. I now run Wireguard/PiHole strictly on docker and it is incredibly fast. Changed my settings to auto start the PC after a power loss. I haven't had any downtime for the containers. I'll stick to my custom docker compose file forever.

ycuser2 5 days ago

The only thing is the higher energy consumption.

irunmyownemail 4 days ago

I don't use the expensive Pi devices and like the parent commenter, I use an old laptop with a 4 Gig VM, host Ubuntu, VM Ubuntu and it runs my kube cluster as well as a separate kube cluster on the host itself. If it used much power, my wife would be on me about it. PS I don't use Snap.

doublepg23 4 days ago

Significantly more though? I think people overestimate x86 idle power draw.

ignoramous 5 days ago

WireGuard shouldn't consume energy when idle. Turn off KeepAlive, if your network setup allows for it (on most platforms, the official WireGuard implementation can roam just fine).

abound 4 days ago

I think they meant in case of the Pi vs Dell XPS

fnord77 5 days ago

Does the XPS use a lot more power than the pi 4?

EasyMark 3 days ago

Of course it does. It’s probably still less than a few dollars a month

chao- 5 days ago

Would you share said compose file?

stavros 5 days ago

I can't speak to the Compose file itself, but I use Compose to run stuff myself on an intel NUC and it has been amazing. Orders of magnitude faster than a Pi, super stable, tiny, I just love it.

I even wrote a utility to manage the bunch of Compose files via git and automatically update them when I push changes to the repo: https://harbormaster.readthedocs.io/en/latest/

disqard 4 days ago

Thank You For Making And Sharing :D

fnord77 5 days ago

> I’d say that if you’re planning on using WireGuard on an iOS device with the On-Demand Activation for untrusted wi-fi networks when away from the house, this should get the job done to protect you on public wi-fi networks. If the goal is permanent, high throughput usage, I would recommend a more powerful box to run WireGuard.

A zoom meeting on a phone is pretty high throughput...

PhilipRoman 4 days ago

Is it really? For personal use I find that anything except file transfers uses a tiny amount of bandwidth (few MBit/s at most). That includes stuff like video calls, remote desktop, youtube, etc.

EasyMark 3 days ago

Not when most households are getting 30Mbps up and 300Mbps down or more. Now several at once would strain it for sure.