l009uigs-2haxd-in Wireguard speed only 70 mbps

WillSo · March 26, 2024, 9:01am

Hi,

Not sure where to ask this question, so I’ll ask here.
I’ve got l009uigs-2haxd-in router, and connecting to it via Wireguard, I’m only getting around 70-80 mbps throughput (iperf3, tcp).
Is this normal for this router, or maybe I’ve misconfigured something?

I’m very new to networking and mikrotik ecosystem, so please excuse me if all of this is over my head.

I had problems with this particular wireguard tunnel (video streams not playing for ex.) until I lowered MTU to 1420, but the speed is still low.

If you would need my MikroTik configs, I can provide them.

Some more info:

On my end, ISP gives me 250 mbps symmetric connection.

On the other end of the tunnel is Ubuntu 20.4 virtual machine with gigabit connection and 6 cores from recent Ryzen Threadripper processor.

Before using this MikroTik router I used OpenWRT on Raspberry Pi 4, which had this tunnel running at almost full connection speed (a bit lower than 250 mbps). I remember I had to enable MSS clamping on OpenWRT for the tunnel to start working at full speed.

Thanks

jookraw · March 26, 2024, 9:23am

I would say that you are probably hitting the limit for Wireguard on the L009, it has only 2 ARM32 cores at 800. the rPi 4 have 4x ARM64 cores at 1.8GHz.

If you can, I would recommend keep using the rPi 4 for Wireguard.
the cheapest model from Mikrotik that can reach 300Mbps on Wireguard is the hAP ax2, I have used one for Site to Site vpn via wireguard and it could saturate the uplink of 300mbps without asking for help. It probably could go more than 300 easily

anav · March 26, 2024, 10:37am

Post both configs… ( minus public WANIP info, keys etc. )
The default mtu setting is 1420 so dont understand why you lowered to the default??
Important is that both sides of the connection have the same mtu setting

WillSo · March 26, 2024, 11:01am

Thank you,

Is there a way to confirm CPU is the limiting factor? My idea is to fill the tunnel with traffic and see routers CPU utilization.

I’ve purchased this router to simplify my network, and free up rPi4 for other uses. I do not really need (though it would be nice) very big speeds on that tunnel, just wanted to know if this is normal.

WillSo · March 26, 2024, 11:37am

Hi,
I have been playing around with different configs on my mikrotik, trial and error, so a lot of disabled and overhead things.

Mikrotik config (a bit sanitized, hope not too much):
wgvpn is the tunnel in question
WillSoL009.cfg.rsc (11.8 KB)
And wireguard config on server for the tunnel:

root@us-virt:/etc/wireguard# cat wglt.conf

[Interface]
PrivateKey = -PRIVATE KEY-
Address = 192.168.9.2/24
MTU=1420

[Peer]
PublicKey = -PUBLIC KEY-
AllowedIPs = 192.168.9.0/24, 192.168.5.0/24, 192.168.16.0/24, fdf1:e8a1:8d3f:9::2/64
PresharedKey = -PRESHARED KEY-
Endpoint = -HOME WAN IP-:51844
PersistentKeepalive = 25

Something weird Iperf today is around 70-115 Mbits, depends on a run, like:

Connecting to host ugnius.lan, port 5201
[  5] local WAN-IP port 45058 connected to 192.168.9.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  6.04 MBytes  50.7 Mbits/sec    0    401 KBytes
[  5]   1.00-2.00   sec  17.8 MBytes   150 Mbits/sec   85    715 KBytes
[  5]   2.00-3.00   sec  19.0 MBytes   159 Mbits/sec    0    806 KBytes
[  5]   3.00-4.00   sec  15.7 MBytes   132 Mbits/sec   32    613 KBytes
[  5]   4.00-5.00   sec  12.3 MBytes   103 Mbits/sec   18    469 KBytes
[  5]   5.00-6.00   sec  12.3 MBytes   103 Mbits/sec    0    498 KBytes
[  5]   6.00-7.00   sec  13.4 MBytes   112 Mbits/sec    0    514 KBytes
[  5]   7.00-8.00   sec  13.5 MBytes   113 Mbits/sec    0    522 KBytes
[  5]   8.00-9.00   sec  13.4 MBytes   112 Mbits/sec    0    525 KBytes
[  5]   9.00-10.00  sec  13.4 MBytes   113 Mbits/sec    0    541 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   137 MBytes   115 Mbits/sec  135             sender
[  5]   0.00-10.04  sec   135 MBytes   113 Mbits/sec                  receiver

CPU is not being overly used while running iperf.

anav · March 26, 2024, 12:02pm

Was not aware you have two wireguard tunnels on the go.
What are the four endpoints???
Which end is the server (for the handshake) on each network.

WillSo · March 26, 2024, 12:36pm

There are 2 wireguard tunnels

wgged - tunnel to UK server, for British TV, MikroTik router connects to the server using its IP and 51871 port. I only forward traffic through it from my local Roku box, rarely used.
wgvpn - tunnel in question, my MikroTik router is the server (waits for connection on port 51844 from my Ubuntu VM)

4 Endpoints??? Not really sure, all other wireguard configuration might be superficial. As I have said I have no idea what I am doing
If you mean subnets: 192.168.9.0/24 - wgvpn wireguard tunnel devices, 192.168.77.0 wgged tunnel devices (for UK gateway purpose), 192.168.5.0/24 my LAN subnet, 192.168.16.0/24 - forgot why this was set in the first place, should be removed. All IPV6 configs are not really used.

The separate wireguard config file I gave is from my virtual machine, it is trying to connect to MikroTik router WAN IP on port 51844

Thank you very much for trying to help me.

holvoetn · March 26, 2024, 2:47pm

Check tool / profile

MircoADM · April 24, 2024, 9:01pm

Sorry
the L009 device is a “to low-cpu” powered device.
There is no HW accelerated encryption / decryption using WG.
I love my L009 device for home using - low energy consumption a little “NAS” and container with linux.
Knowing the limitation(include WIFI) of this little red device

You can test it reality easy:

Open winbox connect the L009 device and show the CPU-panel.
Use 2 devices with 1Gbit ethernet and connect to the L009 device.
Make iperf test direct > IP-device1 to IP-device2 you should get about 850 - 900Mbits ore more (with WIFI AX 5G and a new iPAD / iPhone as client you get about 750 - 800Mbit)
Now make a NAT-rule in the L009 with redirect port 5201(TCP) to the iperf server port 5201 from all sources allowed.
Now test iperf from client to the L009 IP - you lost some percent’s of speed. Look while the tests on the CPU panel on winbox.
Only NAT-redirect eats 30-40% CPU.
Next configure the WG-tunnel (give the WG interfaces some IP-addresses outside the LAN addresses) connect the client with WG to the L009 box.
Now test iperf to the WG interface from the L009 device - now runs the test trough WG.
The CPU reaches 90+% in the winbox panel an the speed is about 100Mbit (range 90-120Mbit)

So see - the CPU IS THE LIMIT using WG, it “breaks” nearly 100Mbit.
If you have a transfer over the “real internet” also WAN with rates about 70 Mbit, it looks like a “good” value
Greets