Wireguard extremly slows down the connection

Amakesh · June 27, 2022, 12:08am

I have a Mikrotik CRS109 and a 1 Gbps internet connection. I tried to route all traffic over Wireguard(NordVPN) and it finally works, but the connection speed is much too slow.
Without wireguard it’s usually over 700 Mbps and with wireguard only around 50 Mbps. Is it normal or did i set something wrong?

/interface ethernet
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full" comment=Internet
set [ find default-name=ether3 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full"
set [ find default-name=ether4 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full"
set [ find default-name=ether5 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full"
set [ find default-name=ether6 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full"
set [ find default-name=ether7 ] advertise="100M-half,100M-full,1000M-half,100\
    0M-full,10000M-full,2500M-full,5000M-full"
set [ find default-name=ether8 ] advertise=\
    1000M-half,1000M-full,10000M-full,2500M-full,5000M-full \
    disabled=yes full-duplex=no speed=100Mbps

/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=vpn

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2 list=WAN
add interface=wireguard1 list=WAN

/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=''.nordvpn.com \
    endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s \
    public-key="----"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.5.0.2 disabled=yes interface=wireguard1 network=10.5.0.0

/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward connection-mark=under_nordvpn disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward out-interface=wireguard1 src-address=\
    192.168.88.0/24
        
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat log=yes log-prefix=wg out-interface=\
    wireguard1
add action=masquerade chain=srcnat disabled=yes out-interface=ether2

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    10.5.0.2 pref-src=0.0.0.0 routing-table=vpn scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    0.0.0.0 routing-table=vpn scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup disabled=yes dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24 table=main
add action=lookup disabled=no src-address=192.168.88.0/24 table=vpn
/system clock

Znevna · June 27, 2022, 4:03am

Yes you did something wrong, you can’t use a switch as a router and expect good results.
Watch the CPU usage.

holvoetn · June 27, 2022, 7:39am

Even with some routers it might be a problem.

Wireguard is for now a 100% SW managed protocol. No HW offloading on some devices like e.g. ipsec.
So CPU needs to do all the work.
And if it is a weak cpu, your connection gets saturated quite fast.

Amakesh · June 27, 2022, 12:33pm

So, what Mikrotik device would you recommend?

anserk · June 28, 2022, 2:22am

This is an interesting question. I would be curious to know how something like RB5009 performs in this scenario and whether it can handle gigabit over WireGuard, at least half-duplex.

Just to give you some idea - some time ago I tested WireGuard with two hAP ac2 connected over gigabit Ethernet. With blank configuration, no firewall, no NAT, just WireGuard. I was getting 40-42MB/s sustained as reported by iperf3 with single TCP unidirectional stream between two desktops. That’s about 320Mbit/s of actual payload data, so the raw throughput was a bit higher due to protocol overhead.

This test was done just out of academic interest since in real world you would need CPU for firewall, NAT, routing, possibly other stuff. These little routers support IPSec hardware acceleration if you have that option, although it still won’t give you gigabit.

Znevna · June 28, 2022, 3:50am

http://forum.mikrotik.com/t/rb5009-wireguard-only-150-mbps/155060/11