wireguard slow

cneg1485 · May 16, 2025, 12:53am

I have an RB952 with default configuration. I am connecting the router to a wireguard server I have set up on a VPS. I have created a wireguard interface and wireguard peer. The router does the handshake with the server

Clients connected to the router are going to the internet through the wireguard interface and when i verify whatsmyip i get the server's ip. But the connection is extremely slow. I am able to connect to the Wireguard server from my phone on cellular network with fast connection.
what could be wrong on the configuration or what would i need to change?

\

2025-05-15 19:34:54 by RouterOS 7.18.2

software id = U13N-3S1V

model = RB952Ui-5ac2nD

serial number =

/interface bridge
add admin-mac=CC:2D:E0:F3:08:61 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=
MikroTik-F30866 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=
ap-bridge ssid=MikroTik-F30866 wireless-protocol=802.11
/interface wireguard
add comment=Ionos listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=wireguard
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=66.179.XXX.XXX
endpoint-port=51820 interface=wg0 name=Ionos persistent-keepalive=25s
preshared-key="KEY" public-key=KEY="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.8.0.7/24 comment="Ionos VPN" interface=wg0 network=10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg0 routing-table=wireguard
suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wireguard
/system clock
set time-zone-name=America/Puerto_Rico
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

CGGXANNX · May 16, 2025, 4:41am

The hAP ac lite has only a single core weak CPU, so don’t expect more than a few tens Mbps WG performance.

That being said, maybe you can try adding some mangle to adjust the MSS to accommodate the reduced MTU:

/ip firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1380 \
    out-interface=wg0 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
    
/ipv6 firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1360 \
    out-interface=wg0 protocol=tcp tcp-flags=syn tcp-mss=1361-65535

And you should put wg0 into the interface list WAN, that way you won’t need the separate masquerade rule anymore.

cneg1485 · May 16, 2025, 5:01pm

The hAP ac lite has only a single core weak CPU, so don’t expect more than a few tens Mbps WG performance.

That being said, maybe you can try adding some mangle to adjust the MSS to accommodate the reduced MTU:
/ip firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1380 \
    out-interface=wg0 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
    
/ipv6 firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1360 \
    out-interface=wg0 protocol=tcp tcp-flags=syn tcp-mss=1361-65535
And you should put wg0 into the interface list WAN, that way you won’t need the separate masquerade rule anymore.

So if i use a computer, will it make difference seeing as it has more cpu and ram power?

CGGXANNX · May 17, 2025, 1:23am

In your current config, the router (with its single core 650MHz CPU) is one of the WireGuard peers, which means it has to perform all the encryption & decryption work for WG tunneled traffic passing through it and will be the bottleneck. Your powerful PC in the LAN doesn’t matter. Even if the 2nd peer at the other side is also a powerful device, it doesn’t matter.

If you want improved WG performance, your router should no longer be a WG peer and should only act as router for encrypted traffic. You then run the WG client on your more powerful PC and the PC acts as a WG peer and does the encryption/decryption. Of course, the downside is that your PC have to be powered on.

But even in that case, you’ll be limited by the 100Mbps fast ethernet ports of the hAP ac lite.