WireGuard slowdown after minutes

Device: RB5009
FW: ROS 7.15.1
Issue: WireGuard slowdown after minutes

I have a strange issue for a few months (I think) with WireGuard on the RB5009.

After connecting (or after rebooting the device), with WireGuard (Proton or some other vendors) the download speed is 75% and the upload 50%; after a couple of minutes the download speed is 7 Mbit/s and the upload does not go at all (tested with Google's speed test and Ookla). Internet pages will not load any more.
This was always good and fast.

  • I tested it from various (more than 5) endpoints and ISPs

L2TP is stable, and so is the internet connection via the RB5009 when I test it without WireGuard.
Tested via WiFi and directly (cable).

What I tried, among other things, is downgrading to 7.14 and a factory reset. But every time I put my config back.


Through a mangle rule I give a routing mark to traffic in VLAN15. The routing mark was created via Routing Tables.
Via IP Routes I link the gateway (WG-VPN) to the routing table (routing mark).
CPU load 3%
Mem Free 984MB

I hope someone has an idea or a tip on how I can debug it.


My setup

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-VPN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=169.xxx.xxx.xx endpoint-port=\
    51820 interface=WG-VPN name=\
    WG-VPN persistent-keepalive=25s public-key=\
    "xxxxxxxxx="

/interface bridge 
add fast-forward=no name=bridge_VLAN15_WG-VPN  port-cost-mode=short

/ip route
add  disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=WG-VPN pref-src="" routing-table=\
    vlan15_wg-vpn scope=30 suppress-hw-offload=no target-scope=10

/routing table
add disabled=no fib name=vlan15_wg-vpn

/interface vlan
add interface=ether5 name=VLAN15_WG-VPN_port5 vlan-id=15

/interface bridge port
add bridge=bridge_VLAN15_WG-VPN interface=VLAN15_WG-VPN_port5 \
    internal-path-cost=10 path-cost=10

/ip address
add address=10.10.15.1/24 interface=bridge_VLAN15_WG-VPN network=\
    10.10.15.0

/ip dhcp-server
add address-pool="VLAN15(10.10.15.0)" interface=bridge_VLAN15_WG-VPN name=\
    dhcp_vlan15_10.10.15

/ip pool
add name="VLAN15(10.10.15.0)" ranges=10.10.15.2-10.10.15.5

/ip firewall filter
add action=drop chain=forward comment="" \
    dst-address=!10.10.15.0/24 in-interface=bridge_VLAN15_WG-VPN log=yes \
    log-prefix="" src-address=10.10.15.0/24

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" dst-address=\
    !10.10.0.0/16 in-interface=bridge_VLAN15_WG-VPN new-routing-mark=\
    vlan15_wg-vpn passthrough=no src-address=10.10.15.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WG-VPN  src-address=10.10.15.0/24


Hi,

You don't seem to have an IP address on the WireGuard interface, but then you are using masquerade on that interface??

The first /ip firewall rule (I assume it is filter) seems a bit doubtful.

Hi,

I may be misunderstanding your question, but you cannot set an IP address on the WireGuard interface, only on the interface of the WireGuard peers.
Or do you mean this one? I had also added this, but I don't see why it is necessary there.

/ip address
add address=10.2.0.2/30 interface=WG-VPN network=10.2.0.0

The IP filter is extra security for when the VPN interface stops (or is not properly configured).

Added at 12:35 (UTC)
I just generated a whole new VPN config at Proton. For the first 5 to 10 minutes the download is 100 Mbit/s. Then the speed decreases fast; only ping still gets responses.


Debug log

Jun/28/2024 11:54:20 WG_VPN-test: Sending keepalive packet to peer (185.xxx.xxx.xxx:51820)
Jun/28/2024 11:56:20 WG_VPN-test: Sending handshake initiation to peer (185.xxx.xxx.xxx:51820)
Jun/28/2024 11:56:20 WG_VPN-test: Receiving handshake response from peer (185.xxx.xxx.xxx:51820)
Jun/28/2024 11:56:20 WG_VPN-test: Sending keepalive packet to peer (185.xxx.xxx.xxx:51820)
Jun/28/2024 11:58:20 WG_VPN-test: Sending handshake initiation to peer (185.xxx.xxx.xxx:51820)

Your wireguard/vpn/bridge setup is a BLOATED mess.
Post the entire config; if that's bad, the rest is likely butt ugly and needs a crack cleaning.

Okay, thanks for the feedback. Can I see an example of how WireGuard should be configured in RouterOS?

I have different VLANs with trunks to other routers. Everything seems to work well (?).
I have WireGuard VPNs from ProtonVPN and from provider-B; I also have L2TP VPN connections.

I thought that if you have a working VLAN (including IP/DHCP) you could send this traffic via a route to the VPN interface.
This works at any time for the L2TP and for the WireGuard from provider-B. But with ProtonVPN, the speed collapses completely after a few minutes.

I may have got this wrong. Should I not give traffic from the VLAN a routing mark and send that traffic with a route to the WireGuard interface?

What is the correct method to send traffic from a VLAN to a VPN connection (without a trunk)?
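The pattern the poster describes (mark in mangle, separate routing table, default route via the tunnel, masquerade on the tunnel, a drop rule as kill-switch) is a standard RouterOS 7 policy-routing setup. The block below is an added example by the editor, not configuration from any participant in this thread or from ProtonVPN; it reuses the thread's names (WG-VPN, bridge_VLAN15_WG-VPN, 10.10.15.0/24, the table vlan15_wg-vpn) and assumes the WireGuard interface and its peer already exist and that 10.2.0.2/30 is the address the provider's WireGuard .conf hands out. The MSS clamp at the end is an assumption added as a diagnostic, not a cause the thread has established.

```routeros
# Added example (editor's, not from the thread): steer one VLAN into a WireGuard
# tunnel on RouterOS 7 with a kill-switch. Assumed names/addresses are taken
# from the thread; the provider-side details are placeholders.

# 1. The tunnel needs its own address. RouterOS has no "peer address" field:
#    the Address line from the provider's WireGuard .conf goes on the interface,
#    and masquerade on WG-VPN has nothing to translate to without it.
/ip address
add address=10.2.0.2/30 interface=WG-VPN comment="Address from provider .conf (assumed)"

# 2. A separate routing table with a default route through the tunnel.
#    Keep this route enabled: marked traffic that finds no route in its table
#    falls back to the main table and leaves via the WAN.
/routing table
add name=vlan15_wg-vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=WG-VPN routing-table=vlan15_wg-vpn distance=1

# 3. Mark VLAN15 traffic that is not destined for local 10.10.0.0/16 networks.
#    prerouting so that connections initiated by the clients carry the mark.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vlan15_wg-vpn \
    in-interface=bridge_VLAN15_WG-VPN src-address=10.10.15.0/24 \
    dst-address=!10.10.0.0/16 passthrough=no

# 4. Source NAT only on the tunnel; the provider routes only its own tunnel range.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WG-VPN src-address=10.10.15.0/24

# 5. Kill-switch: drop VLAN15 traffic that would leave through anything but the
#    tunnel. Matching on out-interface is what makes this a kill-switch instead
#    of a rule that also blocks the tunnel path. Place it above any general
#    forward accept rule.
/ip firewall filter
add chain=forward action=drop in-interface=bridge_VLAN15_WG-VPN \
    out-interface=!WG-VPN dst-address=!10.10.0.0/16 \
    log=yes log-prefix="vlan15-leak"

# 6. Optional diagnostic (assumption, not a confirmed cause in the thread):
#    clamp TCP MSS on the tunnel so oversized segments do not get black-holed
#    behind the 1420-byte interface MTU.
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu \
    out-interface=WG-VPN protocol=tcp tcp-flags=syn
```

Two checks worth running once the slowdown appears: `/interface wireguard peers print` shows `last-handshake`, `rx` and `tx` per peer; if `tx` keeps growing while `rx` stops, the return path through the provider is what is broken, not the local routing. And `/ping 1.1.1.1 routing-table=vlan15_wg-vpn do-not-fragment size=1400` (sweep the size down until replies come back) separates a path-MTU problem from a dead tunnel. Note that the debug log above shows a keepalive followed by a new handshake initiation every two minutes; that is WireGuard's normal rekey interval (REKEY_AFTER_TIME is 120 s), so those lines by themselves do not indicate a fault. What matters is whether each initiation still gets a "Receiving handshake response" line and whether data counters move afterwards.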

There is no one slice fits all pies… or something like that.
In a complex config three things are needed to sort out the issues, and they fall under CONTEXT.

a. network diagram with sufficient detail
b. set of requirements: identify all users and identify the traffic they need to execute, without talk of the equipment or config; USE CASES
c. provide export of config.

With a. and b. there is a story, and then c. shows if you understood the story to apply the right configuration and where you went wrong.

Add to the story
- by describing the WAN side of the house: private/public, static, dynamic, how many, failover or load balance, etc.

Add to the story

  • If there are external players such as a foreign object (FOD) like Proton or another vendor, then additional information is required.
    In this case the PROTON WireGuard settings (just hide any public IP info).

Add to the story

  • Answer all the what-if questions… What happens if PROTON is not working for any reason, do the users get access to the local WAN???