Wireguard Speed - Capping out at 20mb with Mangle rule and MTU of 1420

This is a build on a previous post: http://forum.mikrotik.com/t/wireguard-and-i-think-dns/175000/14

I have a working Wireguard VPN between France and London.
Both ends have connection speeds of 500 Mb/s, but the max speedtest I get over the VPN is approx. 25 Mb/s. This is causing problems with video conferences etc.

  • London RB4011 - max CPU load on speedtest is 10%
  • France HAP ax2 - max CPU load on speedtest is 13%
  • France end initiates VPN
  • Internet connections have an MTU of 1500 on both ends
  • Wireguard MTU is 1420 on both ends
  • I pinged between the two end points with no defrag and got a max MTU of 1392
  • Mangle rule, on France end only, is:


chain=forward action=change-mss new-mss=1380 passthrough=yes tcp-flags=syn protocol=tcp out-interface=Wireguard tcp-mss=1381-65535 log=no log-prefix=""

Could someone help me understand what influences VPN speed and whether there is something obvious I should be looking at. Or is it just tough - that is the kind of speed I should expect!!

Thanks in advance

Howdey57

Up/down on both ends 500Mb ?
So you have 500/500 in Paris and 500/500 in London ?
And no slow downs in between ?
Make sure what it is because the slowest part will determine the pace for all the rest…

The only way to know for sure which speed you get, is to do a direct test between both ends (with routers in between test devices, NOT testing ON the routers) and no VPN in between.
And that’s a tricky thing to test …

I have 1Gb/50Mb at home, consequently the fastest I get via WG-tunnel is 20-something when connecting to a site with 100/100 (I’m sure there are some other traffic jams in between).

Without seeing both configs not much more can be stated…

/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc..)

The two options for clamp rules as you have indicated are valid on the client peer for handshake…(France).

add action=change-mss chain=forward new-mss=1380 out-interface=wireguard protocol=tcp tcp-flags=syn tcp-mss=1381-65535
and
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard passthrough=yes protocol=tcp tcp-flags=syn

I did a router to router speedtest (from France) without the VPN in place and got 250 Mb/s down and 25 Mb/s up. Neither router topped out on CPU - max 14%.

The mangle rules didn’t make a difference.

I'm wondering whether the 25 Mb/s up speed is the limiting factor that makes the VPN up/down both about 23 Mb/s??

Very likely, as the VPN adds some overhead - in a very simplified way, it adds another IP and UDP header to the original ("payload") packet, plus some tunnel ID, plus some authentication field to prevent replay attacks. So the same amount of the original data has to be chopped into more packets.

But for test between the two endpoints, the limitation should take place only in the corresponding direction, is that the case?
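As an added worked example (not part of the original thread or of anyone's posted config), the numbers quoted above - outer MTU 1500, WireGuard MTU 1420, a largest do-not-fragment ping payload of 1392 and an MSS clamp of 1380 - all follow from the WireGuard transport-message layout, and the same arithmetic gives a rough upper bound on how much of a 25 Mb/s upstream survives as TCP payload inside the tunnel. The header sizes are the protocol's; the assumptions are IPv4 inside the tunnel, one full-size TCP segment per outer packet, and the 25 Mb/s figure used only as an illustrative input.

```python
"""Added worked example: relate WireGuard overhead, tunnel MTU, ping-with-DF
payload, TCP MSS clamping and approximate goodput, using the thread's numbers.
Assumes IPv4 inside the tunnel; the rate figures are illustrative only."""

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
ICMP_HDR = 8
TCP_HDR = 20
# WireGuard transport data message header:
# type(1) + reserved(3) + receiver index(4) + counter(8) = 16 bytes
WG_DATA_HDR = 16
# ChaCha20-Poly1305 authentication tag appended to the encrypted inner packet
WG_AUTH_TAG = 16

# Per-packet overhead of the tunnel on an IPv4 or IPv6 outer path
WG_OVERHEAD_V4 = IPV4_HDR + UDP_HDR + WG_DATA_HDR + WG_AUTH_TAG  # 60
WG_OVERHEAD_V6 = IPV6_HDR + UDP_HDR + WG_DATA_HDR + WG_AUTH_TAG  # 80


def wireguard_mtu(outer_mtu: int, ipv6_outer: bool = False) -> int:
    """Largest inner packet that fits in one outer packet without fragmenting.
    WireGuard pads plaintext to a multiple of 16 but never beyond the interface
    MTU, so a full-size inner packet is not padded and the subtraction is exact.
    The well-known default of 1420 is the IPv6-outer case for a 1500-byte link."""
    overhead = WG_OVERHEAD_V6 if ipv6_outer else WG_OVERHEAD_V4
    return outer_mtu - overhead


def max_df_ping_payload(path_mtu: int) -> int:
    """ICMP echo data size that still passes a do-not-fragment ping over IPv4.
    For a 1420-byte tunnel MTU this is 1392, the value found in the thread."""
    return path_mtu - IPV4_HDR - ICMP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP MSS that matches an IPv4 path MTU (MTU minus IP and TCP headers).
    For 1420 this is 1380, the thread's new-mss value."""
    return mtu - IPV4_HDR - TCP_HDR


def clamp_mss(advertised_mss: int, tunnel_mtu: int) -> int:
    """Model of a change-mss rule matching tcp-mss=<target+1>-65535:
    a SYN advertising more than the tunnel can carry is rewritten down to
    the tunnel MSS; a smaller advertised MSS is left untouched."""
    target = tcp_mss_for_mtu(tunnel_mtu)
    return min(advertised_mss, target)


def tunnel_goodput(link_rate_mbps: float, outer_mtu: int,
                   ipv6_outer: bool = False) -> float:
    """Rough upper bound on TCP payload rate through the tunnel on a link
    whose rate is measured at the outer IP layer. Each full-size outer packet
    of outer_mtu bytes carries one inner TCP segment of mss payload bytes;
    ACKs, retransmissions and other traffic are ignored, so real results
    will be lower."""
    inner_mtu = wireguard_mtu(outer_mtu, ipv6_outer)
    mss = tcp_mss_for_mtu(inner_mtu)
    return link_rate_mbps * mss / outer_mtu


if __name__ == "__main__":
    print("WireGuard MTU on 1500 (IPv4 outer):", wireguard_mtu(1500))
    print("WireGuard MTU on 1500 (IPv6 outer):", wireguard_mtu(1500, True))
    print("Max DF ping payload through 1420:", max_df_ping_payload(1420))
    print("TCP MSS for 1420:", tcp_mss_for_mtu(1420))
    print("SYN with MSS 1460 clamped to:", clamp_mss(1460, 1420))
    # Illustrative input: a 25 Mb/s upstream, as measured without the VPN
    print("Approx. TCP goodput on 25 Mb/s uplink: %.1f Mb/s"
          % tunnel_goodput(25, 1500, ipv6_outer=True))
```

The last line is the interesting one: with a 1380-byte MSS in a 1500-byte outer packet, about 92% of the raw link rate is left for TCP payload, so 25 Mb/s of upstream comes out at roughly 23 Mb/s before any other loss, which is in line with the figure reported above. Because a speedtest's upload from one end is the download at the other, a 25 Mb/s uplink on either side caps both directions of a two-way test at about that value.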

That’s what I already indicated.
The slowest link determines the speed for the whole chain.

And you need to test from/to both ways.