Wireguard tunnel to OpenVPN tunnel performance issue

General questions
,
1

Hi,

I’ve a main router using VyOS. This router is a Wireguard server (wg01) and is also connected to an OpenVPN server as a client (vtun1). I can’t change anything on OpenVPN server (external resource).
When I scp on router to a computer on vtun1 network, transfer speed is good (as expected). However, if I run the same scp command on a client connected to Wireguard server, speed is more than ten times lower.
I guess (but I’m not sure), the issue is related to MTU vtun1 has a MTU of 1500 and wg01 has a MTU of 1420. Maybe I need to enable TCP-MSS Clamping on router ?

Thanks

2

Please enable MSS clamping. See Firewall — VyOS 1.4.x (sagitta) documentation

3

Thank you for your answer. However, enabling MSS clamping, on both client (it’s another VyOS router) and server, didn’t fix transfer speed.

set firewall options interface wg01 adjust-mss '1372'

Client (VyOS Router) wg01 (MTU 1420) <----------> wg01 (MTU 1420) Main Router (VyOS) vtun1 (MTU 1500) <-------------> […]

4

Can you use iperf3 on both sides to test? If it would be the MTU, you would lose all connections greater than 1420 bytes of payload. Have you checked that the responses for the requests sent on wg01 also come back on wg01? You can see the plaintext traffic via tcpdump if necessary too. (e.g. tcpdump --e -i wg01 host x.x.x.x).
So, try to record that traffic and we go from there.

5

Indeed, with iperf3, speed is good if length is default or length = 2000. (-l 2000)

So I recorded traffic with tcpdump in two cases:

  • Main router copying file from remote (vtun1 subnet) to local (using only OpenVPN)

Main router dump: https://pastebin.com/nvcqkyZK (dumping on vtun1)

In that case speed is about 800Kbyte/s

  • Client copying file from remote (vtun1 subnet) to local (and so using WireGuard + OpenVPN)

Main router dump: https://pastebin.com/fK9NnmgC (dumping on wg01)

In that case speed is about 30Kbyte/s

I’m not a tcpdump expert but I think traffic come back on wg01 as I can see packets going in both directions.

6

For second case, here is also tcpdump for client on same run:

Client dump: https://pastebin.com/bMjmTF5D (dumping on wg01)

7

Can you please record it into a file, just use -s 80 or so limit the size. Your posted information doesn’t contain the mac address (-e), which can show sometimes if you have a routing issue.