Tutorial Wireguard server tweaks

[jksmurf]

Wireguard MTU?

I'm using a Wireguard config from my VPN provider. I notice doing ping tests that it sets the MTU at 1420 for the WG connection. Is there any advantage to setting the MTU on the modem and/or the router WAN to 1392? RT-AX86U

www.snbforums.com

Doh … sorry I must have seen that already. Apologies.

 

[jksmurf]

Check the MTU of the wireguard connection and try to optimize that parameter.
If it fails contact your ISP to know if they throttle wireguard via DPI.

OK I ussed the commands (it's 1420) but I have no idea what comes in the ... of

ifconfig wgs1
Ifconfig wgc1
Ifconfig eth0
...

nor what to put here for ...

For changing it, use

ip link...

 

[ZebMcKayhan]

OK I ussed the commands (it's 1420) but I have no idea what comes in the ... of

ifconfig wgs1
Ifconfig wgc1
Ifconfig eth0
...

nor what to put here for ...

ip link...

Figure out whats your outgoing interface, i.e

ip route | grep default

Once you know the interface, use ifconfig on it to see mtu.

For changing mtu on your wireguard server, use

ip link set dev wgs1 mtu 1412

.
Normally your WAN interface mtu - 80 works for your link unless your isp is up to some funny business.

You can try even lower numbers, like 1340 and se if it resolves your issue.

Whatever you do it will only stick until your server is restarted so to make it stick follow post #1.

 

[jksmurf]

Figure out whats your outgoing interface, i.e

ip route | grep default

Once you know the interface, use ifconfig on it to see mtu.

For changing mtu on your wireguard server, use

ip link set dev wgs1 mtu 1412

.
Normally your WAN interface mtu - 80 works for your link unless your isp is up to some funny business.

You can try even lower numbers, like 1340 and se if it resolves your issue.

Whatever you do it will only stick until your server is restarted so to make it stick follow post #1.

So does this look correct. Seemed to be eth0.
It only gives a result issuing ifconfig wgs1; but ip link set dev wgs1 mtu 1360 changes it to that figure, is that correct?

 

[ZebMcKayhan]

So does this look correct. Seemed to be eth0.
It only gives a result issuing ifconfig wgs1; but ip link set dev wgs1 mtu 1360 changes it to that figure, is that correct?

It wont work if you use capital I as Ifconfig. It needs to be all lowercase. Try

ifconfig eth0

Edit: saw that the capital I came from my previous message, Corrected now.

 

[ZebMcKayhan]

but ip link set dev wgs1 mtu 1360 changes it to that figure, is that correct?

Yep, correct

 

[jksmurf]

Thank you! With lowercase i I get a result for wgs1 of 1360 and eth0 of 1500.
If the default is etho then the 1500-80 means I should target 1420?
Which was what it was in the beginning

 

[jksmurf]

I now tried running this set of commands on a remote computer I VPN to; ifconfigs says

1420 for wgsl, Not Found wgcl and 1500 for eth0.

However the ip route | grep default commands results in

default via XXX.XX.XX.XXX dev ppp0. Not sure what that means.
So I ran ifconfig ppp0 and it gave me 1492. So this one shoudl be set to 1412? I will try that.

k.

 

[ZebMcKayhan]

default via XXX.XX.XX.XXX dev ppp0. Not sure what that means.

It means the outgoing (wan) interface for this device is ppp0 and not eth0.

So I ran ifconfig ppp0 and it gave me 1492. So this one shoudl be set to 1412? I will try that

Yep, sound about right.

 

[ZebMcKayhan]

So I ran ifconfig ppp0 and it gave me 1492. So this one shoudl be set to 1412? I will try that.

Could you confirm that the case of default route being ppp0 (1492) sets wgs1 mtu to 1420? If so, we might have a firmware issue...

 

[DocUmibozu]

I now tried running this set of commands on a remote computer I VPN to; ifconfigs says

1420 for wgsl, Not Found wgcl and 1500 for eth0.

However the ip route | grep default commands results in

default via XXX.XX.XX.XXX dev ppp0. Not sure what that means.
So I ran ifconfig ppp0 and it gave me 1492. So this one shoudl be set to 1412? I will try that.

k.

How Is connected to internet that router? Pppoe interface?

 

[jksmurf]

Could you confirm that the case of default route being ppp0 (1492) sets wgs1 mtu to 1420? If so, we might have a firmware issue...

Sorry was super late last night on this issue, I logged in this morning and issued the 3 sets of commands (including for ppp0), output below:. That remote Router is behind a CGNAT and I got a StaticIP to be able to access it (for now at least). I have set up a RPi as a Tailscale subnet Router, wiill drop it in when I go early Aug, 9000km away. I understand Tailscale has a very low MTU of 1280.

[btw is there some program that will automatically change MAC addresses and usernames to XXX's?]

To answer your Q I am not sure if "ppp0 (1492) sets wgs1 mtu to 1420" as my knowledge of this stuff is very minimal, but using a WG VPN from a Desktop (Windows) client to access the remote Router which is running a WG Server

a. yes, it does say wgs1 MTU is 1420
b. yes, it does say default route is ppp0 which makes sense. I am running PPPoE (answering DocUmibozu's Q), see attached.

[btw should there be any settings added to the desktop or iOS conf which includes MTU parameters (I understood not as it was ignored anyway]

I checked after I set MTU 1412 (4192-80) and it was persistent after logging off.

ASUSWRT-Merlin RT-AX86U_PRO 388.2_2 Sun May  7 16:35:03 UTC 2023
XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ifconfig wgs1
wgs1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.6.0.1  P-t-P:10.6.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:488 errors:0 dropped:0 overruns:0 frame:0
          TX packets:828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82516 (80.5 KiB)  TX bytes:811936 (792.9 KiB)


XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ifconfig wgc1
ifconfig: wgc1: error fetching interface information: Device not found
XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:aaa.bb.ccc.dd  P-t-P:202.56.33.250  Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:339890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:322926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:334467099 (318.9 MiB)  TX bytes:322534281 (307.5 MiB)


XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ip route | grep default
default via aaa.bb.cc.ddd dev ppp0


XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ip link set dev ppp0 mtu 1412
XXXUSERNAMEXXX@RT-AX86U_Pro-BA48:/tmp/home/root# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:aaa.bb.ccc.dd  P-t-P:202.56.33.250  Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1412  Metric:1
          RX packets:340064 errors:0 dropped:0 overruns:0 frame:0
          TX packets:322997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:334485566 (318.9 MiB)  TX bytes:322547661 (307.6 MiB)


XXXUSERNAMEXXXRT-AX86U_Pro-BA48:/tmp/home/root#

With MTU 1412 it is still really really slow (my original reason for inquiring about whether MTU changes woudl improve it). The connection is Fibre 300/100 so it should be OK surely? I originally had 0.0.0.0/0,192.168.147.0/24 for AllowedIPs but changed that to just 192.168.147.0/24; no difference :-(,

 

[ZebMcKayhan]

With MTU 1412 it is still really really slow (my original reason for inquiring about whether MTU changes woudl improve it). The connection is Fibre 300/100 so it should be OK surely?

What speeds are you getting? How are you measuring this? When connected over vpn you will be on a high latency connection which affects certain protocols such as smb (network shares). Use something like iperf with multiple streams to assess your link speed.

I originally had 0.0.0.0/0,192.168.147.0/24 for AllowedIPs but changed that to just 192.168.147.0/24; no difference :-(,

If you remove 0.0.0.0/0 you should also add your wg server network, so: 192.168.147.0/24, 10.6.0.0/24

btw should there be any settings added to the desktop or iOS conf which includes MTU parameters (I understood not as it was ignored anyway

I'm no expert on how the low level stuff but I've read that clients should have same or lower mtu as the server. So if your ppoe device is a client you are probably fine. But if you have peers connecting to your pppoe device via wg they should be changed as well.

I checked after I set MTU 1412 (4192-80) and it was persistent after logging off.

Logging off?? Well, if you restart the wg server (switch on and off) or if you reboot the router, surely its gone, right?

 

[jksmurf]

What speeds are you getting? How are you measuring this? When connected over vpn you will be on a high latency connection which affects certain protocols such as smb (network shares). Use something like iperf with multiple streams to assess your link speed.

@ColinTaylor helped me with that (iperf) just the other day. I ran it on the remote router (it is built in) so as to send results to my ISP. Did both Send/Receive, see attached. It doesn't look too bad? Which is why I am struggling to undertsand why it feels so sluggish. All I am doing is WebAdmin on the Router.

If you remove 0.0.0.0/0 you should also add your wg server network, so: 192.168.147.0/24, 10.6.0.0/24

OK, ta I will do that. One thing that I wanted to confirm was the client settings that you export from the Router to your client, they don't actually have any bearing on the connection AT the Router right? i.e. I can (and have) actually amended the client settings (not the Server / Interface ones) in my client (only) and still get a connection (slow, but all the same, OK).

I'm no expert on how the low level stuff but I've read that clients should have same or lower mtu as the server. So if your ppoe device is a client you are probably fine. But if you have peers connecting to your pppoe device via wg they should be changed as well.

OK, you're a1000x more expert than me, so I will take you word for it.

Logging off?? Well, if you restart the wg server (switch on and off) or if you reboot the router, surely its gone, right?

Sorry I meant from WG clien tonly; NOT rebooting any routers.

Thanks Zeb for all your help here btw you have been very patient. This stuff is waaaaaay over my head, I just want to it to work like (as fast) as it does locally.

k.

 

[ZebMcKayhan]

It doesn't look too bad? Which is why I am struggling to undertsand why it feels so sluggish. All I am doing is WebAdmin on the Router.

Yep, I would expect better speeds from your connection, but both ends need to have good speeds, at both directions. Measuring speed is tricky, it could be anything disturbing the measurement. You could try adding "-P 10" to your iperf command to use more threads to better saturate your connection. When I used iperf on my vps to my nas I needed to use this to get a good speed measurement.

However, even 10Mbit/s would easaly be enough to browse the router gui and such. But the higher latency could make it feel more sluggish. What is your latency?

 

[jksmurf]

Yep, I would expect better speeds from your connection, but both ends need to have good speeds, at both directions. Measuring speed is tricky, it could be anything disturbing the measurement. You could try adding "-P 10" to your iperf command to use more threads to better saturate your connection. When I used iperf on my vps to my nas I needed to use this to get a good speed measurement.

Not sure if it just beginners luck but it feels 'slightly' better adding 10.6.0.0/24 as you recommended, to Allowed IPs. Still slow though.

However, even 10Mbit/s would easaly be enough to browse the router gui and such. But the higher latency could make it feel more sluggish. What is your latency?

Um... is this what you need?

 

[ZebMcKayhan]

One thing that I wanted to confirm was the client settings that you export from the Router to your client, they don't actually have any bearing on the connection AT the Router right? i.e. I can (and have) actually amended the client settings (not the Server / Interface ones) in my client (only) and still get a connection (slow, but all the same, OK).

Client specific setting, such as AllowedIPs (client) is only on the client side, so ok to change on the client only.

Um... is this what you need?

Wow, 200ms latency... thats alot. I get 50ms and thats over 1000km link... this may affect your experience

 

[Jeffrey Young]

Is either of the tunnel ends running any kind of anti-virus software that does packet inspection? Any kind of DPI will mess up wireguard. Some ISPs will also do DPI.

 

[jksmurf]

Client specific setting, such as AllowedIPs (client) is only on the client side, so ok to change on the client only.

Wow, 200ms latency... thats alot. I get 50ms and thats over 1000km link... this may affect your experience

Right... might be that then. Just pinged again (turned off "Respond ICMP Echo (ping) Request from WAN") and same result. Twice. Not sure how to get better results...move closer

 

[jksmurf]

Is either of the tunnel ends running any kind of anti-virus software that does packet inspection? Any kind of DPI will mess up wireguard. Some ISPs will also do DPI.

1. AV - Not that I know of. One end is just the router. The other end is my PC connected directly to my router (which just has normal MS AV and an ad-stopper (Diversion) in the Router). Both Routers have Trend Micro enabled.
2. I sent a note to my ISP earlier today on that. Will they respond truthfully .