Slow Kernel-based WireGuard Performance

Started by branin, August 02, 2021, 10:56:24 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 02, 2021, 10:56:24 AM
I have 2 OPNsense servers running a WireGuard site-to-site tunnel across a 1Gbps connection.  I've installed wireguard-kmod and previously was able to see approximately 850Mbps or so of iPerf across the connection.   However, I've installed updates over the last couple of weeks and now only see approximately 400Mbps via an iPerf test.  I saw the slowdown with both 21.1 and 21.7.

I'm not sure why wireguard-kmod has become much slower, but I'd like to try reverting the wireguard-kmod package to a previous version.  I'm having trouble figuring out how to do this though.

Any recommendations?

Thank you.
August 04, 2021, 03:25:27 AM #1
Any thoughts on how to revert to an earlier version of wireguard-kmod?

Thanks!
August 04, 2021, 07:01:41 AM #2
Which was last known working version?

opnsense-revert -r 21.1.x wireguard-kmod
August 04, 2021, 09:36:01 AM #3
opnsense-revert does not work over major version boundaries ;)


Cheers,
Franco
August 04, 2021, 09:40:22 AM #4
Unfortunately, I tried opnsense-revert even when I was still on 21.1 (before upgrading to 21.7) and it didn't work (fetching wireguard-kmod.txz failed).  The current version is 0.0.20210606_1, but the previous version was just 0.0.20210606 and it worked correctly, I believe.
August 04, 2021, 09:50:38 AM #5
If it's just a difference between "_1" no relevant WireGuard code was actually changed:

https://github.com/opnsense/ports/commit/415a97e9268ca8


Cheers,
Franco
August 04, 2021, 11:31:56 AM #6
You're right, of course.  Looking more into it, I built the system in the beginning of May, so 0.0.20210424 (or something similar) is probably the one that worked fast for me.  Any way of installing that version now?

Alternatively, any other ideas why Wireguard (in kernel mode) may have slowed down around Opnsense 21.1.8 or so?

Thanks!

Branin
August 04, 2021, 12:31:32 PM #7
Well there is:

wireguard-go-0.0.20210424,1.txz (your version indication but possibly not what you seek)
wireguard-kmod-0.0.20210503.txz (older kmod version indeed)

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/MINT/21.1.6/OpenSSL/All/wireguard-kmod-0.0.20210503.txz

You can try to hop through the MINT/21.1.x directories to find older versions. opnsense-revert does the same thing but not across major versions for safety as mentioned earlier.


Cheers,
Franco
August 06, 2021, 06:10:17 AM #8
Thank you for this!  I was able to go back a few generations and try older versions of wireguard-kmod.  Unfortunately, my speed remained slow throughout, so I assume the issue isn't due to wireguard-kmod but some other OPNsense change.

I'll plan on purchasing a support plan, if you think it will be helpful to diagnose this.

Thanks!

Branin
August 06, 2021, 09:25:00 AM #9
Hi Branin,

Sure, we could take a closer look. Though at this point it's a bit unclear what we will find and how long it takes. This could be anything from code changes to configuration changes to unrelated networking/infrastructure changes.


Cheers,
Franco
Print
Go Up Pages1
User actions