Wireguard performance regressions on 25.1?

Started by gac, February 02, 2025, 12:04:55 AM

Has anyone noticed any issues with Wireguard performing badly since the 25.1 upgrade? I've done minimal troubleshooting with this so far besides some basic tinkering but I've noticed that even basic TCP/HTTPS connections with Wireguard are taking impossibly long times and more often than not failing.

My basic setup is that I generally have two NordVPN tunnels to different locations - one uses Wireguard, one uses OpenVPN (because otherwise the remote gateway IPs conflict; Wireguard and OpenVPN appear to use different overlay networks so I've had success with combining the protocols). The two gateways are in a gateway group with Wireguard as Tier 1, OpenVPN as Tier 2. Tonight, I noticed that I was having issues loading websites in a browser so I pared everything back a little to the most basic site I could think of (https://ipv4.icanhazip.com). If I do this from a Linux container on my LAN which matches a firewall rule forcing traffic through this gateway group then the connection runs for three minutes without success:

root@5087ef50935a:/# time curl https://ipv4.icanhazip.com
^C

real    2m52.575s
user    0m0.009s
sys     0m0.010s

If I invert the priorities on the gateway group, then this works almost immediately:

root@5087ef50935a:/# time curl https://ipv4.icanhazip.com
87.120.102.196

real    0m0.229s
user    0m0.019s
sys     0m0.015s

In order to isolate NordVPN issues specifically, I set up another Wireguard connection to ProtonVPN:

root@5087ef50935a:/# time curl https://ipv4.icanhazip.com
^C

real    2m0.533s
user    0m0.005s
sys     0m0.016s

So in summary:

Wireguard/NordVPN: times out, has to be cancelled after a couple of minutes
Wireguard/ProtonVPN: times out, has to be cancelled after a couple of minutes
OpenVPN/NordVPN: works immediately

The gateway checks on both of the Wireguard VPNs are reporting that the gateways are up, so ICMP traffic appears not to be affected (NordVPN is showing a low level of packet loss but only 1%, which I wouldn't expect would cause this).

I find it hard to believe that two separate VPN providers would somehow blocklist a very safe site like this, while NordVPN still allows it via OpenVPN, which makes me think that maybe there's a performance regression in Wireguard somewhere since that's "the common factor" with the failures.

I intend to troubleshoot more tomorrow, all I've seen so far is that tcpdump'ing the Wireguard interface shows SYN packets leaving, but no SYN/ACK coming back (which would normally suggest a provider issue, but this is on two different providers), and I saw a GitHub issue about WAN MTUs being wrong so I applied the recommended patch and that didn't help. But if anyone else can confirm either that they're seeing similar issues, or that they're still using Wireguard successfully then I'd love that.
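The tcpdump observation above (SYNs leaving the Wireguard interface, no SYN/ACK returning) can be checked mechanically over a saved text capture. The following is an added example, not code from the thread: it parses tcpdump-style lines, pairs each outbound SYN with a matching SYN/ACK in the reverse direction, and reports destinations whose handshakes never completed. The capture lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the flow and flags fields of a "tcpdump -n" line for IPv4 TCP, e.g.
# "00:00:01.000 IP 10.5.0.2.51234 > 203.0.113.10.443: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def unanswered_syns(lines):
    """Return {"dst_ip:port": SYN count} for flows whose outbound SYN never
    received a matching SYN/ACK (tcpdump prints that as flags "S.")."""
    syns = defaultdict(int)   # (src, sport, dst, dport) -> SYNs seen (incl. retransmits)
    answered = set()          # flows for which a SYN/ACK came back
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if flags == "S":
            syns[flow] += 1
        elif flags == "S.":
            # Reply direction: reverse the tuple so it lines up with the original SYN.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    report = defaultdict(int)
    for flow, count in syns.items():
        if flow not in answered:
            report[f"{flow[2]}:{flow[3]}"] += count
    return dict(report)

# Constructed sample capture (not a real tcpdump): an initial SYN plus two
# retransmits to 203.0.113.10:443 with no reply, and one completed handshake
# to 198.51.100.53:53.
SAMPLE = """\
00:00:01.000000 IP 10.5.0.2.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
00:00:02.000000 IP 10.5.0.2.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
00:00:04.000000 IP 10.5.0.2.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
00:00:04.100000 IP 10.5.0.2.40000 > 198.51.100.53.53: Flags [S], seq 7, win 64240, length 0
00:00:04.120000 IP 198.51.100.53.53 > 10.5.0.2.40000: Flags [S.], seq 9, ack 8, win 65535, length 0
00:00:04.121000 IP 10.5.0.2.40000 > 198.51.100.53.53: Flags [.], ack 10, win 502, length 0
""".splitlines()

if __name__ == "__main__":
    for dst, count in unanswered_syns(SAMPLE).items():
        print(f"{dst}: {count} SYN(s) sent, no SYN/ACK")  # 203.0.113.10:443: 3 SYN(s) ...
```

Repeated SYNs to the same destination with no answer, while other destinations complete, point at a path or peering problem for that destination rather than at the tunnel as a whole.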

Wireguard running as expected on our 25.1 deployment (just private Wireguard servers).

May I suggest checking the firewall configuration on the Wireguard interface?

Hope this helps

Wireguard running fine, I get near line speed at 800 GBit/s via iperf3, just with one thread.

And NordVPN runs at 1 GBit/s, so whatever the problem is, seems not to be Wireguard.

I have found that either peering or some kind of blocking at target sites sometimes bites me with Wireguard. Try changing the outlet server.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Quote from: FraLem on February 02, 2025, 10:03:08 AM
Wireguard running as expected on our 25.1 deployment (just private Wireguard servers).

May I suggest checking the firewall configuration on the Wireguard interface?

Hope this helps

I don't have any firewall config on that interface really - there are no rules (I don't want to accept any incoming traffic even if the provider theoretically allows it, which I don't think Nord do anyway), the interface is enabled but with very little config (the local IP is set in my Wireguard config and the gateway set via System/Gateways). But I removed everything and double-checked everything anyway.

Quote from: meyergru on February 02, 2025, 10:32:26 AM
Wireguard running fine, I get near line speed at 800 GBit/s via iperf3, just with one thread.

And NordVPN runs at 1 GBit/s, so whatever the problem is, seems not to be Wireguard.

I have found that either peering or some kind of blocking at target sites sometimes bites me with Wireguard. Try changing the outlet server.
This appears to have "solved" the issue. I picked a random server in Albania (which is their first country alphabetically, no other reason) and the performance came right back up to where it should be (around 0.4 seconds for the same HTTPS test I did above). So yeah, in this case it looks like maybe some Cloudflare oddities that affected both NordVPN and ProtonVPN on their EU exit nodes.

At some point I might come back and troubleshoot it further, but it looks like it's working fine for now and it was just coincidence that I noticed this right after upgrading OPNsense to 25.1.