NordVPN WG very slow

I'll try and give as much information as possible. I have a Proxmox machine set up with OpenWRT in a vm and a few lxc's set up running through the OpenWRT vm and the download rate they're getting is maximum of around 10Mbit. I've tried different VPN peers and it doesn't seem to matter. They all are getting the same speed. I used iperf to test between the OpenWRT machine and the lxc's and it was receiving 1gig without any issues. I also tested from my main machine to the OpenWRT vm and again, received around 1gig. I used htop and the cpu usage on OpenWRT doesn't even reach 30%. I could use some help here. I'm completely lost.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd53:e388:fe55::/48'

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '10.1.7.150'
	option netmask '255.255.255.0'
	option gateway '10.1.7.1'
	list dns '10.1.7.1'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wg'
	option proto 'wireguard'
	option private_key 
	list addresses '10.5.0.2'
	option mtu '1400'

config wireguard_wg
	option route_allowed_ips '1'
	option description 'nordvpn-uk2007.conf'
	option public_key 
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'uk2007.nordvpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option disabled '1'

config wireguard_wg
	option description 'ca1507.nordvpn.com'
	option public_key 
	option route_allowed_ips '1'
	option endpoint_host 'ca1507.nordvpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'



config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wgfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wgfirewall'


Probably not related to your speed problem but remove list network 'wg' and option mtu_fix '1' from the lan zone.

mtu setting of the wg interface can influence throughput.
Try with lowering mtu e.g. to 1280

1 Like

I made those changes but sadly didn't fix the issue. I don't understand what could be causing this.

I’m confused about the topology - your wan has a static ip of 192.168.1.1 and your lan is 10.1.7.150 with a gateway of 10.1.7.1.

What is happening on the wan? And is the uplink via lan?

Are the other containers pointing to 10.1.7.150 as their gateway?

And now about speed expectations:

  • what is your internet speed (what you pay for)? Up and down?
  • with wg deactivated, what speeds do you actually achieve when using an internet speed test?
  • are there speed tiers for your vpn provider? Or what speed do they advertise? Up and down.
1 Like

oh the wan doesn't actually exist. I shouldn't have it, but so scared to change anything cause I broke it earlier and definitely don't want that happening again lol. I solved my speed issue though. Turned out being because I was using smb shares through TrueNAS. I set up nfs shares and it works like a charm. Any idea why this might be?