Raspberry Pi 4 expected Wireguard Speed

I know, I heard from someone needing to use MTU of 400 to get a stable connection, that seems incredibly low but it was one-marc-fifty and he knows what he is talking about.
I always tell people if they have slow or hanging connections, difficulty with some websites (Facebook, streaming media) to lower MTU.
Starting with 1500 is a bit high, the actual max MTU if you are only using IPv4 is WAN MTU - 60, if you use IPv6 you have to subtract 80.

That -60 and 'subtract 80' is confusing me (not as confusing as MTU of 400). How are those numbers implemented?

60 is the WireGuard overhead for only IPv4 and 80 is the WireGuard overhead if you use IPv6.
IPv4 header 20 bytes or 40 bytes for IPv6, UDP 8 Bytes, WG 32 Bytes for a total overhead of 60 (IPv4) or 80 (IPv6)

You can test what MTU is OK e.g. see:
https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn

I created a different topic regarding this.

What I meant:
~25% CPU usage of all cores
Here is sar output (mpstat is same):

Linux 6.6.31+rpt-rpi-2712 (adsrpi5)     07/06/24        _aarch64_       (4 CPU)

13:45:51        CPU     %user     %nice   %system   %iowait    %steal     %idle
13:45:52        all      0.27      0.00     17.76      0.00      0.00     81.97
13:45:53        all      0.52      0.00     22.25      0.52      0.00     76.70
13:45:54        all      0.54      0.00     19.57      0.00      0.00     79.89
13:45:55        all      0.27      0.00     20.38      0.27      0.00     79.09
13:45:56        all      0.52      0.00     25.00      0.26      0.00     74.22
13:45:57        all      0.27      0.00     24.14      0.00      0.00     75.60
13:45:58        all      0.81      0.00     23.12      0.00      0.00     76.08
13:45:59        all      0.27      0.00     21.92      0.00      0.00     77.81
13:46:00        all      1.06      0.00     23.67      0.00      0.00     75.27
13:46:01        all      5.82      0.00     23.28      0.26      0.00     70.63
Average:        all      1.04      0.00     22.13      0.13      0.00     76.69

76.69 %idle is ~25% busy

EDIT: In terms of the MTU, start with 1500, and use ping no-fragment to determine a working MTU, then reconfigure WG with that MTU.

C:\> ping -f -n 1 -l 1400 8.8.8.8
C:\> ping -f -n 1 -l 1380 8.8.8.8
C:\> ping -f -n 1 -l 1392 8.8.8.8
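
The ping no-fragment search and the 60/80-byte overhead rule from the posts above, combined into one script (an added example, not code from any poster in this thread). It assumes a Linux host with iputils `ping` (`-M do` sets don't-fragment; BusyBox ping lacks it) and an IPv4 probe target, so path MTU = ICMP payload + 28 (20-byte IPv4 header + 8-byte ICMP header); the function names are hypothetical.

```shell
#!/bin/sh
# probe SIZE HOST: succeeds if one ICMP echo carrying SIZE payload bytes
# reaches HOST with the don't-fragment bit set (iputils ping assumed).
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# largest_payload HOST [LOW] [HIGH]: binary search for the largest payload
# that passes unfragmented. 1472 is the ceiling on a 1500-byte link.
largest_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472}
    probe "$lo" "$host" || return 1      # host unreachable even at LOW
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid                      # fits: search upward
        else
            hi=$(( mid - 1 ))            # too big: search downward
        fi
    done
    echo "$lo"
}

# wg_mtu PAYLOAD FAMILY: turn the measured payload into a WireGuard MTU.
# FAMILY is 4 or 6; overheads are the 60/80 bytes quoted in the thread
# (IP header 20 or 40 + UDP 8 + WireGuard 32).
wg_mtu() {
    path_mtu=$(( $1 + 28 ))              # add IPv4 + ICMP headers back
    case $2 in
        4) echo $(( path_mtu - 60 )) ;;
        6) echo $(( path_mtu - 80 )) ;;
        *) return 1 ;;
    esac
}

# Usage on a live link: wg_mtu "$(largest_payload 8.8.8.8)" 4
```

Set the resulting value as the WireGuard interface MTU and restart the interface.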

I get why this is easily misunderstood, but Linux reports total cpu usage and the user is supposed to know the # of cores.

But don't take my word for it:

Thank you but I've done that on every router and my present router has an MTU (before it starts to fragment) of 1472, add 28 and it is squarely on 1500.

Load Average != CPU Usage.
Load Average calculations vary between Linux, FreeBSD, Solaris, AIX and different Linux kernel versions.
I prefer CPU usage as reported in vmstat/mpstat/sar/iostat (from sysstat package).
See https://www.brendangregg.com/blog/2017-08-08/linux-load-averages.html

With CPU load averages, one could divide the value by the CPU count, then say that if that ratio is over 1.0 you are running at saturation, which may cause performance problems.

Is that not what I said?

I did not know you were displaying the numbers that way.

Alright everyone. Today I tried again. I remoted into a MBP in NJ and ran a bandwidth test and got the advertised speed. Did it twice. I did not reset the router. The MBP is on the wifi network.

Less than a minute later, I connected to the WireGuard server and used the same website (verizon.com/speedtest) to test the bandwidth. This was being done on my S24 phone (in Toronto) and on that website it gave me the advertised speed. On nerp.com or fast.com it gave me anywhere from 70-80 down and 24-30 up. So huge difference. What I did notice is that on nperf and fast.com, the upload part of the test hangs for a few seconds prior to starting.

So where to go from here? Do you think the ISP is throttling down the speed for websites that test bandwidth except their own website? But why would it only happen on the upload part of the test?

Edit: just ran the test on the verizon.com/speedtest again from the S24 in Toronto with WG on, but now the upload speed was 24 Mbps. THIS IS DRIVING ME CRAZY

What exactly is the issue? Are there any real world problems or just speed test sites not giving you the results you think they should?

Due to the slow upload speed, sometimes when watching a video on a streaming device the video will buffer. So it's a real world issue I guess.

Have you run iperf between the 2 wireguard devices yet?

I have been playing around with the MTU size of the WireGuard interface (always making sure to restart the WireGuard interface after saving the changes). Currently I am at 1300. That fixed the hang-up that would happen when the bandwidth test would change over from the download part to the upload part of the test.

I also came across this thread. Anyone know if that would help?

The DL/UL in NJ is back to the advertised speed FWIW.

Regarding this option, wouldn't there still be a need to port forward from the ISP router in NJ to the Pi4 router? Asking because I understand your instructions better now and have been reading about it. However, these video instructions imply that port forwarding would still be necessary. Is it wrong?

Port forwarding would not be necessary. It is like connecting to a commercial VPN service or a VPN for work. From the perspective of the NJ location, it is an outbound connection (just like visiting a website). Only inbound connections require port forwards.

Got it. This is just for my understanding, when you say "Only inbound connections require port forwards," if I start a connection from the Toronto location wouldn't that be considered an inbound connection to the NJ site?

Also, you mentioned creating a new WG interface in the NJ router but would the current WG interface stay in place or should it be removed?

Yes. But in the case I was talking about, the NJ site would initiate the connection back to your Toronto location.

They can both exist simultaneously. No need to remove anything.

So if the site to site is up and running and something were to happen to the ISP router, let's say reset to factory, would I still be connected to the NJ Pi4 to configure the ISP router? Or would that answer be no since I would be starting the connection in Toronto?

The NJ site should auto start and initiate the connection back to Toronto. This means that you should always have access as long as the NJ site is online. It is possible that for certain situations, the WG interface will need to be manually restarted - you could use a package called watchcat for that, or just tell someone in the NJ location to yank the power from the Pi for a moment and plug it back in.

Honestly, I appreciate all that you explained and the time you have taken @psherman. I have learned A LOT over the past week.