I have 2x Flint 2 routers, one per location, and both are on Verizon FiOS 1 Gig symmetric connections. The locations are 5 miles apart in the same state. All I’m trying to do is establish a site to site VPN connection with WireGuard between them. And I have already done that. The problem is the performance between the two sites via WireGuard is terrible. Meaning 25-50MBps, using iPerf3. Same speeds in both directions.
Standard internet speed tests put both locations at about 660MBps down and 880MBps up.
I have adjusted MTUs on both sides of the tunnel to all values I’ve seen online with no notable changes in upload/download within the tunnel.
For reference with the same ISP circuits and using 2x ER-4 Edgerouters, I can achieve 300-350MBps without a problem, but that’s because the ER-4s don’t have the CPU capability that the Flint 2s do.
Flint 2 routers are on 23.05.4 Stable (no Gl.Inet firmware in place). I’ve tried all variations of firmware (the Gl.Inet stable and their op24 version) with no performance change.
At this point I’m looking for any ideas on what can be done next, or if anyone has had a similar issue with these routers.
So I did more testing with MTU values. Started with the lowest OpenWRT would let me use, 576. On the iperf -R (reverse mode) we get to 137MBps. With the iperf -s (non-reverse test) we get to 72.5MBps.
I test from Site B to Site A using iperf3 -c server name, then iperf3 -c server name -R. The iperf server is in Site A.
Also tried some wild values in the 9000 range and got good upload from Site A. Was also decent near MTU 1050
@egc you mention a MTU Fix, what is that and how to adjust that?
For reference I am changing the MTU on the Network - Interfaces - Devices tab, then change the MTU for the device Wireguard. Then I do it on both routers, then restart the interface.
@brada4 I did implement your nft rule on both devices, don't know if it made any real difference.
I used a MTU of 576 at site A (with the iperf server) and a MTU of 9000 at Site B and that yields 140MBps from B to A, and about the same the other way. No idea how this makes any sense.
You do not need to set the LAN side MTU; check via `nft list ruleset` that the postrouting MTU fixup includes the WireGuard interface. Obviously you have to use the default, unspecified MTU.
You set the MTU in the Interfaces > Advanced section of the WG interface, or in `/etc/config/network` > WG interface: `option mtu '1420'`
But I think what you do amounts to the same
The MTU fix is set on the firewall zone of the WG interface: enable MSS clamping (`/etc/config/firewall` > WG zone: `option mtu_fix '1'`).
But if you have the WG interface in the LAN zone you have to create a separate zone for the WG interface
So what is the correct way to create the Wireguard zone in the firewall and allow traffic to pass in the site to site VPN manner? I normally just put it in the LAN zone.
That is the easy (and correct) way, but if you want to apply the MTU fix then make a separate zone with the WG interface and with the same settings (so all ACCEPT) and add the MTU fix to this zone.
The detail: the `$wan_devices` match is the default checkbox; you need to check `fw4 print | less` and use the respective interface variable or interface. Since wg is a software interface it should be `oifname` in place of `oif`.
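To make concrete what the `mtu_fix` / MSS-clamping setting discussed above actually does, here is an added example (not code from this thread, OpenWrt or fw4). It derives the WireGuard tunnel MTU from the outer path MTU using the protocol's per-packet overhead, derives the matching TCP MSS, builds a constructed IPv4 TCP SYN carrying an MSS option, and rewrites that option downward with the TCP checksum corrected, which is the same transformation the nftables rule fw4 emits for a zone with `option mtu_fix '1'` (`tcp option maxseg size set rt mtu`) performs on forwarded SYNs. The addresses and ports are made up; the overhead constants follow the WireGuard data-message format, and the 1420 default matches an IPv6 outer path on a 1500-byte link.

```python
import socket
import struct

# Encapsulation overhead per WireGuard data packet on the outer path:
# outer IP header (20 for IPv4, 40 for IPv6) + UDP (8) + WireGuard data
# message (4 type + 4 receiver index + 8 counter + 16 Poly1305 tag = 32).
WG_OVERHEAD = {"ipv4": 20 + 8 + 32, "ipv6": 40 + 8 + 32}


def wg_mtu(outer_path_mtu=1500, outer="ipv6"):
    """Largest inner packet that fits one outer packet without fragmentation."""
    return outer_path_mtu - WG_OVERHEAD[outer]


def max_mss(tunnel_mtu, inner="ipv4"):
    """TCP MSS that keeps a full segment inside tunnel_mtu (IP + 20-byte TCP header removed)."""
    return tunnel_mtu - (20 + 20 if inner == "ipv4" else 40 + 20)


def checksum(data):
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_start(packet):
    return (packet[0] & 0x0F) * 4          # IPv4 IHL in bytes


def _pseudo_header(packet, tcp_len):
    return packet[12:20] + struct.pack("!BBH", 0, 6, tcp_len)   # src, dst, zero, proto, len


def tcp_checksum_ok(packet):
    start = _tcp_start(packet)
    tcp = packet[start:]
    return checksum(_pseudo_header(packet, len(tcp)) + tcp) == 0


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4 TCP SYN with an MSS option (sample input, not a capture)."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"   # MSS, NOP, NOP, SACK-permitted
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    csum = checksum(_pseudo_header(ip, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return ip + tcp


def _mss_offset(packet):
    """Offset of the 2-byte MSS value in a TCP SYN's options, or None."""
    start = _tcp_start(packet)
    if packet[9] != 6 or not packet[start + 13] & 0x02:   # not TCP, or not a SYN
        return None
    i, end = start + 20, start + (packet[start + 12] >> 4) * 4
    while i < end:
        kind = packet[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        length = packet[i + 1]
        if kind == 2 and length == 4:      # MSS option
            return i + 2
        i += length
    return None


def tcp_mss(packet):
    off = _mss_offset(packet)
    return None if off is None else struct.unpack("!H", packet[off:off + 2])[0]


def clamp_mss(packet, limit):
    """Rewrite the SYN's MSS down to limit and fix the TCP checksum.
    Returns (packet, original_mss); non-SYN or MSS-less packets pass unchanged."""
    off = _mss_offset(packet)
    if off is None:
        return packet, None
    old = struct.unpack("!H", packet[off:off + 2])[0]
    if old <= limit:
        return packet, old
    new = bytearray(packet)
    new[off:off + 2] = struct.pack("!H", limit)
    start = _tcp_start(new)
    new[start + 16:start + 18] = b"\x00\x00"
    tcp = bytes(new[start:])
    new[start + 16:start + 18] = struct.pack("!H", checksum(_pseudo_header(new, len(tcp)) + tcp))
    return bytes(new), old


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 5201, 1460)   # LAN host behind the Flint 2
    clamped, before = clamp_mss(syn, max_mss(wg_mtu()))
    print("tunnel MTU", wg_mtu(), "MSS", before, "->", tcp_mss(clamped), "checksum ok", tcp_checksum_ok(clamped))
```

Without the clamp a LAN host advertises MSS 1460 (1500 minus 40), the peer sends 1500-byte segments into the tunnel, and the router must fragment or drop them; with the clamp the SYN leaves the WG zone advertising 1380, so every TCP segment fits in one WireGuard packet. That is also why the clamp only helps when the rule's output interface actually covers the wg device, which is what the `nft list ruleset` / `fw4 print` check above is about.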