Wireguard: Throuput to WAN much slower than LAN


I am using Wireguard on a recently updated OpenWrt installation (currently using the latest nightly build to get SFP support Turris Omnia: Experimental support for SFP cage). The OpenWrt instance acts as a Wireguard "server" and allows clients to access the internal LAN as well as use the internet connection (forwarding to WAN is enabled). Connections do work as expected: I can access devices on LAN, as well as use the Internet connectivity of my OpenWrt router by using AllowedIPs and make sure the client sets up routes properly.

Now when doing performance testing I get ~18Mbyte/s when downloading a file from a http server running on the LAN. The speed is probably limited by the Internet connection speed on my client side.

However, when downloading a file from the web, I get only about 1Mbyte/s and the speed is declining over time to about ~300kByte/s! Downloading that same file within the LAN (hence using the same internet/WAN connection), I get around ~35MByte/s (showing that the Internet connectivity should be much faster).

What can cause the http connection going through the Wireguard tunnel out through WAN to be that much slower than the http connection through the Wireguard tunnel out through LAN? The router's CPU load seems low in both cases (below 20%). I tried various options like Packet Steering or setting lower MTU (currently using 1380), but no success so far.

As downloading through the Wireguard tunnel is fast, I assume this is not related to Wireguard directly. It seems that somehow http traffic routed through the tunnel gets "throttled". Could it be related to the fact that traffic through the tunnel has a much higher latency? (e.g. TCP windowing algorithm messed up...?). Any ideas how to debug such kind of issues? Wireshark seems not really helpful as I just see tons of TCP packages flowing back and forth.

Best regards,

Have you tried installing IRQbalance and enabling it from config and changing #devcrypto=devcrypto to devcrypto=devcrypto in the file /etc/ssl/openssl.cnf under the [engine] section?

Although Your CPU usage is low anyway it might not make much difference but may improve performance even further with IRQbalance, providing you have a multicore OpenWRT device .

devcrypto=devcrypto option enables the OpenSSL acceleration which WireGuard and openVPN use.

Are you sure?

OpenWrt uses the in-kernel Wireguard implementation, which in turn uses the Kernel Crypto API. In any case, crypto performance cannot really be the problem here as the router is able to handle much higher throughput through the tunnel when downloading from a device which is connected to the LAN.

1 Like

I have been testing this my self, however, for me, the download speed is spot on, although my wan connection is causing a bottleneck on that side. But when uploading from my device to the wan side of my router I get 16Mb/s where I should see something within the 100s when using the tunnel.