Hello I hope one of you can help point me in the right direction.
I have a VPS with a static IP and a wireguard tunnel from VPS to home network (no bridging in the router, just point-to-point with specific devices).
I found an abysmal connection speed with bandwidth on the order of 50-100 kbps tested via iperf. Connection between the same devices outside the wireguard tunnel is 10-20 mbps, which is 100-400 times slower, which I don't understand since wireguard usually has very little overhead.
I have tried different MTU settings on both VPS and devices on my home network (both cabled and via wi-fi) in the range from 1360 to 1460, and above speeds are the best I have reached with MTU 1420 and 1440. I have tried both with and without iptables rules setting the mss correspondingly.
The above speeds are acceptable for incremental backups and document synchronization, but completely unsuitable for media streaming.
Where would I start diagnosing the bottleneck?
Thanks in advance.
UPDATE 2025-10-09:
I have not figured the issue out yet, and I do not know where to go from here.
I found a single similar issue (asymmetric wireguard speeds) here: https://forum.openwrt.org/t/wireguard-client-upload-slowness/190772, but that was resolved by changing MTU.
It must be a VPS issue, since when testing from multiple clients on different networks and locations, the bandwidth from client to server does not vary.
I have tried MTU from 1280 to 1460.
Current best settings, MTU = 1440 on client and server, and an iptables rule:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu.
Via tcpdump I have confirmed that the two endpoints negotiates an mss of 1460 (outside wireguard), making an MTU of 1420 to 1440 appropriate for the wireguard tunnel.
UDP without wireguard can saturate network connection.
TCP without wireguard has about 50-60% slowdown compared to UDP.
Bandwidth from vps to client is decent inside wireguard tunnel.
Bandwidth from client to vps inside wireguard tunnel is still abysmal.
Current speeds UDP:
- UDP, no wireguard: 16 mbps (client to vps) (at the time of testing, saturates client connection upload)
- UDP, no wireguard: 270 mbps (vps to client) (at the time of testing, saturates client connection download)
- UDP, wireguard: 80 kbps (client to vps)
- UDP, wireguard: 106 mbps (vps to client) Current speeds TCP:
- TCP, no wireguard: 8 mbps (client to vps)
- TCP, no wireguard: 117 mbps (vps to client)
- TCP, wireguard: 280 kbps (client to vps)
- TCP, wireguard: 4 mbps (vps to client)
Thanks for the suggestions.
I see no CPU spike on the VPS, and no CPU spikes on the clients.
I use WG started by root using wg-quick via systemctl on all devices.
I tried setting the MTU to 1280, with no significant changes, apart from slight slowdown compared to MTU of 1420 or 1440.
Smaller packet size also resulted in slightly lower speeds.
I used
tcpdumpon both client and server to find the negotiated MSS, and it shows an MSS of 1460 outside wg tunnel, so by following the calculations shown in this article https://www.procustodibus.com/blog/2022/12/wireguard-performance-tuning/, 1440 is the correct MTU for the wireguard interface when using IPv4 inside the tunnel.