Wireguard GCP Performance Fix

Anton Osmond antonosmond at gmail.com
Mon Feb 4 15:33:04 CET 2019 

Hi

I want to share some problems I had in getting wireguard setup and the
solutions I found.
It might be good to have a "common problems & solutions" section in the
wireguard documentation where things like this can be added to help users
in the future.

We decided to try wireguard and compare it to OpenVPN, well aware that
wireguard's still considered alpha/experimental.
Our use case was to have a VPN for access to a kubernetes cluster in a
private network in Google Cloud.

After getting everything setup, I noticed the performance of wireguard was
MUCH slower than a connection to the same cluster over OpenVPN.
To give an example, a request to list the nodes in the cluster over OpenVPN
was taking around half a second or less. The same request over wireguard
was taking between 4 and 6 seconds.
Eventually I tracked down the issue and it turned out to be the MTU on the
wireguard interface.
GCP have a lower default MTU for network interfaces "due to additional
header space required inside Google's network".
The network interface set up on my Mac was using the default (for most
unix-like systems) of 1500.
But the MTU on the network interface on the Google instance was only 1460
which meant the packets being sent from my Mac were too big for the network
interface on the Google instance, resulting in packet splitting and
increased latency. I reduced the MTU on the network interface on my mac and
immediately the latency had gone away and wireguard was probably faster
than OpenVPN.

To be honest, the linux network stack is not something I've really messed
about with in any great detail so most of this is new to me and I learnt a
lot from this old but useful article:
https://www.linuxjournal.com/content/queueing-linux-network-stack.

I couldn't find much documentation on the values that you're able to put
into the wireguard configs (used by wg-quick) so i tried adding MTU in
there and to my surprise it worked!

Hopefully my learnings here can help others and it'd be great to see a
common problems & solutions section in the docs and also improve the docs
around the wg-quick tool and associated configs.

Thanks

Anton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20190204/36d1272f/attachment-0001.html>

More information about the WireGuard mailing list