Netgate Discussion Forum
    Wireguard performance - where's the limitation?

    WireGuard

    tfboy:

      I have two pfSense firewalls setup, one outside London in the UK, a second in Paris.
      Initially, I had some routing issues (via the trunks between the two countries) that added a lot of latency, but my ISPs have resolved that. I now have a ping between the two sites of around 10ms.
      Both sites have FTTH connections - UK has 2.5Gbit symmetric, Paris has around 900Mbit down / 600Mbit up.

      I have always had decent performance when not using any kind of VPN tunnel. If I set up an FTP server in the UK with port forwarding from my WAN address to the server, I get over 100 MByte/s transfer rates.

      But as soon as I try to push the traffic via my Wireguard tunnel, the performance drops massively to around 15-20 MByte/s.

      What I have done so far:

      • Via testing, I have configured what I believe is the optimum MTU/MSS for the WG tunnel (1472 MTU and 1432 MSS).
      • via iperf3 testing, I get between 500 and 700 Mbits/s performance. This is not that much slower than what I get going outside the tunnel.
        This tells me the underlying Wireguard tunnel should be OK.

      Both of my pfSense firewalls are running on bare metal Protectli appliances. The one in Paris is a Vault Pro VP6650 with an Intel i5-1235U CPU. The one in the UK is a Vault 1210 with an Intel N5105 CPU.
      In my testing, the CPU never goes above 15-20% so I doubt that's a bottleneck. Maybe the CPU isn't really being used as Wireguard uses ChaCha20 which isn't a crypto supported by the CPU?

      So is it normal I'm only getting a fifth to a quarter performance for traffic over the Wireguard tunnel? I'd be happy to switch to another protocol - I did have IPsec running for some time but the performance issues were similar so I thought I'd try Wireguard to compare, but it's not any different.

      Both Protectli are running pfSense 2.8.0 CE.

      Any suggestions?
      TIA.

        Bob.Dig @tfboy:

        @tfboy said in Wireguard performance - where's the limitation?:

        via iperf3 testing, I get between 500 and 700 Mbits/s performance. This is not that much slower than what I get going outside the tunnel.
        This tells me the underlying Wireguard tunnel should be OK.

        Then I would say, there is nothing you can do about it. At least, it is not a WireGuard problem.

        Via testing, I have configured what I believe is the optimum MTU/MSS for the WG tunnel (1472 MTU and 1432 MSS).

        As far as I can tell, you should use 1420 for both fields in pfSense. The only exception would be a tunnel over IPv6 with PPPoE involved; then you would use less.

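The 1420 figure in the reply above comes from subtracting WireGuard's encapsulation from a 1500-byte link, and the calculation is worth seeing written out. The script below is an added example for this thread, not pfSense code and not something either poster wrote. It uses the standard header sizes (IPv4 20, IPv6 40, UDP 8, TCP 20, PPPoE 8, and WireGuard's 32-byte transport header: type, receiver index, counter and Poly1305 tag); the only assumption is noted in a comment, namely that WireGuard implementations cap their 16-byte plaintext padding at the tunnel MTU. The `outer_fragments` helper lets you check any candidate inner MTU, including the values mentioned in this thread, against the link it runs over: a value that returns `True` means every full-size packet becomes two outer UDP fragments, which costs throughput even when the tunnel itself looks healthy in iperf3. One note on the pfSense fields: the interface MSS field is applied minus 40 bytes (IP + TCP header) to TCP sessions, which is why the same number works in both fields there; the functions here return the raw MSS instead.

```python
# WireGuard tunnel MTU / MSS calculator (added example, not pfSense or poster code).
# Header sizes are the standard protocol values; see tunnel_mtu() for the one assumption.

IPV4_HEADER = 20          # bytes, no options
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20           # bytes, no options
PPPOE_HEADER = 8          # PPPoE header (6) + PPP protocol id (2)
# WireGuard transport data message: type (4) + receiver index (4) + counter (8) + Poly1305 tag (16)
WG_DATA_HEADER = 4 + 4 + 8 + 16


def outer_link_mtu(physical_mtu=1500, pppoe=False):
    """Largest IP packet the underlying link carries (PPPoE eats 8 bytes of it)."""
    return physical_mtu - (PPPOE_HEADER if pppoe else 0)


def wireguard_overhead(outer_ipv6=False):
    """Bytes wrapped around each inner packet: outer IP + UDP + WireGuard header and tag."""
    return (IPV6_HEADER if outer_ipv6 else IPV4_HEADER) + UDP_HEADER + WG_DATA_HEADER


def tunnel_mtu(physical_mtu=1500, outer_ipv6=False, pppoe=False):
    """Largest inner packet that fits the outer link without fragmentation.

    WireGuard pads plaintext to a multiple of 16 bytes, but (assumption) the kernel
    implementations cap that padding at the tunnel MTU, so a full-size packet is
    not padded past this value.
    """
    return outer_link_mtu(physical_mtu, pppoe) - wireguard_overhead(outer_ipv6)


def tcp_mss(mtu, inner_ipv6=False):
    """TCP MSS that fits the given MTU: MTU minus the inner IP and TCP headers."""
    return mtu - (IPV6_HEADER if inner_ipv6 else IPV4_HEADER) - TCP_HEADER


def outer_fragments(inner_mtu, physical_mtu=1500, outer_ipv6=False, pppoe=False):
    """True when a full-size inner packet forces the outer UDP datagram to fragment."""
    return inner_mtu + wireguard_overhead(outer_ipv6) > outer_link_mtu(physical_mtu, pppoe)


def recommend(physical_mtu=1500, outer_ipv6=False, pppoe=False):
    """Settings for one link: tunnel MTU plus the raw MSS for IPv4 and IPv6 inner traffic."""
    mtu = tunnel_mtu(physical_mtu, outer_ipv6, pppoe)
    return {"mtu": mtu, "mss_v4": tcp_mss(mtu), "mss_v6": tcp_mss(mtu, inner_ipv6=True)}


if __name__ == "__main__":
    cases = [
        ("IPv4 outer, plain Ethernet", {}),
        ("IPv6 outer, plain Ethernet", {"outer_ipv6": True}),
        ("IPv6 outer over PPPoE", {"outer_ipv6": True, "pppoe": True}),
    ]
    for label, kw in cases:
        print(f"{label}: {recommend(**kw)}")
    # Candidate inner MTUs checked against a plain IPv4 1500-byte link.
    for candidate in (1472, 1440, 1420):
        print(f"inner MTU {candidate}: outer fragments = {outer_fragments(candidate)}")
```

Running it prints 1440 for an IPv4 outer link and 1420 for IPv6, which is why 1420 is the safe default when you do not know which address family the endpoints will use; the PPPoE-over-IPv6 case drops to 1412, matching the exception in the reply.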
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.