Development discussion of WireGuard
 help / color / mirror / Atom feed
* WireGuard Windows should have default MTU of 1280.
@ 2022-02-19  1:23 Rujbin
  2022-02-21 18:52 ` tlhackque
  2022-02-21 18:53 ` Michael Tokarev
  0 siblings, 2 replies; 8+ messages in thread
From: Rujbin @ 2022-02-19  1:23 UTC (permalink / raw)
  To: wireguard

Hello,

i am just confused. When i use default MTU the Performance on Windows is VERY poor. It is almost unuseable. It happens on multiple Windows devices. I started using MTU 1280 for a while, but why is it only Windows with that issue? First, the speed is limited to 100mbps maximum. Thats weird, when i use MTU 1280 i have 1gbps. https://i.imgur.com/ELGOWDQ.png

This bug exists for a long time to me. I ran Wireguard on almost every provider, (i didnt check if it happens on Azure) but this bug exists on Hetzner, DigitalOcean, OVH. This is not normal. I am running the latest stable version of Wireguard Windows. Kernel module on servers and BoringTun.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
  2022-02-19  1:23 WireGuard Windows should have default MTU of 1280 Rujbin
@ 2022-02-21 18:52 ` tlhackque
  2022-02-21 18:53 ` Michael Tokarev
  1 sibling, 0 replies; 8+ messages in thread
From: tlhackque @ 2022-02-21 18:52 UTC (permalink / raw)
  To: wireguard


[-- Attachment #1.1: Type: text/plain, Size: 1881 bytes --]

On 18-Feb-22 20:23, Rujbin wrote:
> Hello,
>
> i am just confused. When i use default MTU the Performance on Windows is VERY poor. It is almost unuseable. It happens on multiple Windows devices. I started using MTU 1280 for a while, but why is it only Windows with that issue? First, the speed is limited to 100mbps maximum. Thats weird, when i use MTU 1280 i have 1gbps. https://i.imgur.com/ELGOWDQ.png
>
> This bug exists for a long time to me. I ran Wireguard on almost every provider, (i didnt check if it happens on Azure) but this bug exists on Hetzner, DigitalOcean, OVH. This is not normal. I am running the latest stable version of Wireguard Windows. Kernel module on servers and BoringTun.

The question is so vague that you're not going to get unconfused without 
doing more work.

Sounds like a fragmentation issue.  Where can't be determined from the 
information given.  But if path MTU discovery is disabled/broken, that 
kind of slowdown isn't surprising.

1280 is the minimum MTU for IPv6.  (Path discovery is encouraged to use 
larger if possible.)  See RFC2460 section 5.

Where are you setting the MTU?  On the physical IF, or the WireGuard IF?

If the former, you want to increase by the size of the WG overhead.

If your physical IF is IPv4, but you're tunneling IPv6 over WG - the 
minimum MTU for IPv4 is 512, so unless some MTU is set (and available 
for the complete route), WG packets will definitely fragment.

In short, you need to provide more information (including a complete 
configuration, traceroutes with packet sizes, see if MTU discovery is 
blocked, ...), and do more work in order to get a useful answer.

This includes the Windows question.  Is WG running on windows, or on 
some router?  IPv4?  How does this differ from the other devices?  What 
are they (IOS, Android, Linux, VMS, ZOS, ...)?



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
  2022-02-19  1:23 WireGuard Windows should have default MTU of 1280 Rujbin
  2022-02-21 18:52 ` tlhackque
@ 2022-02-21 18:53 ` Michael Tokarev
       [not found]   ` <Mailbird-87f65eb5-1417-4955-ae28-858c7511900b@gmail.com>
  1 sibling, 1 reply; 8+ messages in thread
From: Michael Tokarev @ 2022-02-21 18:53 UTC (permalink / raw)
  To: Rujbin, wireguard

19.02.2022 04:23, Rujbin wrote:
> Hello,
> 
> i am just confused. When i use default MTU the Performance on Windows is VERY poor. It is almost unuseable. It happens on multiple Windows devices. I started using MTU 1280 for a while, but why is it only Windows with that issue? First, the speed is limited to 100mbps maximum. Thats weird, when i use MTU 1280 i have 1gbps. https://i.imgur.com/ELGOWDQ.png

In our case with default MTU (of 1420 iirc), in-tunnel performance is near
the direct pefrormance. When lowering MTU to 1280, the speed reduces a bit
but not much (I guess due to larger overhead due to smaller packet size).

> This bug exists for a long time to me. I ran Wireguard on almost every provider, (i didnt check if it happens on Azure) but this bug exists on Hetzner, DigitalOcean, OVH. This is not normal. I am running the latest stable version of Wireguard Windows. Kernel module on servers and BoringTun.

I don't see a bug here.

/mjt

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
       [not found]   ` <Mailbird-87f65eb5-1417-4955-ae28-858c7511900b@gmail.com>
@ 2022-02-21 19:16     ` Michael Tokarev
  2022-02-21 19:57       ` Roman Mamedov
  2022-02-21 19:18     ` Michael Tokarev
  1 sibling, 1 reply; 8+ messages in thread
From: Michael Tokarev @ 2022-02-21 19:16 UTC (permalink / raw)
  To: wireguard

21.02.2022 22:11, Michael Adams wrote:
> Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.

Lemme guess. The OP is routing wg packets over IPv6?  Can this be
the problem here, because V6 has larger overhead so that 1420 is
too large to fit into 1500 bytes together with IPv6 header?

Speaking of the good practice - it really depends.

/mjt

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
       [not found]   ` <Mailbird-87f65eb5-1417-4955-ae28-858c7511900b@gmail.com>
  2022-02-21 19:16     ` Michael Tokarev
@ 2022-02-21 19:18     ` Michael Tokarev
  1 sibling, 0 replies; 8+ messages in thread
From: Michael Tokarev @ 2022-02-21 19:18 UTC (permalink / raw)
  To: Michael Adams, wireguard

21.02.2022 22:11, Michael Adams wrote:
> Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.

BTW, tinc is quite good these days at figuring the right pMTU.
It fails only in case of completely broken network..

/mjt

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
  2022-02-21 19:16     ` Michael Tokarev
@ 2022-02-21 19:57       ` Roman Mamedov
  2022-02-21 21:44         ` Roman Mamedov
  0 siblings, 1 reply; 8+ messages in thread
From: Roman Mamedov @ 2022-02-21 19:57 UTC (permalink / raw)
  To: Michael Tokarev; +Cc: wireguard

On Mon, 21 Feb 2022 22:16:22 +0300
Michael Tokarev <mjt@tls.msk.ru> wrote:

> 21.02.2022 22:11, Michael Adams wrote:
> > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.
> 
> Lemme guess. The OP is routing wg packets over IPv6?  Can this be
> the problem here, because V6 has larger overhead so that 1420 is
> too large to fit into 1500 bytes together with IPv6 header?

1420 is picked specifically so that it fits into a 1500 byte packet with IPv6.

If you run WG exclusively over IPv4, you can use up to 1432.

However, if your ISP uses, say, PPPoE or L2TP, you need to reduce these
numbers accordingly, as the underlying interface will not have the full 1500
byte MTU.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
  2022-02-21 19:57       ` Roman Mamedov
@ 2022-02-21 21:44         ` Roman Mamedov
  2022-02-23  5:21           ` David Anderson
  0 siblings, 1 reply; 8+ messages in thread
From: Roman Mamedov @ 2022-02-21 21:44 UTC (permalink / raw)
  To: Michael Tokarev; +Cc: wireguard

On Tue, 22 Feb 2022 00:57:10 +0500
Roman Mamedov <rm@romanrm.net> wrote:

> On Mon, 21 Feb 2022 22:16:22 +0300
> Michael Tokarev <mjt@tls.msk.ru> wrote:
> 
> > 21.02.2022 22:11, Michael Adams wrote:
> > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.
> > 
> > Lemme guess. The OP is routing wg packets over IPv6?  Can this be
> > the problem here, because V6 has larger overhead so that 1420 is
> > too large to fit into 1500 bytes together with IPv6 header?
> 
> 1420 is picked specifically so that it fits into a 1500 byte packet with IPv6.
> 
> If you run WG exclusively over IPv4, you can use up to 1432.

Correction: 1440.

https://www.mail-archive.com/wireguard@lists.zx2c4.com/msg01856.html

I'm just used to subtracting 8 everywhere, because my ISP *does* use PPPoE. :)

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: WireGuard Windows should have default MTU of 1280.
  2022-02-21 21:44         ` Roman Mamedov
@ 2022-02-23  5:21           ` David Anderson
  0 siblings, 0 replies; 8+ messages in thread
From: David Anderson @ 2022-02-23  5:21 UTC (permalink / raw)
  To: wireguard

FWIW, a variety of cloud providers have a leaky abstraction, where they expose an MTU slightly below 1500 to their VMs due to encapsulation they use internally, and not using jumbo frames for various reasons. For example, Google Compute Engine VMs have an MTU of 1460b before WireGuard.

So, if you blindly set your MTU to "1500 minus exactly WireGuard overhead", it'll mysteriously break in those cloud environments (unless you get lucky with PMTUD saving the day, but I tend to assume it got broken by a misguided firewall). It's a common stumbling block I've seen many people hit when deploying WireGuard to cloudy environments that aren't AWS or on-premises systems (which tend to have well-behaved MTUs and jumbo frames on the wire, empirically).

Unfortunately dropping the wg MTU all the way to 1280 can break stuff differently, for people running encapsulation _inside_ WireGuard, because then their inner packet size is smaller than the mandated minimum for IPv6. So, short of building OOB MTU discovery into WireGuard (a-la QUIC - a reasonably big complexity bump), there's no one size fits all default that'll make everyone happy, I fear.

- Dave

On Mon, Feb 21, 2022, at 13:44, Roman Mamedov wrote:
> On Tue, 22 Feb 2022 00:57:10 +0500
> Roman Mamedov <rm@romanrm.net> wrote:
> 
> > On Mon, 21 Feb 2022 22:16:22 +0300
> > Michael Tokarev <mjt@tls.msk.ru> wrote:
> > 
> > > 21.02.2022 22:11, Michael Adams wrote:
> > > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.
> > > 
> > > Lemme guess. The OP is routing wg packets over IPv6?  Can this be
> > > the problem here, because V6 has larger overhead so that 1420 is
> > > too large to fit into 1500 bytes together with IPv6 header?
> > 
> > 1420 is picked specifically so that it fits into a 1500 byte packet with IPv6.
> > 
> > If you run WG exclusively over IPv4, you can use up to 1432.
> 
> Correction: 1440.
> 
> https://www.mail-archive.com/wireguard@lists.zx2c4.com/msg01856.html
> 
> I'm just used to subtracting 8 everywhere, because my ISP *does* use PPPoE. :)
> 
> -- 
> With respect,
> Roman
> 

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2022-02-23  5:21 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-19  1:23 WireGuard Windows should have default MTU of 1280 Rujbin
2022-02-21 18:52 ` tlhackque
2022-02-21 18:53 ` Michael Tokarev
     [not found]   ` <Mailbird-87f65eb5-1417-4955-ae28-858c7511900b@gmail.com>
2022-02-21 19:16     ` Michael Tokarev
2022-02-21 19:57       ` Roman Mamedov
2022-02-21 21:44         ` Roman Mamedov
2022-02-23  5:21           ` David Anderson
2022-02-21 19:18     ` Michael Tokarev

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).