Development discussion of WireGuard
From: Anton Osmond <antonosmond@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Wireguard GCP Performance Fix
Date: Mon, 4 Feb 2019 14:33:04 +0000
Message-ID: <CAKcysNyra1=4+KGVfkHu=VMeVH6u9fYksXRFNquzcO8p2C4UCw@mail.gmail.com>


Hi

I want to share some problems I had in getting wireguard set up and the
solutions I found.
It might be good to have a "common problems & solutions" section in the
wireguard documentation where things like this can be added to help users
in the future.

We decided to try wireguard and compare it to OpenVPN, well aware that
wireguard's still considered alpha/experimental.
Our use case was to have a VPN for access to a kubernetes cluster in a
private network in Google Cloud.

After getting everything set up, I noticed the performance of wireguard was
MUCH slower than a connection to the same cluster over OpenVPN.
To give an example, a request to list the nodes in the cluster over OpenVPN
was taking around half a second or less. The same request over wireguard
was taking between 4 and 6 seconds.
Eventually I tracked down the issue and it turned out to be the MTU on the
wireguard interface.
GCP have a lower default MTU for network interfaces "due to additional
header space required inside Google's network".
The network interface set up on my Mac was using the default (for most
unix-like systems) of 1500.
But the MTU on the network interface on the Google instance was only 1460
which meant the packets being sent from my Mac were too big for the network
interface on the Google instance, resulting in packet splitting and
increased latency. I reduced the MTU on the network interface on my Mac and
immediately the latency had gone away and wireguard was probably faster
than OpenVPN.

To be honest, the linux network stack is not something I've really messed
about with in any great detail so most of this is new to me and I learnt a
lot from this old but useful article:
https://www.linuxjournal.com/content/queueing-linux-network-stack.

I couldn't find much documentation on the values that you're able to put
into the wireguard configs (used by wg-quick) so I tried adding MTU in
there and to my surprise it worked!

Hopefully my learnings here can help others and it'd be great to see a
common problems & solutions section in the docs and also improve the docs
around the wg-quick tool and associated configs.

Thanks

Anton
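
Added example, not part of Anton's message and not WireGuard project code: a Python check of the `MTU` key in a wg-quick `[Interface]` section against a path MTU such as the 1460 reported for GCP. The config text, keys, addresses, the 1420 and 1400 values and the function names `max_tunnel_mtu` and `audit_mtu` are constructed for illustration.

```python
import configparser

# Bytes WireGuard adds around each inner packet.
OUTER_IP_HEADER = {4: 20, 6: 40}  # outer IPv4 / IPv6 header
UDP_HEADER = 8
WG_DATA_OVERHEAD = 32  # 16-byte data message header + 16-byte auth tag

# Constructed sample wg-quick config; keys and addresses are placeholders.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
MTU = 1420

[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.128.0.0/20
"""


def max_tunnel_mtu(path_mtu, outer_ip_version=4):
    """Largest tunnel MTU whose encapsulated packets still fit path_mtu."""
    return path_mtu - OUTER_IP_HEADER[outer_ip_version] - UDP_HEADER - WG_DATA_OVERHEAD


def audit_mtu(config_text, path_mtu, outer_ip_version=4):
    """Return (configured MTU or None, limit, verdict) for a wg-quick config."""
    parser = configparser.ConfigParser(
        strict=False,        # wg-quick allows several [Peer] sections
        interpolation=None,  # PostUp/PostDown lines may contain '%i'
        delimiters=("=",),
    )
    parser.read_string(config_text)
    limit = max_tunnel_mtu(path_mtu, outer_ip_version)
    raw = parser.get("Interface", "MTU", fallback=None)
    if raw is None:
        # wg-quick then chooses the MTU itself from local routing
        # information, which cannot see a smaller MTU further along the path.
        return None, limit, "unset"
    mtu = int(raw)
    return mtu, limit, "ok" if mtu <= limit else "too large"


if __name__ == "__main__":
    print(audit_mtu(SAMPLE_CONFIG, path_mtu=1460))
    fixed = SAMPLE_CONFIG.replace("MTU = 1420", "MTU = 1400")
    print(audit_mtu(fixed, path_mtu=1460))
```

With an IPv6 outer header the limit for a 1460-byte path drops to 1380, so pass `outer_ip_version=6` when the endpoint is reached over IPv6.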
