Bug #14895 (open)
Wireguard / bad performance after reboot, if running together with OpenVPN
Description
Hello,
I initially posted in the Netgate forum, but in the meantime I conducted more investigations and I think I managed to narrow down the issue, and that it can be of some help here.
Please refer to https://forum.netgate.com/topic/183489/wireguard-bad-performance-after-reboot for more details, although they may not be so relevant now.
Configuration: pfSense CE 2.7.0 running in a VM (KVM/QEMU on Proxmox), Wireguard (v0.2_0_2) to my VPN provider (I tested two actually).
MTU/MSS set on both WAN and Wireguard interfaces (1500/1500 and 1320/1320 respectively, but values probably aren't relevant here).
Important: this pfSense instance also runs 2 OpenVPN clients.
Symptom: I face severe performance degradation of my Wireguard connection after reboot (from 1 Gbps to 35 Mbps download). However, if in the UI, I then go to the WAN interface and click on Save (then Apply), the performance is back to normal. Then if I reboot, the performance drops again, until I apply the interface configuration again, and so on.
Investigations: I suspected a side-effect of running OpenVPN clients in parallel, so I removed my OpenVPN clients, and the symptom disappeared: even after a reboot, the performance now stays nominal.
My 2 cents: may this have - directly or indirectly - some similarities with the old issue #11691?
Hope this helps, although it surely needs more investigations to be fruitful. Do not hesitate to ask me if needed.
Also, I would be grateful if you can provide me with a workaround, otherwise I can live with reapplying the WAN config after each reboot, not such a big deal.
Thank you,
Pascal.
Updated by Kris Phillips about 1 year ago
Is it possible your Wireguard tunnel is trying to establish over your OpenVPN tunnel somehow due to a route-all directive on your OpenVPN tunnel? Dropping from 1 Gigabit to 35 Megabit points me to think you're hitting a throughput limit of OpenVPN without DCO.
What is the routing configuration for your OpenVPN? I'm assuming these are OpenVPN clients to a VPN provider?
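One way to test the hypothesis in the comment above, as an added example that is not part of the ticket or of pfSense: a longest-prefix match of the Wireguard endpoint address against the IPv4 routing table, reporting whether the winning route leaves through an OpenVPN client interface. The routing table, the addresses and the interface names (`vtnet0`, `ovpnc1`) are constructed, and the example assumes the route-all directive shows up as the `0.0.0.0/1` and `128.0.0.0/1` pair that OpenVPN's `redirect-gateway def1` installs.

```python
import ipaddress

# Constructed sample in the layout of FreeBSD `netstat -rn -f inet`; not taken from the report.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS      vtnet0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#8             U        ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.0.2.0/24       link#1             U        vtnet0
198.51.100.7       192.0.2.1          UGHS     vtnet0
"""


def parse_routes(text):
    """Return (network, gateway, netif) tuples from the table text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue  # header, blank or truncated line
        dest, gateway, _flags, netif = fields[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            # A bare address is a host route and parses as a /32.
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not an IPv4/IPv6 destination
        routes.append((net, gateway, netif))
    return routes


def egress_for(endpoint, routes):
    """Pick the most specific route that covers the endpoint address."""
    addr = ipaddress.ip_address(endpoint)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def rides_openvpn(endpoint, routes):
    """True when the endpoint's best route leaves via an ovpn* interface."""
    best = egress_for(endpoint, routes)
    return best is not None and best[2].startswith("ovpn")


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for ep in ("203.0.113.50", "198.51.100.7"):  # constructed endpoints
        print(ep, egress_for(ep, table), rides_openvpn(ep, table))
```

In the sample, the two /1 routes beat the default route without replacing it, so an endpoint with no more specific route is carried inside the OpenVPN tunnel, while one with its own host route stays on the WAN interface.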