pfSense WireGuard Site-to-Site Performance Issues - Solved

Hello everyone,

(Edit: See the replies as I have found an answer)

I’ve set up a WireGuard site-to-site connection between my house and my relatives. The connection has been established successfully; however, the bandwidth performance is quite poor. When I run an iperf test over the WireGuard connection, I’m getting the following results:

image

This performance is surprisingly low when compared to the results I get when I run iperf tests over the WAN IPs, as shown here:
image

The WireGuard firewall rules on both of my pfSense routers are configured as follows:

I’m not sure if this is relevant to the issue, but I also have an existing Mullvad WireGuard setup, as visible in the screenshots above. (Just providing this information for your reference.)

On my side (Site A) my WireGuard config looks like this:

At my relatives' (Site B) the config is this:

If anyone has suggestions or has faced a similar issue, your help would be greatly appreciated. Thank you in advance!

I found the solution. I’ll leave it here for whoever might have this issue.

As mentioned here: Very Slow Wireguard Connection | Netgate Forum

I needed to set the MSS value for my WireGuard interfaces to 1380.

2 Likes

What performance uplift did you see after configuring MSS?

My understanding is that MSS is a TCP thing and MTU applies to the outside frame size and can alter UDP. Did you also alter MTU settings?

Since a lot of traffic is HTTP3 now, I wonder what kind of UDP performance you got? (-u and -b flags are for working with UDP I think)

1 Like

Hi there!

I just adjusted the MSS and didn’t make any changes to the MTU. Once I set the MSS to 1380, I noticed that my iperf results improved to 5-10MB/s, which works well for what I need. I’m curious, though, about what the MSS does and whether a different value might be more suitable.

2 Likes

Hello fellow travelers,

I’ve been delving into the MSS/MTU issue and made some headway. By utilizing the command ping -D -s <packet_size> <destination_ip> in the pfSense router shells on both ends, I successfully determined the correct MTU value for this WireGuard site-to-site connection, which turned out to be 1390. To fine-tune it, I subtracted 40 (IPv4 header size) from the MTU value.

image

After implementing these adjustments, I reran my iperf tests, yielding significantly improved results.
image

To better contextualize the WireGuard performance, here are the internet speed test results for each site:

Site A (based in the Netherlands)
image

Site B (based in the Caribbean)
image

However, there remains an unanswered question. Although the iperf speed test indicates some retries, a ping from site to site shows no timeouts. Noteworthy is that both locations are equipped with fiber internet. Any insights into this discrepancy would be greatly appreciated.

2 Likes
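
The manual ping -D -s probing described in the post above can be automated with a binary search. The following is an added example, not part of the original thread: it finds the largest ICMP payload that crosses the tunnel with Don't Fragment set, then derives the tunnel MTU and the matching TCP MSS for IPv4. The function names, the search bounds (500 to 1472) and the 2-second timeout are assumptions of this example; the ping flags are the FreeBSD ones available in the pfSense shell.

```shell
#!/bin/sh
# Added example: automate the "ping -D -s <size> <ip>" probing from the thread.

# probe SIZE HOST -> exit 0 if a DF ping carrying SIZE payload bytes is answered.
# FreeBSD/pfSense syntax: -D sets Don't Fragment (Linux ping uses "-M do").
probe() {
    ping -D -c 1 -t 2 -s "$1" "$2" >/dev/null 2>&1
}

# max_df_payload HOST [LOW] [HIGH]
# Binary search for the largest payload that still gets a reply.
# Prints 0 and returns 1 if even LOW does not get through.
max_df_payload() {
    host=$1 lo=${2:-500} hi=${3:-1472}
    probe "$lo" "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid              # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))    # mid was dropped: the answer is smaller
        fi
    done
    echo "$lo"
}

# IPv4: packet size = ICMP payload + 20 (IPv4 header) + 8 (ICMP header)
payload_to_mtu() { echo $(( $1 + 28 )); }

# IPv4: TCP MSS = MTU - 20 (IPv4 header) - 20 (TCP header)
mtu_to_mss() { echo $(( $1 - 40 )); }

# Usage: sh find_mss.sh <tunnel IP of the remote site>
if [ $# -ge 1 ]; then
    p=$(max_df_payload "$1") || { echo "no DF reply from $1" >&2; exit 1; }
    mtu=$(payload_to_mtu "$p")
    echo "max payload $p -> tunnel MTU $mtu -> MSS $(mtu_to_mss "$mtu")"
fi
```

Run it from both ends against the peer's tunnel address and use the lower result, since the limiting hop may differ per direction.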

Hello there,

Found an answer to the retry count in the iperf3 results. The TL;DR answer is: if the resulting transfer/bitrate is good/consistent, ignore the retry count.

Discussed here:
https://www.reddit.com/r/networking/comments/d15bj6/10g_home_lab_experiment_iperf3_how_many_retries/

2 Likes