
[COMPLETED] WireGuard beta testing available


1 hour ago, ZPKZ said:

On my old laptop, I used to for some reason get extremely low speeds. No matter which server.


Really old computers may lack the AES-NI instructions that make GCM ciphers efficient.  In those cases you'll likely do better in OpenVPN if you configure for the CHACHA20-POLY1305 cipher (the cipher that wireguard uses).  I'm not an Eddie user so can't advise there, but if you are setting up OpenVPN using the Air configurator, check the "Advanced" box on the upper right, then scroll down to "Advanced - OpenVPN only" and under "Data Cipher" select "Mobile  (prefer CHACHA)".  The configuration it generates is not actually specific to phones, but where modern hardware is concerned, it's really only phones (and tablets) that are missing the AES-NI instructions, hence the labeling of this choice.

On 11/26/2021 at 6:30 PM, maxhawk said:
Update:
The issue is that OpenVPN uses an MTU=1500 while Wireguard uses MTU=1420. Dropped packets were preventing the proper SSL handshake. My fix is to manually force an MTU=1392 in the machine that's having trouble. The long term fix is to have any machine that connects to this subnet use an MTU of 1392, but that's an issue outside of Wireguard and AirVPN.

I am using WireGuard (kmod) on OPNsense to route my VPN-enabled_VLAN through AirVPN. I have been noticing download and browsing speed issues with this for a while now and yesterday finally found the reason and workaround thanks to your post.

Did you ever solve this in the long term? Any solution that doesn't involve changing the network config of the client devices?

2 hours ago, TheHellSite said:

I am using WireGuard (kmod) on OPNsense to route my VPN-enabled_VLAN through AirVPN. I have been noticing download and browsing speeds with this for a while now and yesterday finally found the issue and workaround thanks to your post.

Did you ever solve this in the long term? Any solution that doesn't involve changing the network config of the client devices?

Hello!

For your information, the official WireGuard Android user app forces MTU to 1280 bytes (in our Eddie app, we also had to force 1320, although MTU remains customizable in Eddie settings). Higher sizes cause malfunctions, timeouts, line breaks or snail throughput on virtually any device and network we tested, almost surely because there is (often) no room in the frame. Even the Linux client forces 1280 bytes (if it doesn't find anything else in the profile) if our memory is correct. Thus your findings are consistent and hint at the necessity of keeping a low MTU size.

Kind regards
 


With WireGuard on pfSense, setting each WireGuard interface I create to 1420 MTU and MSS seems to result in no problems and good performance.

6 hours ago, go558a83nk said:

With WireGuard on pfSense, setting each WireGuard interface I create to 1420 MTU and MSS seems to result in no problems and good performance.


Hello!

Do you declare an MTU size in the WireGuard conf file? Relevant for this discussion: https://superuser.com/questions/1537638/wireguard-tunnel-slow-and-intermittent

Different networks may require different sizes. This is probably the reason for which WireGuard developers opted for the smallest allowed size in Android, 1280 bytes. Of course if it's possible to set higher sizes the performance will improve.

Kind regards
 

13 hours ago, go558a83nk said:

With WireGuard on pfSense, setting each WireGuard interface I create to 1420 MTU and MSS seems to result in no problems and good performance.

7 hours ago, Staff said:

Do you declare an MTU size in the WireGuard conf file? Relevant for this discussion: https://superuser.com/questions/1537638/wireguard-tunnel-slow-and-intermittent

As OPNsense and pfSense are/were pretty much the same, I am also interested in this!

Looking at pictures of the pfSense WireGuard user interface (VPN --> WireGuard --> Tunnel Configuration) it seems that there is no field which would allow setting an MTU or MSS value for the tunnel.
It looks like you only have the option to set the MTU (and MSS) value in the pfSense interface section.

However on OPNsense there is an extra field (VPN --> WireGuard --> Local --> "Tunnelname") to set the MTU value directly in the WireGuard config but also no field for the MSS value.
In the OPNsense interface section it is also of course possible to define the MTU (and MSS) value. The interface section also overwrites any setting configured in the WireGuard tunnel configuration.

Also reading through this tutorial and the linked reddit thread it seems that it is best to just set these values in the interface section of OPNsense/pfSense and not in the tunnel configuration.
I will try this out and report back here.
 

Update

It is best to declare the MTU value at the interface configuration and also in the tunnel configuration. The latter is necessary because each reload of the interface configuration and each reload of the WireGuard package will reapply the MTU value to the interface.
Setting the MTU=1420 and MSS=1420 in the interface configuration of the interface assigned to the WireGuard tunnel and also MTU=1420 in the tunnel configuration resolved both the speed and SSL issues.
 
  1. Note
     I personally have to use MTU=1412 since my WAN requires the use of PPPoE, which adds another 8 bytes of overhead that need to be subtracted from the theoretical maximum MTU=1420.
     WireGuard MTU for PPPoE = 1420 - 8 = 1412
     Details see here: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

  2. Note
     Setting the MSS value the same as the MTU value is specific to OPNsense and pfSense! Both firewalls automatically reduce the value entered in the MSS field by 40 bytes.
     On other systems the MSS value has to be entered 40 bytes lower than the MTU value.
     OPNsense / pfSense: MTU entered = actual MTU applied to the interface
     OPNsense / pfSense: MSS entered - 40 bytes = actual MSS applied to the interface
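The MTU and MSS arithmetic behind the values in the two notes above (1420, 1412, the 40-byte MSS adjustment) and behind Staff's remark about the 1280-byte Android default, as an added Python example that is not from this thread or from any of its posters. Header sizes are protocol constants; the 8-byte PPPoE overhead and the pfSense/OPNsense MSS behaviour are taken as the post describes them.

```python
# Added example, not from the thread: the MTU/MSS arithmetic behind the values
# discussed above (1420, 1412, "MSS entered - 40"). Header sizes are protocol
# constants; the PPPoE overhead and the pfSense/OPNsense MSS handling follow
# the two notes in the post.

IPV4_HDR = 20          # IPv4 header without options
IPV6_HDR = 40          # fixed IPv6 header
UDP_HDR = 8
TCP_HDR = 20           # TCP header without options
WG_HDR = 32            # type(4) + receiver index(4) + counter(8) + Poly1305 tag(16)
PPPOE_OVERHEAD = 8     # PPPoE session header (6) + PPP protocol field (2)
IPV6_MIN_MTU = 1280    # RFC 8200 minimum link MTU; what the Android app forces


def wireguard_overhead(outer_ipv6: bool = True) -> int:
    """Bytes WireGuard adds per packet: outer IP + UDP + WireGuard data header."""
    return (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_HDR


def wireguard_mtu(link_mtu: int = 1500, pppoe: bool = False, outer_ipv6: bool = True) -> int:
    """Largest inner packet that fits the WAN link without fragmentation.
    wg-quick's default of 1420 is 1500 minus the 80-byte IPv6-endpoint overhead."""
    path_mtu = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    mtu = path_mtu - wireguard_overhead(outer_ipv6)
    if mtu < IPV6_MIN_MTU:
        raise ValueError(f"tunnel MTU {mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    return mtu


def tcp_mss(tunnel_mtu: int, inner_ipv6: bool = False) -> int:
    """MSS a TCP segment inside the tunnel may carry: MTU minus inner IP and TCP headers."""
    return tunnel_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def pfsense_mss_applied(mss_field: int) -> int:
    """pfSense/OPNsense subtract 40 bytes from the MSS field before applying it (Note 2)."""
    return mss_field - 40


def pfsense_mss_field_for(tunnel_mtu: int) -> int:
    """Value to enter in the pfSense/OPNsense MSS field so that the applied MSS
    equals the IPv4 TCP MSS for this tunnel MTU; it works out to the MTU itself."""
    return tcp_mss(tunnel_mtu) + 40


if __name__ == "__main__":
    cases = [("plain 1500 WAN", {}), ("PPPoE WAN", {"pppoe": True}),
             ("IPv4 endpoint", {"outer_ipv6": False})]
    for label, kwargs in cases:
        mtu = wireguard_mtu(**kwargs)
        print(f"{label}: MTU {mtu}, TCP MSS {tcp_mss(mtu)}, "
              f"pfSense MSS field {pfsense_mss_field_for(mtu)}")
```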

5 hours ago, Staff said:

Hello!

Do you declare an MTU size in the WireGuard conf file? Relevant for this discussion: https://superuser.com/questions/1537638/wireguard-tunnel-slow-and-intermittent

Different networks may require different sizes. This is probably the reason for which WireGuard developers opted for the smallest allowed size in Android, 1280 bytes. Of course if it's possible to set higher sizes the performance will improve.

Kind regards
 
No, I didn't know that existed.  :)  I'll have to check it out when I get a chance.

Posted ... (edited)

I was running OpenVPN on my pfSense box to AirVPN for a few years but lately I experienced a lot of speed problems.
Before I could hit around 600mbit (1gb line) but recently I was hitting the 150mbit max...

So I switched to WireGuard and after setting the MTU to 1420 I was getting decent speeds again! Except some websites did not load or were utterly slow.
After reading the comments here from @go558a83nk and @TheHellSite I set the MSS to 1420 also (so MTU + MSS = 1420) and voila problem solved!
This is done on the pfSense Interface, not in the wireguard config.

Getting around 700 - 800mbit on my line and everything is snappy again!
Just wanted to share my 2 cents.

Edited ... by Teng Teng Toa


I've been running WireGuard for the VPN for a while now and I have a question.
In the config it does separate tables for IPv4 and IPv6; why isn't the inet family used instead?
From the man pages:

IPV4/IPV6/INET ADDRESS FAMILIES
       The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of
       packets. They contain five hooks at different packet processing stages
       in the network stack.
From the command prompt it looks like this for output:
sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report, 151, 152, 153 } accept
		counter packets 242 bytes 43336 drop
	}
}
table ip6 wg-quick-tun0 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "tun0" ip6 daddr fd7d:76ee:e68f:a993:6c33:1401:f02c:98a8 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
table ip wg-quick-tun0 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "tun0" ip daddr 10.162.132.125 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
I'm just curious as to why inet wasn't used instead of the separate IP families.

Daaa Baby Smurf do do do😁



How can I automatically (from a script) renew my keys to force a new random IP address reassignment (as per WireGuard FAQ)?

In 2020 a member of the AirVPN Team suggested we'd be able to do so in the future:

On 7/30/2020 at 1:38 PM, Clodo said:

We will offer an API to automate the above, letting users write a script that performs HTTPS calls to change local IP address, download updated .conf, and then wg-quick. 


The same feature has been requested here and in this thread:
 
On 11/6/2021 at 11:28 PM, airvpnforumuser said:

It seems renewing the keys does have a minor privacy benefit and is something I'd like to do routinely. At the moment managing keys is only possible via your website and is one of the biggest feature suggestions I'd like to see added to the API (then I can rotate keys freely).


Is this feature on the roadmap?

On 10/2/2022 at 10:25 PM, Opayq said:

How can I automatically (from a script) renew my keys to force a new random IP address reassignment (as per WireGuard FAQ)?

In 2020 a member of the AirVPN Team suggested we'd be able to do so in the future:

The same feature has been requested here and in this thread:

Is this feature on the roadmap?

Hello!

The feature has not been implemented yet, we're sorry. An impact assessment is beginning in a few days. After that, if everything is fine, we will proceed. We will keep you informed. EDIT 2022-10-06: FEATURE IMPLEMENTED

Kind regards
 

