blacktooth 0 Posted ...

Hi All,

I’m experiencing sluggish web browsing when using a WireGuard connection through my Mikrotik router.

My home internet connection is 1Gbps download / 50Mbps upload.
Router is a Mikrotik hAP ac RB962UiGS (firmware version 7.16).

When I use the Eddie client on my phone or PC to connect to the WireGuard server in Singapore, web browsing is fast and responsive. However, when I configure WireGuard directly on the Mikrotik hAP to connect to the same server and route my PC or phone traffic through the tunnel, browsing slows down significantly—almost to the point of being unusable.

Everything connects successfully, but the degraded browsing performance is disappointing. It doesn't appear to be resources on the Mikrotik; when attempting to download a file off the Mikrotik WireGuard tunnel, CPU barely gets to 20%.

Can anyone give guidance on how to improve the performance?

Here is my Mikrotik config:

WAN is ether1
LAN is ether2
WG is wg-airvpn

    # by RouterOS 7.16
    # software id = ITU9-GZKB
    #
    # model = RB962UiGS-5HacT2HnT
    /interface ethernet
    set [ find default-name=ether3 ] disabled=yes
    set [ find default-name=ether4 ] disabled=yes
    set [ find default-name=ether5 ] disabled=yes
    set [ find default-name=sfp1 ] disabled=yes
    /interface wireguard
    add listen-port=13231 mtu=1320 name=wg-airvpn
    /interface list
    add name=LAN
    add name=WAN
    /interface lte apn
    set [ find default=yes ] ip-type=ipv4 use-network-apn=no
    /routing table
    add disabled=no fib name=wireguard
    /ip firewall connection tracking
    set udp-timeout=10s
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /ip settings
    set max-neighbor-entries=8192
    /ipv6 settings
    set disable-ipv6=yes max-neighbor-entries=8192
    /interface list member
    add interface=ether2 list=LAN
    add interface=ether1 list=WAN
    /interface ovpn-server server
    set auth=sha1,md5
    /interface wireguard peers
    add allowed-address=0.0.0.0/0 endpoint-address=sg3.vpn.airdns.org endpoint-port=1637 interface=wg-airvpn name=peer2 persistent-keepalive=15s preshared-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    /ip address
    add address=10.152.XXX.XXX interface=wg-airvpn network=10.152.XXX.XXX
    add address=172.28.28.1/28 interface=ether2 network=172.28.28.0
    /ip cloud
    set update-time=no
    /ip dhcp-client
    add interface=ether1
    /ip firewall address-list
    # My PC
    add address=172.28.30.199 list="VPN Only"
    /ip firewall filter
    add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=accept chain=input comment="accept ICMP" in-interface=ether1 protocol=icmp
    add action=drop chain=input comment="block everything else" in-interface=!ether2
    add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment="accept established,related" connection-state=established,related
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=reject chain=forward comment="reject WAN access to VPN Only List" out-interface=ether1 reject-with=icmp-network-unreachable src-address-list="VPN Only"
    add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=!ether2 log=yes
    /ip firewall mangle
    add action=mark-routing chain=prerouting dst-address=!172.28.28.0/22 new-routing-mark=wireguard passthrough=yes src-address-list="VPN Only"
    add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wg-airvpn passthrough=yes protocol=tcp tcp-flags=syn
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether1
    add action=masquerade chain=srcnat out-interface=wg-airvpn
    /ip ipsec profile
    set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
    /ip route
    add disabled=no dst-address=10.128.0.1/32 gateway=wg-airvpn routing-table=main suppress-hw-offload=no
    add disabled=no distance=1 dst-address=172.28.28.0/22 gateway=172.28.28.14 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add disabled=no dst-address=8.8.4.4/32 gateway=wg-airvpn routing-table=main suppress-hw-offload=no
    add disabled=no dst-address=0.0.0.0/0 gateway=wg-airvpn routing-table=wireguard suppress-hw-offload=no
    /ip service
    set telnet address=172.28.28.0/22 disabled=yes
    set ftp address=172.28.28.0/22 disabled=yes
    set www address=172.28.28.0/22
    set ssh address=172.28.28.0/22
    set www-ssl address=172.28.28.0/22
    set api address=172.28.28.0/22
    set winbox address=172.28.28.0/22
    set api-ssl address=172.28.28.0/22 disabled=yes
    /ip ssh
    set strong-crypto=yes
    /routing bfd configuration
    add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
    /routing rule
    add action=lookup-only-in-table disabled=yes src-address=172.28.29.128/25 table=wireguard
    /system clock
    set time-zone-name=Australia/Sydney
    /system identity
    set name=bump
    /system note
    set show-at-login=no
    /system ntp client
    set enabled=yes
    /system ntp client servers
    add address=pool.ntp.org
    /tool bandwidth-server
    set enabled=no
    /tool graphing interface
    add
    /tool graphing queue
    add
    /tool graphing resource
    add
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

Air4141841 24 Posted ...

In my experience this is typically MTU. You may try to decrease the 1320 you already set. From what I have read on this forum, lower typically helps this issue.

blacktooth 0 Posted ...

Thanks for the suggestion. The WireGuard tunnel MTU is set to 1320 as in the config file.

I dropped the MTU on my PC from 1500 to 1300; performance did not improve :-(
I dropped the MTU on the WireGuard interface to 1300 and my PC to 1280; performance did not improve :-(

Is there a recommended MTU that I should be using?
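
On the MTU question raised in the thread, the following is an added example (not part of any post here) that measures the underlay path MTU with Don't-Fragment pings and derives the largest WireGuard MTU and TCP MSS that fit. It assumes a Linux host with iputils `ping` on the WAN side, a WireGuard endpoint reached over IPv4, and a user-supplied `TARGET` that answers ICMP echo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the underlay path MTU, then derive WireGuard MTU and TCP MSS.
# Assumes Linux iputils ping (-M do sets Don't Fragment); TARGET is set by the user.

WG_OVERHEAD_V4=60   # outer IPv4 20 + UDP 8 + WireGuard data header 16 + auth tag 16
TCPIP_HEADERS=40    # inner IPv4 20 + TCP 20, no options

# probe_ping SIZE: succeeds if an IPv4 packet of SIZE bytes total reaches
# TARGET without fragmentation (28 = IPv4 header 20 + ICMP header 8).
probe_ping() {
    ping -4 -M do -c 1 -W 2 -s "$(( $1 - 28 ))" "$TARGET" >/dev/null 2>&1
}

# find_pmtu PROBE LO HI: largest size in [LO,HI] for which PROBE succeeds.
find_pmtu() {
    probe=$1 lo=$2 hi=$3
    "$probe" "$lo" || return 1      # even the floor fails: host down or ICMP filtered
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU: largest tunnel MTU that fits inside the underlay path MTU.
wg_mtu()  { echo $(( $1 - WG_OVERHEAD_V4 )); }
# tcp_mss TUNNEL_MTU: largest TCP segment that fits inside the tunnel MTU.
tcp_mss() { echo $(( $1 - TCPIP_HEADERS )); }

# Runs only when TARGET is set, e.g.: TARGET=<host reachable over the WAN> sh pmtu.sh
if [ -n "${TARGET:-}" ]; then
    pmtu=$(find_pmtu probe_ping 576 1500) || { echo "no reply from $TARGET" >&2; exit 1; }
    mtu=$(wg_mtu "$pmtu")
    echo "path MTU $pmtu -> WireGuard MTU <= $mtu, TCP MSS <= $(tcp_mss "$mtu")"
fi
```

With the tunnel MTU of 1320 from the posted config, `tcp_mss 1320` gives 1280, which is the value an MSS clamp on the tunnel interface should produce for TCP SYNs.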