I've got a dedicated server (Ubuntu Server 20.04), running two WireGuard interfaces:

- `wg0` is used to connect end-users, like laptops, mobile devices, etc.
- `wg1` is a tunnel to a 3rd-party VPN service

`wg1` is set as the default route on the server itself:

```
~ ip route get 8.8.8.8
8.8.8.8 dev wg1 table 51820 src 10.13.128.233 uid 0
```

Then, a NAT is set up to masquerade traffic coming from the `wg0` tunnel (end-users) onto the `wg1` tunnel (3rd-party VPN service):

```
iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
```

The simplified scheme thus looks like this:

```
(end-users) ----> wg0 ----> (Hetzner server) ----> NAT ----> wg1 ----> (3rd-party VPN)
```

The `wg0` config is super-minimal, with no MTU option specified. Laptop clients use the default MTU; the iperf tests below were performed on laptops.

The `wg1` config specifies 1420 as the MTU value.
The problem is, I'm getting subpar internet browsing performance on end-user devices. I believe the problem lies in the server configuration, and not the network, because I've performed three tests:

- Ran command-line tests on the server for Fast.com using the awesome fast-cli and the SpeedTest.net CLI utility. Both showed 1 Gbps performance via the `wg1` tunnel from server to internet.
- Ran `iperf` from several end-user devices to the server via the `wg0` tunnel. Tests showed 80-90 Mbps performance from end-user to the server.
- Finally, I ran Fast.com and SpeedTest.net tests on the end-user devices themselves. Tests showed performance ranging from 20 to 27 Mbps when forwarding traffic from end-user via `wg0` to the `wg1` tunnel and on to the internet.

To recap: server-to-internet WireGuard performance is fine at 1 Gbps. End-user to server WireGuard performance is great too, almost 100 Mbps. However, end-user to internet performance via two WireGuard tunnels, as shown in the scheme above, drops to 20-27 Mbps.

My IPv4 stack settings are all defaults except the usual forwarding option.

I don't know if this is normal, but a loss of 70-75% of bandwidth seems like a lot. I would really appreciate any advice on the matter, because I'm not really sure how to troubleshoot this further!
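One paper check worth doing on a chain like this before touching sysctls is to model the packet size at each hop, since a forwarded packet that is larger than the next tunnel's MTU is fragmented or dropped rather than carried. This is an added example, not code from the original post; it assumes that the unspecified `wg0` MTU resolves to wg-quick's usual 1420 default, a 1500-byte physical MTU on both uplinks, IPv4 endpoints, and the hop labels are hypothetical names for this walk-through.

```python
# Added example: models per-hop packet sizes for the wg0 -> NAT -> wg1 chain.
# Constants come from WireGuard's wire format; MTU values are assumptions.
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
WG_HDR = 16 + 16          # data message header (type, index, counter) + Poly1305 tag
TCP_IPV4_HDRS = 40        # 20-byte IPv4 + 20-byte TCP header, used to derive MSS


def wg_overhead(outer_ipv6: bool = False) -> int:
    """Bytes added when one WireGuard hop encapsulates a packet (60 for IPv4, 80 for IPv6)."""
    return (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_HDR


def outer_size(inner_bytes: int, outer_ipv6: bool = False) -> int:
    """Size on the physical link of an inner packet after WireGuard encapsulation."""
    return inner_bytes + wg_overhead(outer_ipv6)


def largest_inner(phys_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet a WireGuard hop can carry without fragmenting on phys_mtu."""
    return phys_mtu - wg_overhead(outer_ipv6)


def tcp_mss_for(tunnel_mtu: int) -> int:
    """TCP MSS that fits the tunnel MTU (the value for iptables TCPMSS --set-mss)."""
    return tunnel_mtu - TCP_IPV4_HDRS


def check_chain(client_mtu: int, wg1_mtu: int, phys_mtu: int = 1500,
                outer_ipv6: bool = False) -> dict:
    """Walk a full-size client packet through wg0 -> server -> wg1 and flag oversize hops."""
    hops = {
        # encapsulated by the client, carried over the client's uplink to the server
        "client_to_server_outer": outer_size(client_mtu, outer_ipv6),
        # decapsulated from wg0, then routed into wg1 (must fit wg1's MTU)
        "forwarded_into_wg1": client_mtu,
        # encapsulated again by wg1 and sent over the server's uplink to the VPN
        "server_to_vpn_outer": outer_size(min(client_mtu, wg1_mtu), outer_ipv6),
    }
    problems = []
    if hops["client_to_server_outer"] > phys_mtu:
        problems.append("wg0 inner MTU too large for the client uplink")
    if hops["forwarded_into_wg1"] > wg1_mtu:
        problems.append("wg0 packets exceed wg1 MTU: fragmented or dropped (DF) on forward")
    if hops["server_to_vpn_outer"] > phys_mtu:
        problems.append("wg1 MTU too large for the server uplink")
    return {"hops": hops, "problems": problems,
            "mss_clamp": tcp_mss_for(min(client_mtu, wg1_mtu))}
```

With the values from the post (1420 on both tunnels) the model reports no oversize hop and an MSS of 1380, so an MTU mismatch between the two tunnels is ruled out on paper and the next step is measuring the real path MTU behind `wg1` with `ping -M do` at increasing sizes.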