I set up a local home VPN on a Raspberry Pi 4 Model B 2019 Quad Core (4GB of RAM) running Ubuntu 20.04, connected to my home router using Ethernet. I used PiVPN with Pihole for the setup. I set up the client on my iPhone and Mac and it connects, but the connection speeds are very slow compared to my home speed. My ISP plan is AT&T Fiber with Gigabit Speed, so my RPi4 has a pretty close upload/download speed to this:

speedtest cli

        ISP: AT&T U-verse
    Latency:     3.32 ms   (0.83 ms jitter)
   Download:   913.95 Mbps (data used: 887.2 MB )                               
     Upload:   921.47 Mbps (data used: 1.1 GB )                               
Packet Loss:     0.0%

For my clients (iPhone and Mac, both connected over Wifi), I used speedtest.net to gather their speeds without the VPN (just connected directly to the home network)

Mac: 397mbps/486mbps (download/upload)
iPhone: 377mbps (download)

Once connected to the VPN, the connections were much lower (using the same test):

Mac: 15.65mbps/15.11mbps (download/upload)
iPhone: 8.45mbps (download)

I started looking at other threads of people having the same issue and tried the following:

  1. Changed the default listening port (51820) to other different ports (tried 51821, 81, 443) in case my ISP (AT&T) was throttling any of those ports. No luck.
  2. Reinstalled PiVPN without PiHole integration (in case that was messing it up somehow). No luck.
  3. Changed the server and client MTU to different values (initially it is 1420): 1400, 1300, 1200. No luck. (I did ifconfig and it seems my network mtu is 1500, so the default should have been fine)
  4. Performed an iperf3 test using my Mac to see if I could find something with that test:

iperf test without vpn

iperf3 -c 192.168.1.93
 Connecting to host 192.168.1.93, port 5201
[ 5] local 192.168.1.64 port 57206 connected to 192.168.1.93 port 5201
[ ID] Interval  Transfer  Bitrate
[ 5]  0.00-1.00  sec 76.2 MBytes  639 Mbits/sec  
[ 5]  1.00-2.01  sec 72.2 MBytes  598 Mbits/sec  
[ 5]  2.01-3.00  sec 62.8 MBytes  533 Mbits/sec  
[ 5]  3.00-4.00  sec 55.2 MBytes  465 Mbits/sec  
[ 5]  4.00-5.00  sec 72.9 MBytes  612 Mbits/sec  
[ 5]  5.00-6.00  sec 72.4 MBytes  608 Mbits/sec  
[ 5]  6.00-7.00  sec 68.0 MBytes  569 Mbits/sec  
[ 5]  7.00-8.00  sec 61.4 MBytes  516 Mbits/sec  
[ 5]  8.00-9.00  sec 70.4 MBytes  591 Mbits/sec  
[ 5]  9.00-10.00 sec 70.6 MBytes  592 Mbits/sec  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval  Transfer  Bitrate
[ 5]  0.00-10.00 sec  682 MBytes  572 Mbits/sec sender
[ 5]  0.00-10.01 sec  681 MBytes  571 Mbits/sec receiver

iperf test with vpn

iperf3 -c 10.6.0.1
Connecting to host 10.6.0.1, port 5201
[ 5] local 10.6.0.2 port 59800 connected to 10.6.0.1 port 5201
[ ID] Interval  Transfer  Bitrate
[ 5]  0.00-1.00  sec 3.16 MBytes 26.3 Mbits/sec  
[ 5]  1.00-2.00  sec 0.00 Bytes 0.00 bits/sec  
[ 5]  2.00-3.00  sec 0.00 Bytes 0.00 bits/sec  
[ 5]  3.00-4.00  sec 1.21 MBytes 10.2 Mbits/sec  
[ 5]  4.00-5.00  sec 1.72 MBytes 14.4 Mbits/sec  
[ 5]  5.00-6.00  sec 1.58 MBytes 13.2 Mbits/sec  
[ 5]  6.00-7.00  sec 1.91 MBytes 16.1 Mbits/sec  
[ 5]  7.00-8.00  sec 1.72 MBytes 14.4 Mbits/sec  
[ 5]  8.00-9.00  sec 0.00 Bytes 0.00 bits/sec  
[ 5]  9.00-10.00 sec 0.00 Bytes 0.00 bits/sec  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval  Transfer  Bitrate
[ 5]  0.00-10.00 sec 11.3 MBytes 9.48 Mbits/sec sender
[ 5]  0.00-15.52 sec 11.3 MBytes 6.11 Mbits/sec receiver

This test just confirmed what I had already seen from the speedtest.net test. I am left with no other things to try, so I have a few questions if you guys can help me:

  1. Does AT&T throttle Wireguard packets? Could that be the reason why I am kind of stuck at 10mbps?
  2. Is it normal to expect going from 400mbps to 10mbps using Wireguard?
  3. How can I fix this issue? What do you recommend to speed up my connection?

A couple of other things to note:

  • I am using an AT&T gateway router Pace 5268AC (port-forwarding seems to work fine)
  • This is my current pivpn -d debug log:
=============================================
::::  Latest commit   ::::
Branch: master
Commit: f80b0a7962d91862132c0a4abd65c1e67bd37bd7
Author: 4s3ti
Date: Fri Dec 3 21:41:13 2021 +0100
Summary: Update Changelog
=============================================
::::  Installation settings    ::::
PLAT=Ubuntu
OSCN=focal
USING_UFW=1
IPv4dev=eth0
install_user=ubuntu
install_home=/home/ubuntu
VPN=wireguard
pivpnPORT=443
pivpnDNS1=1.1.1.1
pivpnDNS2=1.0.0.1
pivpnHOST=REDACTED
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=()
=============================================
:::: Server configuration shown below  ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 443
### begin user ###
[Peer]
PublicKey = user_pub
PresharedKey = user_psk
AllowedIPs = 10.6.0.2/32
### end user ###
### begin Phone ###
[Peer]
PublicKey = Phone_pub
PresharedKey = Phone_psk
AllowedIPs = 10.6.0.3/32
### end Phone ###
=============================================
:::: Client configuration shown below  ::::
[Interface]
PrivateKey = user_priv
Address = 10.6.0.2/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = server_pub
PresharedKey = user_psk
Endpoint = REDACTED:443
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
::::  Recursive list of files in  ::::
:::: /etc/wireguard shown below  ::::
/etc/wireguard:
configs
keys
wg0.conf
/etc/wireguard/configs:
Phone.conf
clients.txt
user.conf
/etc/wireguard/keys:
Phone_priv
Phone_psk
Phone_pub
user_priv
user_psk
user_pub
server_priv
server_pub
=============================================
::::  Self check   ::::
:: [OK] IP forwarding is enabled
:: [OK] Ufw is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Ufw input rule set
:: [OK] Ufw forwarding rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 443/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive  ::::
:::: information, however, still make sure that PrivateKey, PublicKey ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this: ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe ::::
=============================================
::::  Debug complete   ::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.log

Edit: this is what htop looks like while running the speedtest: [image]

  • Have you tried running vmstat when the VPN is running? My guess is the RPi is struggling to handle the en/decryption without CPU offload on a low performance (relative to a typical PC) CPU.
    – davidgo
    Commented Dec 24, 2021 at 23:38
  • I don't think that is the issue @davidgo. I ran htop while the speedtest is running, and it seems that none of the four cores are overwhelmed.
    – Pablo
    Commented Dec 25, 2021 at 0:20
  • Even on my Pi 3B+, no core usage goes over 50% when my WG client is downloading at ~100Mbps (it's actually like 3x * 2 + 1x * 2 on average).
    – Tom Yan
    Commented Dec 25, 2021 at 0:23

1 Answer

I was able to improve this by lowering the MTU to 1432 (MTU = 1432 in your wireguard config). Here are the before/afters on my LAN (wifi) between a MBP and my Raspi 4:

default MTU:

$ iperf3 -c 172.16.42.1 -p 5201
Connecting to host 172.16.42.1, port 5201
[  5] local 172.16.42.2 port 60457 connected to 172.16.42.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   148 KBytes  1.21 Mbits/sec
[  5]   1.00-2.00   sec  30.7 KBytes   251 Kbits/sec
[  5]   2.00-3.00   sec  54.5 KBytes   448 Kbits/sec
[  5]   3.00-4.00   sec  5.34 KBytes  43.8 Kbits/sec
[  5]   4.00-5.00   sec  33.4 KBytes   273 Kbits/sec
[  5]   5.00-6.00   sec  86.9 KBytes   712 Kbits/sec
[  5]   6.00-7.01   sec  28.1 KBytes   229 Kbits/sec
[  5]   7.01-8.00   sec  45.4 KBytes   374 Kbits/sec
[  5]   8.00-9.00   sec  33.4 KBytes   273 Kbits/sec
[  5]   9.00-10.00  sec  45.4 KBytes   372 Kbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   511 KBytes   419 Kbits/sec                  sender
[  5]   0.00-10.69  sec   411 KBytes   315 Kbits/sec                  receiver

iperf Done.

lower MTU:

$ iperf3 -c 172.16.42.1 -p 5201
Connecting to host 172.16.42.1, port 5201
[  5] local 172.16.42.2 port 60683 connected to 172.16.42.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  12.9 MBytes   108 Mbits/sec
[  5]   1.00-2.00   sec  14.0 MBytes   117 Mbits/sec
[  5]   2.00-3.00   sec  13.7 MBytes   115 Mbits/sec
[  5]   3.00-4.00   sec  14.4 MBytes   121 Mbits/sec
[  5]   4.00-5.00   sec  15.2 MBytes   127 Mbits/sec
[  5]   5.00-6.00   sec  15.4 MBytes   129 Mbits/sec
[  5]   6.00-7.00   sec  15.4 MBytes   129 Mbits/sec
[  5]   7.00-8.00   sec  17.1 MBytes   143 Mbits/sec
[  5]   8.00-9.00   sec  16.0 MBytes   134 Mbits/sec
[  5]   9.00-10.00  sec  16.0 MBytes   134 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   150 MBytes   126 Mbits/sec                  sender
[  5]   0.00-10.03  sec   149 MBytes   125 Mbits/sec                  receiver

iperf Done.

This gist has some more info about finding the optimal server/client MTU combination for your network: https://gist.github.com/nitred/f16850ca48c48c79bf422e90ee5b9d95
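
Added example (not part of the original answer and not taken from the linked gist): one way to measure the path MTU toward the WireGuard endpoint and derive the largest tunnel MTU that avoids fragmentation. It assumes Linux iputils `ping` (`-M do` sets the Don't Fragment bit) and an IPv4 probe path; `vpn.example.net` is a placeholder host. The overhead figures are the outer IP header (20 bytes for IPv4, 40 for IPv6), the UDP header (8) and WireGuard's own framing (32).

```shell
#!/bin/sh
# Added example: derive a WireGuard MTU from a measured path MTU.
# Assumption: Linux iputils ping; other platforms use different flags.

# probe HOST SIZE: succeeds if an IPv4 packet of SIZE total bytes reaches
# HOST without fragmentation. ICMP payload = SIZE - 20 (IPv4) - 8 (ICMP).
probe() {
    ping -M do -c 1 -W 1 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [LO] [HI]: binary search for the largest packet size that
# passes. Prints 0 and fails if even the lower bound does not get through
# (host down, or ICMP filtered, in which case the result is not usable).
find_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    probe "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if probe "$host" "$mid"; then
            lo=$mid                       # mid fits: search above it
        else
            hi=$(( mid - 1 ))             # mid too large: search below it
        fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU FAMILY: tunnel MTU for an endpoint reached over IPv4 (4)
# or IPv6 (6). 1500 with FAMILY=6 gives the familiar default of 1420.
wg_mtu() {
    case "$2" in
        4) echo $(( $1 - 20 - 8 - 32 )) ;;
        6) echo $(( $1 - 40 - 8 - 32 )) ;;
        *) echo "family must be 4 or 6" >&2; return 2 ;;
    esac
}

# Usage (placeholder host):
#   pmtu=$(find_pmtu vpn.example.net) && wg_mtu "$pmtu" 4
```

Run the probe from the client toward the server's public address, and set the resulting value (or lower) as `MTU` on both ends of the tunnel.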
