erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
3.22k stars, 290 forks

Methods to speed up overall throughput and Lower Latency w This + WG #125

Closed. noelashford closed this 1 year ago

noelashford commented 1 year ago

Hello - I am still testing ref to IPv6, but I do have a few links up with IPv4 of this for testing right now; it's 13% as fast as native WG, so as such I am wondering how you would suggest, should I wish to mod this myself, to speed it up?

Multithreading on the HTTPS side? Offloader cards (which ones - AES?)

What else would speed this up & lower latency? I am assuming if I was to try a solid video stream it may become problematic / buffer often? Let's say I had a prod use for this requiring this at a larger volume, how would this scale?

Also would this pass DPI / Deep Packet Inspection and if not, why?

erebe commented 1 year ago

Hello,

Don't think you can. You are running WireGuard over UDP over WebSocket over TLS over TCP, so at some point you're going to take a hit in throughput.

You encrypt every packet twice: once with WireGuard and another time with TLS.

Every UDP packet's data is going to be masked because of the WebSocket requirement (and then unmasked server side), and every UDP packet is going to map to a WebSocket frame, which is a lot more heavyweight than sending raw data over UDP.

With this being said, you should profile client and server with perf in order to check where the bottleneck is (GC, syscall, CPU) and what can be done. Last time I checked for TCP (not UDP) it was mostly the GC which was the culprit. But it may not be the same for WireGuard and UDP.

The server/client are already multithreaded, but across several connections. On a single connection there is no benefit from multithreading, as it is hard to be CPU bound.

You don't want to go to prod with this; you are just encapsulating too much. You can try reducing the MTU on the WireGuard interface to reduce latency.

noelashford commented 1 year ago

Thanks for the detailed info - is there a way that I could take an encapsulation to prod that's lighter and would pass DPI? Also, would this pass DPI? How many connections would it handle before toppling over / becoming too much overhead? Does it not scale whatsoever? At current, notably, I route this via an NGINX ingress as I have a lot on port 80; I doubt highly nginx is the bottleneck... By GC, I assume you mean garbage collection?

noelashford commented 1 year ago

Also, in ref to prod, I mean being able to offer a few VPN connections across this for friends and family in places with difficult internet connections censorship-wise, hence asking what the breaking point would be. I want to wrap wstunnel in a mobile app with WG as well. WireGuard is easy to detect FW-wise / DPI, so I am simply trying to mask it. Is there a better way to mask this / more lightweight that will pass firewalls in odd areas of the world :) ? I also would make use of DoH servers as well so even DNS can't be detected. Looking to go stealth for them to get uncensored internet. UDP is a non-starter in general in such places.

erebe commented 1 year ago

If it is just a few connections for friends, well, you will not have any issue with wstunnel. Most likely from within a censored country your outbound traffic will be very much limited, so wstunnel/your remote server will not be the limiting factor.

The most lightweight alternative to WireGuard would just be to use wstunnel at the client side directly. Just use the socks5 -D option and ask your friends to configure their browser to use it. https://www.chromium.org/developers/design-documents/network-stack/socks-proxy/ It will be way better than trying to encapsulate WireGuard.

Ali-Flt commented 1 year ago

I am also using this tutorial for WireGuard over wstunnel. But the performance is not stable. I know my bandwidth is not the issue because at the same time that I have low download speed through wstunnel I have a decent one through a v2ray proxy connection. Is there anything I could do for better performance? Also I should mention that multiple clients are connecting to the wstunnel on the server, which is connected to the WG server (Server_IP:8443). Can that be problematic for wstunnel? My setup is like this:

WG server on localhost:51822 <-> Wstunnel on server from localhost:51822 to 0.0.0.0:8443 <-> Wstunnel on Client from Server_IP:8443 to localhost:51822 <-> WG client with Endpoint=localhost:51822

erebe commented 1 year ago

Hello,

If you have an issue with stability, try lowering the MTU of the WireGuard interface on your server/client:

[Interface]
Address = 10.200.200.1/24
ListenPort = 995
MTU = 1300

It will reduce the packet size of the interface, which will be more likely to fit in a single TCP packet containing the TLS + WebSocket frame + WireGuard data. Try to play with the value to see what fits best for you.

For performance, there is not much to do. I checked on my server and workstation, and the server is going to saturate your CPU way before your bandwidth due to too many syscalls per packet received.

For example, in my case with a server with just 2 low-grade CPUs:
-> I can download at 80 Mo per second without anything
-> while using WireGuard I download the same file at 30 Mo/sec
-> and when using WireGuard + wstunnel I painfully hit 10 Mo/sec due to the server saturating its CPU
(-> ssh -D: ~50 Mo/sec)
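The two comments above (the WireGuard-over-UDP-over-WebSocket-over-TLS-over-TCP layering and the advice to lower the [Interface] MTU so that each packet fits a single TCP segment) can be checked with a per-layer byte budget. The following calculator is an added example, not code from wstunnel or from anyone in this thread. It assumes one UDP datagram per WebSocket binary frame (as the maintainer states), a TLS 1.3 record layer, an IPv4 outer path with a 1500-byte path MTU, and Linux TCP timestamps; the WireGuard and WebSocket header sizes are taken from the WireGuard whitepaper and RFC 6455. It generalises the single MTU value in the thread by computing the largest interface MTU that still fits one outer segment under those assumptions.

```python
"""Per-layer framing budget for WireGuard tunnelled through wstunnel (UDP mode).

Constructed example: models one full-size packet leaving the WireGuard
interface and counts what each layer adds on the path
    WireGuard packet -> UDP datagram -> WebSocket frame -> TLS record -> TCP/IP
All constants are stated assumptions, noted in the comments.
"""
from math import ceil

# WireGuard transport message (whitepaper 5.4.6): header + AEAD tag.
WG_HEADER = 16        # type(1) + reserved(3) + receiver index(4) + counter(8)
WG_TAG = 16           # ChaCha20-Poly1305 authentication tag
WG_PAD_MULTIPLE = 16  # inner packet is zero-padded to a 16-byte multiple,
                      # but never beyond the interface MTU (Linux clamps it)

# TLS record overhead (assumed): TLS 1.3 = header + inner content type + tag;
# TLS 1.2 AES-GCM = header + explicit nonce + tag.
TLS13_RECORD_OVERHEAD = 5 + 1 + 16
TLS12_GCM_RECORD_OVERHEAD = 5 + 8 + 16

# Outer headers (assumed). TCP timestamps add 12 bytes on most Linux stacks.
IPV4_HEADER, IPV6_HEADER, TCP_HEADER = 20, 40, 20
TCP_TIMESTAMP_OPTIONS = 12


def wg_datagram_size(inner_len: int, mtu: int) -> int:
    """UDP payload WireGuard hands to wstunnel for one inner packet.
    The UDP/IP headers between WG and wstunnel stay on localhost, so they
    are not counted: wstunnel forwards only the datagram payload."""
    padded = min(mtu, ceil(inner_len / WG_PAD_MULTIPLE) * WG_PAD_MULTIPLE)
    return WG_HEADER + padded + WG_TAG


def ws_frame_size(payload_len: int, masked: bool = True) -> int:
    """RFC 6455 frame: 2-byte base header, extended length field when the
    payload exceeds 125 (2 bytes) or 65535 (8 bytes), plus a 4-byte masking
    key. Client-to-server frames must be masked; server-to-client are not."""
    header = 2
    if payload_len > 65535:
        header += 8
    elif payload_len > 125:
        header += 2
    if masked:
        header += 4
    return header + payload_len


def tls_record_size(plaintext_len: int, tls13: bool = True) -> int:
    """Bytes on the TCP stream for one TLS record carrying the frame."""
    return plaintext_len + (TLS13_RECORD_OVERHEAD if tls13 else TLS12_GCM_RECORD_OVERHEAD)


def tcp_mss(path_mtu: int, ipv6: bool = False,
            tcp_options: int = TCP_TIMESTAMP_OPTIONS) -> int:
    """Payload bytes one outer TCP segment can carry."""
    return path_mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER - tcp_options


def segments_for_packet(inner_mtu: int, path_mtu: int = 1500, ipv6: bool = False,
                        tcp_options: int = TCP_TIMESTAMP_OPTIONS,
                        masked: bool = True, tls13: bool = True) -> int:
    """Outer TCP segments needed for one full-size (MTU-sized) WireGuard
    packet. The thread's advice (MTU = 1300) aims to make this 1."""
    datagram = wg_datagram_size(inner_mtu, inner_mtu)
    record = tls_record_size(ws_frame_size(datagram, masked), tls13)
    return ceil(record / tcp_mss(path_mtu, ipv6, tcp_options))


def largest_single_segment_mtu(path_mtu: int = 1500, **kw) -> int:
    """Largest [Interface] MTU whose full-size packets still fit one segment."""
    mtu = path_mtu
    while mtu > 0 and segments_for_packet(mtu, path_mtu, **kw) > 1:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    print(f"{'WG MTU':>7} {'TLS record':>11} {'segments':>9}")
    for mtu in (1420, 1380, 1300):  # 1420 is the WireGuard default on Linux
        datagram = wg_datagram_size(mtu, mtu)
        record = tls_record_size(ws_frame_size(datagram))
        print(f"{mtu:>7} {record:>11} {segments_for_packet(mtu):>9}")
    print("largest single-segment MTU (IPv4 outer):", largest_single_segment_mtu())
    print("largest single-segment MTU (IPv6 outer):", largest_single_segment_mtu(ipv6=True))
```

Each layer's overhead is constant per packet, so the budget only tells you whether one WireGuard packet spills into a second outer segment; it does not model the per-packet syscall and GC cost that the maintainer identifies as the real CPU limit. Swap `masked=False` to see the server-to-client direction, `tls13=False` for a TLS 1.2 AES-GCM deployment, or `tcp_options=0` for a stack without TCP timestamps.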

Ali-Flt commented 1 year ago

I understand, my server has only 1 CPU core so I decided to use OpenVPN (TCP) on wstunnel. So far performance is stable and I haven't experienced any latency spikes.