search

mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
5.11k stars 339 forks source link

Just having Mullvad installed reduces network speeds on M1 Macs #4640

Open MahdiNazemi opened 1 year ago

MahdiNazemi commented 1 year ago

Issue report

Operating system: macOS Ventura (13.3.1) App version: 2023.3 Other software:

Issue description

TL;DR: Merely installing and setting up the Mullvad client reduces my download speed by about 30%, irrespective of whether the app is active or not. Removing the Mullvad client and using wireguard-tools does not exhibit the same behavior.

I own two M1 Mac machines--one connects to my modem/router via Ethernet cable while the other one connects through WiFi. Unfortunately, the latter has been experiencing slow download speeds for the past few months, and despite tinkering with the modem/router's WiFi settings, I haven't been able to resolve the issue.

M1 Mac with a Wired Connection

The nominal download speed of the ISP is 800 Mbps, but I typically reach a speed of around 900 Mbps when using the Ethernet connection and without VPN. When I connect to a Mullvad server from the terminal using the wg-quick up command, my speed usually ranges between 750-800 Mbps.

M1 Mac with a Wireless Connection

The download speed without using VPN falls within the range of 550-650 Mbps, whereas with VPN (Mullvad client), it ranges between 450-550 Mbps. The distance between the router and the laptop is approximately 4-5 meters, with a wall separating the two.

However, it is possible to increase the reported download speed numbers to approximately 800 Mbps and 700 Mbps for non-VPN and VPN connections, respectively.

How to Reproduce the Issue (numbers based on my Internet service)

  1. Uninstall any VPN applications on your machine including but not limited to Mullvad client, WireGuard official app for macOS, OpenVPN Client, Tailscale, and ProtonVPN. I use AppCleaner for this purpose.
  2. Turn off WiFi and run the following command to reset network settings: 
    cd /Library/Preferences/SystemConfiguration; sudo rm -rf com.apple.airport.preferences.plist* com.apple.wifi.message-tracer.plist NetworkInterfaces* preferences*
  3. Run sfltool resetbtm to reset Login Items and Allow in the Background settings.
  4. Reboot.
  5. Run multiple speed tests on https://speedtest.net. On average, my download speed ranges from 750-825 Mbps.
  6. Install the Mullvad client, log in, enable Launch app on start-up, Auto-connect, and Local network sharing, set the protocol to WireGuard, and connect to a nearby server.
  7. Run speed tests and observe the download speed drops to around 500 Mbps.
  8. Disconnect from the Mullvad server, quit the app, disable "Allow in the Background", or any combination of these options (the Mullvad daemon will continue to run).
  9. Run speed tests and observe the download speed is around 600 Mbps.
  10. Repeat steps 1. to 4. and observe the download speed goes back to the high range of 750-825 Mbps.
  11. Install wireguard-tools, generate a WireGuard configuration file on https://mullvad.net, and use wg-quick up to connect to a server.
  12. Run speed tests and observe the speed is around 700 Mbps (compared to around 500 Mbps with the Mullvad client).
  13. Disconnect from the server using the wg-quick down command.
  14. Run speed tests and observe the speed is around 800 Mbps, which is similar to the case where the Mullvad client is not installed.

I understand that the Mullvad client utilizes wireguard-go, which is also a software dependency of wireguard-tools. As such, I am having difficulty comprehending the reason behind the difference in the reported behavior.

I repeated the aforementioned steps three times using the same machine, and I was able to reproduce similar results consistently. I would appreciate it if someone else could go through the same steps and observe if they also experience the same behavior. Currently, I have switched to using wg-quick.

faern commented 1 year ago

The latest version of wireguard-go has some performance enhancing patches. We ship with a slightly older version. So upgrading that on our side might help with the performance difference compared to the vanilla WireGuard client.

The performance dip you see by just having our app installed might come from us enabling the macOS built in firewall, pf. But we are not sure yet. That's strange. You could try running sudo pfctl -d from a terminal to disable it after you have disconnected from Mullvad to see if it brings your performance back up to the expected values.

MahdiNazemi commented 1 year ago

Thank you for taking the time to read my bug report and provide suggestions.

  1. I assume you are referring to the optimizations introduced by Tailscale that were merged upstream. Would it be possible to manually change the wireguard-go version in Mullvad (without compiling from scratch) for an apples-to-apples comparison?
  2. Removing pf did not help. The download speed with the VPN turned off drops from 800-900 Mbps to 600-700 Mbps.
  3. I can report more accurate results here instead of just a rough estimate to allow for a precise comparison.
pinkisemils commented 1 year ago

Thank you for reporting this.

I can reproduce your findings, but I've eliminated internet noise and ran iperf on a LAN. After resetting the system, I'm getting speeds above 900MBit/s, and after installing and connecting to a relay, the LAN performance degrades to about 730MBit/s, but not during the first test. We'll try updating to a newer version of wireguard-go, but I don't believe this will relieve us of this pathological behavior. Even disabling the daemon and the firewall does not help, this can be done via the following command

sudo launchctl unload /Library/LaunchDaemons/net.mullvad.daemon.plist
sudo pfctl -d

I'm not entirely certain what part of our client could lead to horrible performance degradation on interfaces we do not touch, difficult to speculate. We'll see if we can spend more time on this.

MahdiNazemi commented 1 year ago

Thank you for investigating and reproducing the issue. Please feel free to change the title to something more descriptive.

MahdiNazemi commented 1 year ago

The latest version of wireguard-go has some performance enhancing patches. We ship with a slightly older version. So upgrading that on our side might help with the performance difference compared to the vanilla WireGuard client.

We'll try updating to a newer version of wireguard-go, but I don't believe this will relieve us of this pathological behavior.

I recently started building Mullvad from source for my Mac devices. @pinkisemils, Can you please let me know how I can update the version of wireguard-go used in Mullvad?

I suspect I should update wireguard/libwg/go.mod with a newer version number, but I'm not sure where to get the commit hash (?) of the latest version available on golang.zx2c4.com/wireguard.

Thank you!

pinkisemils commented 1 year ago

Sorry for the radio silence @MahdiNazemi, you should take one of the latest tags from https://git.zx2c4.com/wireguard-go/ and try that. However, I don't believe this has much to do with WireGuard and most everything to do with macOS's internals - I think you'd be able to reproduce the same issues by just creating a utun device, applying some routes to it and subsequently destroying it. Happy hacking :slightly_smiling_face:

MahdiNazemi commented 1 year ago

OpenVPN doesn't seem to suffer from this issue. It would be interesting to see if iperf shows the same behavior when using OpenVPN.

MahdiNazemi commented 8 months ago

@faern, do you mind sharing if there has been any recent investigation on this issue and if it is likely to be fixed in the near future?

faern commented 8 months ago

Sadly we have not looked into this. We don't really get reports about this issue from many users at all. Not sure if it only affects a small subset of users, or if most people don't notice/care about the performance drop.