Why is my WireGuard speed still affecting internet speed even if the VPN policy disables on speed tests? (AX1800 Flint)

Basically, I have a VPN policy setup so it’s only enabled for streaming services and all their extra domains. It works, however I’m noticing an odd side effect of this when running a speed test.

Since the VPN policy is only for streaming services, I’m testing using Ookla speed test and not fast.com. Regardless, my ping is supposed to be around or below 40 without a VPN. But, with the VPN policy enabled, although the download and upload are where they’re supposed to be (faster than with a VPN), the ping is acting like a VPN is enabled: it goes above 60, sometimes to 70 or 80, which isn’t ideal. These are the same ping numbers as if I enabled the VPN on the entire network and ran a speed test.

Another portion where this is problematic is testing a livestream with OBS. Without a VPN I can easily stream 50,000kbps with zero dropped frames, with the VPN on, it’s not nearly as stable and the highest I can probably go without dropping frames is 20,000kbps. However, I am testing this by streaming to YouTube, so does anyone know if that applies to the VPN policy?

I only put Netflix and YouTube on the list, because my ISP throttles those websites, and using a VPN helps significantly. However, the OBS thing is odd to me because although watching YouTube without a VPN is slow, I was able to livestream to YouTube through OBS without issue, that’s how I got that 50,000 kbps number. My upload speed is around 60mbps.

Is this just a side effect of using VPN policies or have I set something up wrong? It almost defeats the purpose because now my main connection is a little slower even with no VPN.

Edit: Perhaps instability in WireGuard? I was against using OpenVPN on my entire network because it would be slower, but now that I know this VPN policy works, I’m willing to switch it to OpenVPN if that’s better. My internet speed is about 250/60, if I can at bare minimum get 150/30 on OpenVPN, I’m fine with that. Possible?

In real world tests (not speedtest) I’ve seen close to 200mbps using OpenVPN on an AXT1800:

(graph measured at the VPN server)

Could be worth a try, though I doubt that’s your issue. You might also monkey with the MTU settings in WG (lower them).

I have it on 1280, wouldn’t lowering it more cause an issue? Increasing it definitely makes it worse.

p.s. thank you again for your help over text, I didn’t want to keep bothering you so I made a post instead of replying again haha


1280 should be fine, but you can always go lower to see if it improves more.

Or you can do the actual calculation to figure out what it should be:

How to find the proper MTU size for my network | TP-Link.
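The calculation mentioned above is usually done by pinging with the Don't Fragment bit set and finding the largest payload that still gets through. The script below is an added example, not code from this thread or the linked guide: it automates that search and derives a WireGuard MTU from the result. It assumes a Linux client with iputils `ping` (`-M do`); `TARGET`, the search range and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iputils ping, where
# "-M do" sets Don't Fragment. TARGET is a placeholder address.
TARGET="${TARGET:-192.0.2.1}"

# probe_ping SIZE: succeeds if an echo with SIZE payload bytes passes unfragmented.
probe_ping() {
    ping -M do -c 1 -W 1 -s "$1" "$TARGET" >/dev/null 2>&1
}

# find_path_mtu PROBE [LOW] [HIGH]
# Binary-search the largest payload PROBE accepts, then add 28 bytes
# (20 IPv4 header + 8 ICMP header) to get the path MTU.
find_path_mtu() {
    local probe="$1" lo="${2:-548}" hi="${3:-1472}" mid
    if ! "$probe" "$lo"; then
        echo "probe failed even at $lo bytes; is the target reachable?" >&2
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# wg_mtu PATH_MTU [4|6]
# WireGuard overhead: outer IP header (20 for IPv4, 40 for IPv6) + 8 UDP
# + 32 bytes of WireGuard header and auth tag = 60 or 80 bytes.
wg_mtu() {
    local path_mtu="$1" family="${2:-4}" overhead=60
    if [ "$family" = 6 ]; then overhead=80; fi
    echo $(( path_mtu - overhead ))
}

# Live run only when asked: sh mtu.sh --live
if [ "${1:-}" = "--live" ]; then
    pmtu=$(find_path_mtu probe_ping) || exit 1
    echo "path MTU: $pmtu, WireGuard MTU (IPv4 endpoint): $(wg_mtu "$pmtu" 4)"
fi
```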

Should I remove the MTU in the settings before trying that? 1280 is the only number that doesn’t give the “packet needs to be fragmented but DF set” but I’d imagine that’s because I have the MTU manually set to 1280

Edit: or maybe I’m misunderstanding how the calculation works, maybe I’ll just try lowering MTU

Yeah - if you’ve got it set to 1280 it will fragment anything above that.

Ah, actually I just realized. I have the MTU on the VPN set to 1280, is there a separate setting for plain WAN connection MTU? Or is 1280 for both?

Edit: That was a silly question, the MTU is on the modem’s admin page. Are they supposed to be the same MTU? Is that causing the problem perhaps?

Generally should be less for the VPN. Again, 1280 should be safe (that’s a typical number for IPSec MSS clamping), but it depends on your ISP too.

Right, so I have an LTE modem/router that I just disabled WiFi on and push it directly to the router via ethernet. I must be mistaken because I thought I could change the MTU on the modem but I don’t see an option for that. I noticed IP passthrough was disabled on it though, not sure if that’s relevant or important.

I tried lowering the MTU to various different numbers, I even tried something extremely low like 800, it seemed to have no impact on the ping at all. It was just making the WireGuard speeds slower, but not the main connection.

Oddly enough I disabled the VPN and the VPN policies, and the ping is still 60, which is more than it was before. Perhaps this is just LTE being LTE, that’s fine.

However, problem still persists with the OBS streaming example. VPN off I can stream 40k for example perfectly fine, with VPN on 40k drops plenty of frames, and again, I’m not entirely sure the VPN should even be routing through here if I can stream fine without it.

I lowered the MTU to 1180, then 1100 same problem.

However, I ran a speedtest on WireGuard, looks like it’s having trouble barely breaking 40mbps upload. Which again is fine, just how VPNs work, but even when I compensate for this by making the bitrate 33k, it still drops frames. This is with the MTU back to 1280 though.

Lastly, I set the MTU to 1180, really let it sit for a minute, then tried an OBS test with a compensated 33k bitrate and it’s still dropping frames. Again, no VPN can do 50k no issue, no ISP throttling regardless that YouTube and fast.com are throttled. As a matter of fact, lowering the MTU on the VPN to 1180 seems to significantly reduce speeds (200ish to now 100ish).

Should I just continue testing? Not really sure.

I mean, one thought would be to try TCP OpenVPN - guaranteed in-order delivery.

Sure why not, I’ll find time today to boot up an OpenVPN server and launch it on the router, then I’ll reply to you or anyone else’s comments. Thanks again!

TCP adds additional packet overhead, so adjusting MTU will probably be needed again. If you’re doing this on LTE then I’d suggest looking for guides on LTE MTU specifically - I’m sure they exist.

It’s a huge mixed bag of information from my brief look, I’m just messing around with this on AT&T, I get varying numbers for what’s suggested.

If you don’t specify MTU, OpenVPN will calculate the best setting.

Interesting, does this apply to WireGuard as well?