Hi,

today I tried to use the MT router as wireguard client (peer) and worked really easy. I had problems with MTU (I guess), but with the mangle entry (see #fix MTU) it worked like a charm: Afterwards I changed the default route to the IP 10.200.200.1 (wireguard server) and added a static router to reach the server itself without the tunnel (see viewtopic.php?t=73775). Now the whole traffic is tunneled.

For the benchmark, I used my internet connection (100mbit), with the following results:
* RB951G-2HnD - max. 65mbit/s at 99% CPU
* hEX (RB750Gr3) - max. 95mbit/s at 50-60% CPU

I have a Wireguard subsciption vis OVPN.net and trying to use their config file to enter my info into my SXT LTE6 running 7.1
I'm using Winbox, have not mastered CLI yet.
I can see wireguard in my interfaces list.
Do I now need to add it to the interface list?
Sorry, I'm real new.

Thanks for sharing your config and experience, mawebi. My wg connection was also spotty but adding the MSS mangle rule fixed it (thanks to your post).

I am using a MikroTik hAP ac2 and am currently seeing 30% of the throughput that a Raspberry Pi with the same Wireguard configuration delivers. I will go through my setup again to make sure the delta is not caused by a misconfiguration, but for what it's worth, I am also seeing 50-60% CPU usage during a speedtest.

Thanks for the info on MTU!

I'm curious now to see if I can get it to 1Gbps reliably over wireguard. May have to do some tests into our DC with CCRs

Would love to hear about your results if you end up running the tests.

Also looking forward to see the Wireguard support on RouterOS mature, but it's been performing very reliably on my little setup so far.

With two MT routers (one as client the other as server) one behind another MT and the other behind an ISP modem/router (both on same gig fiber network approx 15km apart) getting 300Mbps up and down. Very stable, had to play with MTU go enable some specific internet sites. Mangling is not required to adjust MTU

At which points in chain did you end up adjusting the MTU? I currently have a mangle rule in place but that probably slows things down. The MTU on the wg interface alone (1420) wasn't enough.

If changing MSS fixes things for you, you're doing something wrong. Or.. atleast don't say that MSS fixes MTU. Setting the proper MTU "fixes" MTU.

Well yes and no, cause the MSS determines how large a packet is going to be when it reaches the data link layer.

If adjusting the MSS fixes the problem related to MTU, I think the OP framed it accurately enough with the understanding of the problem that was available at the time.

The MikroTik documentation (https://help.mikrotik.com/docs/display/ROS/WireGuard) suggests the Wireguard interface's MTU is set to 1420 by default. But many people's setup doesn't work with that setting. So the question is at which point(s) does the MTU need to be set to avoid having to clamp the MSS through a mangle rule? Does one orientate at the MTU of the PPPoE interface for example, or the lowest value in the chain?

Also see my questions from above:

At which points in chain did you end up adjusting the MTU? I currently have a mangle rule in place but that probably slows things down. The MTU on the wg interface alone (1420) wasn't enough.

When the MTU was set to 1420 on both Wireguard interfaces (the MTU setting on the Wireguard MENU), the client computer started an application that brings up a program that allows access to websites etc, but first takes the user to a verification website. The process was not completed so we started messing with MTU settings. I understand about fragmentation so the first attempt was to reduce MTU.
I went from 1420 seemingly the default to 1400 and no joy. I went as low as 1320 and then went the other way.
I went in the opposite direction and tried 1480, and 1492 with no joy.
When I next attempted 1500 mtu, the client application worked great. Doing a test it shows fragmentation occurs but the user does not care as a challenging connection works flawlessly as do all other applications needed and general internet performance.

Thanks for sharing these data points!

I don't have a lot of experience with MTU settings, so will spend some time learning more about it beyond the basic definitions, particularly how it needs to be configured across interfaces in a network setup.