{"id":114,"date":"2021-12-02T18:01:19","date_gmt":"2021-12-03T00:01:19","guid":{"rendered":"https:\/\/sourceopen.com\/?p=114"},"modified":"2021-12-08T16:03:51","modified_gmt":"2021-12-08T22:03:51","slug":"howto-fix-slow-networking-with-a-wireguard-server-in-a-freebsd-jail-on-a-vps-and-slow-downloads-in-a-jail-on-a-vps","status":"publish","type":"post","link":"https:\/\/sourceopen.com\/index.php\/howto-fix-slow-networking-with-a-wireguard-server-in-a-freebsd-jail-on-a-vps-and-slow-downloads-in-a-jail-on-a-vps\/","title":{"rendered":"HOWTO Fix Slow Networking with a WireGuard server in a FreeBSD Jail on a VPS, and Slow Downloads in a Jail on a VPS"},"content":{"rendered":"\n

I was setting up WireGuard server on a FreeBSD machine (13.0) on a VPS. In this case the VPS was a Contabo VPS which uses KVM. (Edit<\/em>: I just encountered the same issue with an Oracle Cloud VM Instance as well (which also used KVM).)<\/p>\n\n\n\n

In particular the goal was to run a WireGuard server inside a jail on this VPS. I essentially followed this pretty nice guide<\/a> on setting things up. This got everything working, but it was far from fast. An OpenBSD machine, running on a much inferior VPS was tons faster. <\/p>\n\n\n\n

I determined that simple downloads with the likes of wget <\/em>from inside the jail on the VPS were terribly slow as well. I was getting about 90K\/sec vs. the many MB\/sec I should have been getting. When I tried the same download from the VPS itself (outside the jail) I go full speed.<\/p>\n\n\n\n

I tried NOT using the bridge interface as discussed in the article above<\/a>. (Look for where it says,”But if you need only a single jail, it\u2019s not necessary to use the bridge.”) I wondered if perhaps that extra layer was slowing things down. This made no measurable difference. However, since I got all the results I wanted without the bridge, I figured I was indeed better off without this extra layer.<\/p>\n\n\n\n

I found that pf (and ipfw too I believe) need tso disabled in the vtnet <\/em>driver in order to do NAT in kernel. So I added the following to the \/boot\/loader.conf<\/em> on the VPS machine (outside the jail):<\/p>\n\n\n\n

hw.vtnet.X.tso_disable=\"1\"
hw.vtnet.tso_disable=\"1\"<\/pre>\n\n\n\n
(Changing this file requires a full reboot of the VPS, not just the jail.) That really didn’t seem to do much either.<\/p>\n\n\n\n
Then I found this posting <\/a>from the mailing list archive. Here the gentleman suggested disabling lro as well. So now my  \/boot\/l<\/em>oader.conf contained the following (along with anything else that had been in there before I started all this).<\/p>\n\n\n\n
hw.vtnet.X.tso_disable=\"1\"
hw.vtnet.tso_disable=\"1\"
hw.vtnet.lro_disable=\"1\"
hw.vtnet.X.lro_disable=\"1\"<\/pre>\n\n\n\n
So this fixed my download speeds when doing a wget directly inside the jail! Everything was back to full speed inside the jail. Good progress!<\/p>\n\n\n\n
However, transfers via WireGuard from the WireGuard client machine(s) were still quite slow (like around 1-2Mbps), and seemed to have some high latency like possibly some packets were dropped, though I could never see dropped packets or high latency via tools like ping <\/em>or mtr<\/em>.<\/p>\n\n\n\n
So I decided, what the heck, let’s try disabling checksum (csum) offloading too! Now the  \/boot\/l<\/em>oader.conf  contained:<\/p>\n\n\n\n
hw.vtnet.X.tso_disable=\"1\"
hw.vtnet.tso_disable=\"1\"
hw.vtnet.lro_disable=\"1\"
hw.vtnet.X.lro_disable=\"1\"
hw.vtnet.csum_disable=\"1\"
hw.vtnet.X.csum_disable=\"1\"<\/pre>\n\n\n\n
And with these settings on the vps (non-jail) machine and a reboot I was finally able to realize the full potential speed of the WireGuard VPN on the Contabo (or Oracle Cloud) KVM based VPS.<\/p>\n\n\n\n
This is how I fixed the slow networking with a WireGuardVPN server  in a FreeBSD Jail. This also fixed slow download speeds with a FreeBSD Jail on a VPS. I hope this helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"
I was setting up WireGuard server on a FreeBSD machine (13.0) on a VPS. In this case the VPS was a Contabo VPS which uses KVM. (Edit: I just encountered the same issue with an Oracle Cloud VM Instance as … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[106,109,79,101,89,104,108,107,24,105,102,103],"_links":{"self":[{"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/posts\/114"}],"collection":[{"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":2,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":136,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions\/136"}],"wp:attachment":[{"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sourceopen.com\/index.php\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}