wireguard cloudflare warp really slow on mikrotik router

Messages: 74 | Location: Pune | ISP: I-ON Broadband
I assume it's a setting I messed up while trying to configure it, so I need help to find out where exactly I messed up. This is the video I watched
Source

I don't know what information to provide, so just ask me and I will share whatever is needed. Also, if I try using WireGuard on my PC, I get full speeds, so it's not my internet causing issues.
 
So.. when you say it's slow, what exactly do you mean? Also, can you do a ping to any ranged IPs with and without warp.

What are your normal speeds, what are the speeds you are getting, and what is the model?

An output from https://www.cloudflare.com/cdn-cgi/trace with and without warp.

Also, if you have access to CLI, you'd need to share the following:
interface wireguard export verbose
ip address export verbose
ip firewall filter export verbose

Hide any sensitive information.
 
So.. when you say it's slow, what exactly do you mean?
The sites would take a few mins to load while I was on the Mumbai colocation server.

Also, can you do a ping to any ranged IPs with and without warp.


Without warp
C:\Users\>ping fr.archive.ubuntu.com

Pinging ubuntu.lafibre.info [51.158.154.169] with 32 bytes of data:
Reply from 51.158.154.169: bytes=32 time=139ms TTL=51
Reply from 51.158.154.169: bytes=32 time=127ms TTL=51
Reply from 51.158.154.169: bytes=32 time=130ms TTL=51
Reply from 51.158.154.169: bytes=32 time=128ms TTL=51

Ping statistics for 51.158.154.169:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 139ms, Average = 131ms

With warp

C:\Users\>ping fr.archive.ubuntu.com

Pinging ubuntu.lafibre.info [51.158.154.169] with 32 bytes of data:
Reply from 51.158.154.169: bytes=32 time=180ms TTL=56
Reply from 51.158.154.169: bytes=32 time=184ms TTL=56
Reply from 51.158.154.169: bytes=32 time=183ms TTL=56
Reply from 51.158.154.169: bytes=32 time=180ms TTL=56

Ping statistics for 51.158.154.169:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 180ms, Maximum = 184ms, Average = 181ms


What are your normal speeds, what are the speeds you are getting, and what is the model?
I have a 300 Mbps plan, and with Cloudflare WARP I get around 280 Mbps on almost all speedtest servers and also while downloading files. With WireGuard (WARP settings) set up on the MikroTik, I wasn't even able to open the speedtest site properly. It took a few mins to load, and after loading, when I clicked the start button, it was just stuck on starting. I am using a MikroTik RB750GR3.

An output from https://www.cloudflare.com/cdn-cgi/trace with and without warp.

without warp
fl=578f85
h=www.cloudflare.com
ip=103.XXX.XXX.XX
ts=1699790052.878
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
colo=BOM
sliver=none
http=http/3
loc=IN
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519

with warp

fl=202f207
h=www.cloudflare.com
ip=104.XX.XXX.XX
ts=1699790164.495
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
colo=BOM
sliver=010-bom03
http=http/2
loc=IN
tls=TLSv1.3
sni=plaintext
warp=plus
gateway=off
rbi=off
kex=X25519

One weird thing is that on my PC I always get the Mumbai colocation server, but my phone, which is on the same network, gets the Singapore colocation. If I put 162.159.193.5 as my endpoint, I always get the Mumbai server.


Also, if you have access to CLI, you'd need to share the following:

[@MikroTik hEX] > interface wireguard export verbose
# 2023-11-12 17:37:57 by RouterOS 7.11.2
# software id = 1UZ2-YDTG
#
# model = RB750Gr3
# serial number = HEX095B7WBN
/interface wireguard
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=no endpoint-address=162.159.193.5 endpoint-port=2408 interface=wireguard1 public-key="bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="

[jash@MikroTik hEX] > ip address export verbose
# 2023-11-12 17:38:54 by RouterOS 7.11.2
# software id = 1UZ2-YDTG
#
# model = RB750Gr3
# serial number = HEX095B7WBN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=bridge network=192.168.88.0
add address=172.16.0.2/24 disabled=no interface=wireguard1 network=172.16.0.0

[jash@MikroTik hEX] > ip firewall filter export verbose
# 2023-11-12 17:39:25 by RouterOS 7.11.2
# software id = 1UZ2-YDTG
#
# model = RB750Gr3
# serial number = HEX095B7WBN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
 
You get 162.159.193.1-x as Mumbai because it is an anycast IP pointing to MUM as per the routing of your ISP.
WireGuard is not the culprit here, I get 600ish on WireGuard Tunnel using CF MUM endpoint on my Pi running OpenWRT.
 
1280 is ideal.
 


A few changes I'd recommend as well.

/ip address add address=172.16.0.2/32 disabled=no interface=wireguard1
/interface wireguard add disabled=no listen-port=13231 mtu=1280 name=wireguard1

And, I hope you are NAT-ing your wireguard interface.

Lastly, are you fully routing everything to wireguard when testing or are you using some kind of a rule or mangle?
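
Added example, not part of any post in this thread and not MikroTik or Cloudflare code: a Python script that checks a RouterOS export against the three points in the reply above (MTU 1280, a /32 tunnel address, NAT on the WireGuard interface). The sample export is constructed from the lines posted earlier plus a hypothetical `/ip firewall nat` section, which the thread never shows; `parse_export` and `audit` are illustrative names.

```python
import re

# Constructed sample: export lines in the style posted in the thread, plus a
# hypothetical NAT section (assumption: only the default WAN masquerade exists).
SAMPLE_EXPORT = """\
/interface wireguard
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=bridge network=192.168.88.0
add address=172.16.0.2/24 disabled=no interface=wireguard1 network=172.16.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

# key=value pairs; values are either "quoted strings" or bare tokens
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Return [(menu, {key: value})] for every 'add' line of a RouterOS export.
    Assumes one rule per line (no backslash-wrapped continuation lines)."""
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            items.append((menu, {k: v.strip('"') for k, v in PAIR.findall(line)}))
    return items

def audit(text, wg="wireguard1", want_mtu=1280):
    """Compare an export with the three points raised in the reply above."""
    items = parse_export(text)
    findings = []
    for menu, kv in items:
        if menu == "/interface wireguard" and kv.get("name") == wg:
            if int(kv.get("mtu", 0)) != want_mtu:
                findings.append(f"mtu={kv.get('mtu')} on {wg}, reply suggests {want_mtu}")
        if menu == "/ip address" and kv.get("interface") == wg:
            if not kv.get("address", "").endswith("/32"):
                findings.append(f"address {kv.get('address')} on {wg}, reply suggests /32")
    # Only a direct out-interface match is recognised; interface lists are not resolved.
    masq = any(menu == "/ip firewall nat" and kv.get("action") == "masquerade"
               and kv.get("out-interface") == wg for menu, kv in items)
    if not masq:
        findings.append(f"no srcnat masquerade with out-interface={wg}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```
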
 
