Both WireGuard and OpenVPN with Pi-Hole unusably slow

Expected Behaviour:

OpenVPN and WireGuard setups on the same server Pi-Hole runs on give me a download speed on the client faster than like 4 KBs per second in the case of WireGuard on Ethernet on the LAN and 50-100 bytes in the case of OpenVPN

Actual Behaviour:

Both OpenVPN and WireGuard setups work, but they both give the abysmal and unusable speeds stated above

Hi all:

I am trying to follow this guide and this guide to be able to use my Pi-Hole for DNS outside of the LAN. I am a college student and will not be on the same network as the Pi-Hole next month, and as such I would like to set up a personal VPN to be able to at least route DNS through my Pi-Hole from abroad.

I started with the OpenVPN guide first. I installed and configured Access Server just as instructed. I can connect to the server fine, but the connection tops out at like 4 KBs per second at first contact and immediately drops off to like 50-100 bytes -- not kilobytes, but bytes -- over UDP. After trying again from scratch 2-3 times I gave up on OpenVPN and tried WireGuard. WireGuard works as well but only garners a mere 4 KBs per second on Ethernet with the client system sitting right next to the server.

I've read posts about these protocols being slow, but I would be very surprised to hear they are working as intended if they are this slow. I know there are a ton of variables in this scenario -- the server running Pi-Hole and OpenVPN/WireGuard is on Ethernet and gets 200 MB/s download/15-20 MB/s upload. I run Searx/xBrowserSync/Nextcloud/Vaultwarden and stream 1080p video through Jellyfin all on the same machine as Pi-Hole with no bandwidth issues whatsoever. Neither OpenVPN nor WireGuard are using up enough resources to seriously slow down the server, either; when connections are active both of them only add maybe 200 MBs of RAM usage to bring the server's total up to around 1.3 GB with 3 GBs to spare. I definitely am inclined to think this is a configuration issue with OpenVPN/WireGuard and not a hardware/bandwidth bottleneck.

Pi-Hole listens on all interfaces and works 110%. I know this is an OpenVPN/WireGuard problem, but since the guides were in the Pi-Hole docs I figured I'd ask around here before I look elsewhere.

Things I have tried (really all for OpenVPN as I didn't thoroughly test WireGuard after realizing I get the same speeds as OpenVPN):

Listening on UDP only -- this makes my iPhone XR unable to find the server. iOS will only locate the OpenVPN server if OpenVPN is configured to listen on TCP.

Commenting out push redirect-gateway def1 from OpenVPN -- same result/speeds

Checking for a firewall/port forwarding issue -- there are none that I can see

Pi-Hole and OpenVPN/WireGuard are both running on Ubuntu 20.04.3 on an HDD and with 4GB DDR3.

I don't have my OpenVPN configs anymore because I deleted them since it didn't work. Here's WireGuard wg0 currently:

[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 2053 # I changed this from the guide's 47111 because I use Cloudflare and Cloudflare blocks all traffic except for traffic on a select 10 or so ports
PrivateKey = *private key*
[Peer]
PublicKey = *public key*
PresharedKey = *PSK*
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

Debug Token:

https://tricorder.pi-hole.net/CsOd3dzg/

I did see whilst generating this debug token that Pi-hole failed to resolve DNS on the WireGuard interface although DNS resolves fine on all other interfaces.

I wrote both guides and stopped using OpenVPN a long time ago. Wireguard performs much better.

Wireguard is that lightweight, it cannot be considered slow at all. Even on a Raspberry Pi it can easily handle something like 50 MBit/s.

This sounds pretty extreme already. I do not see any impact on memory with Wireguard. As it lives in kernel-space, I also don't expect anything visible (i.e., much less than 1 MB even) to be consumed as there is no dedicated server process.


Your wireguard config looks fine. Did you try to connect from outside, too? I wonder if there are some strange networking issues in your local network that may make things bounce or go in circles somehow. Having said that, my phone is always connected to my home network via Wireguard (so even when I'm in my home WiFi) and never had any issues.

This is unusual, it works as expected on my local Pi-hole (which also runs wireguard). I do get a delay of around 3 msec. Without wireguard, there is no measurable delay (the tested domain is cached).

Just double-checking it is the "permit all origins" option, right?


Thanks so much for the reply.

> This sounds pretty extreme already. I do not see any impact on memory with Wireguard.

You're right, I don't see any impact on memory either with Wireguard. I falsely correlated OpenVPN's overhead with Wireguard. Wireguard is practically invisible.

> did you try to connect from outside, too?

Yes, I tried connecting from outside with OpenVPN and got the same speeds I stated previously. The connection works but is too slow to do anything at all with. I didn't even bother with WireGuard outside the LAN yesterday because WireGuard on the LAN on Ethernet sitting next to the server gave me the same speeds as OpenVPN outside the LAN.

> I wonder if there are some strange networking issues in your local network that may make things bounce or go in circles somehow.

I feel this is probably the answer, but I'm not running anything unusual AFAIK that might cause these issues. As I said I have followed both guides to the letter and gotten the same result.

My router is running the 15th December nightly build of OpenWRT. I need the snapshot for the foreseeable future because there's a bug with the wireless driver in OpenWRT 21.02.1 that makes my iPhone not work well on WiFi -- the bug is fixed, but the next stable release that includes the fix isn't out yet. Other than that it's a completely stock setup aside from the port forwards I've put in, including 2053 for TCP/UDP to the server. I have not touched ANY of the default firewall rules.

Until two days ago I didn't even have a firewall on the server itself. I've been using UFW since and have allowed 2053. The firewall works fine for all the other services I run on the machine, and I would believe it works for WireGuard as well by virtue of me being able to connect at all albeit unusably slow. This also leads me to believe there are no issues with the OpenWRT firewall or port forwarding.

I had issues first getting Pi-Hole to work last week that were the result of me running the adblock package on OpenWRT at the same time Pi-Hole was trying to run. Once I disabled adblock everything worked perfectly and has since. As part of troubleshooting that issue I did uninstall systemd-resolved because it was binding to port 53 on the Pi-Hole localhost and causing a conflict -- could this be part of this particular issue? I got errors attempting to set up WireGuard and had to install resolvconf which has caused no issues thus far.

> Just double-checking it is the "permit all origins" option, right?

Yes.

WireGuard fixed itself after wiping the whole configuration and starting over. The values in the WireGuard guide work perfectly, and speed is what one would usually expect over WireGuard. I think something may have gotten wonky issuing the echo commands. I also issued pihole -r and chose wg0 as the interface during setup like I did in the case of tun0 with OpenVPN.

I never got OpenVPN to work, and I'm more than happy with the speeds WireGuard provides me, so I'll never know what the problem was there.
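
An added example, not part of the original thread or the Pi-hole guide: since the poster suspects the echo-appended configuration went wrong, this sketch lints a wg0-style file for the structural faults repeated appends can leave behind (duplicate or missing sections, a peer without a PublicKey, AllowedIPs that overlap between peers). The function names, the placeholder keys and the broken sample are assumptions constructed for illustration; the thread never established the actual cause.

```python
import ipaddress

def parse_wg_conf(text):
    sections = []  # [(section, {key: value})]; repeated [Peer] sections are kept
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
        elif line:
            sections.append(("stray", {"line": line}))  # text outside any section
    return sections

def items(value):
    return [x.strip() for x in value.split(",") if x.strip()]

def lint_wg_conf(text):
    """Return a list of structural problems; an empty list means none were found."""
    sections, problems, seen = parse_wg_conf(text), [], {}
    problems += [f"unexpected content: {kv}" for n, kv in sections if n not in ("interface", "peer")]
    ifaces, peers = ([kv for n, kv in sections if n == s] for s in ("interface", "peer"))
    if len(ifaces) != 1:
        problems.append(f"expected one [Interface], found {len(ifaces)}")
    tunnel = [ipaddress.ip_interface(a).network for kv in ifaces for a in items(kv.get("address", ""))]
    for i, kv in enumerate(peers, 1):
        if "publickey" not in kv:
            problems.append(f"peer {i}: missing PublicKey")
        for net in (ipaddress.ip_network(a, strict=False) for a in items(kv.get("allowedips", ""))):
            # Assumption for this setup: every client address lies inside the tunnel subnets.
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnel):
                problems.append(f"peer {i}: {net} is outside the tunnel subnets")
            # WireGuard maps an address to a single peer, so overlaps misroute traffic.
            problems += [f"peer {i}: {net} overlaps peer {j}" for o, j in seen.items()
                         if j != i and o.version == net.version and o.overlaps(net)]
            seen[net] = i
    return problems

# The thread's wg0 config (keys replaced by placeholders), then constructed bad appends.
GOOD = """[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 2053 # changed from the guide's 47111
PrivateKey = PLACEHOLDER
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128
"""
BROKEN = GOOD + "[Peer]\nPublicKey = PLACEHOLDER\nAllowedIPs = 10.100.0.2/32\n[Peer]\nAllowedIPs = 10.100.0.4/32\n"
print("\n".join(lint_wg_conf(BROKEN)))
```

A clean result only rules out these structural faults; it says nothing about keys, routing or firewall state.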
