{"id":25436,"date":"2025-10-10T10:07:52","date_gmt":"2025-10-10T08:07:52","guid":{"rendered":"https:\/\/contabo.com\/blog\/?p=25436"},"modified":"2026-04-08T12:06:19","modified_gmt":"2026-04-08T10:06:19","slug":"maximizing-wireguard-performance","status":"publish","type":"post","link":"https:\/\/contabo.com\/blog\/maximizing-wireguard-performance\/","title":{"rendered":"Maximizing WireGuard Performance: Advanced Tuning and Benchmarking"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"630\" src=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg\" alt=\"Maximizing WireGuard Performance: Advanced Tuning and Benchmarking (head image)\" class=\"wp-image-25452\" srcset=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg 1200w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-600x315.jpg 600w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-768x403.jpg 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This practical guide shows you how to measure and maximize WireGuard performance on a VPS or dedicated server. You&#8217;ll build a reliable baseline vs. tunnel benchmark, fix high-impact variables (MTU\/MSS, parallel streams, GRO\/GSO, CPU tuning), and configure a clean, reproducible server interface. We&#8217;ll then cover some advanced concepts such as offload-aware tunneling, parallelism, NUMA\/frequency, and network topology details, and wrap with a concise FAQ. Follow the checklists and verified commands to turn theory into repeatable results.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d618bbfa\"><h2 class=\"uagb-heading-text\">Introduction: Unlocking WireGuard Performance&nbsp;<\/h2><\/div>\n\n\n\n<p>WireGuard performance can be exceptional when properly configured. While WireGuard is fast by design, achieving peak speeds requires attention to key factors: CPU characteristics, correct MTU settings, and rigorous benchmarking methods. Many WireGuard performance issues stem from simple misconfigurations like an incorrect MTU (Maximum Transmission Unit) that fragments packets, or single-stream tests that miss multi-core capabilities .<\/p>\n\n\n\n<p>Always test after each change to ensure improvements and maintain a clear rollback path.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d3428647\"><h2 class=\"uagb-heading-text\">The Science of WireGuard Speed: Why It&#8217;s Faster&nbsp;<\/h2><\/div>\n\n\n\n<p>WireGuard speed comes from three fundamental design principles: simplicity, modern cryptography, and smart placement in the operating system. Understanding these factors helps explain why WireGuard consistently outperforms traditional VPN protocols.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1001\" height=\"600\" src=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN.png\" alt=\"WireGuard Performance Key Factors\" class=\"wp-image-25449\" srcset=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN.png 1001w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN-600x360.png 600w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN-768x460.png 768w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/figure>\n\n\n\n<p>WireGuard achieves its performance through several key factors:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lean design<\/strong>: ~4,000 lines of code (compared to OpenVPN&#8217;s tens of thousands), making audits and optimization simpler.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Modern encryption<\/strong>: Uses ChaCha20-Poly1305, which runs efficiently on all processors, unlike AES that requires hardware acceleration (AES-NI) for optimal speed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kernel integration<\/strong>: Processes packets without expensive context switches.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>UDP optimization<\/strong>: Takes advantage of built-in network acceleration features.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Seamless rekeying<\/strong>: Keys rotate automatically via short handshakes every few minutes or after message thresholds, without interrupting flows.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>With multi-queue network cards, different connection flows can be distributed across multiple CPU cores. This means WireGuard can scale performance by using parallel processing instead of hitting single-core limits.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-991458a8\"><h3 class=\"uagb-heading-text\">Performance Verification Commands&nbsp;<\/h3><\/div>\n\n\n\n<p>Before you start tuning, verify that your system is using the fast path WireGuard was designed for:&nbsp;<\/p>\n\n\n\n<p>Check the kernel version (WireGuard built-in from 5.6+):&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>uname \u2013r&nbsp;<\/code><\/pre>\n\n\n\n<p>Verify the WireGuard module:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>modinfo wireguard&nbsp;<br><br>lsmod | grep wireguard&nbsp;<br><br>sudo modprobe wireguard&nbsp;<\/code><\/pre>\n\n\n\n<p>Check the network offloads:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -k eth0 | grep -E 'gro|gso|tso'&nbsp;<\/code><\/pre>\n\n\n\n<p>Test the multi-core scaling:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iperf3 -P 4&nbsp;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-c4e7d010\"><h2 class=\"uagb-heading-text\">WireGuard Benchmark: Beyond a Simple Speed Test&nbsp;<\/h2><\/div>\n\n\n\n<p>A reliable WireGuard benchmark requires much more than a quick WireGuard speed test or single-stream measurement. The gold standard is a methodical comparison between no-VPN baseline throughput and WireGuard tunnel performance, using parallel streams to show the protocol&#8217;s multi-core scaling, plus measurement of both TCP and UDP behavior. Consistency is critical: test conditions (hosts, routes, MTU, stream count, and duration) must be identical in both scenarios for results to be meaningful.&nbsp;<\/p>\n\n\n\n<p>For most cases, iperf3 is the primary tool, measuring TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) throughput with both single and multiple simultaneous streams (<code>-P<\/code>). irtt is valuable for in-depth latency and jitter analysis, while simple system counters (like <code>top<\/code>, <code>mpstat<\/code>, or <code>ip -s link<\/code>) help flag CPU or packet drop issues during runs. Optional tools like Netdata can provide a real-time dashboard but aren\u2019t a requirement for sound benchmarking.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-395ba722\"><h3 class=\"uagb-heading-text\">Core Testing Methodology&nbsp;<\/h3><\/div>\n\n\n\n<p>Start by running an iperf3 test between client and server endpoints over the raw network, without WireGuard. Measure both single-stream (<code>c<\/code>) and parallel-stream (<code>-P 4<\/code> or <code>-P 8<\/code>) throughput to reveal whether you\u2019re limited by one flow or can exploit multi-core scaling.&nbsp;<\/p>\n\n\n\n<p>Next, bind the iperf3 server to your tunnel endpoint (e.g., <code>10.0.0.1 <\/code>with <code>-B<\/code> on the server) and replicate the same tests through the WireGuard tunnel. Always repeat each measurement in both directions &#8211; you can use iperf3&#8217;s reverse option (<code>-R<\/code>) &#8211; since tunnel performance can be asymmetric. For UDP, set an explicit bandwidth (<code>-u, -b<\/code>) and monitor loss to estimate ceiling throughput.\u00a0<\/p>\n\n\n\n<p>Maintain as much environmental consistency as possible: keep both hosts stable (wired and on the same provider\/region), set a fixed test duration, and avoid background load. Pin CPU scaling to \u201cperformance\u201d during your runs for stable results.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-83b93da0\"><h3 class=\"uagb-heading-text\">Result Interpretation&nbsp;<\/h3><\/div>\n\n\n\n<p>The most important WireGuard benchmark insight comes from comparing baseline vs. tunnel performance, especially with parallel streams. If WireGuard closely matches raw networking on parallel tests, your configuration is tuned for your hardware. If there\u2019s a significant drop, check MTU\/MSS (for fragmentation), offloads (GRO\/GSO), and per-core CPU saturation before deeper troubleshooting.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-0d282fb1\"><h2 class=\"uagb-heading-text\">WireGuard Performance Tuning Variables&nbsp;<\/h2><\/div>\n\n\n\n<p>Getting great results isn\u2019t about one magic flag; it\u2019s about fixing a few high-leverage variables in the right order for your WireGuard performance tuning. Use this section as a quick checklist you can apply after your baseline vs. tunnel comparison.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-56c22fc5\"><h3 class=\"uagb-heading-text\"><strong>What to tune (and how)<\/strong>&nbsp;<\/h3><\/div>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Variable<\/strong><\/td><td><strong>Why It Matters<\/strong><\/td><td><strong>Quick Test<\/strong><\/td><td><strong>Fix<\/strong><\/td><\/tr><tr><td>MTU\/MSS<\/td><td>Wrong MTU causes fragmentation and TCP stalls&nbsp;<\/td><td>Monitor TCP retransmits during tests&nbsp;<\/td><td>Set MTU in <code>[Interface]<\/code> (after PMTU test); only if routing subnets, clamp TCP MSS to PMTU on egress<\/td><\/tr><tr><td>Parallelism<\/td><td>Single streams hit per-flow limits; parallel streams use multiple cores&nbsp;<\/td><td>Compare <code>iperf3 -P 1<\/code> vs <code>-P 4\/8<\/code>&nbsp;<\/td><td>Judge capacity with <code>-P 4\/8<\/code>; split bulk transfers&nbsp;<\/td><\/tr><tr><td>CRO\/GSO offloads<\/td><td>Batching reduces per-packet CPU cost for UDP tunnels&nbsp;&nbsp;<\/td><td>Check offload status; correlate with CPU usage&nbsp;<\/td><td>Ensure GRO\/GSO enabled with <code>ethtool&nbsp;<\/code><\/td><\/tr><tr><td>CPU scaling<\/td><td>Crypto is CPU-bound; frequency dips limit speed&nbsp;<\/td><td>Watch per-core usage during tests<\/td><td>Set governor to &#8220;performance&#8221;&nbsp;<\/td><\/tr><tr><td>System bottlenecks<\/td><td>Old kernels\/drivers and poor queue distribution limit scaling&nbsp;<\/td><td>Check kernel version; test <code>if -P<\/code> scales&nbsp;<\/td><td>Use modern kernels; prefer multiple flows&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-8867e616\"><h3 class=\"uagb-heading-text\">Essential Commands&nbsp;<\/h3><\/div>\n\n\n\n<p>MSS Clamping (for subnet routing):&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -t mangle -A FORWARD -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu&nbsp;<\/code><\/pre>\n\n\n\n<p>Verify Offloads:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ethtool -k eth0 | grep -E 'gro|gso'&nbsp;<\/code><\/pre>\n\n\n\n<p>System Buffers:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/sysctl.d\/99-wireguard.conf&nbsp;<br><br>net.core.rmem_max = 134217728&nbsp;<br><br>net.core.wmem_max = 134217728&nbsp;<br><br>net.core.netdev_max_backlog = 250000&nbsp;<\/code><\/pre>\n\n\n\n<p><strong>Key insight<\/strong>: WireGuard&#8217;s cryptography is fixed (no cipher selection). PersistentKeepalive helps NAT traversal, not speed. Most gains come from MTU correctness, offloads, and parallelism &#8211; optimize these before advanced kernel tuning.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-f26055fc\"><h2 class=\"uagb-heading-text\">Configuring the WireGuard Server Interface&nbsp;<\/h2><\/div>\n\n\n\n<p>To configure your WireGuard server for performance, start with a minimal setup and systematically add optimizations.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-564886ca\"><h3 class=\"uagb-heading-text\">Prerequisites and Key Generation&nbsp;<\/h3><\/div>\n\n\n\n<p>Ensure your Linux server has wireguard-tools installed (kernel 5.6+ preferred) and UDP port 51820 open. Generate server keys with proper permissions:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>umask 077&nbsp;<br><br>wg genkey | tee \/etc\/wireguard\/privatekey | wg pubkey &gt; \/etc\/wireguard\/publickey&nbsp;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-84552fc1\"><h3 class=\"uagb-heading-text\">Minimal Server Config&nbsp;<\/h3><\/div>\n\n\n\n<p>Create <code>\/etc\/wireguard\/wg0.conf<\/code>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Interface]&nbsp;<br>Address = 10.0.0.1\/24&nbsp;<br>PrivateKey = &lt;SERVER_PRIVATE_KEY&gt;&nbsp;<br>ListenPort = 51820&nbsp;<br><br># MTU = 1440 (leave unset for auto-selection, or set after testing)&nbsp;<br><br>&#91;Peer]&nbsp;<br>PublicKey = &lt;CLIENT_PUBLIC_KEY&gt;&nbsp;<br>AllowedIPs = 10.0.0.2\/32&nbsp;<br>PersistentKeepalive = 25 # usually set on the NATed client, not needed on server&nbsp;<\/code><\/pre>\n\n\n\n<p>Replace keys and set a private \/24 network.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-ada4dcf8\"><h3 class=\"uagb-heading-text\">Firewall and Network Configuration&nbsp;<\/h3><\/div>\n\n\n\n<p>Proper firewall configuration is essential for WireGuard performance and connectivity. Set up these rules before starting the service.&nbsp;<\/p>\n\n\n\n<p>Basic firewall setup:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Allow WireGuard UDP port&nbsp;<br><br>sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT&nbsp;<br><br># For internet access through the tunnel, enable IP forwarding and NAT&nbsp;<br><br>echo 'net.ipv4.ip_forward=1' | sudo tee \/etc\/sysctl.d\/99-sysctl.conf sudo sysctl --system sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE&nbsp;<\/code><\/pre>\n\n\n\n<p>Replace&nbsp;<code>eth0<\/code>&nbsp;with your server&#8217;s internet-facing interface.&nbsp;<\/p>\n\n\n\n<p><strong>NAT and firewall traversal<\/strong>:&nbsp;WireGuard handles NAT automatically. Clients behind NAT don&#8217;t need special configuration. If a client needs to receive incoming connections through NAT, add&nbsp;<code>PersistentKeepalive = 25<\/code>&nbsp;to the client&#8217;s peer configuration &#8211; this keeps the NAT mapping active by sending keepalive packets every 25 seconds.&nbsp;<\/p>\n\n\n\n<p><strong>Troubleshooting<\/strong>:&nbsp;If WireGuard connects but clients can&#8217;t reach the internet, verify IP forwarding is enabled with&nbsp;<code>sysctl net.ipv4.ip_forward<\/code>&nbsp;and confirm NAT is working with&nbsp;<code>iptables -t nat -L -v<\/code>.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-ee29bc68\"><h3 class=\"uagb-heading-text\">Enabling and Verifying&nbsp;<\/h3><\/div>\n\n\n\n<p>Start WireGuard and verify connectivity:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now wg-quick@wg0&nbsp;<br><br>sudo wg show&nbsp;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-2e4ab8c5\"><h3 class=\"uagb-heading-text\">MTU Optimization&nbsp;<\/h3><\/div>\n\n\n\n<p>Start simple: Leave MTU unset so <code>wg-quick<\/code> auto-selects; verify with&nbsp;<code>ip link show wg0<\/code>.&nbsp;<\/p>\n\n\n\n<p>If setting manually: Find PMTU to your server&#8217;s public IP using&nbsp;<code>ping -M do -s &lt;size&gt; &lt;server_ip&gt;<\/code>&nbsp;(start with 1472), then subtract encapsulation overhead (~60B IPv4, ~80B IPv6). Set that as MTU in each peer&#8217;s&nbsp;[Interface], restart, and re-run parallel-stream tests (<code>iperf3 -P 4<\/code>, both directions).&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-2e51f165\"><h3 class=\"uagb-heading-text\">Final Checks&nbsp;<\/h3><\/div>\n\n\n\n<p>Confirm handshakes occur with clients and internet routing works as expected. Always benchmark after MTU and firewall changes to measure performance impact.&nbsp;Further information can be found in the official <a href=\"https:\/\/www.wireguard.com\/quickstart\" rel=\"nofollow\">WireGuard Quick Start documentation<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-45853abb\"><h2 class=\"uagb-heading-text\">Advanced Performance Concepts&nbsp;<\/h2><\/div>\n\n\n\n<p>To optimize WireGuard beyond basic configuration, focus on extracting the final 10-20% performance gains through systematic kernel and hardware optimizations. Make incremental changes and measure after each adjustment.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-1b00ffd3\"><h3 class=\"uagb-heading-text\">Offload-Aware Tunneling&nbsp;<\/h3><\/div>\n\n\n\n<p>WireGuard benefits significantly from kernel batching features (GRO\/GSO) that reduce per-packet CPU overhead. Ensure these offloads are enabled on your underlying NIC and avoid disabling them except for debugging:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Verify offloads are active&nbsp;<br>ethtool -k eth0 | grep -E 'gro|gso'&nbsp;<\/code><\/pre>\n\n\n\n<p>Modern drivers (virtio-net, ENA, gVNIC on VMs; Intel\/Broadcom on bare metal) support these features. Traffic shaping can help with latency but typically reduces peak throughput.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d68f4fd3\"><h3 class=\"uagb-heading-text\">Parallelism and CPU Scaling&nbsp;<\/h3><\/div>\n\n\n\n<p>Single flows often bottleneck on one CPU core or RX queue. Use multiple parallel streams for bulk transfers &#8211; your benchmarks should reflect real-world usage patterns. On bare metal servers, proper IRQ distribution and multi-queue NICs matter significantly. Even in VMs with limited RSS, parallel streams still improve performance.&nbsp;<\/p>\n\n\n\n<p>If <code>iperf3 -P 4 <\/code>doesn&#8217;t scale linearly, check for CPU cores at 100% utilization or single queues handling all traffic.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-13fd704d\"><h3 class=\"uagb-heading-text\">CPU and System Optimization&nbsp;<\/h3><\/div>\n\n\n\n<p>WireGuard is CPU-bound despite its efficiency. Maintain stable clock speeds using the performance governor during testing:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Set performance governor&nbsp;<br>echo performance | sudo tee \/sys\/devices\/system\/cpu\/cpu*\/cpufreq\/scaling_governor&nbsp;<\/code><\/pre>\n\n\n\n<p>On multi-socket NUMA systems, keep network interrupts and WireGuard endpoints on the same socket to avoid cross-node penalties.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-7a8eb45b\"><h3 class=\"uagb-heading-text\">Kernel and Driver Improvements&nbsp;<\/h3><\/div>\n\n\n\n<p>Newer kernels provide better UDP segmentation and receive path optimizations. Keep systems current and prefer:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In-kernel WireGuard (kernel 5.6+) over userspace implementations&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-queue enabled drivers&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modern NIC firmware&nbsp;<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-47d0520f\"><h3 class=\"uagb-heading-text\">TCP Performance Inside Tunnels&nbsp;<\/h3><\/div>\n\n\n\n<p>Most application traffic is TCP carried inside WireGuard&#8217;s UDP tunnel. Lower latency and fewer drops help TCP avoid retransmits. Consider BBR congestion control on both endpoints for long-distance or lossy paths:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Test BBR (validate performance impact)&nbsp;<br>echo 'net.ipv4.tcp_congestion_control=bbr' &gt;&gt; \/etc\/sysctl.conf&nbsp;<\/code><\/pre>\n\n\n\n<p><strong>Bottom line<\/strong>: Once MTU\/MSS and benchmarking are optimized, focus on intact offloads, genuine parallelism, stable CPU performance, and modern kernel\/driver stacks. Measure each change individually.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-1a4eb59e\"><h2 class=\"uagb-heading-text\">WireGuard Performance FAQ&nbsp;<\/h2><\/div>\n\n\n\n<p><strong>How does WireGuard work?<\/strong>&nbsp;<br>WireGuard creates encrypted peer-to-peer connections between devices using public key authentication. It operates inside the Linux kernel for maximum speed and efficiency, unlike older VPN protocols that require more overhead.&nbsp;<\/p>\n\n\n\n<p><strong>Does WireGuard use TCP or UDP?<\/strong>&nbsp;<br>WireGuard uses UDP only. That choice keeps overhead low and lets the kernel apply batching\/offloads (GRO\/GSO) for high throughput. If a network blocks UDP, you can tunnel WireGuard inside TCP\/HTTPS via generic wrappers, but you should expect extra latency and possible slowdowns. For performance, native UDP is strongly preferred.&nbsp;<\/p>\n\n\n\n<p><strong>How do I check if WireGuard is working?<\/strong>&nbsp;<br>To check if WireGuard is working, run the wg command on either connected device and look for a &#8220;latest handshake&#8221; timestamp along with increasing transfer counters. These confirm that the peers have successfully exchanged keys and are passing traffic. You can also verify the connection by pinging the peer\u2019s WireGuard tunnel IP address, such as 10.0.0.1. For a quick performance check, run the iperf3 test through the tunnel using multiple parallel streams (e.g., iperf3 -P 4) and compare the results to a test without the VPN. If you notice timeouts or slow speeds, ensure that your firewall permits UDP traffic on port 51820, that both peers have matching AllowedIPs configurations, and revisit your MTU and MSS settings to rule out misconfiguration.&nbsp;<\/p>\n\n\n\n<p><strong>What MTU should I use with WireGuard?<\/strong>&nbsp;<br>Start by leaving MTU unset &#8211; wg-quick picks a route-aware value. If you set it manually, derive it from measured PMTU (typical starting points: ~1440 for IPv4, ~1420 for IPv6 on 1500-byte links), then re-test.&nbsp;<\/p>\n\n\n\n<p><strong>Why is my WireGuard speed lower than baseline?<\/strong>&nbsp;<br>Three common culprits: incorrect MTU\/MSS (fragmentation\/retransmits), disabled GRO\/GSO offloads, or a single-flow ceiling (fix with parallel streams, e.g., -P 4\/8). Re-run the baseline vs. tunnel matrix from the benchmarking chapter to pinpoint the bottleneck.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This practical guide shows you how to measure and maximize WireGuard performance on a Contabo VPS or Dedicated Server. Build a reliable baseline-vs-tunnel benchmark, fix MTU\/MSS, verify offloads, and use parallel streams. Clear checklists and minimal commands turn tuning into repeatable, near-baseline throughput.<\/p>\n","protected":false},"author":65,"featured_media":25452,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[18],"tags":[],"ppma_author":[1489],"class_list":["post-25436","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"uagb_featured_image_src":{"full":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"thumbnail":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-150x150.jpg",150,150,true],"medium":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-600x315.jpg",600,315,true],"medium_large":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-768x403.jpg",768,403,true],"large":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"1536x1536":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"2048x2048":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false]},"uagb_author_info":{"display_name":"Julia Mink","author_link":"https:\/\/contabo.com\/blog\/author\/julia-mink\/"},"uagb_comment_info":0,"uagb_excerpt":"This practical guide shows you how to measure and maximize WireGuard performance on a Contabo VPS or Dedicated Server. Build a reliable baseline-vs-tunnel benchmark, fix MTU\/MSS, verify offloads, and use parallel streams. Clear checklists and minimal commands turn tuning into repeatable, near-baseline throughput.","authors":[{"term_id":1489,"user_id":65,"is_guest":0,"slug":"julia-mink","display_name":"Julia Mink","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/26ce5d4ae17d160425d842da4ea00c56716ffb5d4c58ee0cfb73de57b1de5272?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/comments?post=25436"}],"version-history":[{"count":24,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436\/revisions"}],"predecessor-version":[{"id":29808,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436\/revisions\/29808"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/media\/25452"}],"wp:attachment":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/media?parent=25436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/categories?post=25436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/tags?post=25436"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=25436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}