{"id":25436,"date":"2025-10-10T10:07:52","date_gmt":"2025-10-10T08:07:52","guid":{"rendered":"https:\/\/contabo.com\/blog\/?p=25436"},"modified":"2026-05-28T10:09:38","modified_gmt":"2026-05-28T08:09:38","slug":"maximizing-wireguard-performance","status":"publish","type":"post","link":"https:\/\/contabo.com\/blog\/maximizing-wireguard-performance\/","title":{"rendered":"Maximizing WireGuard Performance: Advanced Tuning and Benchmarking"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"630\" src=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg\" alt=\"Maximizing WireGuard Performance: Advanced Tuning and Benchmarking (head image)\" class=\"wp-image-25452\" srcset=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg 1200w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-600x315.jpg 600w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-768x403.jpg 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This practical guide shows you how to measure and maximize WireGuard performance on a VPS or dedicated server. You&#8217;ll build a reliable baseline vs. tunnel benchmark, fix high-impact variables (MTU\/MSS, parallel streams, GRO\/GSO, CPU tuning), and configure a clean, reproducible server interface. We&#8217;ll then cover some advanced concepts such as offload-aware tunneling, parallelism, NUMA\/frequency, and network topology details, and wrap with a concise FAQ. Follow the checklists and verified commands to turn theory into repeatable results.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d618bbfa\"><h2 class=\"uagb-heading-text\">Introduction: Unlocking WireGuard Performance&nbsp;<\/h2><\/div>\n\n\n\n<p>WireGuard performance can be exceptional when properly configured. While WireGuard is fast by design, achieving peak speeds requires attention to key factors: CPU characteristics, correct MTU settings, and rigorous benchmarking methods. Many WireGuard performance issues stem from simple misconfigurations like an incorrect MTU (Maximum Transmission Unit) that fragments packets, or single-stream tests that miss multi-core capabilities .<\/p>\n\n\n\n<p>Always test after each change to ensure improvements and maintain a clear rollback path.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d3428647\"><h2 class=\"uagb-heading-text\">The Science of WireGuard Speed: Why It&#8217;s Faster&nbsp;<\/h2><\/div>\n\n\n\n<p>WireGuard speed comes from three fundamental design principles: simplicity, modern cryptography, and smart placement in the operating system. Understanding these factors helps explain why WireGuard consistently outperforms traditional VPN protocols.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1001\" height=\"600\" src=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN.png\" alt=\"WireGuard Performance Key Factors\" class=\"wp-image-25449\" srcset=\"https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN.png 1001w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN-600x360.png 600w, https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/wireguard-performance-key-factors_EN-768x460.png 768w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/figure>\n\n\n\n<p>WireGuard achieves its performance through several key factors:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lean design<\/strong>: ~4,000 lines of code (compared to OpenVPN&#8217;s tens of thousands), making audits and optimization simpler.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Modern encryption<\/strong>: Uses ChaCha20-Poly1305, which runs efficiently on all processors, unlike AES that requires hardware acceleration (AES-NI) for optimal speed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kernel integration<\/strong>: Processes packets without expensive context switches.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>UDP optimization<\/strong>: Takes advantage of built-in network acceleration features.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Seamless rekeying<\/strong>: Keys rotate automatically via short handshakes every few minutes or after message thresholds, without interrupting flows.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>With multi-queue network cards, different connection flows can be distributed across multiple CPU cores. This means WireGuard can scale performance by using parallel processing instead of hitting single-core limits.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-991458a8\"><h3 class=\"uagb-heading-text\">Performance Verification Commands&nbsp;<\/h3><\/div>\n\n\n\n<p>Before tuning WireGuard performance, verify that your system is using a modern kernel, the WireGuard kernel module, and optimized network offloading features.<\/p>\n\n\n\n<p>Check the kernel version:\u00a0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>uname -r<\/code><\/pre>\n\n\n\n<p>WireGuard is built directly into the Linux kernel starting from version 5.6. Modern kernels (5.15+ or 6.x) typically provide better WireGuard throughput and networking performance.<\/p>\n\n\n\n<p>Verify the WireGuard module:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo modprobe wireguard\nlsmod | grep wireguard\u00a0\u00a0<\/code><\/pre>\n\n\n\n<p>This confirms that the in-kernel WireGuard module is loaded instead of a slower userspace implementation.<\/p>\n\n\n\n<p>Check the network offloads:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -k eth0 | grep -E 'gro|gso|tso'\u00a0<\/code><\/pre>\n\n\n\n<p>GRO, GSO, and TSO reduce packet-processing overhead by batching or segmenting traffic more efficiently. When enabled, they can significantly improve WireGuard throughput and lower CPU usage, especially on high-speed VPS or dedicated server connections.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-c4e7d010\"><h2 class=\"uagb-heading-text\">WireGuard Benchmark: Beyond a Simple Speed Test&nbsp;<\/h2><\/div>\n\n\n\n<p>A useful WireGuard benchmark compares normal network performance with VPN tunnel performance. First, test the connection without WireGuard. Then run the same tests through the WireGuard tunnel. This shows how much performance changes when encryption and tunneling are added.<\/p>\n\n\n\n<p>Use the same setup for both tests: same client, same server, same route, same duration, and the same number of parallel streams. Otherwise, the results are hard to compare.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-395ba722\"><h3 class=\"uagb-heading-text\">Core Testing Methodology&nbsp;<\/h3><\/div>\n\n\n\n<p><code>iperf3<\/code> is the most practical tool for this. Start with a normal TCP test, then repeat it with multiple parallel streams, for example <code>-P 4<\/code> or <code>-P 8<\/code>. Parallel streams are useful because WireGuard performance often depends on how well the system can use multiple CPU cores.<\/p>\n\n\n\n<p>Also test both directions. With <code>iperf3<\/code>, you can use <code>-R<\/code> to run the test in reverse. This matters because upload and download performance may differ.<\/p>\n\n\n\n<p>For UDP testing, use <code>iperf3 -u<\/code> with a defined bandwidth using <code>-b<\/code>. Watch for packet loss, because high UDP throughput is only useful if packets are not being dropped.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-83b93da0\"><h3 class=\"uagb-heading-text\">Result Interpretation&nbsp;<\/h3><\/div>\n\n\n\n<p>During each test, monitor CPU load and packet drops with simple tools such as <code>top<\/code>, <code>mpstat<\/code>, or <code>ip -s link<\/code>. If WireGuard is much slower than the raw network, check MTU\/MSS settings, network offloads such as GRO\/GSO, and whether one CPU core is overloaded.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-0d282fb1\"><h2 class=\"uagb-heading-text\">WireGuard Performance Tuning Variables&nbsp;<\/h2><\/div>\n\n\n\n<p>Good WireGuard performance usually comes from optimizing a few key system and networking settings rather than changing a single parameter.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-56c22fc5\"><h3 class=\"uagb-heading-text\"><strong>What to tune (and how)<\/strong>&nbsp;<\/h3><\/div>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Variable<\/strong><\/td><td><strong>Why It Matters<\/strong><\/td><td><strong>Quick Test<\/strong><\/td><td><strong>Fix<\/strong><\/td><\/tr><tr><td>MTU\/MSS<\/td><td>Incorrect MTU values can cause fragmentation, retransmits, and lower throughput<\/td><td>Watch for retransmits or unstable speeds during tests<\/td><td>Adjust MTU for your network path; use MSS clamping if needed<\/td><\/tr><tr><td>Parallelism<\/td><td>Single connections may not fully use available CPU cores<\/td><td>Compare <code>iperf3 -P 1<\/code> vs <code>-P 4<\/code> or <code>-P 8<\/code><\/td><td>Use parallel streams for large transfers and benchmarking<\/td><\/tr><tr><td>GRO\/GSO offloads<\/td><td>Reduces packet-processing overhead and CPU usage<\/td><td>Check offload status with <code>ethtool<\/code><\/td><td>Keep GRO\/GSO enabled unless troubleshooting<\/td><\/tr><tr><td>CPU scaling<\/td><td>WireGuard encryption is CPU-intensive<\/td><td>Monitor per-core CPU usage during tests<\/td><td>Set the CPU governor to <code>performance<\/code> during benchmarking<\/td><\/tr><tr><td>Kernel and drivers<\/td><td>Older kernels and network drivers may limit scaling and throughput<\/td><td>Check kernel version and compare scaling results<\/td><td>Use modern Linux kernels (5.15+ or 6.x preferred) and updated drivers<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-8867e616\"><h3 class=\"uagb-heading-text\">Essential Commands<\/h3><\/div>\n\n\n\n<p>These commands help fix the most common WireGuard performance issues: MTU problems, missing network offloads, and limited system buffering.<\/p>\n\n\n\n<p>Use MSS clamping when WireGuard routes traffic between subnets and TCP connections are slow, unstable, or affected by fragmentation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -t mangle -A FORWARD -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu&nbsp;<\/code><\/pre>\n\n\n\n<p>This tells TCP connections to use a safe packet size for the tunnel path.<\/p>\n\n\n\n<p>Increase system buffers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat >\/etc\/sysctl.d\/99-wireguard.conf &lt;&lt;'EOF'\nnet.core.rmem_max = 134217728\nnet.core.wmem_max = 134217728\nnet.core.netdev_max_backlog = 250000\nEOF<\/code><\/pre>\n\n\n\n<p>These settings can help on busy or high-throughput systems by allowing Linux to handle larger bursts of network traffic.<\/p>\n\n\n\n<p>Apply the changes with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sysctl --system<\/code><\/pre>\n\n\n\n<p><strong>Key insight<\/strong>: WireGuard does not let you choose a faster cipher. Its cryptography is fixed by design. <code>PersistentKeepalive<\/code> helps with NAT traversal, not speed. In most cases, the biggest performance gains come from correct MTU settings, enabled offloads, and proper parallel testing before advanced kernel tuning.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-f26055fc\"><h2 class=\"uagb-heading-text\">Configuring the WireGuard Server Interface&nbsp;<\/h2><\/div>\n\n\n\n<p>To configure your WireGuard server for performance, start with a minimal setup and systematically add optimizations.&nbsp;<\/p>\n\n\n\n<p>Note: if you are using the <a href=\"https:\/\/contabo.com\/en\/wireguard-server\/\">Contabo 1-click solution for WireGuard<\/a>, your WGdashboard is already available and configured and you may skip these steps.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-564886ca\"><h3 class=\"uagb-heading-text\">Prerequisites and Key Generation&nbsp;<\/h3><\/div>\n\n\n\n<p>Ensure your Linux server has wireguard-tools installed (kernel 5.6+ preferred) and UDP port 51820 open. Generate server keys with proper permissions:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>umask 077&nbsp;<br><br>wg genkey | tee \/etc\/wireguard\/privatekey | wg pubkey &gt; \/etc\/wireguard\/publickey&nbsp;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-84552fc1\"><h3 class=\"uagb-heading-text\">Minimal Server Config&nbsp;<\/h3><\/div>\n\n\n\n<p>Create <code>\/etc\/wireguard\/wg0.conf<\/code>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Interface]&nbsp;<br>Address = 10.0.0.1\/24&nbsp;<br>PrivateKey = &lt;SERVER_PRIVATE_KEY&gt;&nbsp;<br>ListenPort = 51820&nbsp;<br><br># MTU = 1440 (leave unset for auto-selection, or set after testing)&nbsp;<br><br>&#91;Peer]&nbsp;<br>PublicKey = &lt;CLIENT_PUBLIC_KEY&gt;&nbsp;<br>AllowedIPs = 10.0.0.2\/32&nbsp;<br>PersistentKeepalive = 25 # usually set on the NATed client, not needed on server&nbsp;<\/code><\/pre>\n\n\n\n<p>Replace keys and set a private \/24 network.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-ada4dcf8\"><h3 class=\"uagb-heading-text\">Firewall and Network Configuration&nbsp;<\/h3><\/div>\n\n\n\n<p>Proper firewall configuration is essential for WireGuard performance and connectivity. Set up these rules before starting the service.&nbsp;<\/p>\n\n\n\n<p>Basic firewall setup:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Allow WireGuard UDP port&nbsp;<br><br>sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT&nbsp;<br><br># For internet access through the tunnel, enable IP forwarding and NAT&nbsp;<br><br>echo 'net.ipv4.ip_forward=1' | sudo tee \/etc\/sysctl.d\/99-sysctl.conf sudo sysctl --system sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE&nbsp;<\/code><\/pre>\n\n\n\n<p>Replace&nbsp;<code>eth0<\/code>&nbsp;with your server&#8217;s internet-facing interface.&nbsp;<\/p>\n\n\n\n<p><strong>NAT and firewall traversal<\/strong>:&nbsp;WireGuard handles NAT automatically. Clients behind NAT don&#8217;t need special configuration. If a client needs to receive incoming connections through NAT, add&nbsp;<code>PersistentKeepalive = 25<\/code>&nbsp;to the client&#8217;s peer configuration &#8211; this keeps the NAT mapping active by sending keepalive packets every 25 seconds.&nbsp;<\/p>\n\n\n\n<p><strong>Troubleshooting<\/strong>:&nbsp;If WireGuard connects but clients can&#8217;t reach the internet, verify IP forwarding is enabled with&nbsp;<code>sysctl net.ipv4.ip_forward<\/code>&nbsp;and confirm NAT is working with&nbsp;<code>iptables -t nat -L -v<\/code>.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-ee29bc68\"><h3 class=\"uagb-heading-text\">Enabling and Verifying&nbsp;<\/h3><\/div>\n\n\n\n<p>Start WireGuard and verify connectivity:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now wg-quick@wg0&nbsp;<br><br>sudo wg show&nbsp;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-2e4ab8c5\"><h3 class=\"uagb-heading-text\">MTU Optimization&nbsp;<\/h3><\/div>\n\n\n\n<p>Start simple: Leave MTU unset so <code>wg-quick<\/code> auto-selects; verify with&nbsp;<code>ip link show wg0<\/code>.&nbsp;<\/p>\n\n\n\n<p>If setting manually: Find PMTU to your server&#8217;s public IP using&nbsp;<code>ping -M do -s &lt;size&gt; &lt;server_ip&gt;<\/code>&nbsp;(start with 1472), then subtract encapsulation overhead (~60B IPv4, ~80B IPv6). Set that as MTU in each peer&#8217;s&nbsp;[Interface], restart, and re-run parallel-stream tests (<code>iperf3 -P 4<\/code>, both directions).&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-2e51f165\"><h3 class=\"uagb-heading-text\">Final Checks&nbsp;<\/h3><\/div>\n\n\n\n<p>Confirm handshakes occur with clients and internet routing works as expected. Always benchmark after MTU and firewall changes to measure performance impact.&nbsp;Further information can be found in the official <a href=\"https:\/\/www.wireguard.com\/quickstart\" rel=\"nofollow\">WireGuard Quick Start documentation<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-45853abb\"><h2 class=\"uagb-heading-text\">Advanced Performance Concepts&nbsp;<\/h2><\/div>\n\n\n\n<p>Once basic tuning is complete, additional performance gains usually come from better CPU utilization, modern kernels, and efficient networking drivers.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-1b00ffd3\"><h3 class=\"uagb-heading-text\">Offload-Aware Tunneling&nbsp;<\/h3><\/div>\n\n\n\n<p>WireGuard benefits heavily from Linux networking offloads such as GRO and GSO, which reduce CPU overhead during packet processing.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -k eth0 | grep -E 'gro|gso'<\/code><\/pre>\n\n\n\n<p>In most cases, these features should remain enabled unless you are troubleshooting a specific networking issue.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-d68f4fd3\"><h3 class=\"uagb-heading-text\">Parallelism and CPU Scaling&nbsp;<\/h3><\/div>\n\n\n\n<p>Single connections often cannot fully utilize modern CPUs or high-speed network links. Testing with multiple parallel streams better reflects real-world transfer workloads.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iperf3 -P 4<\/code><\/pre>\n\n\n\n<p>If performance does not improve with parallel streams, check for CPU bottlenecks or overloaded network queues.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-13fd704d\"><h3 class=\"uagb-heading-text\">CPU and System Optimization&nbsp;<\/h3><\/div>\n\n\n\n<p>WireGuard is CPU-bound despite its efficiency. Maintain stable clock speeds using the performance governor during testing:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Set performance governor&nbsp;<br>echo performance | sudo tee \/sys\/devices\/system\/cpu\/cpu*\/cpufreq\/scaling_governor&nbsp;<\/code><\/pre>\n\n\n\n<p>On multi-socket NUMA systems, keep network interrupts and WireGuard endpoints on the same socket to avoid cross-node penalties.\u00a0Please be aware that this command is only available for dedicated servers &#8211; it is unavailable for VMs.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-7a8eb45b\"><h3 class=\"uagb-heading-text\">Kernel and Driver Improvements&nbsp;<\/h3><\/div>\n\n\n\n<p>Newer Linux kernels and updated network drivers typically improve WireGuard throughput and packet handling efficiency. Modern virtio, ENA, and multi-queue NIC drivers generally provide the best scaling results on VPS and dedicated server environments.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-47d0520f\"><h3 class=\"uagb-heading-text\">TCP Performance Inside Tunnels&nbsp;<\/h3><\/div>\n\n\n\n<p>Most WireGuard traffic carries TCP connections inside the encrypted tunnel. High latency or packet loss can reduce TCP performance significantly. In some environments, modern congestion control algorithms such as BBR may improve long-distance throughput.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'net.ipv4.tcp_congestion_control=bbr' &gt;&gt; \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n<p>Always benchmark before and after enabling BBR, since results vary depending on network conditions.<\/p>\n\n\n\n<p>Apply the changes with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sysctl --system<\/code><\/pre>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-1a4eb59e\"><h2 class=\"uagb-heading-text\">WireGuard Performance FAQ<\/h2><\/div>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1779955656000\"><strong class=\"schema-faq-question\"><strong>How does WireGuard work?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">WireGuard creates encrypted peer-to-peer VPN connections using public and private key authentication. On Linux, it runs directly inside the kernel, which helps reduce overhead and improve performance compared to many older VPN protocols.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1779955664464\"><strong class=\"schema-faq-question\"><strong>Does WireGuard use TCP or UDP?<\/strong><\/strong> <p class=\"schema-faq-answer\">WireGuard uses UDP only. This keeps latency and protocol overhead low while allowing Linux networking optimizations such as GRO and GSO. If a network blocks UDP, WireGuard can be wrapped inside TCP or HTTPS tunnels, but this usually reduces performance.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1779955673031\"><strong class=\"schema-faq-question\"><strong>How do I check if WireGuard is working?<\/strong><\/strong> <p class=\"schema-faq-answer\">Run <code>wg<\/code>. A recent \u201clatest handshake\u201d timestamp and increasing transfer counters indicate that the tunnel is active. You can also test connectivity by pinging the peer\u2019s WireGuard IP address.<br>For performance testing, run <code>iperf3<\/code> through the tunnel and compare the results with a baseline test outside the VPN. If the tunnel is not working correctly, check the firewall rules for UDP port <code>51820<\/code>, the <code>AllowedIPs<\/code> settings on both peers, and the MTU or MSS configuration issues.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1779955727931\"><strong class=\"schema-faq-question\"><strong>What MTU should I use with WireGuard?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">In most cases, leave MTU unset and let <code>wg-quick<\/code> choose automatically. If you need to tune it manually, start around <code>1420\u20131440<\/code> and adjust based on your network path and fragmentation testing.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1779955737739\"><strong class=\"schema-faq-question\"><strong>Why is my WireGuard speed lower than baseline?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">The most common causes are incorrect MTU or MSS settings, disabled GRO\/GSO offloads, and CPU bottlenecks from single-stream traffic. Compare baseline and tunnel performance using both single and parallel <code>iperf3<\/code> tests to identify the bottleneck.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>This practical guide shows you how to measure and maximize WireGuard performance on a Contabo VPS or Dedicated Server. Build a reliable baseline-vs-tunnel benchmark, fix MTU\/MSS, verify offloads, and use parallel streams. Clear checklists and minimal commands turn tuning into repeatable, near-baseline throughput.<\/p>\n","protected":false},"author":65,"featured_media":25452,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[18],"tags":[],"ppma_author":[1489],"class_list":["post-25436","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"uagb_featured_image_src":{"full":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"thumbnail":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-150x150.jpg",150,150,true],"medium":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-600x315.jpg",600,315,true],"medium_large":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1-768x403.jpg",768,403,true],"large":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"1536x1536":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false],"2048x2048":["https:\/\/contabo.com\/blog\/wp-content\/uploads\/2025\/10\/blog-head_maximizing-wireguard-performance-1.jpg",1200,630,false]},"uagb_author_info":{"display_name":"Julia Mink","author_link":"https:\/\/contabo.com\/blog\/author\/julia-mink\/"},"uagb_comment_info":0,"uagb_excerpt":"This practical guide shows you how to measure and maximize WireGuard performance on a Contabo VPS or Dedicated Server. Build a reliable baseline-vs-tunnel benchmark, fix MTU\/MSS, verify offloads, and use parallel streams. Clear checklists and minimal commands turn tuning into repeatable, near-baseline throughput.","authors":[{"term_id":1489,"user_id":65,"is_guest":0,"slug":"julia-mink","display_name":"Julia Mink","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/26ce5d4ae17d160425d842da4ea00c56716ffb5d4c58ee0cfb73de57b1de5272?s=96&d=mm&r=g","author_category":"","user_url":"","last_name":"Mink","first_name":"Julia","job_title":"","description":""}],"_links":{"self":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/comments?post=25436"}],"version-history":[{"count":26,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436\/revisions"}],"predecessor-version":[{"id":30812,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/25436\/revisions\/30812"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/media\/25452"}],"wp:attachment":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/media?parent=25436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/categories?post=25436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/tags?post=25436"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=25436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}