Connecting secondary wireguard VPN causes very high latency
Why would adding a secondary VPN massively increase latency?
Suppose I have two Wireguard VPNs, wgA and wgB. Both are from the same provider, used to access the internet in general, so allowed IPs is 0.0.0.0/0 on both. wgA is the default route, wgB is only used for traffic from a specific source subnet (implemented via routing tables).
I test latency by pinging a known commercial server.
- With both VPNs disconnected, I get 40 ms.
- With only wgA connected, I get 170 ms. wgA is on a different continent, so this is reasonable.
- With only wgB connected, I get 70 ms. wgB is one town over.
- With both connected, through wgA I still get 170 ms. Through wgB (using ping -I 10.0.0.1) I get 370 ms.
The routing is quite simple:
- Connections from subnet go to table 100:
  ip rule add from 10.0.0.0/24 table 100 priority 1000
- Routing table sends everything to wgB:
  ip route add default dev wgB table 100
- There's a few straightforward NAT rules.
How could this cause a latency spike? I've noticed the 370 ms is in the first hop, which shows as the internal IP of wgB.
Also, if I ping the public IP, that takes 350 ms both through wgA and wgB. I would expect it to be fast to at least ping the VPN's own server through itself.
I get that adding more routing introduces overhead, but it surely isn't 200 ms of overhead. And no, the CPU is not overloaded on the server. I feel like I'm missing something obvious.
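
One thing to check with rules like these is which route the encrypted wgB packets themselves take, since they are sent by the host and not from 10.0.0.0/24. The following is an added example, not part of the original post: a small model of the policy-routing lookup in which the endpoint addresses (documentation ranges), eth0, the uplink source address and the main-table contents are all assumptions.

```python
import ipaddress

# Constructed model of the question's setup. Endpoint addresses, eth0 and
# the main-table contents are assumptions, not values from the post.
RULES = [  # (priority, source selector, table), as in `ip rule`
    (1000, "10.0.0.0/24", "100"),
    (32766, "0.0.0.0/0", "main"),
]
TABLES = {  # table -> [(destination prefix, output device)]
    "100": [("0.0.0.0/0", "wgB")],
    "main": [
        ("0.0.0.0/0", "wgA"),          # wgA is the default route
        ("198.51.100.10/32", "eth0"),  # assumed host route to wgA's endpoint
    ],
}
WGA_ENDPOINT = "198.51.100.10"  # assumed public address of the wgA server
WGB_ENDPOINT = "203.0.113.20"   # assumed public address of the wgB server


def lookup(src, dst):
    """Return the output device chosen for a packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if s not in ipaddress.ip_network(selector):
            continue
        # Longest-prefix match inside the selected table.
        hits = [(ipaddress.ip_network(p).prefixlen, dev)
                for p, dev in TABLES[table] if d in ipaddress.ip_network(p)]
        if hits:
            return max(hits)[1]
    return None


def path(src, dst, uplink_src="192.0.2.2"):
    """Devices a packet crosses, following each tunnel's outer UDP packet."""
    hops, endpoints = [], {"wgA": WGA_ENDPOINT, "wgB": WGB_ENDPOINT}
    dev = lookup(src, dst)
    while dev in endpoints and dev not in hops:
        hops.append(dev)
        # The encrypted packet comes from the host (modelled here with the
        # assumed uplink address), so the 10.0.0.0/24 rule does not match it.
        dev = lookup(uplink_src, endpoints[dev])
    hops.append(dev)
    return hops


if __name__ == "__main__":
    print(path("10.0.0.1", "203.0.113.99"))  # constructed destination
```

On the real host, `ip route get <wgB endpoint address>` (placeholder) reports the same decision for the outer packet.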