Prerequisites

Before starting the optimization process, ensure you have:

  • An Ubuntu Server 22.04 system with WireGuard already installed and configured
  • Root or sudo privileges on the server
  • Basic understanding of Linux command line operations
  • Your WireGuard server should be running and accessible

1. Network Stack Optimization

These optimizations improve TCP/IP performance and reduce latency:

# Network Stack Optimizations
sudo nano /etc/sysctl.conf

# Add these lines to /etc/sysctl.conf:
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 65536 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
net.core.netdev_max_backlog = 5000
# bbr is only accepted if the tcp_bbr module is loaded; check with
# sysctl net.ipv4.tcp_available_congestion_control (load it with: sudo modprobe tcp_bbr)
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3

The key improvements include:

  • Increased buffer sizes - Larger TCP receive and send buffers (up to 128 MiB) for better throughput on high-bandwidth, high-latency paths
  • BBR congestion control - Google's BBR algorithm, available as the tcp_bbr module in the Ubuntu 22.04 kernel, for better throughput on lossy or high-latency links
  • TCP tuning - Optimized keepalive and connection reuse settings

2. WireGuard Specific Optimizations

These settings are specifically tuned for WireGuard VPN operation:

# WireGuard Specific Optimizations
sudo nano /etc/sysctl.conf

# Add these lines:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

These optimizations include:

  • IP forwarding - Enabled for both IPv4 and IPv6, which the server needs in order to route traffic between wg0 and the uplink
  • Security hardening - ICMP redirects are neither sent nor accepted, source-routed packets are dropped, and packets with impossible source addresses (martians) are logged
  • ICMP optimization - Echo requests to broadcast addresses and malformed ICMP error responses are ignored, which also closes a smurf-style amplification vector

3. CPU and Memory Optimization

Optimize system memory and CPU scheduling for VPN workloads:

# CPU and Memory Optimizations
sudo nano /etc/sysctl.conf

# Add these lines:
vm.swappiness = 10
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
vm.vfs_cache_pressure = 50
# -1 removes the cap on CPU time for real-time tasks (default 950000 us per second);
# a runaway real-time process can then monopolize a CPU
kernel.sched_rt_runtime_us = -1

These settings help with:

  • Reduced swapping - Lower swappiness so the kernel prefers to keep process memory resident rather than swapping it out
  • Memory management - Optimized dirty page ratios so writeback starts earlier and in smaller batches
  • Real-time scheduling - sched_rt_runtime_us = -1 removes the runtime cap on real-time tasks; note that a misbehaving real-time process can then starve other processes on that CPU

4. Apply System Optimizations

After adding the optimization settings to /etc/sysctl.conf, apply them:

# Apply the sysctl settings
sudo sysctl -p

This command reloads /etc/sysctl.conf and applies it immediately. A key the kernel rejects (for example bbr while the tcp_bbr module is not loaded) is reported on stderr while the remaining settings are still applied, so read the output rather than assuming every line took effect.
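A way to confirm that sysctl -p actually landed every setting, added here as an example and not part of the original guide: it reads each key = value line from a sysctl file and compares it with the matching /proc/sys entry, so a key the kernel rejected (bbr without the tcp_bbr module, or a typo) is reported instead of silently missing. PROC_SYS_ROOT and the file name check-sysctl.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original guide): after "sysctl -p", confirm that
# every "key = value" line of a sysctl file is really live in the kernel by reading
# the matching /proc/sys entry. A key the kernel rejected (for example
# tcp_congestion_control = bbr while the tcp_bbr module is not loaded) shows up
# as a MISMATCH. PROC_SYS_ROOT is an assumption of this example: it lets the same
# check run against a constructed directory tree instead of the real /proc/sys.
PROC_SYS_ROOT=${PROC_SYS_ROOT:-/proc/sys}

# key_to_path KEY: net.ipv4.ip_forward -> $PROC_SYS_ROOT/net/ipv4/ip_forward
key_to_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# normalize STR: trim and collapse whitespace, so the tab-separated triple the
# kernel prints for tcp_rmem compares equal to the space-separated config value
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# check_sysctl_file FILE: prints one MISSING/MISMATCH line per setting that is
# not live; prints nothing when every setting matches
check_sysctl_file() {
    sed 's/#.*//; /^[[:space:]]*$/d' "$1" | while IFS='=' read -r key want; do
        key=$(normalize "$key"); want=$(normalize "$want")
        path=$(key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s: unknown key or module not loaded?)\n' "$key" "$path"
            continue
        fi
        have=$(normalize "$(cat "$path")")
        [ "$have" = "$want" ] || printf 'MISMATCH %s: want "%s" have "%s"\n' "$key" "$want" "$have"
    done
}

# verify_sysctl FILE: exit status 0 only when every setting in FILE is live
verify_sysctl() {
    report=$(check_sysctl_file "$1")
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

# On the server: sh check-sysctl.sh /etc/sysctl.conf   (no argument: do nothing)
case "${1:-}" in
    "") ;;
    *) verify_sysctl "$1" ;;
esac
```

Run it right after sudo sysctl -p; an empty report and exit status 0 mean every line of the file is active.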

5. Optimized WireGuard Server Configuration

Update your WireGuard server configuration with enhanced settings for better stability:

First, detect your network interface:

ip route | grep default | awk '{print $5}' | head -1

Note: Replace eth0 in the configuration below with your actual interface name (it might be ens33, enp0s3, etc.).

Edit your WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Update your server configuration with the optimized settings:

[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
MTU = 1420

# Enhanced PostUp rules for better stability
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ufw route allow in on wg0 out on eth0

# Safe PreDown rules (won't error if rules don't exist)
PreDown = iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null || true
PreDown = iptables -D FORWARD -o wg0 -j ACCEPT 2>/dev/null || true
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || true
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || true
PreDown = ufw route delete allow in on wg0 out on eth0 2>/dev/null || true

Key improvements in this configuration:

  • MTU optimization - Set to 1420 so that a full tunnel packet plus WireGuard's overhead (80 bytes over IPv6, 60 over IPv4) still fits a 1500-byte link MTU without fragmentation
  • Explicit IP forwarding - Ensures forwarding is enabled when the interface comes up, even if the sysctl settings have not been applied
  • Enhanced iptables rules - Explicit FORWARD accepts for wg0, IPv4 and IPv6 MASQUERADE on the uplink, and a matching ufw route rule so ufw does not drop forwarded traffic
  • Safe PreDown rules - Won't error if rules don't exist, so wg-quick down completes cleanly and does not leave forwarding rules behind

6. Optimized Client Configuration

Update your client configuration with performance improvements:

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24
DNS = 8.8.8.8, 1.1.1.1
MTU = 1420

[Peer]
PublicKey = base64_encoded_server_public_key_goes_here
AllowedIPs = 0.0.0.0/0
Endpoint = <Server public IP address>:51820
PersistentKeepalive = 25

Important client-side optimizations:

  • MTU = 1420 - Matches server MTU for optimal performance
  • Multiple DNS servers - Redundant DNS for better reliability
  • PersistentKeepalive = 25 - Sends a keepalive every 25 seconds so the NAT mapping stays open; prevents connection drops, especially important behind NAT
  • AllowedIPs = 0.0.0.0/0 - Routes all client IPv4 traffic through the tunnel; it does not cover IPv6, so add ::/0 as well if client IPv6 traffic should not bypass the VPN (the server configuration above already NATs IPv6)

7. SystemD Service Optimization

Increase file descriptor and process limits for WireGuard service:

# Create systemd override directory
sudo mkdir -p /etc/systemd/system/wg-quick@.service.d/

# Create override configuration
sudo nano /etc/systemd/system/wg-quick@.service.d/override.conf

# Add this content:
[Service]
LimitNOFILE=65536
LimitNPROC=65536

# Reload systemd and restart WireGuard
sudo systemctl daemon-reload
sudo systemctl restart wg-quick@wg0

This raises the file descriptor and process limits for the service so it can handle more concurrent connections and avoids "too many open files" errors. Note that kernel-mode WireGuard does not open a file descriptor per peer, so these limits mainly matter for the wg-quick script itself and for a userspace implementation such as wireguard-go if wg-quick is configured to use one.

8. Performance Monitoring

Install tools to monitor your VPN server performance:

# Install monitoring tools
sudo apt update
sudo apt install -y htop iotop nethogs iftop

# Monitor VPN performance
sudo wg show
htop
iftop

Useful monitoring commands:

  • sudo wg show - View WireGuard connection status and statistics
  • htop - Monitor CPU and memory usage
  • iftop - Monitor network traffic in real-time
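A small monitor built on the machine-readable form of wg show (wg show wg0 dump), added here as an example that is not part of the original guide: it flags peers whose latest handshake is older than a threshold, which is the first thing to look at when PersistentKeepalive is not keeping a NAT mapping alive. The dump, the peer names and the 180-second threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): summarize "wg show wg0 dump" and
# flag peers whose last handshake is older than a threshold. A peer exchanging
# traffic re-handshakes about every 2 minutes, so one silent for much longer than
# its keepalive interval is offline or stuck behind a NAT. The dump below is a
# constructed sample with placeholder keys; on the server use the "live" mode.
STALE_AFTER=${STALE_AFTER:-180}   # seconds; assumption, tune to taste

# Constructed sample in dump format. Line 1 is the interface
# (private-key public-key listen-port fwmark); each following line is a peer
# (public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive).
sample_dump() {
    printf '(hidden)\tSERVERPUBKEY=\t51820\toff\n'
    printf 'PEER_A=\t(none)\t203.0.113.10:41641\t10.8.0.2/32\t1700000000\t123456\t654321\t25\n'
    printf 'PEER_B=\t(none)\t198.51.100.7:51820\t10.8.0.3/32\t1699990000\t987\t1024\t25\n'
    printf 'PEER_C=\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n'
}

# stale_peers NOW [LIMIT] < dump: one line per peer, "OK", "STALE" (handshake
# older than LIMIT seconds) or "NEVER" (no handshake has ever completed)
stale_peers() {
    awk -v now="$1" -v limit="${2:-$STALE_AFTER}" '
        NR == 1 { next }                       # interface line, not a peer
        {
            pub = $1; hs = $5; rx = $6; tx = $7
            if (hs == 0)     { printf "NEVER %s\n", pub; next }
            age = now - hs
            if (age > limit) { printf "STALE %s %ds\n", pub, age; next }
            printf "OK    %s %ds rx=%d tx=%d\n", pub, age, rx, tx
        }'
}

# On the server: sudo sh wg-stale.sh live   (no argument: do nothing)
case "${1:-}" in
    live) wg show wg0 dump | stale_peers "$(date +%s)" ;;
esac
```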

9. Troubleshooting Common Issues

If you encounter issues after optimization, try these troubleshooting steps:

# If you get 'wg0 already exists' error:
sudo wg-quick down wg0
sudo wg-quick up wg0

# Or restart the service:
sudo systemctl restart wg-quick@wg0

# Check status:
sudo wg show
sudo systemctl status wg-quick@wg0

Additional troubleshooting tips:

  • Check logs: sudo journalctl -u wg-quick@wg0 -f
  • Verify IP forwarding: cat /proc/sys/net/ipv4/ip_forward (should return 1)
  • Test connectivity: ping 10.8.0.1 from client
  • Check firewall: sudo ufw status

10. Verify Optimization Results

After applying all optimizations, verify that everything is working correctly:

# Restart WireGuard to apply new configuration
sudo systemctl restart wg-quick@wg0

# Verify WireGuard is running
sudo systemctl status wg-quick@wg0

# Check WireGuard status
sudo wg show

# Verify IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward

# Test connection from the client (run on the client machine)
ping -c 4 10.8.0.1

You should see improved performance including:

  • 30-50% better throughput - Especially noticeable with multiple clients
  • Reduced latency - Faster response times
  • More stable connections - Fewer connection drops
  • Better handling of multiple clients - Improved concurrent connection performance

Expected Performance Improvements

After completing these optimizations, you should experience:

  • Faster connection speeds - Optimized TCP settings and buffer sizes improve throughput
  • Reduced connection drops - PersistentKeepalive and optimized settings prevent disconnections
  • Lower latency - BBR congestion control and optimized network stack reduce delay
  • Better scalability - SystemD optimizations allow more concurrent connections
  • Improved stability - Enhanced error handling and safer configuration rules

Note: Performance improvements may vary depending on your server hardware and network conditions. It's recommended to monitor performance before and after optimization to measure the actual improvements.