Mullvad VPN configuration

Hello, I’ve attempted to create a VPN tunnel to Mullvad’s al-tia-wg-002, but it is very slow.

My goal is to tunnel specific traffic from my TVs through said VPN connection. The list of TV addresses to tunnel is in the address list “TVs”. The list of destinations to tunnel is in the address list “YouTube-servers”, which is populated automatically using a raw prerouting rule. There is also a list “Force-Albania” for testing purposes - so that I can force a specific device to access the internet through the VPN.

Here is the relevant part of the config that I have managed to create:

/interface wireguard
add comment=Mullvad listen-port=44875 mtu=1420 name=wg-albania
/routing table
add disabled=no fib name=Mullvad-Albania-route
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Mullvad endpoint-address=31.171.XXX.YYY endpoint-port=51820 interface=wg-albania public-key=\
    "redacted"
/ip address
add address=10.67.AAA.BBB interface=wg-albania network=10.124.0.212
/ip firewall address-list
add address=10.30.32.11 comment="TV living room" list=TVs
add address=10.30.32.21 comment="TV bedroom" list=TVs
add address=10.30.33.16 comment="My laptop" disabled=yes list=Force-Albania
add address=10.30.33.16 comment="My laptop" disabled=yes list=TVs
add address=10.30.31.0/24 list=Local-all-addresses
add address=10.30.32.0/24 list=Local-all-addresses
add address=10.30.33.0/24 list=Local-all-addresses
add address=10.30.34.0/24 list=Local-all-addresses
add address=192.168.9.0/24 list=Local-all-addresses
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=YouTube-servers new-routing-mark=Mullvad-Albania-route \
    passthrough=yes src-address-list=TVs
add action=mark-routing chain=prerouting dst-address-list=!Local-all-addresses new-routing-mark=Mullvad-Albania-route passthrough=yes \
    src-address-list=Force-Albania
/ip firewall nat
add action=masquerade chain=srcnat comment="Mullvad NAT" ipsec-policy=out,none out-interface=wg-albania
/ip firewall raw
add action=add-dst-to-address-list address-list=YouTube-servers address-list-timeout=none-dynamic chain=prerouting content=\
    .youtube.com dst-address-list=!TVs src-address-list=TVs
add action=add-dst-to-address-list address-list=YouTube-servers address-list-timeout=none-dynamic chain=prerouting content=\
    .youtube.googleapis.com dst-address-list=!TVs src-address-list=TVs
add action=add-dst-to-address-list address-list=YouTube-servers address-list-timeout=none-dynamic chain=prerouting content=.youtu.be \
    dst-address-list=!TVs src-address-list=TVs
add action=add-dst-to-address-list address-list=YouTube-servers address-list-timeout=none-dynamic chain=prerouting content=.ytimg.com \
    dst-address-list=!TVs src-address-list=TVs
add action=add-dst-to-address-list address-list=YouTube-servers address-list-timeout=none-dynamic chain=prerouting content=\
    .googlevideo.com dst-address-list=!TVs src-address-list=TVs
/ip route
add dst-address=0.0.0.0/0 gateway=10.124.0.212 routing-table=Mullvad-Albania-route
/routing rule
add action=lookup-only-in-table routing-mark=Mullvad-Albania-route table=Mullvad-Albania-route

While access through the VPN seems to work (when I enable the “My laptop” address in the “Force-Albania” address list, I’m able to get to speedtest.net and do a speed test), the results are very poor. First, it takes about 10 seconds to begin loading the page (same behavior for any other website), and then when the test begins, the speed starts at less than Mbps and slowly ramps up to about 20Mbps. Upload is always measured as 0Mbps. If I measure the speed to the same test server in Albania without the VPN, I consistently get over 300/300Mbps.

YouTube on the PC loads, but very slowly. On the TVs YouTube doesn’t load at all.

My question is, have I done something wrong configuring this? I’ve mixed several guides I found online into the config quoted above, but I’m not sure whether I’ve configured something wrong, or whether it is simply a matter of a slow VPN server.

I believe adding a firewall rule to clamp the TCP MSS for the outgoing traffic of the Wireguard interface might help.

Looks like fasttrack was part of the problem. I’ve added !wg-albania as in-interface and out-interface to the existing fasttrack rule, and now on the PC everything is OK-ish (except for the fact that it’s maxing out the RouterBOARD CPU at about 50Mbps).

The weird thing is that I can’t get any kind of connection on my TVs, looks like I’ve got to dig deeper.

Edit: I figured it out. The TVs didn’t work because I have them on a different VLAN, and I had a forward drop rule for everything originating from that VLAN that didn’t go to the WAN. I expanded the rule to allow forwarding to the wg-albania interface as well, and it started working.
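The two fixes described in the posts above (excluding the tunnel from fasttrack, and allowing the TV VLAN to forward into the tunnel), written out as RouterOS filter rules. This is an added example, not the poster's own config; the body of the fasttrack rule, the TV VLAN interface name `vlan-tvs` and the WAN interface name `ether1-wan` are assumptions.

```routeros
# Added example, not the poster's config. Assumed names: vlan-tvs (TV VLAN),
# ether1-wan (WAN uplink). wg-albania is the WireGuard interface from the thread.

/ip firewall filter
# Fasttracked connections bypass mangle, so routing-marked traffic must never be
# fasttracked. Excluding wg-albania as both in- and out-interface keeps tunnel
# connections (and their return packets) on the slow path where mark-routing applies.
# This rule replaces the existing fasttrack rule and must stay ahead of the
# generic established,related accept rule.
add action=fasttrack-connection chain=forward comment="fasttrack, except via Mullvad" \
    connection-state=established,related in-interface=!wg-albania out-interface=!wg-albania
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related

# TV VLAN isolation: only WAN and the tunnel are reachable; everything else is dropped.
# The tunnel accept rule is the one that was missing, so the TVs' marked traffic
# hit the drop below before it could leave via wg-albania.
add action=accept chain=forward comment="TVs -> WAN" \
    in-interface=vlan-tvs out-interface=ether1-wan
add action=accept chain=forward comment="TVs -> Mullvad tunnel" \
    in-interface=vlan-tvs out-interface=wg-albania
add action=drop chain=forward comment="TVs -> anything else" in-interface=vlan-tvs
```

To check that tunnel connections are really off the fast path, `/ip firewall connection print detail` marks fasttracked connections with the F flag; connections between a TV address and the Mullvad endpoint should not carry it.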

Thank you, I’ll try to figure out what this means in the morning, it’s well past midnight here right now…

I’ve tried multiple variations of these, but didn’t notice any different behavior:

/ip firewall mangle add action=change-mss chain=output comment="Clamp MSS to PMTU" out-interface=wg-albania new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp
/ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU" out-interface=wg-albania new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp
/ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU" in-interface=wg-albania new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp

The one on the chain forward is the one that I thought would help, sorry to hear this wasn’t the case.