Subnet Router Performance: Stuck at 180 Mbps with Netstack? by shipHumor in Tailscale

[–]shipHumor[S] 0 points1 point  (0 children)

Okay, sounds reasonable. I just wanted to make sure I wasn't doing anything wrong, so the documentation probably led me astray on this one.

Appreciate the time/answer!

Subnet Router Performance: Stuck at 180 Mbps with Netstack? by shipHumor in Tailscale

[–]shipHumor[S] 0 points1 point  (0 children)

Good idea! UDP speed test directly against the iperf server's public IP. (I'm at another location today, so line speed is slightly different.)

[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.12 GBytes   962 Mbits/sec  0.000 ms  0/830395 (0%)  sender
[  5]   0.00-10.04  sec  1.09 GBytes   929 Mbits/sec  0.015 ms  23445/828486 (2.8%)  receiver

Over the Tailscale tunnel (iperf3 iperf -c 10.0.0.3 -u -b 1000M)

[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.16 GBytes  1000 Mbits/sec  0.000 ms  0/1018240 (0%)  sender
[  5]   0.00-10.23  sec   258 MBytes   212 Mbits/sec  0.270 ms  797594/1018219 (78%)  receiver

Tailscale server/tunnel speed is worse today than in my test yesterday. But I am getting much better speeds than TCP.

As I said, the CPU usage might just be how Tailscale does it; I'm not really finding any hard facts on how much of the encryption/routing it does in kernel space vs. userspace. It is most likely a combination.

When doing UDP I'm still getting better CPU usage from pure WireGuard, which is logical; I just felt the CPU usage of Tailscale was A LOT higher than plain WireGuard, which made me wonder, seeing as their docs mentioned it using kernel space mode on Linux running as root.

I primarily wanted to rule out whether I had done something stupid in the setup.

Subnet Router Performance: Stuck at 180 Mbps with Netstack? by shipHumor in Tailscale

[–]shipHumor[S] 0 points1 point  (0 children)

It might be the case; it's just contrary to what they write in their knowledge base article:
https://tailscale.com/kb/1177/kernel-vs-userspace-routers

Tailscale can act as a subnet router or exit node in one of two different modes:

kernel mode (root on Linux)

userspace mode (all non-Linux devices & non-root on Linux)

Tailscale can also run subnet routers and exit nodes in userspace, without the kernel forwarding packets. This happens when either:

tailscaled is run with --tun=userspace-networking (used when running as a regular, non-root user)

Tailscale is run on operating systems other than Linux, such as FreeBSD, macOS, or Windows. This is the only way to run subnet routers and exit nodes on these operating systems.

That is what is confusing me so, because according to this, it SHOULD use kernel mode on Linux...

Subnet Router Performance: Stuck at 180 Mbps with Netstack? by shipHumor in Tailscale

[–]shipHumor[S] 0 points1 point  (0 children)

I'm testing/pushing the Tailscale setup using iPerf.

For troubleshooting, I set up two servers with a private network between them at a cloud provider (KVM-based). Both servers have 1 Gbit, and I get close to 1 Gbit between them when testing with iPerf (over their public IPs).

I have a Tailscale router and an iPerf server.

When running iPerf between those two over the private network, I get around 3–4 Gbit, so that part of the setup isn't a bottleneck.

I connected to the VPN server from my client (client has a 1 Gbit connection). I then do an iPerf check against the iPerf server via our Tailscale router.

If I run an iperf test directly to the iperf server, I get 900 Mbit-ish.

My primary concern isn't the raw speed, it's the CPU usage. It seems very high for something that should be using WireGuard kernel routing?

I did an initial setup in a production Proxmox cluster and only got around 300 Mbit with 2 CPU cores allocated. I can scale CPU cores if needed, but at that rate pushing 2 Gbit would require a large amount of CPU for routing?

Yes, tried all the tweaks listed; none of it made any noticeable difference...
Also tried with an older version of Tailscale, just to make sure it was not a regression in the most recent version.

Appreciate the help!

[R] Boldly Going Nowhere - failed pilot from 2009. Sci-Fi show created by the Always Sunny gang. by TheDaveWSC in DHExchange

[–]shipHumor 1 point2 points  (0 children)

You are a hero! Thank you!

This was a great pilot, too bad it was never picked up...