Host-level performance tuning for the VPS data path.
Breaking changes
- Boot service renamed wg-relay.service to tunnel-boot.service, since it now reapplies the whole node config on boot, not just WireGuard. The WireGuard interface stays wg-relay.
Features
- New spec.host block to tune the VPS kernel and NIC, separate from the Envoy proxy config:
  - kernelMaxSocketBufferBytes (default 25MB): raises the kernel socket buffer ceiling and sets SO_RCVBUF/SO_SNDBUF on the UDP listeners. UDP needs this set explicitly; TCP keeps autotuning.
  - disableNicOffloads (default false): turns GRO/GSO off on the underlay NIC for encapsulated UDP (tunnel-in-tunnel), where receive coalescing corrupts datagram boundaries. The interface is detected automatically.
- enable_reuse_port on all Envoy listeners so they spread across worker threads.
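
One way to check on the VPS that a UDP socket really gets the larger buffer, written as an added example rather than code from this project: it requests SO_RCVBUF on a loopback UDP socket and reads back what the kernel granted. The helper names and the 25 << 20 byte figure for "25MB" are assumptions, and the doubling rule is Linux behaviour.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// grantedRcvBuf asks for `want` bytes of SO_RCVBUF on a throwaway loopback UDP
// socket and returns the size the kernel reports back via getsockopt.
func grantedRcvBuf(want int) (int, error) {
	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if err := conn.SetReadBuffer(want); err != nil { // setsockopt(SO_RCVBUF)
		return 0, err
	}
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var got int
	var gerr error
	if err := raw.Control(func(fd uintptr) {
		got, gerr = syscall.GetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF)
	}); err != nil {
		return 0, err
	}
	return got, gerr
}

// wasClamped reports whether the request was cut down by net.core.rmem_max.
// Linux stores twice the requested size (bookkeeping overhead) and getsockopt
// returns that doubled figure, so an unclamped request reads back as >= 2*want.
func wasClamped(want, granted int) bool {
	return granted < 2*want
}

func main() {
	const want = 25 << 20 // assumed byte value for the page's "25MB" default
	got, err := grantedRcvBuf(want)
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Printf("requested=%d granted=%d clamped=%v\n", want, got, wasClamped(want, got))
}
```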
Changes
- Removed prefer_gro from the Envoy UDP listeners; GRO is left to the OS, or turned off at the NIC via disableNicOffloads.
- NIC offloads are applied natively without ethtool on the VPS, the same way WireGuard and nftables are handled.
- New dependency: github.com/safchain/ethtool (Apache-2.0).