This feels really trippy. Am running iperf3 over WireGuard.
client -> wg server : ok speed
wg server -> server : ok speed
client -> wg server (iptables forwarding) -> server : slow if using single TCP stream; UDP or 16 parallel streams work fine
client -> wg server (socat forwarding) -> server : ok speed
Also tried using SNAT instead of MASQUERADE and switching TCP CCAs, but to no avail.
Running iperf3 -B [wg address] on the wg server works fine.
More info:
iptables rules:
```
-A FORWARD -i %i -j ACCEPT
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Using tcp_probe to see what Reno is doing (understood Reno the most so decided to poke at it first), cwnd seemed to be stagnant for no apparent reason, with no backoffs observed.
Reducing MSS seemed to reduce throughput quit significantly (though not exactly linear), so this may be somewhat packet constrained.
Still scratching my head...
