VPN with WireGuardNT

What is the problem you are having with rclone?

I think there might be a bug in Rclone in regards to the VPN protocol WireGuardNT. Not WireGuard, but the newest version of the protocol WireGuardNT. It doesn't seem to matter which VPN service I used; as long as it supports WireGuardNT it has the same issue. Using both Google Drive and PCloud, file scanning in order to detect differences was noticeably slower. If a change was detected, and needed to be uploaded, the file upload with start and then quickly get to a speed of zero bps. File transfers are not possible using WireGuardNT. This is not the case if I disconnect from the VPN, or use and older version of the WireGuard protocol. WireGuardNT is the newer form, and it will soon be adopted by most VPNs. Again, this doesn't seem to be backend dependent, or config dependent.

Run the command 'rclone version' and share the full output of the command.

C:\Program Files\rclone>rclone version
rclone v1.57.0

  • os/version: Microsoft Windows 10 Pro 2009 (64 bit)
  • os/kernel: 10.0.22000.527 (x86_64)
  • os/type: windows
  • os/arch: amd64
  • go/version: go1.17.2
  • go/linking: dynamic
  • go/tags: cmount

Are you on the latest version of rclone? You can validate by checking the version listed here: Rclone downloads

Which cloud storage system are you using? (eg Google Drive)

Google Drive and PCloud

The command you were trying to run (eg rclone copy /tmp remote:tmp)

C:\Progra~1\rclone\rclone sync e:\Music pcloud:/Music --transfers 8 --checkers=8 --progress  --fast-list --size-only


C:\Progra~1\rclone\rclone sync d:\School n8ers:/School --progress --checkers 6 --fast-list --size-only

The rclone config contents with secrets removed.

type = drive
client_id = REDACTED
client_secret = REDACTED
scope = drive
token = {"access_token":"REDACTED
root_folder_id = 

type = pcloud
hostname = api.pcloud.com
token = {"access_token":"REDACTED","token_type":"bearer","expiry":"0001-01-01T00:00:00Z"}

A log from the command with the -vv flag

C:\Scripts>C:\Progra~1\rclone\rclone sync d:\School n8ers:/School --progress --checkers 6 --fast-list --size-only -vv
2022/03/06 23:12:42 DEBUG : rclone: Version "v1.57.0" starting with parameters ["C:\\Progra~1\\rclone\\rclone" "sync" "d:\\School" "n8ers:/School" "--progress" "--checkers" "6" "--fast-list" "--size-only" "-vv"]
2022/03/06 23:12:42 DEBUG : Creating backend with remote "d:\\School"
2022/03/06 23:12:42 DEBUG : Using config file from "C:\\Users\\n8chavez\\.config\\rclone\\rclone.conf"
2022/03/06 23:12:42 DEBUG : fs cache: renaming cache item "d:\\School" to be canonical "//?/d:/School"
2022/03/06 23:12:42 DEBUG : Creating backend with remote "n8ers:/School"
2022/03/06 23:12:42 DEBUG : fs cache: renaming cache item "n8ers:/School" to be canonical "n8ers:School"
2022-03-06 23:12:48 DEBUG : CGCCSIF.pdf: Sizes identical
2022-03-06 23:12:48 DEBUG : Desktop.ini: Sizes identical
2022-03-06 23:13:37 DEBUG : Google drive root 'School': Waiting for transfers to finish
Transferred:            8 MiB / 13.116 MiB, 61%, 3 B/s, ETA 2w4d4h4m1s
Checks:              1549 / 1549, 100%
Transferred:            0 / 1, 0%
Elapsed time:      3m27.5s
 *                       Hide.me-Setup-3.9.2.exe: 60% /13.116Mi, 3/s, 436h4m1s


i have used rclone over wireguardnt, never had an issue.
just tested now, no issues.

That's not too helpful. Which VPN. I just right now tried it on Mullvad and WireguardNT had the same issues as described above. After downgrading to WireGuard-go the issues were gone. The same is true for all the other VPNs I've tried; IVPN, hide.me, NordVPN, Surfshark, TorGuard and airVPN. The latter you need to use the beta version for WireGuard, but presents the same issues.

well, you did not post that info in your first post, why go after me???

Since you posed that as a question me add that I did say "It doesn't seem to matter which VPN service I used; as long as it supports WireGuardNT it has the same issue."


is this an issue with your machine?
have you tested on another machine or spun up a vm?

Yeah, I've tried it on three machines each having the same result. When WireGuardNT is active rclone doesn't work. With Mullvad you'll need to run the following command to get rclone to work. It turns off WireGuardNT and downgrades it.

"mullvad tunnel wireguard use-wireguard-nt set off"

With the latest version of Mullvad WireGuardNT became the default.

mullvad vpn log
[2022-03-07 13:34:04.263][talpid_core::tunnel::wireguard][DEBUG] Using WireGuardNT

C:\data\rclone\rclone.exe copy D:\data\iso\veeam\re\en08\20220216\VeeamRecoveryMedia_EN08.iso wasabi01:zork --progress
Transferred:      896.562 MiB / 896.562 MiB, 100%, 26.461 MiB/s, ETA 0s
Transferred:            1 / 1, 100%
Elapsed time:        31.7s

Interesting. By chance could you be using Linux? The term in your log talpid_core suggests you are. I am not, I'm using Windows 11 and had the same issues on Windows 10/ Other than that, I can't see why yours would work find and mine would not. Also, what are your port and mtu settings for Mullvad?

--- your mullvad log is different?
--- wireguardnt runs on linux?

Yes it does. In fact, WireGuard was developed for linux and then ported over to Windows. That's why options like the killswitch in the official wireguard client do not work in Windows but they do in linux.

not sure what the is reply to, as i posted two statements?

[ANNOUNCE] WireGuardNT, a high-performance WireGuard implementation for the Windows kernel
"began as a port of the Linux codebase"

If you're on linux then our log files will be generated differently. But I did run the -vv switch, same as you.

I can't even exclude rclone.exe from the VPN and have it function correctly, as long as WireGuardNT is active. When I try I get the same results.

i have no issue excluding rclone.exe, notice the --bind to my local nic ip address.

rclone.exe copy D:\data\iso\veeam\re\en08\20220216\VeeamRecoveryMedia_EN08.iso gdrive:zork --progress --bind=
Transferred:      896.562 MiB / 896.562 MiB, 100%, 26.327 MiB/s, ETA 0s

maybe there is some issue with your firewalls, antivirus or something else?

I can't imagine what it could be. I use windows' firewall, but disabled it. I disabled DoH. I don't use any anti-malware scanner, other than Windows Security.

You have to be binding to a NIC, not a TAP/TUN, right? Is this a way of forcing an excluded rclone.exe?

in general, you can bind to any local ip address you want.

as a test, i binded to my local nic ip address and rclone ran without error.
that is the proof mullvad excluded rclone.exe

You have to be running a different OS than me, because I couldn't even use the --bind= switch. When I tried GDrive started throwing up all kinds of errors. I couldn't even get rclone to run correctly after adding rclone.exe to Mullvad's split tunnel.

well, you never posted that but based on your posts, i believe we are both running the same version of win11

Oh I did not paste a log for that. However, I may have found something that worked. The key is to exclude rclone.exe Mullvad AND use the --bind= switch. You inadvertently helped me, because I didn't know that switch was even an option. Of course, rclone being excluded means that nothing will be encrypted. But that's another issue. I think I solved the issue.