Is WireGuard as good as they hype it up to be? Let's find out!
So I've heard the rumblings about WireGuard getting merged into the Linux kernel and rumors about how it outperforms other VPN tech I've been using over the years (IPsec/OpenVPN). So I have decided to check it out for myself.
Server:
~/ cat /etc/openvpn/server/testserver.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
Client:
~/ cat /etc/openvpn/client/testclient.conf
remote 192.168.1.31
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
Server:
wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
wg-quick up ~/wg0.conf
~/ cat ~/wg0.conf
[Interface]
Address = 10.0.0.1/24
PrivateKey = SHnMUqqb6DWmIReIlh3jPuxT26ZEdrIY85kwn5rrqEE=
ListenPort = 51820
[Peer]
PublicKey = PDo/2cujm+eHu785w3OHKDWxFo/2K/qWUHJDBDgp538=
AllowedIPs = 10.0.0.3/32
~/ sudo wg [1]
interface: wg0
public key: m1BvxWF98Sumh5C40fnHLYDV7Jo+wmljruHkykvqFRU=
private key: (hidden)
listening port: 51820
peer: PDo/2cujm+eHu785w3OHKDWxFo/2K/qWUHJDBDgp538=
endpoint: 192.168.1.32:51902
allowed ips: 10.0.0.3/32
latest handshake: 2 seconds ago
transfer: 40.51 GiB received, 10.69 GiB sent
Client:
wg genkey | tee peer_C.key | wg pubkey > peer_C.pub
sudo ip link add dev wg0 type wireguard
sudo ip addr add 10.0.0.3/24 dev wg0
sudo wg set wg0 listen-port 51902 private-key ~/peer_C.key
sudo wg set wg0 peer m1BvxWF98Sumh5C40fnHLYDV7Jo+wmljruHkykvqFRU= endpoint 192.168.1.31:51820 allowed-ips 10.0.0.0/24
sudo ip link set wg0 up
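How the AllowedIPs values in the two setups above act as both a routing table and an inbound source filter (WireGuard's cryptokey routing), as an added example that is not part of the original post. It is a Python model of the lookup, not WireGuard code, and the peer labels `client` and `server` are names assumed for the example.

```python
import ipaddress

# AllowedIPs as configured above. The peer labels are assumed names.
SERVER_PEERS = {"client": ["10.0.0.3/32"]}  # [Peer] section of wg0.conf
CLIENT_PEERS = {"server": ["10.0.0.0/24"]}  # allowed-ips given to `wg set`


def build_table(peers):
    """Flatten {peer: [cidr, ...]} into (network, peer) pairs."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in peers.items() for cidr in cidrs]


def route_outbound(table, dst):
    """Outbound: the peer with the longest matching AllowedIPs prefix
    encrypts the packet. None means no peer matches and nothing is sent."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, peer) for net, peer in table if addr in net]
    return max(hits)[1] if hits else None


def accept_inbound(table, from_peer, src):
    """Inbound: after decryption the inner source address must map back to
    the peer whose key authenticated the packet, else it is dropped."""
    return route_outbound(table, src) == from_peer


if __name__ == "__main__":
    server = build_table(SERVER_PEERS)
    client = build_table(CLIENT_PEERS)
    # Server side: the /32 pins the client to exactly one tunnel address.
    print(route_outbound(server, "10.0.0.3"))            # client
    print(accept_inbound(server, "client", "10.0.0.3"))  # True
    print(accept_inbound(server, "client", "10.0.0.1"))  # False
    # Client side: the /24 accepts any 10.0.0.x source from the server peer.
    print(accept_inbound(client, "server", "10.0.0.77"))  # True
    print(route_outbound(client, "192.168.1.31"))         # None
```

In this two-host setup, narrowing the client's allowed-ips to 10.0.0.1/32 would make its inbound filter as strict as the server's.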
OpenVPN
Latency: avg 1.152ms
--- 10.8.0.1 ping statistics ---
1000 packets transmitted, 1000 received, 0% packet loss, time 1002062ms
rtt min/avg/max/mdev = 0.365/1.152/7.204/0.368 ms
Bandwidth: 230 Mbits/sec
~/ iperf -c 10.8.0.1 -t 30 -P 1
Client connecting to 10.8.0.1, TCP port 5001
TCP window size: 166 KByte (default)
[ 3] local 10.8.0.2 port 34730 connected with 10.8.0.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.0 sec 822 MBytes 230 Mbits/sec
WireGuard
Latency: avg 0.999ms
--- 10.0.0.1 ping statistics ---
1000 packets transmitted, 1000 received, 0% packet loss, time 1005784ms
rtt min/avg/max/mdev = 0.283/0.999/10.620/0.730 ms
Bandwidth: 876 Mbits/sec
~/ iperf -c 10.0.0.1 -t 30 -P 1
Client connecting to 10.0.0.1, TCP port 5001
TCP window size: 130 KByte (default)
[ 3] local 10.0.0.3 port 55258 connected with 10.0.0.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.0 sec 3.06 GBytes 876 Mbits/sec
WireGuard is in fact faster (lower latency and higher throughput) than OpenVPN.
I also learned that OpenVPN is single-threaded, so it was only able to use 1 of the 4 cores on each machine. Another advantage to WireGuard. This is especially important if you are:
The only negative aspects for WireGuard for me were: