tyrel.cloud


VPN Performance Testing - OpenVPN vs WireGuard

Updated by Tyrel on 2020-11-08

Summary

Is WireGuard as good as they hype it up to be? Let's find out!


So I've heard the rumblings about WireGuard getting merged into the Linux kernel and rumors about how it outperforms other VPN tech I've been using over the years (IPsec/OpenVPN). So I have decided to check it out for myself.

Setup:

OpenVPN

Server:

    ~/ cat /etc/openvpn/server/testserver.conf
    dev tun
    ifconfig 10.8.0.1 10.8.0.2
    secret static.key

Client:

    ~/ cat /etc/openvpn/client/testclient.conf
    remote 192.168.1.31
    dev tun
    ifconfig 10.8.0.2 10.8.0.1
    secret static.key

WireGuard

Server:

    wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
    wg-quick up ~/wg0.conf
    ~/ cat ~/wg0.conf
    [Interface]
    Address = 10.0.0.1/24
    PrivateKey = SHnMUqqb6DWmIReIlh3jPuxT26ZEdrIY85kwn5rrqEE=
    ListenPort = 51820

    [Peer]
    PublicKey = PDo/2cujm+eHu785w3OHKDWxFo/2K/qWUHJDBDgp538=
    AllowedIPs = 10.0.0.3/32

    ~/ sudo wg                                                                                                                             [1]
    interface: wg0
      public key: m1BvxWF98Sumh5C40fnHLYDV7Jo+wmljruHkykvqFRU=
      private key: (hidden)
      listening port: 51820

    peer: PDo/2cujm+eHu785w3OHKDWxFo/2K/qWUHJDBDgp538=
      endpoint: 192.168.1.32:51902
      allowed ips: 10.0.0.3/32
      latest handshake: 2 seconds ago
      transfer: 40.51 GiB received, 10.69 GiB sent

Client:

    wg genkey | tee peer_C.key | wg pubkey > peer_C.pub
    sudo ip link add dev wg0 type wireguard
    sudo ip addr add 10.0.0.3/24 dev wg0
    sudo wg set wg0 listen-port 51902 private-key ~/peer_C.key
    sudo wg set wg0 peer m1BvxWF98Sumh5C40fnHLYDV7Jo+wmljruHkykvqFRU= endpoint 192.168.1.31:51820 allowed-ips 10.0.0.0/24
    sudo ip link set wg0 up

Results

OpenVPN

Latency: avg 1.152ms

    --- 10.8.0.1 ping statistics ---
    1000 packets transmitted, 1000 received, 0% packet loss, time 1002062ms
    rtt min/avg/max/mdev = 0.365/1.152/7.204/0.368 ms

Bandwidth: 230 Mbits/sec

    ~/ iperf -c 10.8.0.1 -t 30 -P 1

    Client connecting to 10.8.0.1, TCP port 5001
    TCP window size:  166 KByte (default)

    [  3] local 10.8.0.2 port 34730 connected with 10.8.0.1 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-30.0 sec   822 MBytes   230 Mbits/sec

WireGuard

Latency: avg 0.999ms

    --- 10.0.0.1 ping statistics ---
    1000 packets transmitted, 1000 received, 0% packet loss, time 1005784ms
    rtt min/avg/max/mdev = 0.283/0.999/10.620/0.730 ms

Bandwidth: 876 Mbits/sec

    ~/ iperf -c 10.0.0.1 -t 30 -P 1

    Client connecting to 10.0.0.1, TCP port 5001
    TCP window size:  130 KByte (default)

    [  3] local 10.0.0.3 port 55258 connected with 10.0.0.1 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-30.0 sec  3.06 GBytes   876 Mbits/sec

Conclusion

WireGuard is in fact faster than OpenVPN in this test: lower average latency (0.999 ms vs 1.152 ms) and higher throughput (876 Mbits/sec vs 230 Mbits/sec).
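
To put numbers on that comparison, the following added example (not part of the original post) parses the ping and iperf summaries shown in the Results section and reports WireGuard relative to OpenVPN. It goes slightly beyond the runs above by also handling iperf's `[SUM]` line for parallel streams and its auto-scaled units; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's tooling). Helper names are hypothetical.

# Average RTT in ms from a ping "rtt min/avg/max/mdev = ..." summary on stdin.
ping_avg_ms() {
    awk '/rtt min\/avg\/max/ { split($0, a, "= "); split(a[2], v, "/")
                               print v[2]; found = 1 }
         END { exit !found }'
}

# Throughput in Mbits/sec from iperf (v2) client output on stdin. Uses the
# [SUM] line when parallel streams (-P > 1) were run, else the last interval
# line. iperf auto-scales the unit, so K/G are normalised (decimal prefixes).
iperf_mbits() {
    awk '$NF ~ /^[KMG]?bits\/sec$/ {
             v = $(NF - 1); u = substr($NF, 1, 1)
             if (u == "K") v = v / 1000
             else if (u == "G") v = v * 1000
             else if (u == "b") v = v / 1000000
             if ($0 ~ /\[SUM\]/) { sum = v; has_sum = 1 } else last = v
             found = 1
         }
         END { if (!found) exit 1; printf "%g\n", (has_sum ? sum : last) }'
}

# compare BASE_MBITS NEW_MBITS BASE_MS NEW_MS
# Prints "<throughput ratio>x <latency change in %>" for NEW relative to BASE.
compare() {
    awk -v t0="$1" -v t1="$2" -v l0="$3" -v l1="$4" \
        'BEGIN { printf "%.2fx %+.1f%%\n", t1 / t0, (l1 - l0) / l0 * 100 }'
}

# Summary lines copied from the Results section of this page.
openvpn_ping='rtt min/avg/max/mdev = 0.365/1.152/7.204/0.368 ms'
wireguard_ping='rtt min/avg/max/mdev = 0.283/0.999/10.620/0.730 ms'
openvpn_iperf='[  3]  0.0-30.0 sec   822 MBytes   230 Mbits/sec'
wireguard_iperf='[  3]  0.0-30.0 sec  3.06 GBytes   876 Mbits/sec'

# WireGuard relative to OpenVPN, using the four captured lines above.
summary() {
    compare "$(printf '%s\n' "$openvpn_iperf" | iperf_mbits)" \
            "$(printf '%s\n' "$wireguard_iperf" | iperf_mbits)" \
            "$(printf '%s\n' "$openvpn_ping" | ping_avg_ms)" \
            "$(printf '%s\n' "$wireguard_ping" | ping_avg_ms)"
}
summary
```

Pipe full `ping` or `iperf -c` output into the two parsers to reuse them on other runs; both exit non-zero when no summary line is found, so a failed test is not silently reported as a result.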

I also learned that OpenVPN is single-threaded, so it was only able to use 1 of the 4 cores on each machine. Another advantage to WireGuard. This is especially important if you are:

The only negative aspects of WireGuard for me were:

Feel like I missed something? Let me know in the comments!