VPN Speed Tests

Hey everyone, for those interested, we put together a speed test of the various VPN tools commonly used by self-hosters, including OpenVPN, ZeroTier, Tailscale, Tinc, Nebula, WireGuard, and Netmaker. I work for the Netmaker team, so definitely take that into account, but we think these results hold up well!

https://medium.com/netmaker/battle-of-the-vpns-which-one-is-fastest-speed-test-21ddc9cd50db

I mean, basically the conclusion is kernel wireguard > go wireguard ( and related ) which is… known.

But hey, still cool

You should use WireGuard unless you can’t. It lives in the Linux kernel, only 2k lines of code, state-of-the-art cryptography, audited, really fast, available for all OS, OpenSource, included in new network equipment…

Update: 4k lines of code

Somehow, Netmaker and WireGuard (with MTU adjustments) performed much better than even the default gateway! We thought this might be a fluke, but it was repeatable across tests.

hehe posted about this effect a couple months back but people seemed skeptical

This seems surprising. I’ve had 700+ using OpenVPN in my tests before. Also, no IPSEC? I’ve also experienced almost native speeds when using IPSEC

What were the MTU settings you used for Wireguard that got the top results? The article is vague about it.

Anecdotal but I use OpenVPN running in a docker container, using default settings, and my phone (Samsung S10) to my server (i3 6100) gets about 180mbps both ways. That’s testing from my friend’s house to mine and we’re both on gigabit fibre in the same city. That’s just doing an internet speed test too so that will make a difference due to MTU etc.

That’s probably quite enough for most self hosted scenarios in any case.

The thing about solutions like TailScale and TwinGate is how smooth the setup is. You install the client easily, authenticate, and boom you’re in.

I’m hoping an open source solution will soon manage to get to that level of polish.

I’ll have to look into this. Respect for the upfront disclosure.

netmaker doesn’t support derp unfortunately, which means that it can’t be used with tmobile home internet. i just learned this the hard way last night.

zerotier worked for me, but slowly. i also appreciate that i didn’t need to waste 2 hours setting up the dashboard in a vps and configuring dns records and docker

I use vTun. Where’s that on the list ?

How do I figure out what MTU to use? Any good explanation of MTU?

I’m super impressed with wireguard’s speeds. I’ve seen over 700mb/s (on a ‘gigabit’ internet connection that’s more like 800-900mb/s) while connected to a server hundreds of miles away. It’s WAY faster than anything else I’ve tried before it.

I can’t wait if/when tailscale ever switches to wireguard kernel.

only 2k lines of code

I don’t mean to well actually you but I was really curious about how they managed to do it, so I took a peek at the code… and still have no idea how they do it. Looks like magic to me.

Anyway, I was wondering just how many lines it’s at and ran a check. It looks like they’ve grown a bit: 5000-ish lines, which is still quite ridiculous.

-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
C                               17            816            496           4844
C/C++ Header                    13            145             93            674
make                             1              0              0             17
-------------------------------------------------------------------------------
SUM:                            31            961            589           5535
-------------------------------------------------------------------------------

I’m glad we weren’t the only ones! Thought we were crazy.

IPSec should definitely be in our next round of tests. As for OpenVPN, I’m guessing some tuning / more advanced configuration might lead to better speeds. We stuck with a minimal installation of everything for these tests.

When WireGuard got the top results we actually didn’t set MTU at all. We just ran “wg-quick up” and it set the right MTU. On the large AWS machines it set MTU to 8921.

The downside of this approach was that the opposite happened on another set of machines. Again we just ran “wg-quick up” and it set MTU I believe to something similar like 8921, which was waaaaay too high for the machines it was running on that time, causing speed to be < 10Mbps.

Not sure if you prefer open source due to the elements around community building it or cost, but if the latter, Twingate just launched a free starter tier with up to 5 seats. [I currently work there]

The general rule is to use the highest MTU that will work. 1480 is a good default.
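
For the MTU questions raised in the thread, the following is an added example, not part of any comment above and not Netmaker or WireGuard project code: it binary-searches the largest unfragmented IPv4 packet a path will carry and subtracts WireGuard's per-packet overhead. wg-quick, when no MTU is configured, subtracts 80 from the outgoing interface's MTU, so a 9001-byte jumbo-frame interface yields 8921, and that value breaks if the real path is smaller. Assumptions: the function names and `PROBE_HOST` are hypothetical, and the real probe relies on Linux iputils `ping -M do`.

```shell
#!/bin/sh
# WireGuard per-packet overhead: outer IP header (20 for IPv4, 40 for IPv6)
# + UDP 8 + WireGuard data header 16 + Poly1305 tag 16.
wg_overhead() {
  case "$1" in
    4) echo 60 ;;
    6) echo 80 ;;
    *) return 1 ;;
  esac
}

# wg_mtu PATH_MTU [FAMILY]: tunnel MTU for a given path MTU. FAMILY is the IP
# version of the outer packets; 6 is the default because it is the safe
# choice (it matches the 80 bytes wg-quick subtracts).
wg_mtu() {
  local overhead
  overhead=$(wg_overhead "${2:-6}") || return 1
  echo $(( $1 - overhead ))
}

# Real probe: succeeds if an ICMP echo with $1 payload bytes reaches
# $PROBE_HOST with the don't-fragment bit set.
probe_ping() {
  ping -c 1 -W 1 -M do -s "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# find_path_mtu PROBE_FN LO HI: largest IPv4 packet size in [LO, HI] that
# PROBE_FN accepts. PROBE_FN receives the ICMP payload size, which is the
# packet size minus 28 (20 IPv4 header + 8 ICMP header).
find_path_mtu() {
  local probe=$1 lo=$2 hi=$3 mid
  "$probe" $(( lo - 28 )) || return 1   # even the floor does not pass
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if "$probe" $(( mid - 28 )); then lo=$mid; else hi=$(( mid - 1 )); fi
  done
  echo "$lo"
}

# Runs only when a peer is named, e.g.  PROBE_HOST=<peer address> sh mtu.sh
if [ -n "${PROBE_HOST:-}" ]; then
  path=$(find_path_mtu probe_ping 576 9001) || { echo "no reply" >&2; exit 1; }
  echo "path MTU $path -> WireGuard MTU $(wg_mtu "$path")"
fi
```

Put the result in the `MTU =` line of the `[Interface]` section so wg-quick does not derive it from the local interface alone.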