Let's talk about VPN performance

I built up a setup as suggested by @egc

Laptop running iPerf Server <-> Router running WireGuard Server <-> Laptop running WireGuard and iPerf Client

and I repeated the test on my WAX206 (the DL-WRX36 is currently in use by my kids). The results are interesting in the way that they are actually slower than before, and I needed to reduce the MTU even further, to 1210, to get the best results:

Before it was 430 Mbits/s and 611 Mbits/s; now I got 345 Mbits/s and 523 Mbits/s. So it's significantly slower. Any ideas what could be the bottleneck? The new iPerf server is running on my company's developer laptop, so whatever happens on that machine, I would expect that it should be more than fast enough to handle it without a significant delay. Maybe it's a result of the forwarding from the WAN to the LAN zone and vice versa and the packet filtering involved. What do you think?

C:\Program Files\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.160 -M 1210
Connecting to host 192.168.1.160, port 5201
[  4] local 192.168.3.6 port 54343 connected to 192.168.1.160 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  40.4 MBytes   338 Mbits/sec
[  4]   1.00-2.00   sec  42.4 MBytes   356 Mbits/sec
[  4]   2.00-3.00   sec  41.4 MBytes   347 Mbits/sec
[  4]   3.00-4.00   sec  41.8 MBytes   350 Mbits/sec
[  4]   4.00-5.00   sec  43.0 MBytes   361 Mbits/sec
[  4]   5.00-6.00   sec  41.9 MBytes   351 Mbits/sec
[  4]   6.00-7.00   sec  40.9 MBytes   343 Mbits/sec
[  4]   7.00-8.00   sec  40.8 MBytes   342 Mbits/sec
[  4]   8.00-9.00   sec  40.4 MBytes   339 Mbits/sec
[  4]   9.00-10.00  sec  39.1 MBytes   328 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   412 MBytes   345 Mbits/sec                  sender
[  4]   0.00-10.00  sec   412 MBytes   345 Mbits/sec                  receiver

iperf Done.

C:\Program Files\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.160 -M 1210 -R
Connecting to host 192.168.1.160, port 5201
Reverse mode, remote host 192.168.1.160 is sending
[  4] local 192.168.3.6 port 54345 connected to 192.168.1.160 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  61.4 MBytes   515 Mbits/sec
[  4]   1.00-2.00   sec  63.0 MBytes   529 Mbits/sec
[  4]   2.00-3.00   sec  60.6 MBytes   508 Mbits/sec
[  4]   3.00-4.00   sec  63.2 MBytes   530 Mbits/sec
[  4]   4.00-5.00   sec  63.7 MBytes   534 Mbits/sec
[  4]   5.00-6.00   sec  62.3 MBytes   522 Mbits/sec
[  4]   6.00-7.00   sec  63.4 MBytes   532 Mbits/sec
[  4]   7.00-8.00   sec  59.9 MBytes   502 Mbits/sec
[  4]   8.00-9.00   sec  62.7 MBytes   526 Mbits/sec
[  4]   9.00-10.00  sec  63.7 MBytes   534 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   624 MBytes   523 Mbits/sec                  sender
[  4]   0.00-10.00  sec   624 MBytes   523 Mbits/sec                  receiver

iperf Done.
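An added example, not part of this post or the thread, to relate the iperf3 -M value used above to what actually leaves the router: -M sets the TCP maximum segment size, not the interface MTU, and WireGuard wraps each inner packet (padded to a multiple of 16 bytes, clamped to the tunnel MTU) in a fixed 32-byte header/tag plus UDP and the outer IP header, 60 bytes over IPv4 and 80 over IPv6. The helper names (wg_mtu, tcp_mss, wire_size) are mine; the only assumption is standard WireGuard framing and a 1500-byte path.

```shell
#!/bin/sh
# Added example (not from the thread): WireGuard framing arithmetic.
#
# Per transport data packet WireGuard adds 4 (type) + 4 (receiver index)
# + 8 (counter) + 16 (Poly1305 tag) = 32 bytes, carried in UDP (8) over the
# outer IP header (20 for IPv4, 40 for IPv6): 60 bytes total over IPv4,
# 80 over IPv6.

# ip_hdr FAMILY: IP header size for address family 4 or 6
ip_hdr() {
  case "$1" in
    4) echo 20 ;;
    6) echo 40 ;;
    *) return 1 ;;
  esac
}

# wg_mtu PATH_MTU OUTER_FAMILY: largest tunnel MTU whose outer packets still
# fit the path MTU (1500 over IPv6 gives WireGuard's default of 1420)
wg_mtu() {
  echo $(( $1 - $(ip_hdr "$2") - 8 - 32 ))
}

# tcp_mss TUNNEL_MTU INNER_FAMILY: MSS a TCP flow inside the tunnel can use
# (inner IP header plus the 20-byte TCP header)
tcp_mss() {
  echo $(( $1 - $(ip_hdr "$2") - 20 ))
}

# wire_size MSS INNER_FAMILY OUTER_FAMILY TUNNEL_MTU: size of the outer packet
# carrying one full TCP segment. WireGuard pads the inner packet to a multiple
# of 16 bytes, but never beyond the tunnel MTU, before encrypting it.
wire_size() {
  inner=$(( $1 + $(ip_hdr "$2") + 20 ))
  padded=$(( (inner + 15) / 16 * 16 ))
  if [ "$padded" -gt "$4" ]; then
    padded=$4
  fi
  echo $(( padded + $(ip_hdr "$3") + 8 + 32 ))
}

# Worked values for a 1500-byte path; the -M 1210 run above sits well below them.
printf 'tunnel MTU over an IPv4 path:          %s\n' "$(wg_mtu 1500 4)"          # 1440
printf 'tunnel MTU over an IPv6 path:          %s\n' "$(wg_mtu 1500 6)"          # 1420
printf 'TCP MSS inside a 1420 tunnel (IPv4):   %s\n' "$(tcp_mss 1420 4)"         # 1380
printf 'outer bytes for -M 1210, v4 in v4:     %s\n' "$(wire_size 1210 4 4 1420)" # 1324
printf 'outer bytes for -M 1380, v4 in v6:     %s\n' "$(wire_size 1380 4 6 1420)" # 1500
```

The last line is why 1420 is the usual tunnel MTU: a full 1380-byte MSS segment pads to the tunnel MTU and lands exactly on 1500 bytes even with an IPv6 outer header. An -M of 1210 or 1316 therefore does not avoid fragmentation that 1380 would cause on a clean 1500-byte path; if a lower value measures faster, something else on the path (a smaller PMTU, or per-packet CPU cost) is worth looking at.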

That is exactly why I was asking. Do you use irqbalance? I'm too lazy to look at the specs, but does your traffic now go through two Ethernet interfaces? In short: run top and see what's hitting your CPU. In my case (separate Ethernet interfaces with separate chips) irqbalance makes sense.


Same on the Dynalink DL-WRX36, with the Laptop <-> Router <-> Laptop setup I get lower results:

iperf3.exe -c 192.168.1.160 -M 1316:

[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   650 MBytes   545 Mbits/sec                  sender
[  4]   0.00-10.00  sec   649 MBytes   545 Mbits/sec                  receiver

iperf3.exe -c 192.168.1.160 -M 1316 -R:

[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   829 MBytes   695 Mbits/sec                  sender
[  4]   0.00-10.00  sec   829 MBytes   695 Mbits/sec                  receiver

Seeing those results on relatively powerful devices makes me doubt that iperf3 in server mode is causing more load than forwarding the data from WAN to LAN and vice versa. In addition to that, without the -R switch the content should be produced by the iperf client anyway.

From my perspective both scenarios (running iPerf server on the router or on a separate client) are valid scenarios. Many people like me are using VPN mainly to access the internet using their home IP address when they are travelling. In such a scenario the data will never be forwarded to the LAN zone of the device. Others might use VPN to access data in their home networks (e.g. data on their NAS), here the traffic will be forwarded to the LAN.

I also don't think that we should investigate VPN performance for every device in this thread. It was intended for people to simply post their VPN results so that others can get an overview of which maximum VPN performance they can expect from a device. To get people doing that we should keep it simple instead of making it unnecessarily complex.

I will also post my OpenVPN results here as soon as they are ready and I hope other people will do the same.

It is because of forwarding from one interface to another.

What about IPsec, the only VPN based on standards by the IETF? Libreswan is much less esoteric when compared to strongSwan, just in case you decide to include it here too 🙂

NetGear R7800

iperf3 testing, wired, with a multicore PC on the WAN side used as client (running the latest WireGuard for Windows app) and a multicore Windows PC on the LAN side running iperf3 as server

Performance Governor
root@R7800-2:~# for CPUGOV in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do cat $CPUGOV;done
performance
performance

irqbalance
root@R7800-2:~# ps | grep [i]rqbalance
4543 root 1000 S irqbalance

But NO packet steering or offload

The router is idling with no other clients attached, so this is the maximum throughput; in normal use it will be (way) less.

{
"kernel": "5.15.127",
"hostname": "R7800-2",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05-SNAPSHOT",
"revision": "r23396-f445c38263",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05-SNAPSHOT r23396-f445c38263"
}
}

Using patch https://github.com/openwrt/openwrt/pull/13323/commits/c06e79fc3eb8d162465c3cfe33bdad3e222ad334#diff-fcdea625f55b655c72ffd96a2274ec42e736a3c403795db138a4b96cb8300c15
https://github.com/openwrt/openwrt/pull/13323

Baseline LAN<>WAN throughput is around 900 Mb/s running iperf between iperf client on the LAN and iperf server on the WAN

WireGuard

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-20.00  sec   883 MBytes   370 Mbits/sec                  sender
[  4]   0.00-20.00  sec   883 MBytes   370 Mbits/sec                  receiver

OpenVPN AES-256 (OpenVPN 2.5.8, no AES hardware acceleration, no DCO)

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  92.4 MBytes  77.5 Mbits/sec                  sender
[  4]   0.00-10.00  sec  92.3 MBytes  77.4 Mbits/sec                  receiver

OpenVPN CHACHA20 (OpenVPN 2.5.8 no DCO)

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-20.01  sec   202 MBytes  84.7 Mbits/sec                  sender
[  4]   0.00-20.01  sec   202 MBytes  84.7 Mbits/sec                  receiver

Edit: As a rule of thumb WireGuard throughput is around three times that of OpenVPN (assuming there is no AES Hardware acceleration and no DCO)

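An added example, not from either post, that ties together the earlier advice to check irqbalance and "run top and see what's hitting your CPU" with the pre-benchmark preamble shown for the R7800 above (governor per CPU, irqbalance running). Instead of eyeballing top it reads /proc/interrupts and reports which CPU services each NIC interrupt, which is the direct way to see whether one core is carrying both Ethernet chips. All function names are mine; the script assumes a Linux /sys and /proc layout, and the /proc/interrupts excerpt it ships with is constructed for the offline demo, not captured from any router in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-benchmark checks for a router under
# test. Paths are parameters so the functions also work on copied files.

# report_governors [SYSFS_ROOT]: one "cpuN governor" line per CPU with cpufreq
report_governors() {
  root=${1:-}
  for f in "$root"/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do
    [ -r "$f" ] || continue
    cpu=$(basename "$(dirname "$(dirname "$f")")")
    printf '%s %s\n' "$cpu" "$(cat "$f")"
  done
}

# irqbalance_running [PROC_ROOT]: succeed if a process named irqbalance exists
# (same check as `ps | grep [i]rqbalance`, without depending on ps output format)
irqbalance_running() {
  root=${1:-}
  for c in "$root"/proc/[0-9]*/comm; do
    [ -r "$c" ] || continue
    if [ "$(cat "$c" 2>/dev/null)" = "irqbalance" ]; then
      return 0
    fi
  done
  return 1
}

# irq_distribution INTERRUPTS_FILE PATTERN: for each IRQ line matching PATTERN,
# print the per-CPU counts and the share taken by the busiest CPU, then the
# per-CPU totals over all matched IRQs. Two NICs both showing busiest=100% on
# the same CPU is the situation irqbalance (or manual smp_affinity) addresses.
irq_distribution() {
  awk -v pat="$2" '
    NR == 1 { ncpu = NF; next }                 # header line: "CPU0 CPU1 ..."
    $0 ~ pat {
      irq = $1; sub(/:$/, "", irq)
      out = "irq " irq; total = 0; max = 0
      for (i = 0; i < ncpu; i++) {
        n = $(i + 2) + 0
        out = out " cpu" i "=" n
        total += n; sum[i] += n
        if (n > max) max = n
      }
      share = (total > 0) ? int(100 * max / total) : 0
      printf "%s busiest=%d%% %s\n", out, share, $NF
    }
    END {
      out = "total"
      for (i = 0; i < ncpu; i++) out = out " cpu" i "=" (sum[i] + 0)
      print out
    }' "$1"
}

# Constructed /proc/interrupts excerpt for the offline demo: two CPUs, one IRQ
# per Ethernet chip, and both NIC IRQs landing on CPU0.
SAMPLE_INTERRUPTS='           CPU0       CPU1
 24:    1500000          0     GIC-0  56 Level     eth0
 25:    1400000          0     GIC-0  57 Level     eth1
 30:        120        118     GIC-0  40 Level     timer'

# demo_irq PATTERN: run irq_distribution over the constructed sample
demo_irq() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_INTERRUPTS" > "$tmp"
  irq_distribution "$tmp" "$1"
  rm -f "$tmp"
}

# Usage: sh irqcheck.sh eth   (live system); with no argument the sample is used.
if [ -n "${1:-}" ] && [ -r /proc/interrupts ]; then
  report_governors
  if irqbalance_running; then echo "irqbalance: running"; else echo "irqbalance: not running"; fi
  irq_distribution /proc/interrupts "$1"
else
  demo_irq eth
fi
```

On the sample the total line reads `total cpu0=2900000 cpu1=0`: every NIC interrupt is serviced by CPU0, so that core saturates long before the second one does any work, which is exactly the profile a single-threaded-looking WireGuard result on a dual-core router tends to have. Run it before and after enabling irqbalance (or pinning one NIC's IRQ to the other core via /proc/irq/N/smp_affinity) and compare the totals alongside the iperf3 numbers.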

Wow, that's very detailed. I will try to use it as a template. Thank you

Of course, all VPN performance related information is welcome here. However, I personally only use WireGuard and OpenVPN (as a backup) because these are supported by my travel router.


... and IPsec is supported by Android (and Apple) without 3rd party software. And it is nice to compare it with WireGuard since it too uses kernel-based encryption. But it is more challenging because of numerous encryption algorithms supported by Linux implementations (clients support very limited subsets, often dated).

Note there is always some fluctuation; this is just to give an idea about relative performance 🙂

I too only use WireGuard and as a backup OpenVPN.

As I see how many questions there are about WireGuard and OpenVPN compared to other VPN solutions (both here and on other third-party firmware forums), it seems that WireGuard and OpenVPN are by far the most popular VPNs used.


IPsec has its benefits because it doesn't require additional software and eats little battery on mobile systems. But for some reason OpenWRT has rather poor documentation on that matter. Libreswan is hardly more complex than Wireguard especially in PSK+XAuth mode.

Technically I would expect better results from IPsec because usually it defaults to AES, and those implementations either employ AES-NI (or other hardware acceleration) or ASM-optimized software implementations. As far as I understand, most mobile clients do support AES acceleration.

Another thing why I don't like WireGuard - its official apps fail to use IPv6. Come on, it's 2023!

What do you mean by 'fail to use'?


Don't assume, verify.

...and 'thanks' to cgNAT, I can only use IPv6 to connect to my roadwarrior-style VPN - so it must be an illusion that wireguard has been working just fine for the last three+ years.

Can you specify IPv6 endpoint address in WG app for Android? Or IPv6 address for client itself? Been awhile since I tried it myself... but you will update me on that.

Yes. You can do both. In my experience, if you're using the IP address directly for the endpoint you will have to enclose it in square brackets before adding the port on the end, but it works just fine.


Checking it...

P.S. Well, turns out it was fixed - https://github.com/angristan/wireguard-install/issues/352

Thanks for updating me on that.

P.S. #2: Probably you can help here then - https://forum.openwrt.org/t/wireguard-peers-cannot-connect-to-lan-devices-via-ipv6-but-can-via-ipv4

Is that not a third party script that generates config files? What does it have to do with the official wireguard apps?

I definitely remember that I couldn't import IPv6 configs to official WG app on Android about a year and a half ago when I tried it last time. I used OpenWRT and it worked fine in server-server mode.

I wonder if anyone will benchmark Openconnect (ocserv) which comes with decent web interface (luci-app-ocserv)...