Introduction
I have been using OpenVPN on my home router for the last 10 years or so, and I finally got around to trying WireGuard tunneling. From what I heard, I was expecting WireGuard to be much faster, as I have seen a huge performance increase when I switched from OpenVPN to WireGuard on my Private Internet Access VPN.
To my surprise, as it turns out OpenVPN is still significantly faster (and better) on my Intel Alder Lake N100 router.
Benchmark
Here are the specs used for the benchmark:
- Intel N100 mini-PC with 8GB RAM 128GB NVMe Intel i226 Dual 2.5G LAN
- pfSense 2.7.2 amd64 (FreeBSD 14.0)
- AES-NI enabled, no QAT, Kernel PTI and MDS Mitigation disabled
- OpenVPN using AES-256-CGM
- pfSense-pkg-WireGuard 0.2.1
- 1Gbps symmetric fiber internet connection
- speedtest.net
and here's the result:
| Un-encrypted | OpenVPN | WireGuard | |
|---|---|---|---|
| Ping | 1ms | 1ms | 1ms |
| Latency (Down) | 16ms | 29ms | 15ms |
| Latency (Up) | 22ms | 38ms | 26ms |
| Download Speed | 912.40Mbps | 914.35Mbps | 636.50Mbps |
| Download CPU usage | 10% | 10% | 21% |
| Upload Speed | 945.48Mbps | 944.01Mbps | 658.27Mbps |
| Upload CPU usage | 63% | 69% | 89% |
Explanation
OpenVPN relies on the underlying OpenSSL library, which provides hardware acceleration for AES instructions. Intel Alder Lake N100 processor is AES-NI enabled, and my pfSense dashboard showed that it's enabled. WireGuard on the other hand, uses ChaCha20-Poly1305 algorithm, which takes advantage of SIMD instructions, which exists on virtually all non-embedded CPUs.
So it appears that the AES hardware acceleration provides significant boost over using SIMD instructions, at least in Intel N100 processor.
Conclusion
For Intel N100 processor based pfSense routers, OpenVPN provides over 43% VPN throughput performance over WireGuard. In fact, the AES-NI acceleration is so effective such that it achieves near 100% ISP throughput with no additional CPU overhead (for 1Gbps connection).
What is really interesting, is that the WireGuard connection works at 50 to 68% lower latency than OpenVPN. As such, WireGuard may be better suited for activities such as gaming and remote desktop access.
In conclusion, for those using Intel Alder Lake N100 for a pfSense router, OpenVPN should be used if your primary goal is to obtain highest throughput with the clients. If your client application is more sensitive to network latency, WireGuard should be used instead.
No comments:
Post a Comment