Sunday, July 7, 2024

Surprising OpenVPN and WireGuard result on Intel Alder Lake N100 pfSense Router

Introduction

I have been using OpenVPN on my home router for the last 10 years or so, and I finally got around to trying WireGuard tunneling. From what I had heard, I was expecting WireGuard to be much faster, as I saw a huge performance increase when I switched from OpenVPN to WireGuard on my Private Internet Access VPN.

To my surprise, it turns out that OpenVPN is still significantly faster (and better) on my Intel Alder Lake N100 router.

Benchmark

Here are the specs used for the benchmark:

and here's the result:

| Metric | Un-encrypted | OpenVPN | WireGuard |
|---|---|---|---|
| Ping | 1ms | 1ms | 1ms |
| Latency (Down) | 16ms | 29ms | 15ms |
| Latency (Up) | 22ms | 38ms | 26ms |
| Download Speed | 912.40Mbps | 914.35Mbps | 636.50Mbps |
| Download CPU usage | 10% | 10% | 21% |
| Upload Speed | 945.48Mbps | 944.01Mbps | 658.27Mbps |
| Upload CPU usage | 63% | 69% | 89% |


Explanation

OpenVPN relies on the underlying OpenSSL library, which uses the CPU's AES instructions for hardware acceleration. The Intel Alder Lake N100 processor supports AES-NI, and my pfSense dashboard showed that it's enabled. WireGuard, on the other hand, uses the ChaCha20-Poly1305 algorithm, which takes advantage of SIMD instructions, which exist on virtually all non-embedded CPUs.

So it appears that AES hardware acceleration provides a significant boost over using SIMD instructions, at least on the Intel N100 processor.
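To check the cipher explanation on your own router, here is a script added as an illustration (it is not from the original post) that compares the AES-GCM and ChaCha20-Poly1305 figures reported by `openssl speed -evp`. It assumes OpenVPN is configured for AES-256-GCM, which the post does not state, and the function names and the sample output are constructed for this example. The numbers are userspace, single-core figures, so they are only a proxy for WireGuard's in-kernel ChaCha20-Poly1305 path.

```shell
#!/bin/sh
# Added example (not from the original post). Compares AES-GCM and
# ChaCha20-Poly1305 throughput as reported by `openssl speed -evp`.

# speed_kbps CIPHER: read `openssl speed` output on stdin and print the
# figure for the largest block size (unit: 1000s of bytes per second).
speed_kbps() {
    awk -v want="$1" '
        tolower($1) == tolower(want) && $NF ~ /^[0-9.]+k$/ {
            v = $NF; sub(/k$/, "", v)
        }
        END { if (v == "") exit 1; print v }'
}

# percent_faster A B: whole-percent advantage of A over B (truncated).
percent_faster() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        if (b + 0 <= 0) exit 1
        printf "%d\n", (a / b - 1) * 100 }'
}

# Constructed sample output for the offline demo, NOT measured on an N100.
SAMPLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     400000.00k  1000000.00k  1800000.00k  2200000.00k  2380000.00k  2400000.00k
ChaCha20-Poly1305  250000.00k   500000.00k  1100000.00k  1500000.00k  1590000.00k  1600000.00k'

# report TEXT: print both figures and the AES advantage found in TEXT.
report() {
    aes=$(printf '%s\n' "$1" | speed_kbps aes-256-gcm) || return 1
    cha=$(printf '%s\n' "$1" | speed_kbps chacha20-poly1305) || return 1
    echo "aes-256-gcm=${aes}k chacha20-poly1305=${cha}k" \
         "aes_advantage=$(percent_faster "$aes" "$cha")%"
}

# live: benchmark this machine (1 second per block size, single core).
live() {
    out=$( { openssl speed -seconds 1 -evp aes-256-gcm
             openssl speed -seconds 1 -evp chacha20-poly1305; } 2>/dev/null )
    report "$out"
}

# Pass "live" as the first argument to benchmark the local CPU;
# with no argument the script parses the constructed sample above.
if [ "${1:-}" = "live" ]; then live; else report "$SAMPLE"; fi
```

Run it with the `live` argument from a shell on the router to see whether the AES-GCM figure exceeds the ChaCha20-Poly1305 figure on that CPU.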

Conclusion

For Intel N100 processor based pfSense routers, OpenVPN provides over 43% higher VPN throughput than WireGuard. In fact, the AES-NI acceleration is so effective that it achieves near 100% ISP throughput with no additional CPU overhead (for a 1Gbps connection).

What is really interesting is that the WireGuard connection works at 50 to 68% lower latency than OpenVPN. As such, WireGuard may be better suited for activities such as gaming and remote desktop access.

In conclusion, for those using an Intel Alder Lake N100 for a pfSense router, OpenVPN should be used if your primary goal is to obtain the highest throughput with the clients. If your client application is more sensitive to network latency, WireGuard should be used instead.