Astounding Speed Improvement with WireGuard Beta

[Strathe 2]

I just enrolled in the WireGuard Beta and decided to run benchmarks to check if there was any performance difference compared with OpenVPN.

Specs:
Ubuntu 20.04 LTS with OpenVPN 2.5.1, WireGuard. CPU has AES-NI but weak single-core performance. 1 Gbps line.

Methodology:
1. Find a server with low load.
2. Connect to it via OpenVPN 2.51 with cipher AES-256-CBC and additional directives --fragment 0 --mssfix 0 --rcvbuf 0 --sndbuf 0.
3. Load 10 well-seeded Linux torrents (Ubuntu, Fedora, Arch Linux, etc.)
4. Observe average and top speeds.
5. Repeat immediately afterwards using WireGuard with the same AirVPN server and torrents.

Results:
OpenVPN: 350 Mbps average, 410 Mbps peak
WireGuard: 800 Mbps average, 1064 Mbps peak

I cannot believe how much faster WireGuard is. Literally a 2.5 times improvement in speed free of charge, and my 1 Gbps line is now the bottleneck.

Edited ... by Strathe

[OpenSourcerer 1435]

Interesting tidbit: I cannot reproduce these finding at all with Arch Linux. It's the other way around for me: OpenVPN full throughput, Wireguard highly crippled.
I'd like to request more info on your setup. Thank you in advance.

$ LANG=C lscpu|grep "Model name"
$ journalctl -k --no-pager | grep -i wireguard
$ wg --version
$ modinfo wireguard
$ lsb_release -r
  # Country and ISP; if not connected use this:
$ curl -s "http://ip-api.com"|grep -E "countryCode|isp"
  # 1 GBit/s FTTH?

.

[Strathe 2]

$ LANG=C lscpu|grep "Model name"
Model name:                      Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
$ journalctl -k --no-pager | grep -i wireguard
No journal files were found.
$ wg --version
wireguard-tools v1.0.20210315 - https://git.zx2c4.com/wireguard-tools/
$ modinfo wireguard
modinfo: ERROR: Module alias wireguard not found.
$ lsb_release -r
bash: lsb_release: command not found
$ curl -s "http://ip-api.com"|grep -E "countryCode|isp"
  "countryCode"  : "US",
  "isp"          : "AT&T Services, Inc.",
1 GBit/s FTTH: Yes

The improvement in performance is even greater than I had previously thought. Using the same server, I repeated the tests with AirVPN servers in Japan, New Zealand, Switzerland, and the US and was able to easily hit above 600 Mbps with all of them when using WireGuard. Compare this with the all-time high speed of 450 Mbps I was able to achieve with any AirVPN server before WireGuard support was implemented. The difference is night and day. Edited ... by Strathe

[Staff 9972]

Hello!

So far, the All Time High measured with multiple HTTP streams and in a way that line, CPU and peering could not be bottlenecks, and in an agnostic network, are 717 Mbit/s with OpenVPN and 864 Mbit/s with WreGuard. Your claimed peak of 1064 Mbit/s is a new record. Of course some hardware can have more gain, other almost nothing, and other could even have lower performance with WireGuard, as we have seen experimentally.

Remember: use WireGuard only when you have understood perfectly the privacy issues it poses and you are sure that they are not a problem for your threat model.

Kind regards
 

[OpenSourcerer 1435]

4 hours ago, Strathe said:

modinfo: ERROR: Module alias wireguard not found.

I don't quite understand. How can you use Wireguard without the kernel module??

[cqs 5]

10 hours ago, OpenSourcerer said:

Interesting tidbit: I cannot reproduce these finding at all with Arch Linux. It's the other way around for me: OpenVPN full throughput, Wireguard highly crippled.
I'd like to request more info on your setup. Thank you in advance.

$ LANG=C lscpu|grep "Model name"
$ journalctl -k --no-pager | grep -i wireguard
$ wg --version
$ modinfo wireguard
$ lsb_release -r
  # Country and ISP; if not connected use this:
$ curl -s "http://ip-api.com"|grep -E "countryCode|isp"
  # 1 GBit/s FTTH?

.

I use Arch and get 833/34, without VPN ranges from 800-1200 DL, 25-42 UP
https://www.speedtest.net/result/12255398586.png
 

[cqs 5]

https://codeberg.org/1/arch-borealis
My exact configuration; adding some customization to the networking at the moment which isn't there yet.
I'd assume what's interesting regarding Wireguard & OpenVPN is in https://codeberg.org/1/arch-borealis/src/branch/master/scripts/post_chroot.sh

[Strathe 2]

6 hours ago, OpenSourcerer said:

I don't quite understand. How can you use Wireguard without the kernel module??

Sorry, I ran the commands you gave inside of the docker container (with host networking) I used to perform the benchmarks. Here is the result on the host:

$ modinfo wireguard
filename:       /lib/modules/5.11.0-36-generic/kernel/drivers/net/wireguard/wireguard.ko
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        1.0.0
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     656B5E368DC04310391A198
depends:        libblake2s,udp_tunnel,curve25519-x86_64,libchacha20poly1305,ip6_udp_tunnel,libcurve25519-generic
retpoline:      Y
intree:         Y
name:           wireguard
vermagic:       5.11.0-36-generic SMP mod_unload modversions 
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        5F:F6:6F:23:86:35:AB:B9:29:CC:24:05:2D:F8:3F:30:B4:4E:49:3D
sig_hashalgo:   sha512
signature:      78:20:DB:67:4E:9C:BD:FB:AB:F6:28:47:C6:39:2E:24:C3:9A:92:02:
		08:FA:C9:44:77:4D:54:A4:E6:C9:8F:A7:8F:5B:7B:E5:3E:58:CD:A6:
		67:6F:34:83:7F:16:6F:B0:5C:97:28:9B:74:75:75:8B:E1:1E:9D:D7:
		F4:AF:9B:AA:F1:D1:3F:CF:7B:C3:E3:56:E0:28:76:12:2F:05:ED:DD:
		A6:58:BF:D2:92:59:7F:42:4F:05:1E:FB:4B:53:03:E1:04:45:17:2C:
		D3:1A:D3:71:EE:DF:70:2B:99:AE:EC:45:FE:57:9A:02:AE:FC:89:B6:
		43:14:26:85:91:58:E7:CE:F8:5B:40:50:65:0F:E9:B7:3A:76:4C:A4:
		59:48:70:0B:B6:31:1D:C0:8B:8E:FF:08:EC:8F:A6:8B:80:0B:A3:AC:
		F0:C6:C1:27:DD:54:3B:72:79:25:D0:7F:96:5F:32:3E:6C:7C:F4:F1:
		43:58:95:58:93:5A:4D:3D:81:11:24:14:CA:A0:30:15:C6:D8:05:73:
		9F:FF:A0:D7:FB:BA:45:1B:99:9B:33:3F:22:2E:47:EB:CD:2B:86:A8:
		49:66:AC:FB:81:BB:5C:A6:76:3A:60:91:7D:A5:5A:9A:7E:77:8B:08:
		83:73:CF:DC:B4:F1:A1:D7:B5:BA:7D:27:04:66:3C:92:7E:E8:AA:FC:
		A6:EA:6D:32:06:86:3D:D8:9F:9C:F4:F0:F3:68:50:FC:EB:44:71:66:
		2F:0D:13:A1:2E:B9:EE:25:CC:0F:94:43:02:82:13:98:7B:A7:02:29:
		00:9C:22:AC:39:53:CD:60:93:CA:D9:E5:77:B7:60:45:FE:0C:2A:CB:
		3C:7B:24:54:45:A3:54:7E:42:4E:DC:EE:1F:60:75:F3:69:53:F8:68:
		E7:78:02:70:A4:60:FC:89:DA:FC:CA:1C:EC:3A:31:D2:D2:D5:0C:14:
		1D:CC:67:84:65:E7:C0:B6:03:FA:0F:A1:68:DC:A6:BA:AE:CC:AF:BB:
		39:6D:57:DB:AC:4E:85:20:53:79:F0:47:6D:09:58:59:52:B6:0D:21:
		9E:17:AB:87:93:88:37:70:18:67:AD:C3:EF:BB:09:53:D9:91:1F:B8:
		A0:D0:A5:3C:C2:81:39:39:4A:B7:EE:5B:B7:33:29:89:AB:09:E9:54:
		27:88:2F:E5:8D:F9:E5:E1:EC:30:A3:38:E6:DD:55:94:A0:0D:F8:36:
		B7:21:BC:AA:E5:3E:61:9C:8A:0C:30:5B:5A:03:97:97:F4:86:CF:68:
		CB:B4:84:86:2B:51:81:1D:3F:DA:A2:CB:A0:60:9E:F3:67:0A:3F:9E:
		83:B8:37:CA:F9:90:8D:F7:BE:30:CE:58
$ lsb_release -r
Release:	20.04

[OpenSourcerer 1435]

An Arch user who is screenshotting terminal output? Outrageous. Thread locked and dustbinned.

Apart from that, you seem to be using the PDS-patched kernel from AUR. Which means you compiled it from source, right? It's something I can try, too, with the Zen kernel. Or a different kernel altogether, maybe the Arch default. Lemme try that, see if it improves the crap of a Wireguard performance I get with speedtest-cli:

Hosted by Spacken.net (Hagen) [141.07 km]: 21.8 ms
Testing download speed................................................................................
Download: 93.87 Mbit/s
Testing upload speed......................................................................................................
Upload: 0.38 Mbit/s

.

[cqs 5]

1 hour ago, OpenSourcerer said:

An Arch user who is screenshotting terminal output? Outrageous. Thread locked and dustbinned.

Apart from that, you seem to be using the PDS-patched kernel from AUR. Which means you compiled it from source, right? It's something I can try, too, with the Zen kernel. Or a different kernel altogether, maybe the Arch default.

My settings are: PDS CPU scheduler, tickless, 500hz, BBRv2 TCP algorithm by default, no CPU yielding, CPU arch specific GCC optimisations
https://github.com/Frogging-Family/linux-tkg
https://codeberg.org/1/arch-borealis/src/branch/master/scripts/installers/TKG_Kernel.sh
https://codeberg.org/1/arch-borealis/src/branch/master/scripts/installers/non-SU/TKG_Kernel-cfg.sh

Images are harder to parse by bots than text, so it became a habit of mine.