ms2738

ANSWERED: OpenVPN vs. Wireguard - fastest protocol on Mac?


It's my understanding that Wireguard is generally superior to OpenVPN on most platforms but that macOS doesn't have the benefit of kernel extensions for Wireguard like on other operating systems (I could be wrong)?

In any case, which protocol is currently faster on macOS?  If they both have to run in user space I would guess they're pretty close using the same encryption?  Maybe Wireguard is still faster because it's smaller?

Finally, I know OpenVPN allows selection of encryption, I use Cha-Cha, but is there a way to turn encryption off for traffic that doesn't need it (torrenting)?

@ms2738

Hello!
 
10 hours ago, ms2738 said:

It's my understanding that Wireguard is generally superior to OpenVPN on most platforms but that macOS doesn't have the benefit of kernel extensions for Wireguard like on other operating systems (I could be wrong)?


That's correct.
 
10 hours ago, ms2738 said:

In any case, which protocol is currently faster on macOS?  If they both have to run in user space I would guess they're pretty close using the same encryption?  Maybe Wireguard is still faster because it's smaller?


We would expect that OpenVPN with AES on Data Channel would be faster than WireGuard (which relies on CHACHA20-POLY1305 for payload encryption) on Intel Mac, because Intel CPUs support AES-NI while M1/M2 do not, but experimentally we see that WireGuard may beat OpenVPN 2 in any case on an agnostic network. On Mac OpenVPN3-AirVPN is remarkably faster than OpenVPN 2 thanks to our optimizations, but even so OpenVPN3-AirVPN struggles to beat WireGuard performance on any Mac.

Please experiment and also consider that tests are on a level playing field only when the network is really neutral. For example, if an ISP shapes UDP, then OpenVPN may easily win by using TCP (while WireGuard can work only in UDP).

A major blow to OpenVPN is provided by the VPN server itself, unfortunately. While WireGuard scales perfectly and is indeed "multithreading", each OpenVPN process in our servers runs in a single core of a single thread. Besides, in VPN servers you see the CPU load increasing with a more than linear growth with the amount of connected clients, while with WireGuard the CPU load increases linearly or less than linearly with the requested bandwidth, and only secondarily with the amount of connected clients. In the VPN servers we have the kernel modules for WireGuard, while with OpenVPN enormous amounts of data are continuously copied from/to kernel space to/from userspace.
 
10 hours ago, ms2738 said:

Finally, I know OpenVPN allows selection of encryption, I use Cha-Cha, but is there a way to turn encryption off for traffic that doesn't need it (torrenting)?

We're sorry, while OpenVPN would allow tunnels without encryption, we do not support the feature. For the purposes of our service, it would be a potentially risky option which might backfire. WireGuard cannot even be configured to use no encryption.

Kind regards
 

10 hours ago, Staff said:
@ms2738
We're sorry, while OpenVPN would allow tunnels without encryption, we do not support the feature. For the purposes of our service, it would be a potentially risky option which might backfire.

For clarification, when you say "we do not support the feature", do you mean that you've blocked/prevented it, or that you simply will not assist ("support") anyone in doing so?  I would think it would actually be beneficial to you as it would reduce server load especially considering the single threaded nature?

Thank you for the explanation, I have wondered why you seem to be very OpenVPN focused when most other VPN providers seem to be all in on Wireguard.


Just to add what Staff has said, there's very little reason to not use WireGuard on a Mac assuming that UDP traffic isn't being tampered with. I highly encourage using the stock wg client and importing configurations. Even without kernel extensions, it is still quite performant. I may end up considering running OpenVPN again whenever DCO reaches stable and is embraced by the commercial VPN providers I use on Linux, but I doubt it'll change my decisions on other platforms. 

(note: this info is likely outdated and I don't have access to this device anymore, so these are ballpark estimates)
On my Intel Mac, WireGuard outperformed OpenVPN (2.4.x iirc) in every assessment I had done. On my 300 Mb/s network at the time, I remember getting line speeds on wg, while ovpn was usually anywhere from 120->150 Mb/s. I haven't bothered to recheck it vs. 2.5.x/2.6.x on that machine as I switched to Apple Silicon. 

In the present day on AS (500 Mb/s), I saw better performance: 300->350 Mb/s on ovpn, line speed on wg. I found negligible speed differences in my tests between AES-256-GCM and ChaCha20-Poly1305, so I went with the latter. There is AES hardware acceleration in the AS chips but there are still some applications that don't utilize it or have caveats. I haven't refreshed my knowledge on the various TLS libraries in quite some time, but I assume the major ones (OpenSSL, etc.) use the ARMv8 crypto extensions and other Apple-specific hardware options by now.

AirVPN isn't PIA, we like encryption over here :asd:

15 hours ago, ms2738 said:

For clarification, when you say "we do not support the feature", do you mean that you've blocked/prevented it, or that you simply will not assist ("support") anyone in doing so?  I would think it would actually be beneficial to you as it would reduce server load especially considering the single threaded nature?


Hello!

We mean that the VPN servers do not run any OpenVPN process offering connections to clients without encryption (see also https://airvpn.org/specs ).
 
Quote

Thank you for the explanation, I have wondered why you seem to be very OpenVPN focused when most other VPN providers seem to be all in on Wireguard.


You're welcome. AirVPN infrastructure is based on OpenVPN and WireGuard and in all of AirVPN software you're free to pick either WireGuard or OpenVPN to connect (or you can run any other program which lets you drive either WireGuard or OpenVPN). Choose the one which can provide you with the best performance.

Kind regards
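
A client-side check related to the reply above, as an added example that is not part of the original thread or of AirVPN's software: it scans an OpenVPN profile for data-channel cipher directives (`cipher`, `data-ciphers`, `ncp-ciphers`, `data-ciphers-fallback`) that name `none`. The sample profiles, the host name and the function name `audit_profile` are constructed for illustration.

```python
import re

# Directives that select OpenVPN data-channel ciphers.
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback"}

# Constructed sample profiles; vpn.example.invalid is a placeholder host.
SAMPLE_OK = """\
client
proto udp
remote vpn.example.invalid 443
data-ciphers CHACHA20-POLY1305:AES-256-GCM
<ca>
cipher none  (constructed filler inside an inline block, must be ignored)
</ca>
"""
SAMPLE_BAD = """\
client
proto tcp
remote vpn.example.invalid 443
cipher none
data-ciphers AES-256-GCM:none
"""

def audit_profile(text):
    """Return (ciphers, findings) for an OpenVPN client profile passed as text."""
    ciphers, findings, in_inline = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.fullmatch(r"</[\w-]+>", line):   # end of an inline block such as </ca>
            in_inline = False
            continue
        if re.fullmatch(r"<[\w-]+>", line):    # start of an inline block
            in_inline = True
            continue
        if in_inline or not line or line[0] in "#;":
            continue                           # embedded material, blanks, comments
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in CIPHER_DIRECTIVES and args:
            names = [c.upper() for c in args[0].split(":") if c]
            ciphers[directive] = names
            if "NONE" in names:
                findings.append(f"line {lineno}: '{directive}' allows an unencrypted data channel")
    if not ciphers:
        findings.append("no data-channel cipher directive found; client defaults apply")
    return ciphers, findings

if __name__ == "__main__":
    for name, profile in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, audit_profile(profile))
```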
 

9 hours ago, Snowsuit8087 said:

Just to add what Staff has said, there's very little reason to not use WireGuard on a Mac assuming that UDP traffic isn't being tampered with. I highly encourage using the stock wg client and importing configurations. Even without kernel extensions, it is still quite performant.


Hello!

Remember that you lose the Network Lock feature in this case. Hummingbird 2.0.0 preview for macOS is almost ready and it will let you run WireGuard through wg userspace tool in macOS with Network Lock, if you need it. Stay tuned on the "News" forum.

Kind regards
 
