WireGuard expert Tailscale has achieved a breakthrough in the performance of WireGuard-based VPNs, resulting in significant improvements in throughput.
More specifically, the Tailscale team applied optimizations such as UDP segmentation offload, UDP receive coalescing, and checksum unwinding, which led to substantial throughput improvements for VPN clients using the WireGuard Go implementation.
WireGuard is an open-source communication protocol that implements virtual private networks, designed to be leaner and better performing than preceding tunneling standards such as IPsec and OpenVPN.
Tailscale is a company that provides scalable VPN solutions built on top of the WireGuard protocol and has previously contributed significant optimizations and improvements to the standard, to the benefit of all WireGuard users.
10Gbit/s on “Bare Metal” Server
Tailscale identified these improvements by carefully studying the WireGuard codebase and locating areas where performance could be enhanced.
The three main performance improvements implemented by Tailscale’s engineers are the following:
- UDP Segmentation Offload (GSO): offloads packet segmentation to network hardware, reducing CPU overhead and improving throughput.
- UDP Receive Coalescing (GRO): aggregates multiple smaller packets into a larger one at the receiving end, minimizing CPU usage and enhancing network performance.
- Checksum Unwinding: eliminates redundant checksum calculations, reducing CPU usage and contributing to increased VPN performance.
The team conducted tests using wireguard-go on two different systems: c6i.8xlarge and i5-12400, both with UDP GSO, GRO, and checksum unwinding optimizations. The results indicated a substantial increase in performance, with the c6i.8xlarge system achieving 7.32 Gbps, while the i5-12400 system reached 13.0 Gbps.
This performance enhancement allows Tailscale to join the 10 Gb/s club on bare-metal Linux servers and wireguard-go to surpass the in-kernel WireGuard implementation on the tested hardware. The term “bare metal” refers to physical (non-virtualized) servers that are dedicated to a single tenant, offering consistent and predictable performance results.
WireGuard to Get Speedier for All
This development is crucial for all users of VPNs that rely on WireGuard, as it showcases the potential for improving performance through the application of these optimizations. In our own tests for the WireGuard vs OpenVPN comparison, we’ve also found WireGuard to be significantly faster than legacy protocols.
The increased speed and efficiency achieved by Tailscale are expected to be rolled out to the entire community of WireGuard-based VPN users and make the pioneering protocol even more appealing to VPN providers who haven’t adopted it yet. Due to performance and security advantages, there are many VPNs with WireGuard support already available.
Tailscale’s Jordan Whited has already submitted commits for consideration by WireGuard’s core developers, and they could be implemented upstream very soon. Of course, projects that use WireGuard will see varying levels of performance improvements based on the specific hardware, network conditions, and VPN client implementation.
We will be particularly interested to see whether the relative performance of various WireGuard VPNs changes in comparisons such as these: