Have a Question?
OPNsense WireGuard Performance
Overview
Protectli has a variety of hardware to meet a range of requirements. It is important to provide information regarding various operating system and applications so customers can make an educated decision before purchase. In this article we will cover performance results for the WireGuard plugin available on OPNsense.
WireGuard
WireGuard is a modern, efficient, and secure VPN solution which is relatively easy to configure and deploy compared to OpenVPN and IPsec. For more information on WireGuard please visit the website here https://www.wireguard.com/
Test Configuration
WireGuard supports network topologies such as point-to-point, star, and mesh. For our test configuration we utilized a point-to-point configuration. A LAN network (192.168.20.0) was used as the pseudo WAN connection between the WireGuard tunnel “endpoint A” and “endpoint B”. We used a FW6E (IP address – 192.168.20.12) running OPNsense (LAN address – 10.4.1.0) as WireGuard endpoint A (tunnel A – 10.0.0.1), and the devices under test (IP address 192.168.20.x) running OPNsense (LAN address – 10.4.2.0) as WireGuard endpoint B (tunnel B 10.0.0.2). Client A was a Windows 10 desktop (10.4.1.10) running an iPerf3 server and client B(10.4.2.10) was a Windows 10 laptop running iPerf3 as a client.
See the network diagram below for a visual representation of the network topology
Performance results
The WireGuard implementation on OPNsense is fairly straightforward without many configurable options. WireGuard utilizes the ChaCha20Poly1305 cipher suite. While the tests were done with different versions of OPNsense, the WireGuard package version stayed the same and there were no performance differences.
Performance results are shown in the table below
| Vault Model | Unencrypted (Mbps) "#iPerf3 -c -P4 -f m" | IPSec (pfSense) AES-128-GCM/AES-XCBC/ AES128-GCM "#iPerf3 -c -P4 -f m" | OpenVPN (pfSense 2.7) AES-256-GCM/SHA256 (Mbps) "#iPerf3 -c -P4 -f m" | WireGuard (OPNsense wireguard-go) 256-bit ChaCha20Poly1305 Avg (Mbps) "#iPerf3 -c -P4 -f m" |
|---|---|---|---|---|
| FW2B | ~940 | ~520 | ~114 | ~300 |
| FW4B | ~940 | ~635 | ~134 | ~300 |
| FW4C | ~2300 | ~167 | ||
| FW6A | ~940 | ~875 | ~491 | ~900 |
| FW6Br2 | ~940 | ~875 | ~850 | ~900 |
| FW6C | ~940 | ~875 | ~816 | ~900 |
| FW6D | ~940 | ~875 | ~894 | ~900 |
| FW6E | ~940 | ~875 | ~906 | ~900 |
| VP2410 | ~940 | ~875 | ~371 | ~700 |
| VP2420 | ~2330 | ~1700 | ~450 | |
| VP4630 | ~2340 | ~2100 | ~1240 | ~1750 |
| VP4650 | ~2340 | ~1900 | ~1290 | |
| VP4670 | ~2340 | ~1900 | ~1360 |
For more detailed information, please see the Google spread sheet below.
OPNsense WireGuard Performance Spread Sheet
As always, if you have any questions or concerns please don’t hesitate to reach out to support@protectli.com