Looking for a Specific Topic?
OPNsense WireGuard Performance
Overview
Protectli has a variety of hardware to meet a range of requirements. It is important to provide information regarding various operating system and applications so customers can make an educated decision before purchase. In this article we will cover performance results for the WireGuard plugin available on OPNsense.
WireGuard
WireGuard is a modern, efficient, and secure VPN solution which is relatively easy to configure and deploy compared to OpenVPN and IPsec. For more information on WireGuard please visit the website here https://www.wireguard.com/
Test Configuration
WireGuard supports network topologies such as point-to-point, star, and mesh. For our test configuration we utilized a point-to-point configuration. A LAN network (192.168.20.0) was used as the pseudo WAN connection between the WireGuard tunnel "endpoint A" and "endpoint B". We used a FW6E (IP address – 192.168.20.12) running OPNsense (LAN address – 10.4.1.0) as WireGuard endpoint A (tunnel A – 10.0.0.1), and the devices under test (IP address 192.168.20.x) running OPNsense (LAN address – 10.4.2.0) as WireGuard endpoint B (tunnel B 10.0.0.2). Client A was a Windows 10 desktop (10.4.1.10) running an iPerf3 server and client B(10.4.2.10) was a Windows 10 laptop running iPerf3 as a client.
See the network diagram below for a visual representation of the network topology
Performance results
The WireGuard implementation on OPNsense is fairly straightforward without many configurable options. WireGuard utilizes the ChaCha20Poly1305 cipher suite. Our most recent test was completed September 29th, 2023. This was accomplished on OPNsense 23.7.5. Contrary to what we would have believed, we were getting much faster speeds utilizing the WireGuard-go implementation over the WireGuard kernel implementation. The average speeds were calculated from a 5 minute long iPerf3 test. The throughput may vary while being utilized for extended periods of time.
Performance results are shown in the table below
| Vault Model | Unencrypted (Mbps) "#iPerf3 -c -P4 -f m" | IPSec (pfSense) AES-128-GCM/AES-XCBC/ AES128-GCM "#iPerf3 -c -P4 -f m" | IPSec (OPNsense) 128 bit AES-GCM w/ 128 bit ICV/AES-XCBC/14 [2048 bits] DH/AES128gcm16/No Hash/14 [2048 bits] PFS "#iPerf3 -c -P4 f m" | OpenVPN (pfSense 2.7) AES-256-GCM/SHA256 (Mbps) "#iPerf3 -c -P4 -f m" | WireGuard (OPNsense)256-bit ChaCha20Poly1305 Avg (Mbps) "#iPerf3 -c -P4 -f m" | Wireguard (pfSense® 2.7.2) |
|---|---|---|---|---|---|---|
| FW2B | ~940 | ~520 | ~529 | ~114 | ~280 | |
| FW4B | ~940 | ~635 | ~747 | ~134 | ~290 | |
| FW4C | ~2300 | ~890 | ~807 | ~167 | ~315 | |
| FW6A | ~940 | ~875 | ~785 | ~491 | ~876 | |
| FW6Br2 | ~940 | ~875 | ~814 | ~850 | ~907 | |
| FW6C | ~940 | ~875 | ~821 | ~816 | ~907 | |
| FW6D | ~940 | ~875 | ~879 | ~894 | ~909 | |
| FW6E | ~940 | ~875 | ~879 | ~906 | ~909 | |
| VP2410 | ~940 | ~875 | ~809 | ~371 | ~733 | |
| VP2420 | ~2330 | ~1700 | ~1320 | ~450 | ~1200 | |
| VP4630 | ~2340 | ~2100 | ~1790 | ~1240 | ~2100 | |
| VP4650 | ~2340 | ~1900 | ~1910 | ~1290 | ~2160 | |
| VP4670 | ~2340 | ~1900 | ~2200 | ~1360 | ~2200 | |
| V1210/V1410 | ~2340 | ~1.15Gbps | ~800 | ~347 | ~1.1Gbps | ~1.2Gbps |
| V1610 | ~2340 | ~1.90Gbps | ~2.02Gbps | ~550Mbps | ~1.96Gbps | ~1.62Gbps |
For more detailed information, please see the Google spread sheet below.
OPNsense WireGuard Performance Spread Sheet
As always, if you have any questions or concerns please don't hesitate to reach out to support@protectli.com