Recently I needed some extra performance on the VPN I’m using to SSH into most of my systems, mainly to transfer large-ish files to/from a system behind NAT.

The result with the current setup using OpenVPN (UDP) was, to say the least, disappointing.

The VPN server and peers were configured like this:

[WireGuard]    +--------+      [OpenVPN]
               | Peer 1 |
               +--------+
172.32.0.211     |    |     172.31.0.211
                 |    |
                 |    |
               +--------+
  172.32.0.1   | Server |   172.31.0.1
               +--------+
                 |    |
                 |    |
172.32.0.210     |    |     172.31.0.210
               +--------+
               | Peer 2 |
               +--------+

Then I copied a large-ish file over scp from one peer to the other.

user@sys:~> time scp install69.iso 172.31.0.210:~/
install69.iso        100%  384MB 183.4KB/s   35:44

real    35m46.318s
user    0m5.932s
sys     0m3.076s

35 minutes for a 384MB ISO file!

The VPN server has a 1Gbit connection, while the peers are both connected via different 1Gbit domestic ISP connections, so barely hitting 1Mbit of throughput is, to say the least, a disappointment. I decided to set up a WireGuard server on the exact same VPN machine, and to set up WireGuard on the exact same peers and connections. The result speaks for itself:

user@sys:~> time scp install69.iso 172.32.0.210:~/
install69.iso        100%  384MB   3.3MB/s   01:57

real    1m59.191s
user    0m5.884s
sys     0m2.489s

2 minutes, or ~6% of the time it took on the other VPN tunnel.

I think I’m switching to WireGuard, at least for the throughput-sensitive tasks, while I’ll probably keep using OpenVPN for remote admin since it seems to play nicer with NAT and firewalls. Still, I’m pretty disappointed with how badly OpenVPN performed here.