WireGuard expert Tailscale has achieved a breakthrough in the performance of WireGuard-based VPNs, resulting in significant improvements in throughput.
More specifically, the Tailscale team applied optimizations such as UDP segmentation offload, UDP receive coalescing, and checksum unwinding, which led to substantial throughput improvements for VPN clients using the WireGuard Go implementation.
WireGuard is an open-source communication protocol that implements virtual private networks, designed to be leaner and better performing than preceding tunneling standards such as IPsec and OpenVPN.
Tailscale is a company that provides scalable VPN solutions built on top of the WireGuard protocol and which has previously contributed significant optimizations and improvements on the standard to the benefit of all WireGuard users.
10Gbit/s on “Bare Metal” Server
The mentioned improvements applied by Tailscale were identified after carefully studying the WireGuard codebase, locating potential areas where performance could be enhanced.
The three main performance improvements implemented by Tailscale’s engineers are the following:
UDP Segmentation Offload (GSO): offloads packet segmentation to network hardware, reducing CPU overhead and improving throughput. UDP Receive Coalescing (GRO): aggregates multiple smaller packets into a larger one at the receiving end, minimizing CPU usage and enhancing network performance. Checksum Unwinding: eliminates redundant checksum calculations, reducing CPU usage and contributing to increased VPN performance.
The team conducted tests using wireguard-go on two different systems: c6i.8xlarge and i5-12400, both with UDP GSO, GRO, and checksum unwinding optimizations. The results indicated a substantial increase in performance, with the c6i.8xlarge system achieving 7.32 Gbps, while the i5-12400 system