This research aims to compare the performance of two protocols, SSL VPN, and its relationship with the routing distance. SSLVPN is available on any physical firewall and WireGuard is available on Linux kernel 5.6 and above. The devices used in these tests are Linux machines, two physical and one virtual, and a Fortigate Firewall for WAN interface and SSL VPN controller illustrated in the following diagram:
| WAN | ASN | Upload | Download |
|---|---|---|---|
| A | 3243 | 250 Mbps | 1 Gbps |
| B | 3243 | 100 Mbps | 200 Mbps |
| C | 8866 | 1Gbps | 500 Mbps |
The internet speeds were checked with speedtest.net
| Device | OS | NIC | Protocol | Specs |
|---|---|---|---|---|
| Fortigate 200E | FortiOS 6.0.11 | 1 Gbps | SSL VPN | note1 |
| Linux VM Wireguard | Centos 8 kernel 5.10 | 1 Gbps | WireGuard | 2 vCPU, 4GB RAM |
| Linux machines | Centos 8 kernel 5.10 | 1 Gbps | SSL + WG | note2 |
note1: Fortinet announces 900 Mbps SSL VPN throughput and 20 Gbps Firewall throughput. Source: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_200E_Series.pdf
note2: Linux machines have at least 6 Core Intel CPU, 16 GB RAM and SSD hard drives.
- Iperf3 tests are run from the linux client acting as iperf3 client and NAS acting as a iperf server.
- Iperf3 download test is run with -R flag from the client
- Download test consist in a file with 1.7 GBytes downloaded from the linux client through an share of the NAS running NFS v4 protocol
- Every test was run three times and get the best time of the three
- All tests were runned outside internet rush hours - https://en.wikipedia.org/wiki/Internet_rush_hour
Linux machines connecting to Fortigate using openfortivpn software version 1.14.1 - https://github.com/adrienverge/openfortivpn
| Device | iperf3 upload | iperf3 download | Download time | Download speed |
|---|---|---|---|---|
| Linux 1 | 114 Mbps | 207 Mbps | 1m10.028s | 200.81 Mbps |
| Linux 2 | 36 Mbps | 77 Mbps | 3m10.638s | 73.92 Mbps |
Linux machines connecting to Linux VM using wireguard kernel module
| Device | iperf3 upload | iperf3 download | Download time | Download speed |
|---|---|---|---|---|
| Linux 1 | 117 Mbps | 210 Mbps | 1m7.913s | 206.67 Mbps |
| Linux 2 | 292 Mbps | 89 Mbps | 2m29.269s | 94.06 Mbps |
- Wireguard protocol seems to be faster then SSL VPN.
- Routing distance factor is more important than the speed of the links. You will have a better performing tunnel on a slower link if the nodes are closer in routing distance versus higher speed links if the nodes have a greater routing distance.