Tailscale vs Wireguard performance

1

Any reason I should expect iperf3 speeds to be much slower on Tailscale than Wireguard? Windows runs tailscale in userspace same as Wireguard right? CPU isn’t maxed out on any test.

On a gigabit 1ms local connection with packet size small enough to fit within each application’s packet window size:

Wireguard: 317mbps

PS C:\Program Files\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.99.2 -l 1200
[  4] local 192.168.99.1 port 52674 connected to 192.168.99.2 port 5201


[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  38.4 MBytes   322 Mbits/sec
[  4]   1.00-2.01   sec  36.1 MBytes   300 Mbits/sec
[  4]   2.01-3.00   sec  39.9 MBytes   338 Mbits/sec
[  4]   3.00-4.00   sec  36.9 MBytes   309 Mbits/sec
[  4]   4.00-5.00   sec  38.8 MBytes   325 Mbits/sec
[  4]   5.00-6.00   sec  38.2 MBytes   320 Mbits/sec
[  4]   6.00-7.00   sec  37.3 MBytes   312 Mbits/sec
[  4]   7.00-8.00   sec  39.0 MBytes   328 Mbits/sec
[  4]   8.00-9.00   sec  36.3 MBytes   304 Mbits/sec
[  4]   9.00-10.00  sec  37.3 MBytes   313 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   378 MBytes   317 Mbits/sec                  sender
[  4]   0.00-10.00  sec   378 MBytes   317 Mbits/sec                  receiver

Tailscale (Direct): 275mbps

PS C:\Program Files\iperf-3.1.3-win64> .\iperf3.exe -c 100.96.118.106 -l 1200
[  4] local 100.118.125.44 port 52722 connected to 100.96.118.106 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  36.5 MBytes   306 Mbits/sec
[  4]   1.00-2.00   sec  34.9 MBytes   293 Mbits/sec
[  4]   2.00-3.00   sec  35.5 MBytes   297 Mbits/sec
[  4]   3.00-4.00   sec  37.7 MBytes   316 Mbits/sec
[  4]   4.00-5.01   sec  29.0 MBytes   242 Mbits/sec
[  4]   5.01-6.00   sec  30.2 MBytes   255 Mbits/sec
[  4]   6.00-7.00   sec  31.1 MBytes   260 Mbits/sec
[  4]   7.00-8.00   sec  30.4 MBytes   256 Mbits/sec
[  4]   8.00-9.00   sec  28.7 MBytes   241 Mbits/sec
[  4]   9.00-10.00  sec  34.9 MBytes   293 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   329 MBytes   276 Mbits/sec                  sender
[  4]   0.00-10.00  sec   328 MBytes   275 Mbits/sec                  receiver

Native: 352

PS C:\Program Files\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.24.24 -l 1200
[  4] local 192.168.24.167 port 57833 connected to 192.168.24.24 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.01   sec  43.4 MBytes   359 Mbits/sec
[  4]   1.01-2.00   sec  40.9 MBytes   348 Mbits/sec
[  4]   2.00-3.00   sec  41.5 MBytes   347 Mbits/sec
[  4]   3.00-4.00   sec  41.6 MBytes   350 Mbits/sec
[  4]   4.00-5.00   sec  42.3 MBytes   354 Mbits/sec
[  4]   5.00-6.00   sec  44.7 MBytes   376 Mbits/sec
[  4]   6.00-7.00   sec  43.2 MBytes   361 Mbits/sec
[  4]   7.00-8.00   sec  40.4 MBytes   339 Mbits/sec
[  4]   8.00-9.01   sec  39.7 MBytes   329 Mbits/sec
[  4]   9.01-10.00  sec  42.7 MBytes   363 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   420 MBytes   353 Mbits/sec                  sender
[  4]   0.00-10.00  sec   420 MBytes   352 Mbits/sec                  receiver

Allowing an unlimited window grows the difference even more:

Tailscale

[  4] local 100.118.125.44 port 60113 connected to 100.96.118.106 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  37.0 MBytes   310 Mbits/sec
[  4]   1.00-2.01   sec  30.9 MBytes   257 Mbits/sec
[  4]   2.01-3.00   sec  32.2 MBytes   273 Mbits/sec
[  4]   3.00-4.00   sec  29.1 MBytes   244 Mbits/sec
[  4]   4.00-5.00   sec  29.5 MBytes   248 Mbits/sec
[  4]   5.00-6.00   sec  24.0 MBytes   202 Mbits/sec
[  4]   6.00-7.00   sec  33.4 MBytes   280 Mbits/sec
[  4]   7.00-8.00   sec  20.0 MBytes   168 Mbits/sec
[  4]   8.00-9.00   sec  14.8 MBytes   124 Mbits/sec << high variability too here.
[  4]   9.00-10.01  sec  13.4 MBytes   111 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec   264 MBytes   221 Mbits/sec                  sender
[  4]   0.00-10.01  sec   264 MBytes   221 Mbits/sec                  receiver

Wireguard

[  4] local 192.168.99.1 port 60174 connected to 192.168.99.2 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  62.2 MBytes   521 Mbits/sec
[  4]   1.00-2.00   sec  60.6 MBytes   509 Mbits/sec
[  4]   2.00-3.00   sec  64.4 MBytes   540 Mbits/sec
[  4]   3.00-4.00   sec  65.1 MBytes   546 Mbits/sec
[  4]   4.00-5.00   sec  65.5 MBytes   550 Mbits/sec
[  4]   5.00-6.00   sec  62.4 MBytes   523 Mbits/sec
[  4]   6.00-7.00   sec  63.9 MBytes   536 Mbits/sec
[  4]   7.00-8.00   sec  60.4 MBytes   506 Mbits/sec
[  4]   8.00-9.00   sec  63.4 MBytes   532 Mbits/sec
[  4]   9.00-10.00  sec  61.9 MBytes   519 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   630 MBytes   528 Mbits/sec                  sender
[  4]   0.00-10.00  sec   630 MBytes   528 Mbits/sec                  receiver

Wireguard with standard window size is more than twice as fast.

Over a higher latency internet connection between two nodes the differences seems to also remain.

Tailscale Subnet Router
Reverse mode, remote host VPNHost is sending

[  4] local 100.118.125.44 port 61180 connected to 192.168.###.### port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  9.49 MBytes  79.6 Mbits/sec
[  4]   1.00-2.00   sec  8.49 MBytes  71.2 Mbits/sec
[  4]   2.00-3.00   sec  7.03 MBytes  58.8 Mbits/sec
[  4]   3.00-4.00   sec  6.86 MBytes  57.7 Mbits/sec
[  4]   4.00-5.00   sec  8.99 MBytes  75.4 Mbits/sec
[  4]   5.00-6.00   sec  6.40 MBytes  53.7 Mbits/sec
[  4]   6.00-7.00   sec  9.73 MBytes  81.4 Mbits/sec
[  4]   7.00-8.00   sec  8.63 MBytes  72.5 Mbits/sec
[  4]   8.00-9.00   sec  7.96 MBytes  66.8 Mbits/sec
[  4]   9.00-10.00  sec  6.82 MBytes  57.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  80.6 MBytes  67.6 Mbits/sec                  sender
[  4]   0.00-10.00  sec  80.5 MBytes  67.6 Mbits/sec                  receiver

Wireguard & iptables

Reverse mode, remote host VPNHost is sending
[  4] local 192.168.###.### port 51546 connected to 192.168.###.### port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.01   sec  13.0 MBytes   108 Mbits/sec
[  4]   1.01-2.00   sec  13.3 MBytes   112 Mbits/sec
[  4]   2.00-3.00   sec  12.5 MBytes   104 Mbits/sec
[  4]   3.00-4.00   sec  12.7 MBytes   107 Mbits/sec
[  4]   4.00-5.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   5.00-6.00   sec  11.8 MBytes  98.8 Mbits/sec
[  4]   6.00-7.00   sec  13.3 MBytes   111 Mbits/sec
[  4]   7.00-8.00   sec  13.4 MBytes   113 Mbits/sec
[  4]   8.00-9.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   9.00-10.00  sec  12.8 MBytes   107 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   129 MBytes   109 Mbits/sec                  sender
[  4]   0.00-10.00  sec   129 MBytes   109 Mbits/sec                  receiver

Wireguard is >50% faster

With MTU size constraints:

Tailscale Subnet Router (Linux)

PS C:\Program Files\iperf-3.1.3-win64> .\iperf3.exe -c VPNHost -R -l 1200
[  4] local 100.118.125.44 port 57918 connected to 192.168.###.### port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  92.0 MBytes  77.2 Mbits/sec                  receiver

Wireguard & iptables

PS C:\Program Files\iperf-3.1.3-win64> .\iperf3.exe -c VPNHost -R -l 1200
[  4] local 192.168.###.### port 52597 connected to 192.168.###.### port 5201

[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   152 MBytes   128 Mbits/sec                  receiver

Wireguard is nearly twice as fast.

  • Gavin
2

Did you ever find an answer here? I too can get hundreds of Mbps with wireguard and yet barely break 50Mbps with Tailscale direct.

3

My guess is that is has to do with the fact that Tailscale uses wireguard in Go rather than in assembly. The tradeoff is platform compatibility over performance.