Performance Analysis of VPN Gateways

VPNs play an important role in today's Internet architecture. We investigate different architectures for software implementations of VPN gateways and their effect on performance. Our case study compares OpenVPN, Linux IPsec, and WireGuard. We also implement a WireGuard-compatible VPN benchmarking example application with three different software architectures inspired by the evaluated open-source solutions. Our implementation allows benchmarking of individual effects and optimizations in isolation. We find that WireGuard is the most promising software VPN implementation from an architectural viewpoint. Our implementation of WireGuard's pipeline architecture on top of DPDK achieves 6.2Mpps and 40Gbit/s, the fastest of all evaluated VPN implementations. We find that the main bottleneck for scaling software VPNs are data structures and multi-core synchronization - a problem that can be tackled with an architecture based on pipelining and message passing.