Newbie question here and apologies if it has been answered elsewhere… Are there any published performance benchmarks comparing Ziti to other popular mesh networks? Something like this…
We do have some data - https://netfoundry.io/benchmark/benchmarking%20open%20source%20networking.pdf.
It is an area which we are working on more to show how OpenZiti compares to other popular mesh networks. The example you give is in fact one such configuration we want to copy for a side-by-side benchmark.
Is there a reason why you are curious about this?
- OpenZiti compares favourably as we use a lightweight protocol, ChaCha20-Poly1305 for E2E encryption, the same as Wireguard which is much lighter weight and has less overhead than options such as IPSec.
- Unlike Wireguard, OpenZiti is based on TCP. This has advantages, e.g., no networks block it. It also means rather than using STUN/ICE, OpenZiti uses its embedded identity to build outbound only connections into the mesh overlay (effectively a TURN used by solutions such as Tailscale to get around UDP blocked issues). This ‘extra hop’ can introduce extra latency which is probably why Tailscale compares poorly above as they only have then in about 20 DCs. OpenZiti has the ability deploy these fabric routers into any location, if you have a good distribution then you may actually be able to increase performance by finding paths which deliver lower latency than BGP. The OpenZiti overlay is automatically calculating this E2E latency cost and shifting traffic dynamically for optimal performance and resiliency. It is due to this reason, that performance tests can be subjective based on the configuration.
- My general gut feel would be, that OpenZiti is a lower speed than the internet and Wireguard/Netmaker in a scenario where BGP reduction cannot be exploited. It still wipes the floor with Nebula, Tailscale, ZeroTier, Tinc and OpenVPN. If there is a configuration where smart routing can be exploited then it may be better than all others.
We have a few developments in the pipeline to increase performance further. They are probably landing later this year or early next, progressively, not all at once too.
Great, that link is exactly the type of documentation I was looking for.
Maybe I read your PDF chart wrong, but are you saying WireGuard had the slowest bitrate of all the tools (23 Mbits/s)? Not sure I understand…
Network performance should always be a top design consideration when developing a VPN
For your next benchmark run, some options to consider: VPN options · GitHub
Hi @mrbluecoat, nice to see you on discourse! Welcome!
The graph you cited originally was on a nicely written article that stated quite clearly that wireguard “out of the box” was shockingly slow. They were able to tweak MTUs and ‘fix’ it. I’m not sure which article you found your graph on but the one I saw was from here: Which VPN is fastest? A speed test | netmaker . The graph you show is shockingly similar, which makes me think one or the other is reusing data… If you read that article you’ll see it cites the MTU, but I’ll cite it here for you too
#1: With the wrong MTU, WireGuard is slow
MTU makes a huge difference for WireGuard. With wg-quick’s default MTU, WireGuard performed abysmally slow. However, adjusting this value made it the fastest option of all. See the difference between tests with and without adjustment in the chart.
It seems quite likely we didn’t tweak the MTU to fit. In general we were (OpenZiti) usually hitting “~25-50%+” of the raw internet in these tests. I’ve seen other tests in the past that looked more similar to the netmaker/wireguard results where it was basically equal to the internet. Not sure if we’ve had a slowdown at some point. We agree that performance is important. We have initiatives planned to see where we can speed things up.
Hol up - OpenZiti isn’t on your list yet??? Should I put a PR up for you???
Oh I found it under “Ziti” - my bad!
Same essential source: https://www.netmaker.org/ homepage (half-way down the page)
P.S. I updated my list to use OpenZiti for brand standardization