OpenVPN versus Tailscale: performance test

In the past few weeks I’ve been extensively testing the performance of OpenVPN and Tailscale in a variety of circumstances.

OpenVPN and Tailscale were installed on the same DS220+ and all tests were done under the same circumstances for each of the VPNs. I tested on high-speed and low-speed networks, using different laptops, Macs, iPad and iPhone. Tests were done with benchmarks like iPerf3 and OpenSpeedtest but also with real-world applications like doing backups and file transfers. I made sure Tailscale made a direct connection and was not using a relay.

My conclusion from all the tests: OpenVPN outperformed Tailscale pretty consistently by about 30% for throughput speed, no matter if it was on high or low speed/latency networks. OpenVPN latency was also noticeably lower, although the difference varied a lot so I don’t have a % for that.

Of course your experience may vary, so I’m wondering if anybody else ever tested this and can confirm my findings?

Tailscale’s WireGuard impl is userspace while OpenVPN does its crypto in kernelspace, so this is expected. Your throughput on Tailscale will be heavily bottlenecked by CPU capacity.

A more apples-to-apples comparison would be testing the kernel WireGuard impl against ovpn, where you should see comparable results.

Generally though - if throughput is your main concern, Tailscale is not the best VPN solution for you. Its value proposition lies more in the management/control plane than dataplane.

This is an interesting test, as most stuff I’ve read has indicated that WireGuard (Tailscale) is much faster than OpenVPN. I personally prefer OpenVPN over Tailscale just because it’s completely self-hosted without dependencies on a third-party company or external login. Might try to get base WireGuard set up someday too.

The main point is, WireGuard needs to install kernel headers to run in kernel mode, but this is not possible on Synology. Instead, Tailscale decided to run WireGuard in userspace, which introduces a performance impact.

OpenVPN is usually faster because it is self-hosted and doesn’t rely on any dependencies, at the cost of configuring it yourself. Tailscale is a bit slower, but comes with ease of use.

If I want my grandma to watch movies from my server, I use Tailscale. If it’s me, or a friend who knows what a VPN is, wants to watch movies and can configure it, I use OpenVPN.

As I understand it, Tailscale is an orchestration layer on top of WireGuard. Once the tunnel is established it is using 100% WireGuard.

That would be a kernel module, not headers.

Kernel headers would be something you would use to build a kernel module — and you don’t install headers; on the contrary, you need to find headers exactly matching the kernel binary and then use them to build a module.