Benchmarking Self-Hosted VPN Nodes: From Single-Thread to Multi-User Concurrency Analysis

5/2/2026 · 2 min

Test Environment and Configuration

The tests were conducted using two Alibaba Cloud ECS instances, one as server and one as client, each with 2 vCPUs, 4 GB RAM, and a 5 Mbps bandwidth cap, running Ubuntu 22.04 LTS. The server deployed both WireGuard and OpenVPN. The client used iperf3 and flent for network performance testing. Tools included iperf3 (single/multi-thread throughput), flent (latency and throughput mixed tests), and netperp (concurrent connections).

Single-Thread Performance Baseline

Single-thread scenarios simulate typical personal user patterns such as web browsing and file downloads. Results:

  • WireGuard: TCP throughput stable at 4.8 Mbps (near bandwidth limit), UDP throughput 4.9 Mbps, latency increase ~2 ms.
  • OpenVPN (UDP mode): TCP throughput 4.2 Mbps, UDP throughput 4.5 Mbps, latency increase ~5 ms.
  • OpenVPN (TCP mode): TCP throughput 3.1 Mbps, UDP throughput 3.5 Mbps, latency increase ~8 ms.

WireGuard shows clear performance advantages in single-thread scenarios, mainly due to its lean kernel-space implementation and lower encryption overhead.

Multi-User Concurrency Analysis

Simulated 10, 50, and 100 concurrent users, each running one iperf3 TCP stream. Results:

  • 10 concurrent: WireGuard total throughput 4.7 Mbps, average per stream 0.47 Mbps; OpenVPN (UDP) total 4.0 Mbps, average 0.40 Mbps.
  • 50 concurrent: WireGuard total 4.5 Mbps, average 0.09 Mbps; OpenVPN (UDP) total 3.2 Mbps, average 0.064 Mbps.
  • 100 concurrent: WireGuard total 4.2 Mbps, average 0.042 Mbps; OpenVPN (UDP) total 2.1 Mbps, average 0.021 Mbps.

WireGuard maintains higher total throughput under multi-user loads, while OpenVPN degrades significantly as concurrency increases, mainly limited by user-space process scheduling and encryption context switching.

Latency and Jitter Tests

Using flent for RRUL (Realtime Response Under Load) tests, measuring ICMP latency distribution under background traffic:

  • No VPN: average latency 1.2 ms, jitter 0.3 ms.
  • WireGuard: average 3.5 ms, jitter 1.1 ms.
  • OpenVPN (UDP): average 6.8 ms, jitter 2.5 ms.
  • OpenVPN (TCP): average 12.4 ms, jitter 5.6 ms.

WireGuard significantly outperforms OpenVPN in latency and jitter control, making it especially suitable for real-time applications like VoIP and online gaming.

Optimization Recommendations

  1. Protocol selection: Prefer WireGuard unless legacy client compatibility is required.
  2. Kernel tuning: Increase net.core.rmem_default and wmem_default to 262144 to boost throughput.
  3. Multi-core utilization: WireGuard supports multi-queue; bind different CPU cores to handle different tunnels.
  4. QoS configuration: Use the tc tool to prioritize VPN traffic and ensure real-time flow performance.

Conclusion

Self-hosted VPN node performance is significantly affected by protocol implementation, concurrency model, and system tuning. WireGuard excels in both single-thread and multi-user scenarios, making it the current preferred choice for self-hosted VPNs. OpenVPN offers compatibility advantages but has performance bottlenecks. It is recommended to select and optimize based on actual user scale and business type, using test data for guidance.

Related reading

Related articles

The Truth Behind VPN Speed Degradation: The Real Impact of Protocol Choice and Server Distance on Performance
This article delves into the root causes of VPN speed degradation, focusing on protocol choice and server distance. By comparing performance differences among mainstream protocols like OpenVPN, WireGuard, and IKEv2, and quantifying the impact of physical server distance on latency and throughput, it provides practical advice for optimizing VPN speed.
Read more
VPN Speed Testing Methodology: How to Accurately Assess Real-World Performance
This article presents a systematic methodology for VPN speed testing, covering test variable control, multi-protocol comparison, and separate evaluation of latency and throughput, helping users avoid common pitfalls and obtain truly comparable performance data.
Read more
Multi-Protocol VPN Node Load Balancing: Hybrid Architecture Design with WireGuard and Trojan
This article explores how to deploy WireGuard and Trojan protocols on the same VPN node with intelligent load balancing to achieve high availability and low latency. It covers architecture design, routing strategies, health checks, and performance optimization.
Read more
Enterprise VPN Performance Benchmarking: How to Quantify and Evaluate Connection Speed and Stability
This article provides a comprehensive guide to VPN performance benchmarking for enterprise IT managers. It details the key metrics, testing methodologies, tool selection, and result interpretation for quantifying connection speed and stability, aiming to help businesses establish a scientific evaluation framework and optimize network investments and user experience.
Read more
In-Depth Analysis of VPN Connection Stability: From Protocol Selection to Network Optimization
This article provides an in-depth exploration of the key factors affecting VPN connection stability. It covers a technical comparison of VPN protocols (such as WireGuard, OpenVPN, IKEv2), server selection strategies, optimization of local network environments, and advanced troubleshooting techniques. The goal is to offer users a comprehensive guide for building stable and reliable VPN connections.
Read more
Remote Work Network Optimization: A Practical Configuration Guide to Improve VPN Connection Speed
This article provides a comprehensive configuration guide for remote workers to optimize VPN connection speed. It details practical steps and techniques, from protocol selection and server picking to local network settings, to enhance VPN performance and deliver a smoother, more stable remote work experience.
Read more

FAQ

Which performs better for self-hosted VPN nodes, WireGuard or OpenVPN?
According to benchmarks, WireGuard significantly outperforms OpenVPN in both single-thread and multi-user concurrency scenarios, with lower latency and higher throughput. WireGuard is recommended unless legacy client compatibility is required.
How can I improve multi-user concurrency on a self-hosted VPN node?
Use WireGuard protocol, tune kernel network buffer parameters (e.g., rmem_default/wmem_default), and leverage multi-queue features to bind different CPU cores to different tunnels. Additionally, configure QoS policies to prioritize real-time traffic.
Why did OpenVPN in TCP mode perform the worst in tests?
OpenVPN in TCP mode encapsulates TCP traffic within another TCP tunnel, causing double TCP congestion control, which exacerbates retransmissions and latency. UDP mode is strongly preferred.
Read more