Comparison to other VPNs
Basic information
| Software | Version | Operating systems Linux / Windows / MacOS / BSD | Mobile apps Android / iOS |
|---|---|---|---|
| VpnCloud | 2.2.0 | ✅ / ❌ / ❌ / ❌ | ❌ / ❌ |
| Tinc | 1.0.35 | ✅ / ✅ / ✅ / ✅ | ✅ / ✅ |
| Nebula | 1.3.0 | ✅ / ✅ / ✅ / ✅ | ✅ / ✅ |
| OpenVpn | 2.4.11 | ✅ / ✅ / ✅ / ✅ | ✅ / ✅ |
| Wireguard | 1.0 | ✅ / ✅ / ✅ / ✅ | ✅ / ✅ |
VpnCloud: Support for other platforms is planned.
Networking features
| Software | Device types TUN / TAP | Multiple modes | Auto meshing | NAT traversal | Multi-hops | Protocol |
|---|---|---|---|---|---|---|
| VpnCloud | ✅ / ✅ | ✅ | ✅ | ✅ | ❌ | UDP |
| Tinc | ✅ / ✅ | ✅ | ✅ | ✅ | ✅ | UDP+TCP |
| Nebula | ✅ / ❌ | ❌ | (✅) | ✅ | ❌ | UDP |
| OpenVpn | ✅ / ✅ | ❌ | ❌ | (✅) | (✅) | UDP/TCP |
| Wireguard | ✅ / ❌ | ❌ | ❌ | (❌) | ❌ | UDP |
Tinc uses UDP and TCP for connections. There is no option to only use the more efficient UDP.
OpenVPN is server based. Clients support NAT traversal but the server can't be NATed. Client-to-client communication is only possible via the server and needs to be enabled.
Security features
| Software | Symmetric ciphers | Cipher selection | Public key mechanism | Certificates / Shared key | PFS |
|---|---|---|---|---|---|
| VpnCloud | AES256, AES128, ChaCha20 | auto | Curve25519, ECDH | ✅ / ✅ | ✅ |
| Tinc | AES256, (all OpenSSL) | auto | RSA | ✅ / ❌ | ✅ |
| Nebula | AES256, ChaCha20 | manual | ECDH | ✅ / ❌ | ✅ |
| OpenVpn | AES256 (OpenSSL) | auto | RSA | ✅ / ❌ | ✅ |
| Wireguard | ChaCha20 | fixed | Curve25519, ECDH | ✅ / ❌ | ✅ |
Tinc requires users to create a key pair for each node and then exchange the public keys with all other nodes.
Nebula has a centralized take on security: It introduces a central authority that issues certificates for all nodes. The certificates also contain an allowed IP address, that will be enforced by other nodes. Nebula supports two symmetric ciphers (AES256 and ChaCha20) but the cipher has to be the same for the whole network.
Performance
The performance measurements have been done on AWS. Please refer to the performance measurements for details. All VPN software was run and configured with default settings (except stated otherwise).
Added Latency
(lower is better)
Throughput
(higher is better)
Wireguard achieves its high throughput because it uses a kernel module to do the heavy lifting.
Tweaks for maximum throughput
For VpnCloud, the encryption was disabled to get the best throughput.
I didn't find a way to tweak Tinc's performance.
For Nebula, the MTU was manually set to 8900 to get the best throughput.
For OpenVPN, the MTU was manuall set to 8900 and mssfix and fragment was set to 0.