Logo Peer-to-peer VPN

Comparison to other VPNs

Basic information

SoftwareVersionOperating systems
Linux / Windows / MacOS / BSD
Mobile apps
Android / iOS
VpnCloud2.2.0✅ / ❌ / ❌ / ❌❌ / ❌
Tinc1.0.35✅ / ✅ / ✅ / ✅✅ / ✅
Nebula1.3.0✅ / ✅ / ✅ / ✅✅ / ✅
OpenVpn2.4.11✅ / ✅ / ✅ / ✅✅ / ✅
Wireguard1.0✅ / ✅ / ✅ / ✅✅ / ✅

VpnCloud: Support for other platforms is planned.

Networking features

SoftwareDevice types
TUN / TAP
Multiple modesAuto meshingNAT traversalMulti-hopsProtocol
VpnCloud✅ / ✅UDP
Tinc✅ / ✅UDP+TCP
Nebula✅ / ❌(✅)UDP
OpenVpn✅ / ✅(✅)(✅)UDP/TCP
Wireguard✅ / ❌(❌)UDP

Tinc uses UDP and TCP for connections. There is no option to only use the more efficient UDP.

OpenVPN is server based. Clients support NAT traversal but the server can't be NATed. Client-to-client communication is only possible via the server and needs to be enabled.

Security features

SoftwareSymmetric ciphersCipher selectionPublic key mechanismCertificates / Shared keyPFS
VpnCloudAES256, AES128, ChaCha20autoCurve25519, ECDH✅ / ✅
TincAES256, (all OpenSSL)autoRSA✅ / ❌
NebulaAES256, ChaCha20manualECDH✅ / ❌
OpenVpnAES256 (OpenSSL)autoRSA✅ / ❌
WireguardChaCha20fixedCurve25519, ECDH✅ / ❌

Tinc requires users to create a key pair for each node and then exchange the public keys with all other nodes.

Nebula has a centralized take on security: It introduces a central authority that issues certificates for all nodes. The certificates also contain an allowed IP address, that will be enforced by other nodes. Nebula supports two symmetric ciphers (AES256 and ChaCha20) but the cipher has to be the same for the whole network.

Performance

The performance measurements have been done on AWS. Please refer to the performance measurements for details. All VPN software was run and configured with default settings (except stated otherwise).

Added Latency

(lower is better)

Throughput

(higher is better)

Wireguard achieves its high throughput because it uses a kernel module to do the heavy lifting.

Tweaks for maximum throughput

For VpnCloud, the encryption was disabled to get the best throughput.

I didn't find a way to tweak Tinc's performance.

For Nebula, the MTU was manually set to 8900 to get the best throughput.

For OpenVPN, the MTU was manuall set to 8900 and mssfix and fragment was set to 0.