Edit: Benchmarks on Hetzner Cloud (1vCPU, 2GB)
$ iperf3 -c kube1 Connecting to host kube1, port 5201 [ 4] local 10.0.1.2 port 57622 connected to 10.0.1.1 port 5201 [ ID] Interval Transfer Bandwidth Retr Cwnd [ 4] 0.00-1.00 sec 77.2 MBytes 647 Mbits/sec 79 1.37 MBytes [ 4] 1.00-2.00 sec 78.8 MBytes 661 Mbits/sec 0 1.51 MBytes [ 4] 2.00-3.00 sec 81.2 MBytes 681 Mbits/sec 0 1.62 MBytes [ 4] 3.00-4.00 sec 85.0 MBytes 713 Mbits/sec 134 1.20 MBytes [ 4] 4.00-5.00 sec 80.0 MBytes 671 Mbits/sec 0 1.28 MBytes [ 4] 5.00-6.00 sec 77.5 MBytes 651 Mbits/sec 0 1.33 MBytes [ 4] 6.00-7.00 sec 88.8 MBytes 745 Mbits/sec 0 1.37 MBytes [ 4] 7.00-8.00 sec 73.8 MBytes 619 Mbits/sec 0 1.39 MBytes [ 4] 8.00-9.00 sec 78.8 MBytes 661 Mbits/sec 0 1.41 MBytes [ 4] 9.00-10.00 sec 80.0 MBytes 671 Mbits/sec 0 1.42 MBytes
Also regarding Wireguard, I really like how tinc will find a new path and allows you to route over other nodes as needed. Wireguard can't really do that out of the box, every link is 1:1. You can of course setup something on top of that, but I miss the ease with which tinc does this.
Can you comment on how stable a Wireguard tunnel is? Did you manage to get the link/VPN to stay up permanently with little to no maintenance?
I've been using ZeroTier to give a common backplane to my Hetzner servers, DO droplets and AWS instances.
Hetzner has been great overall. They've been very very helpful in documenting me reacting to abuse emails too when I got into some user-generated-content related legal trouble.
From my understanding, this statement is not quite correct, as Hetzner allows you to set up VLANs:
> With the vSwitch feature, you can connect your dedicated root servers in multiple locations to each other using VLAN via the administration interface Robot.
You probably still want to encrypt the traffic passing through those VLANs.
They also offer the option to install custom hardware, so you might even be able to get a second NIC connected to your own private switch.
We’re experimenting with Wireguard on all internal hosts and disabling SSL.
Since the goal was to have a private network between your own boxes, the encryption was only really "required" to protect private data because it had to transit the public network in Hetzner. Since DO provides a private network natively there's (in theory) no justification for the encryption, which means you'd get native performance, hence the advantage.