BlastWave BlastShield ZTNA

Performance vs. OpenVPN, Perimeter 81, Tailscale, and Twingate

Executive Summary

Organizations are migrating away from traditional, hardware-based VPNs for many reasons including poor performance, management, and lack of flexibility. Instead, there is a movement toward secure access service edge (SASE) solutions based on a cloud-hosted, proxy gateway architecture. But, there is another way: peer-to-peer with both direct connectivity and fullmesh networking.  BlastWave commissioned Tolly to benchmark the performance of the BlastWave BlastShield software solution and compare its performance to similar ZTNA solutions from OpenVPN, Perimeter 81, Tailscale, and Twingate. (ZTNA solutions are also referred to as software-defined perimeter, or SDP systems.) Testing included client-to-application, and siteto-site scenarios where supported.  BlastWave BlastShield outperformed all competing solutions in all tests.

The Bottom Line

BlastWave BlastShield delivers:

  1. Client-to-app throughput of 2.5 Gbps for three clients; 2x to 34x the throughput of the other solutions
  2. Site-to-site throughput of 2.6 Gbps; more than six times the throughput of Tailscale and OpenVPN
  3. Efficient use of bandwidth, virtually no wasted bandwidth
Client-to-Application ZTNA Performance Graph, Showing that BlastShield performs significantly better.


Traditional VPNs vs. SASE

Traditional VPNs have limitations that make them less-than-ideal for organizations today. Performance limitations, key and authentication management, lack of microsegmentation, and visibility of public IPs are foremost among these issues.   Because of these constraints, many customers have embraced the cloud-based SASE approach. SASE vendors include the aforementioned competitors along with solutions such as Cisco Umbrella, Palo Alto Networks Prisma Access, and Zscaler.  Hierarchical SASE solutions can have their own challenges. Public IPs are visible, shared gateways can become a bottleneck, and one must rely on the performance of the cloud transport network.


BlastWave BlastShield implements a peerto-peer network architecture thus making it an alternative to SASE. BlastShield can support both direct and full-mesh connectivity making it inherently reliable and scalable.

Test Results


This series of tests measured the throughput  of multiple clients to a server via the gateway or cloud orchestrator of each solution under test.  Tests were run with up to three clients to illustrate both maximum performance with that number of clients and to illustrate the scaling of throughput as clients were added. See Figure 1 on the previous page for all results.  

BlastShield illustrated not only the highest per-client throughput but also the highest overall throughput.  As shown in Figure 1, BlastShield’s overall throughput was from 2.2x to 34x that of the competing solutions.  

BlastShield delivered approximately 1 Gbps of throughput for each of the first two clients and then an additional 500Mbps of throughput with the third client.  

Tailscale delivered second-best throughput that scaled as clients were added but its throughput results, topping out at ~1.1 Gbps, were less than half those of BlastShield.

Twingate achieved ~500 Mbps with two clients but, when the third client was added, aggregate throughput actually declined slightly.  

With OpenVPN, the aggregate throughput of ~380 Mbps remained unchanged whether one, two, or three clients were running thus demonstrating potential scalability issues.  Perimeter 81 finished a distant last with its three-client aggregate of 74 Mbps. Unlike the other vendors, Perimeter 81 offers a choice of VPN tunnel protocols of either WireGuard or OpenVPN. Both VPN 1 protocols were tested. Results were uniformly poor.

Site-to-Site ZTNA Tunnel Throughput Performance Graph, Showing that BlastShield performed much better than other solutions.


This series of tests measured the throughput  of a single client across a siteto-site VPN tunnel thus mimicking the role of a traditional VPN tunnel. Neither OpenVPN nor Perimeter 81 support this configuration so only three solutions were tested. See Figure 2 on the previous page for all results.  

BlastShield delivered the highest throughput of 2.67 Gbps. This was 6.6x the throughput of OpenVPN and 6.2x the throughput of Tailscale.

When running this test, engineers noticed that the test tool was reporting a significant retry count for the competing vendors. The retry count was recorded for each vendor.  BlastShield had very few retries. Retries not only reduce throughput but waste bandwidth when packets have to be sent multiple times to reach the other side.

The inset in Figure 2 shows the retransmission rates  when compared to BlastShield as 1. Fewer retransmissions are better. Tailscale had 700 retransmissions for each BlastShield retransmission, and OpenVPN had 60 to each BlastShield retransmission.

Test Setup & Methodology

The focus of the test was to benchmark the performance of software-based ZTNA solutions. Solutions under test are listed in Table 1.

The various solutions have different network architectures. See Figures 3-7 for a diagram of each solution.  

Two test scenarios were benchmarked. In the first scenario, clients communicated with the application server across the test environment. The testing was run with a single client, then two clients, and finally, three clients. Each test was run for three minutes and the average results were reported. All solutions were tested.

Perimeter 81 offers two different transport protocols, WireGuard and OpenVPN, and both were tested.  

In the second scenario, a site-to-site tunnel was configured and the test was run across the tunnel. This test mirrored the function of a traditional, site-to-site VPN.  Each test was run for five minutes and the average results were reported. Twingate and Perimeter 81 did not support this configuration and, thus, could not be tested.  

Table 2 provides the details of the virtual instances used for testing.  

Open source iPerf3 was used for all testing. See Table 3.

1 WireGuard is marketed as an “… extremely simple yet fast and modern VPN…” See:

Graph of BlastShield's Topology
Graph of OpenVPN's Topology
Perimeter 81 Topology
Tailscale Topology
Twingate Topology
Details of the standardized test used for each vendor.

About BlastWave

BlastWave is a leading provider of zero trust networking solutions that simplify the security stack without sacrificing performance.

BlastShield allows businesses of all sizes to create a software-defined perimeter (SDP) that makes any IP-connected device invisible to external attackers.

Using its patented peer-to-peer architecture, BlastShield outperforms other VPN and cloudbased secure access service edge (SASE) solutions. Implemented as an overlay to existing networks, BlastShield protects IT, OT, and IoT devices, applications, and containers.

With our cloud-based or on prem orchestration platform, BlastShield is easy to install and manage. Our solution enables IT administrators to eliminate VPNs, firewalls, secure web gateways, cloud access security brokers (CASB), and SDWAN technologies. BlastShield integrates with enterprise identity platforms, Azure Active Directory, SSO, and SIEM platforms.

For more information, visit

About Tolly

The Tolly Group companies have been delivering world-class IT services for more than 30 years. Tolly is a leading global provider of third-party validation services for vendors of IT products, components and services.

You can reach the company by E-mail at, or
by telephone at +1 561.391.5610.

Visit Tolly on the Internet at:

Terms of Usage

This document is provided, free-of-charge, to help you understand whether a given product, technology or service merits additional investigation for your particular needs. Any decision to purchase a product must be based on your own assessment of suitability based on your needs.  The document should never be used as a substitute for advice from a qualified IT or business professional.  This evaluation was focused on illustrating specific features and/or performance of the product(s) and was conducted under controlled, laboratory conditions. Certain tests may have been tailored to reflect performance under ideal conditions; performance may vary under real-world conditions. Users should run tests based on their own real-world scenarios to validate performance for their own networks.  

Reasonable efforts were made to ensure the accuracy of the data contained herein but errors and/or oversights can occur. The test/ audit documented herein may also rely on various test tools the accuracy of which is beyond our control. Furthermore, the document relies on certain representations by the sponsor that are beyond our control to verify. Among these is that the software/ hardware tested is production or production track and is, or will be, available in equivalent or better form to commercial customers. Accordingly, this document is provided "as is," and Tolly Enterprises, LLC (Tolly) gives no warranty, representation or undertaking, whether express or implied, and accepts no legal responsibility, whether direct or indirect, for the accuracy, completeness, usefulness or suitability of any information contained herein. By reviewing this document, you agree that your use of any information contained herein is at your own risk, and you accept all risks and responsibility for losses, damages, costs and other consequences resulting directly or indirectly from any information or material available on it. Tolly is not responsible for, and you agree to hold Tolly and its related affiliates harmless from any loss, harm, injury or damage resulting from or arising out of your use of or reliance on any of the information provided herein.  

Tolly makes no claim as to whether any product or company described herein is suitable for investment.  You should obtain your own independent professional advice, whether legal, accounting or otherwise, before proceeding with any investment or project related to any information, products or companies described herein. When foreign translations exist, the English document is considered authoritative. To assure accuracy, only use documents downloaded directly from No part of any document may be reproduced, in whole or in part, without the specific written permission of Tolly.  All trademarks used in the document are owned by their respective owners.  You agree not to use any trademark in or as the whole or part of your own trademarks in connection with any activities, products or services which are not ours, or in a manner which may be confusing, misleading or deceptive or in a manner that disparages us or our information, projects or developments.

Tolly Certification Image

Download the Tolly report today!

Understand how BlastShield™ offers a simple, effective, and cost-efficient way to protect against cyberattacks.

Our Privacy Policy applies.