VPN Overhead Calculator
VPN protocols add encryption headers and encapsulation to every packet, reducing the effective throughput available for your actual data. Understanding VPN overhead helps network engineers size WAN circuits correctly when deploying VPN concentrators, and helps remote workers understand why their VPN connection appears slower than their base internet speed. This calculator takes your base connection speed, chosen VPN protocol, and packet size to compute the protocol overhead percentage, effective throughput in Mbps, and the recommended circuit size to achieve your desired usable throughput through the VPN tunnel.
VPN overhead formula
eff_throughput = base_speed * (1 - overhead_pct/100)
throughput_loss = base_speed - eff_throughput
required_circuit = desired_throughput / (1 - overhead_pct/100)
VPN protocol overhead comparison
- WireGuard: 60 bytes per packet overhead, approximately 3-5% on standard MTU.
- OpenVPN (UDP): 69 bytes per packet, approximately 5-7%.
- IPsec ESP (tunnel mode): 50-90 bytes depending on cipher and authentication, approximately 4-7%.
- SSL/TLS VPNs: 20-60 bytes per record, approximately 5-10%.
- All protocols also add CPU overhead for encryption; WireGuard uses ChaCha20 which is exceptionally efficient on CPUs without AES-NI hardware acceleration.
Frequently asked questions
How much overhead does a VPN add?
VPN overhead comes from two sources: protocol encapsulation headers (adding 20-100 bytes per packet depending on the protocol) and encryption/decryption CPU cost. WireGuard adds about 60 bytes per packet overhead; OpenVPN (UDP) adds about 69 bytes; IPsec ESP in tunnel mode adds 50-90 bytes. On a 1,500-byte MTU, this translates to 3-6% bandwidth overhead.
Which VPN protocol has the lowest overhead?
WireGuard has the lowest overhead of modern VPN protocols, using ChaCha20-Poly1305 encryption and a minimal protocol design. It typically adds 3-5% bandwidth overhead and 20-40% less CPU overhead than OpenVPN. WireGuard is now included in the Linux kernel as of version 5.6.
Does VPN encryption reduce internet speed?
VPN encryption reduces speed primarily through CPU usage for encryption/decryption and the increased packet size overhead. On modern hardware with AES-NI acceleration, encryption overhead is minimal. The larger speed impact typically comes from routing your traffic through the VPN server, which adds latency and may have a slower uplink than your direct connection.
What is MTU fragmentation and why does it hurt VPN performance?
MTU fragmentation occurs when VPN-encapsulated packets exceed the MTU of the underlying network, forcing them to be split into smaller fragments. Fragmentation increases processing overhead and can cause packet loss. Set the VPN tunnel MTU to account for protocol headers (e.g., 1,420 bytes for WireGuard, 1,450 bytes for IPsec) to avoid fragmentation.
How does a site-to-site VPN differ from a remote-access VPN in terms of overhead?
Both site-to-site and remote-access VPNs use the same underlying protocol overhead. The difference is in the traffic volume: site-to-site VPNs carry all inter-site corporate traffic continuously, so overhead adds up to significant bandwidth cost over time. Remote-access VPNs serve individual users and the overhead is typically negligible relative to the user's internet speed.
Official sources
- IETF: RFC 4303 - IP Encapsulating Security Payload (ESP).
- NIST: SP 800-77 Rev 1 - Guide to IPsec VPNs.
Reviewed by the CalculatorHub team, edited by James Graham, 14 June 2026. See our methodology.