VPN Encryption Overhead Calculator

Estimate the extra bandwidth consumption and packet size increase caused by VPN tunneling and encryption protocols (IPsec, OpenVPN, WireGuard).

Formulas Used

Encapsulated Packet Size:
encap_size = payload_bytes + overhead_bytes

Overhead Percentage:
overhead_pct (%) = (overhead_bytes / payload_bytes) × 100

Effective Throughput:
effective_throughput (Mbps) = bandwidth × (payload_bytes / encap_size)

Overhead Bandwidth at Given PPS:
overhead_bw (Mbps) = (overhead_bytes × 8 × PPS) / 1,000,000

IPsec CBC Padding (average):
padding = block_size − (payload mod block_size), minimum 1 byte (block_size = 16 for AES)

Assumptions & References

  • IPv4 outer headers assumed (20 bytes); IPv6 would add 20 extra bytes.
  • IPsec in Tunnel Mode (RFC 4303): includes inner IP header (20 bytes), ESP header (8 bytes), IV, padding, and ICV.
  • HMAC-SHA-256 ICV truncated to 128 bits (16 bytes) per RFC 4868; HMAC-SHA-1 ICV truncated to 96 bits (12 bytes).
  • AES-GCM (OpenVPN, WireGuard) is an AEAD cipher — no block-alignment padding required.
  • WireGuard overhead per the WireGuard Whitepaper (J. A. Donenfeld, 2017): 60 bytes total.
  • Standard Ethernet MTU = 1500 bytes; payloads producing encap_size > 1500 require IP fragmentation or PMTUD.
  • Throughput loss is purely due to header/trailer overhead; CPU encryption latency is not modeled here.
  • References: RFC 4303 (ESP), RFC 4868 (HMAC-SHA-2 for IPsec), RFC 2104 (HMAC), OpenVPN 2.x protocol documentation, WireGuard whitepaper.
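
The formulas and assumptions above as a worked example, added here and not the calculator's own code. It sums the IPsec tunnel-mode components as the assumption list names them and uses the page's padding formula. Assumptions: a 16-byte AES-CBC IV, the function names, and the sample inputs; OpenVPN is omitted because the page gives no byte count for it.

```python
# Added example: constants marked "page" come from the assumptions list above;
# the 16-byte AES-CBC IV and all function names are assumptions of this example.
MTU = 1500                      # page: standard Ethernet MTU
OUTER_IPV4 = 20                 # page: outer IPv4 header
INNER_IP = 20                   # page: inner IP header listed for tunnel mode
ESP_HEADER = 8                  # page: ESP header (SPI + sequence number)
AES_BLOCK = 16                  # page: block_size = 16 for AES
AES_CBC_IV = 16                 # assumption: one AES block of IV per packet
ICV = {"hmac-sha-256": 16, "hmac-sha-1": 12}   # page: truncated ICV sizes
WIREGUARD_OVERHEAD = 60         # page: total per the WireGuard whitepaper


def cbc_padding(payload_bytes, block_size=AES_BLOCK):
    """Page formula: block_size - (payload mod block_size), always 1..block_size."""
    return block_size - (payload_bytes % block_size)


def ipsec_overhead(payload_bytes, auth="hmac-sha-256"):
    """Per-packet overhead for ESP tunnel mode with AES-CBC, summed as the page lists it."""
    return (OUTER_IPV4 + INNER_IP + ESP_HEADER + AES_CBC_IV
            + cbc_padding(payload_bytes) + ICV[auth])


def report(payload_bytes, overhead_bytes, bandwidth_mbps, pps):
    """Apply the page's four formulas and flag packets that exceed the MTU."""
    if payload_bytes <= 0:
        raise ValueError("payload_bytes must be positive")
    encap = payload_bytes + overhead_bytes
    return {
        "encap_size": encap,
        "overhead_pct": overhead_bytes / payload_bytes * 100,
        "effective_mbps": bandwidth_mbps * payload_bytes / encap,
        "overhead_mbps": overhead_bytes * 8 * pps / 1_000_000,
        "exceeds_mtu": encap > MTU,   # needs IP fragmentation or PMTUD
    }


if __name__ == "__main__":
    # Constructed inputs: small, mid-size and near-MTU payloads on a 100 Mbps link.
    for payload in (64, 1400, 1460):
        for name, ovh in (("ipsec", ipsec_overhead(payload)),
                          ("wireguard", WIREGUARD_OVERHEAD)):
            print(payload, name, ovh, report(payload, ovh, 100.0, 10_000))
```

Because the padding term depends on payload mod 16, IPsec overhead varies per packet size, so the MTU check has to be run on the actual payload sizes in use rather than on a single fixed overhead figure.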

In the network