
No benchmark for wireguard?


Wireguard's lower-level than the solutions that were benchmarked - in fact, Netmaker and Tailscale themselves use Wireguard as their backing technology.

But even with them both using Wireguard, there are choices involved that affect performance, for instance whether to use the Wireguard kernel module or userspace implementation, how to configure routing, packet filtering, firewalls, etc.


In any case, they are bumping against their NIC's performance, so they'd have to test using a 40GbE or 100GbE interface to show a difference.


Or links with large and variable delays. You know, domestic links, public wifis, mobile.

What is the purpose of a mesh on one physical segment?


To measure the intrinsic overhead of the mesh VPN, but your point is well-taken: robustness to latency is also an important consideration, probably more important when they are all within spitting distance.


Yes, that's why I was curious about a comparison to Wireguard, because for some the advantage that the mesh/managed VPN setup brings may not be worth the performance trade-off.


I think you misunderstand how mesh VPNs work. Their primary purpose is as a control plane - introducing peers to each other so they can either communicate directly or via a relay (e.g. DERP) via per-node encryption. They should have no overhead compared to a single point-to-point encrypted tunnel like wireguard, because the "mesh" features are not in the data path.

The only real difference here is how the VPN product implements wireguard: userspace or kernel space, and how well tuned that implementation is. It might make sense to compare wireguard implementations, but (afaik) all are using one of several open source ones. Tailscale did some work to improve performance that they blogged about here: https://tailscale.com/blog/more-throughput


Neither Nebula nor ZeroTier is based on Wireguard.

What they compare in the article are systems that provide some form of ACL, which is why bare Wireguard is not included. That means there are features in the data path that could have significant performance implications versus a simple tunnel. The impact of using ACL features isn't really a focus of the presented benchmarks, but they do mention a separate test of using iptables to bolt on access controls.
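An added illustration of what "bolting on access controls" to bare Wireguard looks like in practice; this is not from the article or from any commenter. It is an nftables ruleset (loaded with `nft -f`) for one node's tunnel interface, and the interface name `wg0`, the 10.44.0.0/24 overlay range, the "admin" address 10.44.0.2, the worker range 10.44.0.10-19 and the ports are all assumed. Without such rules every peer that can reach this node over `wg0` can reach every listening port, which is the open policy a managed mesh VPN's ACL replaces.

```nft
# Added example, not part of the benchmark article or the thread.
# Per-peer ACL on a bare WireGuard interface. Addresses, interface name and
# ports are assumptions chosen for illustration.
table inet wg_acl {
    set admins {
        type ipv4_addr
        elements = { 10.44.0.2 }
    }
    set workers {
        type ipv4_addr
        flags interval
        elements = { 10.44.0.10-10.44.0.19 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Only traffic arriving over the tunnel is subject to this ACL.
        iifname != "wg0" accept
        # Replies to connections this node initiated are allowed.
        ct state established,related accept
        # Admin peers may SSH in; worker peers may only reach the service port.
        ip saddr @admins tcp dport 22 accept
        ip saddr @workers tcp dport 8080 accept
        # Everything else that arrives over the tunnel is counted and dropped.
        counter drop
    }
}
```

Matching on the source address is sound here only because WireGuard's cryptokey routing drops any packet from a peer whose inner source IP is outside that peer's AllowedIPs, so on `wg0` the source address is bound to the peer's key rather than being spoofable. Every packet arriving over the tunnel now traverses this chain, which is the kind of data-path cost the comment above is pointing at.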


This looks like a full VPN service to me. Since wireguard is only the session part of a VPN service, i.e. it is missing session management and key distribution, this would not be a proper comparison IMHO.



