You’ve probably heard a lot lately about WireGuard. Some claim it marks the beginning of the end for OpenVPN. However, this view is a little simplistic. In fact, there are even some situations where the 20-year-old VPN protocol outperforms its newer rival.
To give you a better understanding of these open-source VPN protocols, we’ll take a deep dive into what makes each unique. This means exploring the ins and outs of their encryption systems, seeing how well they perform over long distances, and looking at the ways they attempt to avoid detection in places with strict digital censorship. Before we begin, though, here’s a short overview of each:
OpenVPN and WireGuard history
OpenVPN was first released in May 2001. Although the PPTP protocol had been around for five years already at this point, OpenVPN became popular because it offered stronger encryption without too much of a drop in speed. Over the years, vulnerabilities were patched and new clients were developed that brought OpenVPN support to a greater range of devices. This previously unseen level of versatility no doubt contributed to OpenVPN becoming the default protocol for most commercial VPN apps until just a few short years ago.
WireGuard is much newer, having only launched its first stable release in 2020. However, that same year, it was accepted into the Linux and Windows kernels. The main draw of WireGuard is that it’s significantly faster and more efficient than most rival protocols, while maintaining a high level of data security. However, despite its rapid adoption, WireGuard remains in development and is not yet fully integrated with platforms like OpenBSD or FreeBSD.
OpenVPN vs WireGuard: Which is better?
It’s not quite that simple. OpenVPN and WireGuard both have areas where they excel and others where they fall flat. In other words, what is right for one user might not be suitable for another.
To create as fair and impartial a comparison as possible, we have to take a more granular approach. Below, we’ve listed a few key areas of operation and highlighted the differences in how OpenVPN and WireGuard perform in each.
First off, you should note that your base internet speeds will limit how fast your connection is while using a VPN. Additionally, every VPN provider is configured differently, so two services using the same protocol could deliver wildly different speeds.
OpenVPN has historically been seen as “fast enough”. It wasn’t as quick as PPTP or IPSec but delivered decent speeds, with about a 30 percent reduction considered standard. This means that as long as your base connection was at least 40 Mbps, your VPN should still be speedy enough for any day-to-day task.
WireGuard burst onto the scene all at once, with major services quickly adopting it, citing its significantly higher speeds as a key selling point. While not entirely attributable to WireGuard (since network upgrades and optimization are always ongoing), we saw providers like IPVanish and CyberGhost more than double their average speed shortly after introducing support for the WireGuard protocol.
There are a few reasons why WireGuard was able to deliver such high speeds. First of all, its code base was much more streamlined, at around 4,000 lines. For comparison, OpenVPN sits at around 70,000 lines of code as a result of over two decades of development. Additionally, WireGuard supports multi-threading, meaning it can process data using several CPU cores at once.
OpenVPN might be quite a bit older than WireGuard but the fact that it’s gone so long without being compromised actually backs up its security credentials. This protocol supports more encryption ciphers than its rival including CHACHA20-POLY1305, which is what WireGuard uses. Further, it can run on either TCP or UDP, meaning it’s more flexible and theoretically, usable with a wider range of systems.
The problem is that, with so much code to analyze, OpenVPN is extremely difficult to audit. A professional review was performed in 2017 and identified some key vulnerabilities that were promptly patched. However, a lot can change in half a decade, so it’d be good to see more frequent audits. Additionally, supporting so many different ciphers and devices increases the number of options an attacker has. Still, as long as your implementation remains up-to-date, OpenVPN presents minimal risk.
WireGuard’s code was designed to be easily understood by individuals, but it has also been professionally audited (most recently in 2020). This turned up no vulnerabilities but with development ongoing, it’s always possible some will crop up in the future.
One of the other advantages of this protocol is that it’s easy to combine with other obfuscation tools and algorithms. This is important because by default, WireGuard stores the user’s source IP address on the server. Still, VPN providers with WireGuard support usually take steps to prevent this, whether it’s by clearing all logs when a session ends or creating replacement authentication processes (such as NordVPN’s double NAT system, NordLynx).
Ability to go undetected
VPN-blocking is increasingly common. After all, being able to detect when a user is connected to a VPN allows websites to ensure nobody is circumventing bans, streaming services to restrict content by region, and authoritarian governments to prevent citizens from browsing otherwise inaccessible content online.
Straight off the bat, OpenVPN has a slight advantage here. It can be configured to use either TCP or UDP, two different methods of sending data. UDP is faster, but extremely easy to block because, by default, all of its traffic is sent via port 1194. However, OpenVPN sends TCP data over port 443, which is the same port that HTTPS traffic uses. In short, trying to block this port will mean users can’t access any sites that encrypt user traffic (roughly 95 percent of all sites suggested by Google at the time of writing).
That said, this method isn’t foolproof. More determined organizations can use a technique known as deep packet inspection (DPI) to examine your data packets, which will reveal patterns that closely correspond to OpenVPN traffic. VPNs have to obfuscate the traffic further in order to prevent this, but not every provider does.
WireGuard was not designed to obfuscate user traffic to this degree, and only supports UDP. This means that a simple, standalone WireGuard connection is easy to detect. However, as WireGuard is so extensible, most VPN providers have added their own obfuscation methods on top. The efficacy of these varies, but we’ve seen services with WireGuard support that even work in China, so the protocol clearly isn’t a limiting factor in this regard.
Level of support
OpenVPN is currently available in just about every consumer VPN and is relatively easy to manually install because it’s supported by all major router firmware. Crucially, most reputable VPN providers allow users to download OpenVPN configuration files, meaning you don’t have to create your own VPN just to protect your home network.
WireGuard is less common at the moment but its popularity continues to grow. There are two main issues where support is concerned, though. First of all, very few VPNs provide the configuration files required to use this protocol on a router. Second, when WireGuard is available, it’s usually supplemented in some way, which means that, even if config files were available, routers that support regular WireGuard traffic may not work with proprietary protocols like NordLynx.
WireGuard vs OpenVPN conclusion
Ultimately, there’s no one best VPN protocol. Until WireGuard can be easily installed on routers and evade detection without the need for additional obfuscation tools, OpenVPN will remain a viable choice.
Rather, users must choose the right tool for the task at hand. If you’re having difficulty getting around stubborn geo-blocking, a TCP-based OpenVPN connection might be the better choice, whereas if you’re looking to maximize speeds, WireGuard is likely a stronger option.
See also: Best VPNs with Wireguard
Frequently asked questions
Is OpenVPN still safe to use?
Yes, while OpenVPN is more than 20 years old, it remains safe and secure. While it’s possible that there are undiscovered vulnerabilities, the same is true of any software. Given how widespread this technology’s usage is, you can rest assured that if a vulnerability was found, it’s likely to be patched immediately.
Does WireGuard support site-to-site connections?
It’s relatively easy to set up a WireGuard VPN that will connect multiple networks or servers. This will allow you to secure traffic to, from, and across the new network. There’s a good level of support for WireGuard site-to-site connections, though many firewall providers still don’t allow you to use this protocol (Sonicwall and Barracuda are two that do).
It’s significantly easier to link two routers, though, with major firmware like OpenWRT, DD-WRT, pfSense, and Asus all offering WireGuard configuration guides on their respective websites.
Is WireGuard better than L2TP?
L2TP has speeds roughly comparable to OpenVPN, so it’s a fair bit slower than WireGuard. However, it’s supported by far more devices and most major VPNs have configuration guides readily available in the help section of their websites. Both protocols send data over fixed ports, which means it’s easy to block their traffic outright unless other obfuscation tools are used.
Which VPN protocol is fastest?
WireGuard is the fastest modern VPN protocol, with higher speeds than OpenVPN and IKEv2 even across long distances. You could argue that PPTP is extremely quick as well, but this is because it is far less secure. In fact, its encryption is trivially simple to crack, meaning it effectively offers no security benefits at all.