OpenVPN vs. WireGuard

WireGuard is a relatively new VPN protocol that has quickly gained popularity among security and privacy enthusiasts. While OpenVPN has been around for many years and it is considered the de facto standard in VPN industry, the question is whether WireGuard can be a better alternative and why. We will cover the most relevant differences and advantages of each of these two VPN protocols so you can make an informed decision on what is the best for you.

Compatibility

Both OpenVPN and WireGuard come as standard packages on most modern Linux distributions, so if you are using Linux you can easily set them without the need to compile them from source. On Linux, WireGuard support has been recently embedded into the kernel.
On Windows, Mac and the mobile platforms iOS and Android they aren’t available by default, but supported using 3rd party clients/apps such as those provided by VPN companies or the vanilla OpenVPN and WireGuard clients.
On Windows, both are using a 3rd party virtual network adapter: Tun or Wintun.

On routers, neither OpenVPN or WireGuard benefit from large support out of the box. Asus routers running AsusWRT are supporting OpenVPN out of the box, but not WireGuard. WireGuard is supported on routers running 3rd party firmware: DD-WRT, OpenWRT. It is also worth noting that WireGuard is supported on Mikrotik routers using their latest beta firmware.

Security and Privacy

From a security standpoint, WireGuard is arguably a better choice because it doesn’t rely on external libraries such as OpenSSL like OpenVPN does. OpenSSL had many security flaws in the past, some of them like Heartbleed being critical. Such vulnerabilities in cryptographic libraries could also affect any software relying on the libraries and OpenVPN is no exception.
OpenVPN is a lot more complex than WireGuard and has a huge code-base to support all kind of features like various authentication types, ability to run pre/post connect scripts, plugins and so on. Larger complexity results in a higher attack surface. On the other hand, WireGuard is simple and effective by design.
Quoting from WireGuard website:

Minimal Attack Surface

WireGuard has been designed with ease-of-implementation and simplicity
in mind. It is meant to be easily implemented in very few lines of
code, and easily auditable for security vulnerabilities. Compared to
behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the
gigantic codebases is an overwhelming task even for large teams of
security experts, WireGuard is meant to be comprehensively reviewable
by single individuals.

Both are using strong encryption ciphers and there are no weaknesses in any of the strong encryption ciphers used by OpenVPN or WireGuard. OpenVPN is more flexible when it comes to encryption settings since it gives the ability to choose different algorithms, encryption key length and more.
Both have been audited by security experts.

From a privacy perspective, a weakness comes in both cases by design and it is related to the connection info on servers. Both OpenVPN and WireGuard are logging the users IP addresses and this can be easily disabled completely in OpenVPN, though not as easy on WireGuard. By design, WireGuard will keep the user IP stored on the server side indefinitely and save it along with the user encryption public key in its config file. This can’t be disabled, but there are various workarounds to overcome this weakness. If you are using WireGuard with a VPN service claiming to store no connection logs, check carefully the details they provide on how these connection logs are being handled.

Speed

When it comes to network performance, WireGuard is faster than OpenVPN. On high speed connections like gigabit, connecting on modern hardware using Linux/Mac, WireGuard can come close or even saturate the gigabit link. OpenVPN would reach half of that speed in best case scenarios.
On Windows, the biggest problem with OpenVPN is the Tun virtual network driver that would limit the speed due to its poor design. WireGuard uses its own Tun driver called Wintun and it is much better speed-wise. The good news is that OpenVPN can also use the same Wintun driver since a recent update, resulting in higher throughput. The ability to use the Wintun driver with OpenVPN connections is available using OpenVPN GUI as long as it is up to date, by adding the setting “windows-driver wintun” in the OpenVPN config file. Some VPN providers have added support for the Wintun driver in their Windows apps.

On mobile devices, WireGuard is faster and more reliable having better mobility support. In most cases, the battery consumption would be significantly lower using WireGuard than OpenVPN.

The biggest speed difference between OpenVPN and WireGuard speed is seen on routers. Due to its design, WireGuard is much faster on routers than OpenVPN. For comparison, a mid-range router with a 800 MHz CPU would reach 15-20 Mbps speed with OpenVPN and 100 Mbps with WireGuard. So using WireGuard on compatible routers is a no-brainer.

Anti-censorship support

Using a censorship-resistant VPN technology in high censoring countries like China, UAE and more is essential.
By default, using their standard configuration, both OpenVPN and WireGuard connections can be easily flagged and blocked using DPI technologies implemented at a large scale by ISPs.

But OpenVPN has a big advantage over WireGuard when it comes to obfuscation support – a technique to disguise the VPN connection with an additional layer so that the VPN traffic is stealthier against DPI. There are numerous obfuscation techniques implemented using plugins or code modifications making OpenVPN a better choice: TLS tunneling, Obfsproxy, ShadowSocks to name just a few.
Another big advantage of OpenVPN is that it can use the TCP protocol on any ports, while WireGuard uses UDP only. TCP connections can by-pass firewalls much easier than UDP. For instance, UDP traffic can be blocked completely in restricted networks without impacting common traffic (web, email etc.).

Conclusions

Both WireGuard and OpenVPN are very secure when it comes to encryption strength: WireGuard being secure by default, OpenVPN requiring the use of a non-default configuration to enable strong cipher and RSA or EC keys.
WireGuard is more secure regarding potential code vulnerabilities.

Speed wise, WireGuard is better than OpenVPN if you have a high speed ISP connection of over 300-500+ Mbps. On routers, WireGuard is much faster than OpenVPN and can achieve even 10x faster speed than OpenVPN on the same hardware.

If you are living in a high-censoring country or connect from a restrictive network (even hotel networks can be considered highly restrictive), OpenVPN is the clear winner due to its obfuscation capabilities and TCP support.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

3 thoughts on “OpenVPN vs. WireGuard”

  1. OpenVPN is officially supported on FreshTomato open source router firmware.
    WireGuard is operational, but not officially supported.

    Reply
  2. Wireguard is the way to go on routers. On my cheap TP-Link Archer C7 I get close to 100 Mbps speed, compared to 15 Mbps with OpenVPN.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.