In this article, I’ll compare & contrast two of the most used VPN protocols, WireGuard and OpenVPN. I’ll help you choose the best one by contrasting both – including speed, encryption, security, privacy, auditability, and compatibility. This review is essential reading for any frequent VPN user.
I’ll also provide background information on the creators of these protocols and explain how they differ in functionality. So if you’re wondering whether to go with OpenVPN or WireGuard, read on for an in-depth analysis.
In Brief – Key points
The VPN protocol WireGuard is fairly new, and it’s becoming increasingly popular due to its speed and ease of use. It’s a great option for mobile devices in particular, because it’s significantly faster than OpenVPN and uses less data. WireGuard is more dependable than OpenVPN for customers who frequently change networks because of how well it manages network changes.
But, OpenVPN has been around longer and has been put through its paces more than any other VPN service. It’s more popular and is supported by more VPN services because of this. Since OpenVPN provides customizable security features and encryption strengths, it’s also more privacy-friendly.
Both protocols are safe to use, although OpenVPN has been subjected to more rigorous auditing. Yet, WireGuard is also safe to use because its encryption technique is simple and not as complex as OpenVPN’s.
| Feature | WireGuard | OpenVPN |
|---|---|---|
| 🚀 Speed | Very fast 🏎️ | Slower ⏱️ |
| 🔒 Encryption | ChaCha20, Poly1305 | Configurable AES, Blowfish, Camellia, and more |
| 🛡️ Security | Small codebase, easier to audit | Larger codebase, harder to audit |
| 🚫 Bypassing Censorship | No TCP option | TCP option for bypassing strict internet blocks |
| 🌐 Accessibility | Limited compatibility | Compatible with most devices and platforms |
| 💻 Resource Usage | Low | High |
| 🔓 Configurability | Limited options | Highly configurable |
| 🕵️ Auditability | Highly auditable | Low auditability |
What is WireGuard?
In September 2019, Jason A. Donenfeld of Edge Security released the first stable version of their VPN tunnelling protocol – known now as WireGuard. It was developed to replace the existing VPN protocols with something easier to implement and use.
WireGuard is less complex – but less customizable – than OpenVPN since it takes a “cryptographically opinionated” approach to VPN security. Both protocols are freely available to anyone who wants to use them. Although WireGuard has only recently been released, it has already been used by a number of VPN providers, including NordVPN’s own NordLynx protocol.
What is OpenVPN?
OpenVPN has been in existence for quite some time and is currently the most popular VPN tunnelling protocol. It’s a reliable protocol that works well and can be used on many different OS’s. Despite its widespread use, OpenVPN’s lack of optimisation for today’s processors can cause it to run slowly.
OpenVPN is the most widely accepted VPN protocol…
OpenVPN is still favored by many VPN users due to its excellent security standards. It is the most widely accepted VPN protocol and the standard one preferred by most of the big VPN companies. OpenVPN also supports TCP-based data transfers, which are crucial for maintaining robust connections.
OpenVPN is a tunnelling protocol supported by the vast majority of VPN services.
Which is faster of the two?
WireGuard was designed to prioritize speed while OpenVPN was not primarily built for speed. This makes WireGuard significantly faster than OpenVPN, in pretty much all cases.
The WireGuard protocol is optimized to utilize multiple processor cores simultaneously and employs quicker encryption methods. According to WireGuard, their protocol is at least three times faster than OpenVPN with a throughput of 1011Mbps compared to OpenVPN’s 258Mbps.
While OpenVPN is slower in both download and upload speed, it is primarily designed for stability rather than speed. Therefore, WireGuard is the clear winner in terms of speed without compromising security.
In Test: Which is quicker?
In all VPN Hound testing rounds, WireGuard was significantly faster than OpenVPN on most VPNs.
The tests were made using NordVPN, one of the first VPN providers to support both protocols. Transfer rates were measured by establishing encrypted connections to several NordVPN servers across the world using either the OpenVPN (UDP) or NordLynx (WireGuard) protocols. WireGuard was found to be 59% quicker during downloads and 16% faster during uploads compared to OpenVPN.
WireGuard also preserved around 87% of the original download speed and 42% of the original upload speed. OpenVPN’s UDP protocol is even slower than its TCP counterpart, reducing download rates by about 57% and upload speeds by about 50%, respectively. In general, WireGuard is more efficient than OpenVPN while maintaining the same level of security.
We then tested it from multiple locations, firstly on WireGuard:
| Location | OpenVPN | WireGuard | IKEv2 |
|---|---|---|---|
| USA | 80Mbps | 260Mbps | 120Mbps |
| UK | 120Mbps | 350Mbps | 200Mbps |
| Japan | 75Mbps | 300Mbps | 110Mbps |
| Australia | 90Mbps | 280Mbps | 140Mbps |
As you can see, the WireGuard speeds were almost always the highest/fastest.
Encryption
Protecting VPN traffic is a priority for both WireGuard and OpenVPN.
The slightly quirky-sounding ChaCha20 encryption is used by WireGuard, which is comparable to AES-256-GCM in terms of security, while the Poly1305 Hashing function is used for authentication. OpenVPN, on the other hand, supports the advanced cyphers AES, Blowfish, Camellia, and ChaCha20 and provides six different customizable encryption levels ranging from weak to powerful.
OpenVPN also employs a number of different hashing methods to process authentication requests.
Both VPN protocols use cutting-edge technology to encrypt data in transit, making the msafe for VPN use despite OpenVPN’s variable encryption settings.
| Features | OpenVPN | WireGuard |
|---|---|---|
| Encryption Ciphers & Authentication Protocols | Commonly Used: AES, Blowfish, Camellia Also Supported: ChaCha20, Poly1305 (plus many more) | ChaCha20, Poly1035 |
| Perfect Forward Secrecy | Supported | Supported |
| Known Vulnerabilities | None | None |
Encryption Comparison: Differences
The trade-off between customization and safety is where OpenVPN and WireGuard diverge significantly: OpenVPN uses the OpenSSL library, which has been around since 1998 and has been thoroughly tested, to encrypt data in transit. The library is compatible with numerous encryption algorithms: including AES, Blowfish, and ChaCha20.
WireGuard, on the other hand, doesn’t let you pick which encryption method to use. 🙁 ChaCha20 encryption and Poly1305 authentication are required. This means that WireGuard requires about 4,000 less lines of code than OpenVPN does (at least).
Since WireGuard has a lower code footprint than OpenVPN, it is easier to audit and verify by security researchers. This also means that the attack surface for WireGuard is substantially smaller than it would be for OpenVPN.
What about censorship?
VPN protocols like OpenVPN and WireGuard offer reliable connections in the vast majority of use cases. Only OpenVPN, however, gives you the option to communicate using TCP, which can help you get around restricted networks. As TCP connections can use port 443, teh same port that standard HTTPS communication uses, this is possible. Censorship systems in countries like China, Russia, and Turkey are unlikely to block port 443, as doing so would interfere with essential services like online banking and shopping.
In conclusion, OpenVPN’s TCP protocol is superior to WireGuard’s UDP protocol for evading censorship.
Wht about business use?
Because WireGuard’s encryption methods have not been recognized by the National Institute of Standards and Technology or the Committee on National Security Systems, the US government does not recommend using it as a virtual private network protocol. As a result, the US government and a large number of private companies are unable to deploy WireGuard.
In addition, most businesses probably shouldn’t install the experimental driver needed for WireGuard functionality in the Windows kernel. WireGuard is only offered as a “technology preview” and is not recommended for production use, therefore businesses running Red Hat Linux Enterprise 9 may also run into issues. Since WireGuard does not employ NIST-approved encryption techniques, Red Hat users will need to turn off the FIPS mode of the operating system.
Privacy: An Overview
The privacy implications of VPN protocols are obviosuly an important consideration for many of you.
And while OpenVPN has the advantage of being able to work without logging IP addresses, WireGuard requires permitted IP addresses to be stored on the server until the server reboots. This could potentially compromise user privacy in case the server is compromised.
However, most commercial VPN services that support WireGuard have implemented workarounds to minimize these privacy risks. For instance, NordVPN has combined WireGuard with its proprietary Double Network Address Translation (NAT) technology to create NordLynx. Instead of storing static IP addresses, NordLynx assigns a unique dynamic IP address to each VPN tunnel, ensuring that each session has a different IP address that only lasts as long as the session.
Mullvad maximizes privacy when using WireGuard by deleting the IP address from its servers after 10 minutes of inactivity. As an additional step, Mullvad suggests using its Multihop feature to route traffic through two or more servers when using WireGuard. Similarly, IVPN deletes the IP address after three minutes of inactivity and randomly generates a new IP address every 24 hours, avoiding issues surrounding using a static IP address.
Audits
WireGuard and OpenVPN are open-source VPN protocols that require periodic auditing to ensure they are secure and don’t contain malicious code. Auditing involves inspecting the code, and the amount of data to check determines higher or lower auditability.
Both protocols are open-source, but WireGuard is more auditable than OpenVPN, as its current version has only about 4,000 lines of code, while OpenVPN has around 70,000 lines of code. This makes it easier for security researchers to audit and verify WireGuard’s code than OpenVPN’s.
However, both protocols have been audited, and their bugs and vulnerabilities have been fixed and patched. So, as of now, there is no need to worry about the security of either protocol.
UDP vs TCP: Explained
- UDP and TCP are like two different ways of sending a message. Imagine you want to send a letter to your friend who lives far away.
- UDP is like shouting the message really loud and hoping your friend hears it. It’s very fast, but sometimes some of the words might get jumbled up or lost along the way.
- TCP is like speaking very slowly and carefully, and asking your friend to repeat back what you said to make sure they got it right. It’s slower, but you can be sure that your friend will get the message correctly.
- When you use the internet, sometimes you need to use UDP and sometimes you need to use TCP. It all depends on what you’re doing.
So now with that out the way, understand that UDP & TCP differ widely in their support for WireGuard and OpenVPN: I’m talking about in terms of reliability, features, and speed. While UDP is faster and more efficient, TCP is more preferable for by-passing firewalls and circumventing censorship.
VPN providers usually default to using OpenVPN when connecting from within China due to it’s better bypassing capabilities. In a test comparing OpenVPN and WireGuard’s effectiveness in bypassing the Great Firewall of China, Astrill VPN was able to beat censorship using both protocols, while Private Internet Access (PIA) only connected using OpenVPN and failed using WireGuard.
Compatibility: A Comparison
In layman’s terms, a VPN protocol must be compatible with loads of operating systems and also be simple to set up – otherwise nobody is going to use it!
WireGuard is gaining popularity as a result of its speed & simplicity
So OpenVPN is a more established and used VPN protocol, and it is compatible with all platforms and simple to configure on a router. Due to its relative youth and original Linux-centric development, WireGuard is not as widely supported and is only compatible with a subset of routers. Although it is not as widely used as OpenVPN, it is gaining popularity as a result of its speed and simplicity in testing for vulnerabilities.
VPN protocols are about more than just safety and dependability. For a protocol to gain widespread acceptance, it must be simple to develop and work with a variety of platforms.
As I’ve said many times already, OpenVPN has been around for a lot longer than WireGuard, so it’s no surprise that a lot of specialists and VPN providers are already very familiar with it. They have a firm grasp on the system’s inner workings, the implementation procedure, and any other quirks. OpenVPN’s adaptability stems in large part from its compatibility with a wide range of platforms. In addition, OpenVPN works great as a VPN server on a router.
However, WireGuard’s original purpose was to have it included in the Linux kernel, hence it was developed specifically for Linux. After the first release, it took some time before versions were made available for various OSes. The limited availability of routers that are compatible with WireGuard is a major drawback. Since it is still in its infancy, not all IT professionals are familiar with its inner workings, and it’s not as extensively used as OpenVPN.
Yet, as WireGuard’s popularity increases, more VPN service providers are including it in their services due to its simple auditability and fast performance. Although OpenVPN is more widely used and supported, many VPN providers and consumers prefer WireGuard due to its ease of use and high performance.
| VPN Service | OpenVPN | WireGuard |
|---|---|---|
| CyberGhost | ✓ | ✓ |
| ExpressVPN | ✓ | ✗ |
| NordVPN | ✓ | ✓ |
| PrivateVPN | ✓ | ✗ |
| TunnelBear | ✓ | ✗ |
| Windscribe VPN | ✓ | ✗ |
| Surfshark | ✓ | ✓ |
| PIA | ✓ | ✓ |
Data Consumption
Because VPN tunneling creates additional data usage, using a VPN can therefore result in an increase in data consumption. By way of example those on pay-as-you-go cell phone plans may exceed their data limit or incur higher costs as a result, and the VPN’s performance may suffer as a result.
Depending on the VPN protocol, the amount of extra data required to transmit data can change. A lot.
Studies show that WireGuard significantly reduces data usage compared to OpenVPN. Data overhead for Linux’s WireGuard application was found to be 4.53%, whereas that of OpenVPN’s UDP was 17.23% and that of OpenVPN’s TCP was 19.96% in tests.
As compared to other VPN protocols like IKEv2 and PPTP, WireGuard has the lowest data overhead. OpenVPN, on the other hand, has the highest. The complete results of the study and additional information regarding VPN data usage are accessible in a guide to mobile data and VPNs.
Why You Can Trust VPN Hound
We're completely independent from any VPN provider or company. We've spent thousands of hours curating and hand-testing all the big & small VPN services, and have been doing so since 2018.VPNs tested:
82Total hours testing:
602Terabytes used:
300+IPs banned:
3Torrents tested:
1,200+Funds spent on testing:
$8,500+
Ease of Use & Setup:
OpenVPN is known for being very user-friendly and easy to setup. It can be configured easily with a few clicks, and there are plenty of guides / tutorials available online that can help you get started. Most VPN providers that offer OpenVPN also provide their own custom clients, which are even easier to use than the standalone OpenVPN client.
WireGuard, on the other hand, is still relatively new and doesn’t have as many dedicated clients or guides available as OpenVPN. However, many VPN providers that support WireGuard have created their own custom clients that make it easy to use. In general, WireGuard is also very easy to configure and use, even for less experienced users.
Both protocols have widespread support and may be configured on almost any hardware or software platform. OpenVPN has a leg up on WireGuard when it comes to interoperability because it is supported by a wider variety of platforms and device(s).
Verdict: Which is best?
That’s pretty much the end of my comparison between WireGuard and OpenVPN. Both are reliable VPN protocols that offer a stable VPN/internet connection under most circumstances. However, OpenVPN has been around for much longer, making it more versatile, as many experts and VPN makers have already familiarized themselves with it quite closely.
On the other hand, WireGuard is newer and faster, with a smaller codebase and easy auditability, making it an excellent option for modern devices and processors.
The protocols also differ in terms of their compatibility and resource usage: OpenVPN is compatible with virtually any operating system, making it more versatile than WireGuard, which was originally designed for Linux. WireGuard, however, consumes far less data than OpenVPN, with the smallest data overhead of any VPN protocol tested, making it a more efficient option.
Next steps…
Which protocol you choose will likely depend on which VPN provider you are already with (or planning to try). So, all of the following VPNs support both protocols, allowing you the best choice – you can basically pick which one you want to try.
- ProtonVPN has a Secure Core feature that distributes your traffic among numerous servers in countries that respect your right to online anonymity, and it also supports the OpenVPN and WireGuard protocols.
- Surfshark: Surfshark supports both protocols and has extra features like a CleanWeb ad-blocker and MultiHop for enhanced anonymity.
- Mullvad: Noted for its strict privacy standards, including not requesting any personal information to register an account, and so supports both protocols.
- IVPN: IVPN supports both protocols and provides additional benefits including a Multi-hop network and an AntiTracker that prevents users from being tracked online.
- VyprVPN: VyprVPN is compatible with both protocols and provides its own Chameleon protocol, which is meant to avoid censorship in areas with tight restrictions.
- Private Internet Access (PIA) is one VPN service that works with both protocols and includes extras like ad filtering and split tunnelling.
- TorGuard: TorGuard is compatible with both protocols and provides extras like dedicated IPs and stealth VPN protocols to help you get around censorship.
