WireGuard vs. OpenVPN: Side-by-Side Comparison

OpenVPN was the gold standard of virtual private network (VPN) protocols until WireGuard hit the cybersecurity market in 2019. WireGuard promised to solve common VPN issues, including low connection speed, high data overheads, and complicated implementation. But does it make OpenVPN obsolete? We’ve created this review to determine how the new kid on the block stacks up against the more established OpenVPN. 

Our Recommendation = Get OpenVPN

WireGuard is undoubtedly a solid VPN protocol making waves in the cybersecurity landscape. But OpenVPN remains the de facto leader where VPN solutions are concerned. If nothing else, it has proven its efficacy in protecting online browsers for more than 18 years.

While some commercial VPN services use both protocols, OpenVPN is the default option nine times out of ten. There are many reasons to favor OpenVPN, including its ability to bypass region-restricted firewalls, robust security, extensive community support, compatibility with nearly all platforms, and support for various cryptographic algorithms.

OpenVPN is also the right choice for users who value privacy. Unlike WireGuard, OpenVPN is a true zero-log platform. This means that it doesn’t record or store your browsing, traffic, or activity data while using the VPN. Most security experts favor OpenVPN, so it makes sense that you might too. 

WireGuard does have its advantages. But it’s not quite at OpenVPN’s level yet, though things may change in the coming years.

When to Get WireGuard Instead

There are, of course, instances when it makes more sense to go with WireGuard. This protocol has reliably proven to be faster than OpenVPN in independent tests. This advantage is especially pronounced when optimized for a VPN service. It’s a top choice for users and organizations that prioritize fast time to connect.

WireGuard is also a top choice for users browsing on the move. Again, the protocol has proven its superiority in handling network changes. So it is the best choice for users needing to switch networks frequently.

WireGuard is also a superior choice for mobile devices. Most VPN services prefer alternative protocols like IKEv2 over OpenVPN for mobile browsing. WireGuard offers a third and even better alternative for mobile security. Unlike IKEv2, it is open source. Plus, it handles network changes seamlessly, making it perfect for mobile use.

Lastly, WireGuard is easier to manage for organizations that perform VPN security audits. WireGuard uses just 4,000 lines of code, compared to OpenVPN’s 70,000+. WireGuard is also easier to implement and work with, given its light codebase.

While WireGuard is considered to be a work in progress, it is a notable improvement to pre-existing protocols and an attractive option for people who like to use the latest technology. Its cryptography is undoubtedly newer. There’s every reason to believe that WireGuard will only get better. It is not far-fetched to think that it might become the world standard in the future.

Pricing – Is WireGuard or OpenVPN the Better Offer?                                               

Winner = Draw

WireGuard and OpenVPN are both open-source, meaning that it doesn’t cost anything to implement their software. However, you’ll still need to pay for a VPN service, although some free options exist. 

Alternatively, you can download the free source code and manually set up your own VPN. WireGuard is the better option in this scenario with its light codebase. Manual configuration is much more complicated with OpenVPN, even for advanced users.

Nevertheless, it is difficult to say which option is the better deal, given that WireGuard and OpenVPN products can vary depending on the merchant.  

Encryption & Security 

Winner = OpenVPN

You’d be surprised at how easy it is for people to snoop on your internet traffic and data. These actors may include cybercriminals, government agencies, and even your internet service provider (ISP). Encryption scrambles your data, so third parties can’t make sense of it if it falls into the wrong hands. Therefore, it is a crucial consideration when comparing VPNs.

WireGuard Encryption & Security 

WireGuard uses state-of-the-art ciphers and algorithms to secure your data. Its minimalist codebase also gives it some security advantages over OpenVPN. WireGuard has around 4000 lines of code compared to OpenVPN’s 70,000 lines. That means it’s easier for security teams to audit and find vulnerabilities in the codebase. The codebase also has a significantly smaller attack surface compared to OpenVPN.

However, there is a downside to WireGuard’s codebase. For instance, WireGuard uses a limited set of cryptographic algorithms, including ChaCha20 for encryption and Poly1305 for authentication. While ChaCha20 remains unbroken, there is still an inherent risk if the VPN runs into a new threat that is yet to be discovered.

Additionally, if a vulnerability is detected, you’d need to update all your endpoints to a newer version of WireGuard. Again, this contrasts with OpenVPN, which can be quickly configured to use a different algorithm.

While there are no known vulnerabilities in WireGuard, the cyber threat landscape is constantly evolving. Therefore, it would be a nightmare for WireGuard users if a new threat manages to crack WireGuard’s protocols or ciphers.

Nevertheless, WireGuard’s encryption offers some advantages over OpenVPN. WireGuard is not crypto-agile, meaning that it can’t switch between encryption methods and security protocols. Because the two ends never negotiate which algorithms to use, there is no negotiation for an attacker in the middle to interfere with, so there is a significantly lower possibility for man-in-the-middle attacks. The design also implies less frequent vulnerabilities.

OpenVPN Encryption & Security 

OpenVPN relies on the OpenSSL library for encryption. This library supports a host of encryption ciphers, including ChaCha20, Blowfish, Poly1305, Camellia, GOST 28147, and AES. As a result, OpenVPN is far more agile and flexible. It can use different algorithms to conform to any given threat landscape.
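The flexibility described above cuts both ways: a configuration can also select an outdated cipher such as Blowfish. The following is an added example, not code from the original article or from the OpenVPN project, and it goes one step beyond the text by showing the check this flexibility calls for: it reads the cipher directives from an OpenVPN config and flags 64-bit-block ciphers. The two sample configs are constructed for illustration.

```python
import re

# Added example. 64-bit-block ciphers OpenVPN can still be told to use; they
# are exposed to birthday (SWEET32-style) attacks on long-lived sessions.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback",
                     "ncp-ciphers"}

# Constructed sample configs (assumptions for illustration only).
LEGACY_CONF = """\
# legacy server
proto udp
cipher BF-CBC
data-ciphers AES-256-GCM:BF-CBC
"""
HARDENED_CONF = """\
proto udp
data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""

def configured_ciphers(conf_text):
    """Return (line number, directive, cipher) for every configured cipher."""
    found = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Drop comments (# or ;) before splitting the line into tokens.
        tokens = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(tokens) >= 2 and tokens[0] in CIPHER_DIRECTIVES:
            for name in tokens[1].split(":"):
                found.append((lineno, tokens[0], name.upper()))
    return found

def audit(conf_text):
    """Flag small-block ciphers and report whether any AEAD cipher is offered."""
    ciphers = configured_ciphers(conf_text)
    return {
        "weak": [c for c in ciphers if c[2] in SMALL_BLOCK],
        "offers_aead": any(c[2] in AEAD for c in ciphers),
    }

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```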

OpenVPN has also been through numerous third-party audits over the last 18 years, making it a conservative choice from a security perspective.

On the downside, OpenVPN’s code is a nightmare to audit. You’d need a dedicated team of experts and plenty of man-hours. In contrast, one engineer could audit WireGuard’s entire code in just a few hours. OpenVPN is also notoriously complicated to update in case a vulnerability is detected.

Nevertheless, OpenVPN has been audited numerous times by some of the best security teams. You can rely on these audits for peace of mind that your connection is always secure. OpenVPN also has a much more robust open-source community, so it may take some time for WireGuard to catch up. 

Privacy – WireGuard vs. OpenVPN

Winner = OpenVPN

The main idea behind using a VPN is so that nobody can track your browsing activity. But not all VPNs can guarantee online anonymity, as is the case with WireGuard.

By default, WireGuard maps allowed IP addresses to public keys. This means that your IP address is stored on the VPN server until it is rebooted. The design makes WireGuard simpler to use and manage. But it raises serious privacy concerns. Theoretically, someone could link your IP address to your browsing activity if they broke into the server.

By contrast, OpenVPN follows the zero-log principle. As a result, the protocol doesn’t need to log an IP address. The platform doesn’t keep any records of your browsing activity.

However, most VPN services that use WireGuard have designed ways to get around this problem. For example, Nord’s NordLynx technology uses a proprietary Double Network Address Translation (NAT). Here, the VPN assigns each VPN tunnel a unique IP address. The IP address is only stored for the duration of the session.

Mullvad, another WireGuard-based VPN, allows you to route your traffic through additional servers using its Multihop feature. In addition, the VPN service automatically deletes your IP address from its server after 10 minutes of inactivity.

These workarounds aren’t foolproof. For example, it would be far better if the server didn’t log your IP address at all. So OpenVPN is the better option from a privacy perspective. This is especially true when browsing from a country that prosecutes VPN users.
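The kind of server-side cleanup described above can be sketched as follows. This is an added example, not code from the original article or from any VPN provider: it parses `wg show <interface> dump` output, finds peers whose address is still held after 10 minutes without a handshake, and emits the `wg set` commands that remove and re-add them. The sample dump, the placeholder keys, the interface name `wg0` and the remove/re-add approach are assumptions for illustration.

```python
# Added example. Peer-line field order of `wg show <interface> dump`
# (tab-separated), as documented in wg(8).
PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "transfer_rx", "transfer_tx", "keepalive")

# Constructed sample dump: placeholder keys, documentation-range addresses.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ("IFACE_PRIVKEY_PLACEHOLDER", "IFACE_PUBKEY_PLACEHOLDER", "51820", "off"),
    ("PEER_A_PUBKEY", "(none)", "203.0.113.7:51820", "10.0.0.2/32",
     "1700000000", "1024", "2048", "off"),
    ("PEER_B_PUBKEY", "(none)", "198.51.100.23:40112", "10.0.0.3/32",
     "1700000900", "512", "768", "off"),
    ("PEER_C_PUBKEY", "(none)", "(none)", "10.0.0.4/32", "0", "0", "0", "off"),
])

def parse_dump(dump_text):
    """Return one dict per peer; line 1 describes the interface itself."""
    peers = []
    for line in dump_text.strip().splitlines()[1:]:
        parts = line.split("\t")
        if len(parts) != len(PEER_FIELDS):
            continue  # skip malformed lines rather than guess
        peer = dict(zip(PEER_FIELDS, parts))
        peer["latest_handshake"] = int(peer["latest_handshake"])
        peers.append(peer)
    return peers

def stale_endpoints(peers, now, max_idle=600):
    """Peers idle for more than max_idle seconds whose address is still held."""
    return [p for p in peers
            if p["endpoint"] != "(none)"
            and now - p["latest_handshake"] > max_idle]

def scrub_commands(iface, stale):
    """Remove and re-add each peer: the key -> allowed-IPs mapping survives,
    the remembered endpoint does not. A peer with a preshared key would also
    need `preshared-key <file>` on the re-add line (not handled here)."""
    cmds = []
    for p in stale:
        cmds.append(f"wg set {iface} peer {p['public_key']} remove")
        cmds.append(f"wg set {iface} peer {p['public_key']} "
                    f"allowed-ips {p['allowed_ips']}")
    return cmds

if __name__ == "__main__":
    stale = stale_endpoints(parse_dump(SAMPLE_DUMP), now=1700001000)
    print("\n".join(scrub_commands("wg0", stale)))
```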

Speed – WireGuard vs. OpenVPN

Winner = WireGuard                                        

Most people use VPNs for security and privacy. But speed remains an important consideration when choosing a VPN. You want to be reconnected to your VPN quickly if the VPN tunnel breaks or you lose your connection. WireGuard is the clear winner in most cases and wins most independent speed test comparisons.

It is easy to see why this is the case. First, WireGuard has a clean codebase, making it faster than the competitor. Furthermore, WireGuard uses newer and faster encryption methods, giving it an edge over OpenVPN. Finally, WireGuard’s protocol is optimized to run on multiple processor cores simultaneously.

The speed difference is also significant. For instance, OpenVPN can take up to 8 seconds to connect, while WireGuard takes an average of 100 milliseconds. You’ll also experience less frequent random or sudden disconnections with WireGuard. 

The speed difference isn’t just for enterprise users either. Streamers and gamers would also see a significant speed improvement by switching to WireGuard VPNs. 

However, WireGuard isn’t always the faster option. The technology is still new, and some servers aren’t optimized for WireGuard. Most notably, Private Internet Access (PIA) VPN servers aren’t optimized for WireGuard, so OpenVPN would be the faster choice in this instance.

It is also worth mentioning that the VPN connection speed depends on your internet speed and bandwidth. So you may not see a significant difference if your internet speed is slow to begin with.

Performance – WireGuard vs. OpenVPN

Winner = WireGuard

Using a VPN can have specific implications for your data usage. You’ll typically see a spike in your data usage since you need to send additional information during the tunneling process. Data overhead can be an essential factor if you’re on a metered connection.

Generally, WireGuard has significantly smaller data overhead than any other VPN protocol, including OpenVPN. OpenVPN introduces significant data overhead, so if you have a data limit or pay based on the bandwidth you use, this is something to think about.

WireGuard is also more efficient than OpenVPN but requires significant processing power. This can be an issue for older or low-end hardware. Also, OpenVPN drains mobile batteries faster.

However, OpenVPN has the edge over WireGuard for compatibility. OpenVPN has been around for a long time. It is compatible with virtually all platforms, including more obscure options like ChromeOS, QNX, and Solaris. WireGuard still covers the basics, including Linux, Windows, Android, and iOS. But it is not as versatile as its competitor. 

This scenario is likely to change in the coming years. Remember, WireGuard was only compatible with Linux systems when it first came out. 

Anti-Censorship Capabilities – WireGuard vs. OpenVPN

Winner = OpenVPN

Anti-censorship may not be a deal-breaker for many people. But it’s a top consideration if you need to use a VPN in a censorship country. OpenVPN is arguably the best protocol for navigating censorship regimes, including China’s infamous “Great Firewall.”

Essential services such as online banking use port 443. Therefore, censorship countries are reluctant to block this port. Port 443 offers a great backdoor into these firewalls that VPNs exploit. However, WireGuard doesn’t support the Transmission Control Protocol (TCP), which is what web traffic on port 443 normally runs over. Instead, WireGuard can only be used with the User Datagram Protocol (UDP). This setup makes WireGuard a poor choice for accessing restricted websites.

Furthermore, since WireGuard stores IP address information, it would be risky to use in a censorship country. There is still a possibility of these regimes tracking your online activity even while using a VPN, no matter how slim.

However, WireGuard’s limitation isn’t absolute. Theoretically, you could use obfuscation techniques to boost the protocol’s ability to bypass censorship. Some WireGuard-based VPNs like Astrill VPN are known to work well in China and other censorship regions.

Mobility – WireGuard vs. OpenVPN

Winner = WireGuard

Using a VPN on the move can be challenging. You’ll need to switch between networks frequently, so you need an option that quickly adapts to these changes.

OpenVPN is well known for its inefficiency when switching between networks. So much so that many VPN service providers use alternatives like IKEv2 for mobile. WireGuard’s popularity for mobile VPNs is also rising steadily.

WireGuard quickly and easily changes between mobile and WiFi networks, making it a top choice for mobility.
