OpenVPN and WireGuard rank among the best VPN protocols you can use to create tunneled connections today.
While OpenVPN has been around for twenty years, WireGuard is a relatively recent protocol that is rapidly making its way to the offerings of VPN providers.
This article compares OpenVPN and WireGuard side-by-side and identifies areas where one performs better than the other.
Table of contents
TL;DR
A little background
OpenVPN vs WireGuard: Five comparisons
Verdict
TL;DR
Quick summary of our comparison of OpenVPN and WireGuard:
- Overall, WireGuard is the faster of the two protocols. OpenVPN, if configured in UDP mode, will offer similar latency, but it will still require higher data usage. Note that WireGuard runs only in UDP mode.
- Both OpenVPN and WireGuard use strong unbroken ciphers.
- There are no known vulnerabilities in either OpenVPN or WireGuard.
- Both VPN protocols are open-source, but WireGuard’s low codebase makes it easier to audit than OpenVPN.
- Both OpenVPN and WireGuard support all major platforms, though OpenVPN is more broadly supported among routers and firewalls.
| OpenVPN | WireGuard | |
|---|---|---|
| Speed | High (TCP), very high (UDP) | Very high |
| Encryption | Excellent | Excellent |
| Security | Excellent | Excellent |
| Auditability | Good | Very good |
| Compatibility | Very good | Good |
Tab. 1 – A high-level comparison of OpenVPN and WireGuard
A little background
Before diving into the comparison, let’s take a look at what a VPN protocol is, and where OpenVPN and WireGuard came from.
What is a VPN protocol?
A VPN protocol is a set of rules that determines how a device that participates in the virtual private network (VPN), e.g. a computer, router, or smartphone, communicates with the VPN server. Details include the method of encryption or data routing.
Depending on these rules, different protocols deliver different speed, reliability, and security, which means that different protocols are naturally suited for different uses.
Both OpenVPN and WireGuard are highly versatile protocols because they are configurable to serve different purposes; i.e. you can set them up for speed, security, or long-distance connectivity.
To learn more about VPN protocols in general, read this article.
OpenVPN overview
OpenVPN is one of the most widespread among VPN protocols. It is open-source and is regularly audited and tested for vulnerabilities.
You can configure OpenVPN to run in both TCP and UDP mode, and choose whether it emulates network layer 2 or 3. It is supported by most VPN providers today.
Users often rely on OpenVPN to provide online anonymity, as it can bypass firewalls, ISP filters, and other network restrictions. It runs on all major platforms and is supported by most routers and firewalls, which means many devices can be configured to serve as a VPN gateway using OpenVPN.
WireGuard overview
WireGuard is a newer open-source protocol developed by Jason Donnenfeld and released in 2018 (WireGuard is a registered trademark of Jason Donnenfeld). It was originally developed for Linux, but nowadays is supported on all major OS platforms. However, few routers currently support it.
It has a very lightweight, low-code architecture, which means it is very fast, easy to set up, and hard to spot thanks to a small attack surface. However, vanilla WireGuard lacks some advanced features, like RADIUS authentication, which have to be added extra, if required.
All the same, WireGuard is held in high regard in the VPN industry and could soon replace most of older protocols, including OpenVPN.
OpenVPN vs WireGuard: Five comparisons
Speed
The speed of a protocol means how quickly it establishes a connection and how much traffic it can carry without throttling.
The table below compares the two protocols in terms of speed. We measured the latency of connections made from Central Europe while connecting to gateways in increasingly more distant locations. Each number is the mean value of three measurements.
| OpenVPN (TCP) | OpenVPN (UDP) | WireGuard | |
|---|---|---|---|
| Nearest gateway | 73 | 27 | 28 |
| +1 time zone | 165 | 57 | 58 |
| +2 time zones | 183 | 107 | 98 |
| +3 time zones | 161 | 141 | 114 |
| +5 time zones | 194 | 146 | 119 |
| +10 time zones | 456 | 373 | 331 |
| +12 time zones | 834 | 412 | 407 |
Tab. 2 – Speed comparison between WireGuard and OpenVPN (TCP and UDP mode). The figures are an average of three ping measurements representing mean latency in milliseconds.
Fig. 1 – Speed comparison between WireGuard and OpenVPN (TCP and UDP mode).
The figure shows that WireGuard is faster than OpenVPN, whether the latter is configured in TCP or UDP mode. Note that UDP, while faster, is less reliable.
Related to speed is also the fact that WireGuard has a smaller data overhead, which is beneficial to mobile users who will see smaller data usage with WireGuard.
Encryption
Encryption here refers to the cryptographic algorithms (ciphers) the protocol uses to render data illegible to unauthorized parties.
OpenVPN uses the OpenSSL library of algorithms, which provides a wide choice of ciphers, hashes, and key exchanges. A few examples:
- Encryption and authentication: AES, Blowfish, Camellia, ChaCha20, Poly1305, and more
- Hashing: SHA-256, among many
- Key exchange: RSA, DSA, SM2, and more
In addition, OpenVPN can be configured in both TCP and UDP mode, which helps optimize, for example, speed over short- and long-distance connections.
This variety and customizability makes OpenVPN highly flexible, and can be made to fit many different circ*mstances. You can even configure it to use older, less secure ciphers, if you so choose.
A downside of this flexibility is that the protocol is rather code-heavy, which is one of the main reasons why OpenVPN tends to be slower than WireGuard.
WireGuard takes the opposite approach to cryptography. It uses just one set of up-to-date algorithms instead of a library as is the case of OpenVPN.
Algorithms used by WireGuard include:
- Encryption and authentication: ChaCha20, Poly1305
- Hashing: BLAKE2s, SipHash24
- Key agreement and derivation: Curve25519, HKDF
Though WireGuard lacks some of the flexibility of OpenVPN, using a limited set of ciphers significantly reduces its complexity and shrinks the exploitable attack surface.
Security
The security of a VPN protocol denotes how well it can perform its primary function: in-transit data encryption and identity obfuscation.
In this sense, OpenVPN is a highly secure protocol. It contains no known vulnerabilities, and over its long existence has been thoroughly audited many times by independent security experts from around the world.
WireGuard is likewise very secure. It uses the latest cryptographic algorithms and secure ciphers, and is built for easier auditing thanks to its low-code build.
In addition, if a vulnerability is found in any of the inner mechanisms of WireGuard, all endpoints will be required to upgrade to ensure no one will communicate with a potentially compromised host that uses insecure code.
Auditability
Auditability refers to how easy it is for security experts to review and assess the protocol for vulnerabilities. This requires transparency and full access to its codebase.
Auditability is key for the protocol to gain trust among users.
OpenVPN is open-source, which makes it auditable but not very easily. It contains hundreds of thousands of lines of code, which means auditing the OpenVPN protocol takes a long time and requires a team of auditors.
WireGuard is also open-source, but much more lightweight. With around 4,000 lines of code, auditing WireGuard is much easier, and can be done by a single person.
This means that out of the two open-source protocols, WireGuard is the more auditable one.
Compatibility
Compatibility, as understood here, relates to how many different platforms the VPN protocol supports.
According to its official website, OpenVPN runs on:
- Linux,
- Windows XP/Vista/7 and higher,
- macOS X
- OpenBSD,
- FreeBSD,
- NetBSD,
- Solaris.
In addition, OpenVPN supports mobile platforms, i.e.:
- iOS 6 or later,
- Android 4.0 or later.
Similarly, WireGuard currently supports:
- Linux,
- Windows 7 or later,
- macOS,
- FreeBSD,
- NetBSD,
- OpenBSD,
And out of mobile platforms
- iOS,
- Android.
OpenVPN is also supported by most routers and firewalls, whereas WireGuard only by a few.
Therefore, though OpenVPN and WireGuard are comparable in terms of compatibility, OpenVPN is the more widely-supported protocol between the two.
Verdict
OpenVPN and WireGuard are both excellent VPN protocols, each with different benefits and tradeoffs.
OpenVPN is a proven and reliable protocol that is compatible with a wide range of devices and operating systems. Being open-source, it is also highly auditable, which is how it earns trust among businesses that prioritize security.
WireGuard, on the other hand, is a newer protocol designed for speed, efficiency, and increased security. It uses modern encryption algorithms and has a smaller codebase than OpenVPN, which simplifies its auditing and makes vulnerabilities easier to find.
In terms of security and encryption, OpenVPN and Wireguard are equal. However, there are areas where one or the other has the upper hand:
- Businesses that prioritize speed and efficiency may at present be better off with WireGuard.
- Businesses that require a proven and highly compatible protocol should go with OpenVPN.
