OpenVPN or WireGuard: Which protocol is better?

In this article, we will be comparing two popular security protocols, OpenVPN and WireGuard, used by Virtual Private Networks (VPNs) to provide a secure connection to the Internet.

1. Performance and speed

WireGuard is significantly faster than OpenVPN, with a throughput of 1011 Mbps compared to 258 Mbps when connected to a 1 Gbps port. WireGuard operates at the kernel level, which puts less strain on the system's processor, while OpenVPN operates at the user level, which limits its ability to increase speed. Additionally, the ping time when using WireGuard is much lower (better) than with OpenVPN: 0.403 ms compared to 1.541 ms. Speed tests show that when connecting to global servers in the UK via a server with a port speed of 350 Mbps using UDP, WireGuard performs faster than OpenVPN.

| Server Location | OpenVPN (UDP) | WireGuard |
|---|---|---|
| United Kingdom | 135 Mbit/s | 286 Mbit/s (112% faster) |
| Germany | 131 Mbit/s | 277 Mbit/s (111% faster) |
| USA | 142 Mbit/s | 254 Mbit/s (79% faster) |
| Japan | 139 Mbit/s | 269 Mbit/s (94% faster) |
| Australia | 118 Mbit/s | 207 Mbit/s (75% faster) |

[Figure: Comparison of OpenVPN and WireGuard throughput]

[Figure: Comparison of response time (ping) for OpenVPN and WireGuard]

2. Encryption and Library Support

OpenVPN uses cryptographic algorithms that are rooted in the OpenSSL library, offering a variety of encryption techniques, such as AES, Blowfish, Camellia, ChaCha20, Poly1305, DES, Triple DES, and others, for authentication purposes. For hashing, MD5, MD4, SHA-1, SHA-2, BLAKE2, and others are utilized. Key generation is supported by RSA, DSA, X25519, and other methods. Additionally, you can choose between two transport-layer protocols: UDP or TCP.

WireGuard differs from OpenVPN in that it has a limited selection of algorithms. It uses ChaCha20 for encryption, Poly1305 for authentication, BLAKE2s for hashing following RFC 7693, and SipHash24 for key hashes; it runs over UDP and provides perfect forward secrecy.

Additionally, WireGuard uses public key cryptography and has strict authentication. It has a secure key generator and automates key management. The pre-exchange of keys also enhances security. Conversely, OpenVPN uses certificates and a private key for identification and encryption.

To summarize: WireGuard offers improved speed and a smaller potential for security breaches due to its limited algorithm options. OpenVPN, while offering a wider range of algorithms, has more complex authentication and key management systems.

OpenVPN utilizes encryption and authentication based on the OpenSSL library, which has a long history and has been extensively tested. On the other hand, WireGuard only employs its own encryption type ChaCha20 with Poly1305 authentication.

Furthermore, OpenVPN utilizes RSA and AES for its data and control channels, reducing the risk of password and encryption key cracking attacks. The maximum encryption key length supported by OpenVPN is 4096 bits, whereas WireGuard only supports a maximum key length of 256 bits. Currently, neither OpenVPN nor WireGuard has any significant known vulnerabilities.

3. Security and Privacy

OpenVPN is considered a safe choice, but it requires proper setup. The code of OpenVPN has been audited by experts and is well-supported. WireGuard, on the other hand, has easily verifiable code and currently, there are no known vulnerabilities. It is highly secure, quick, and difficult to hack due to its utilization of cutting-edge cryptographic algorithms. In the event of a vulnerability being discovered, endpoints are immediately updated to a new version, avoiding the use of compromised code.

To ensure the protection of your data, OpenVPN is a top choice. It does not retain any personal details of its users, such as IP addresses. On the other hand, the WireGuard Cryptokey Routing algorithm temporarily saves user IP addresses on the VPN server until the server is restarted. However, there are currently ways to enhance the privacy of WireGuard.

Conclusions: WireGuard is a relatively new protocol, but it can provide the same security as OpenVPN, which has been around longer, has passed more third-party security audits, and has a longer track record than WireGuard. As WireGuard matures, it will become even more appealing due to its minimal code base and updated encryption algorithms.

The conservative choice is OpenVPN. However, WireGuard is constantly improving by introducing updated encryption algorithms. WireGuard is a more modern option using the latest technology.

4. Mobility and compatibility

Users today often switch between Wi-Fi and mobile networks when using their devices, so it's important that your VPN software also supports this capability. WireGuard is great for mobility because it supports easy switching between devices and networks. It's also compatible with Windows, Android, macOS, iOS and popular Linux distributions. 

OpenVPN has some mobility issues because it does not always keep up with network switches, but it is compatible with most computer platforms. In addition to the systems mentioned above, it can be used on Solaris, QNX, Maemo, FreeBSD and ChromeOS. OpenVPN works with almost any platform, which is why it is the most popular among many manufacturers who implement it in their routers, firewalls, etc. WireGuard is too young for many manufacturers to integrate it into their hardware, but you can still build your own server on any popular Linux distribution.

Conclusions: WireGuard provides better mobility than OpenVPN. While OpenVPN has historically struggled with network changes, WireGuard handles them seamlessly. For mobile devices, VPN services use a different protocol, IKEv2, a good protocol but closed-source. Hence, WireGuard is a great open source solution when choosing a VPN protocol for mobile devices.

5. Censorship circumvention

OpenVPN and WireGuard are both great protocols for VPNs, but OpenVPN offers something WireGuard doesn't - the ability to work over TCP. TCP is more reliable than UDP, so it's suitable for circumventing strict censorship regimes. This is because TCP port 443 is the same port that HTTPS uses. In this case, OpenVPN remains the most secure and stable.

Conclusions: UDP is faster and more stable when used with VPN tunnels, but TCP is preferable for circumventing censorship. It is unlikely that any country will block port 443, which is used for all major activities such as e-commerce and banking. OpenVPN with the TCP protocol works more effectively for bypassing censorship regimes than WireGuard.

6. Authentication methods

When using OpenVPN, three different methods can be used to authenticate to a VPN server:

  • Using pre-shared keys generated on the server.
  • Using certificate-based authentication (more secure).
  • Using a user name and password.

In the case of WireGuard, authentication is done simply by exchanging your public and private keys. With its own secret key, the server can identify user lists. The client side also provides the secret key and the server's public key that you use to establish the connection.

Pros and cons of OpenVPN

Pros:

  1. OpenVPN is a well-established encryption program, highly recommended by many experts.
  2. It uses the OpenSSL library and TLS, encrypting all data, and is the leading standard in cryptography.
  3. It can work over both UDP and TCP protocols.

Cons:

  1. Performance, ping, and speed are significantly, sometimes several times, inferior to WireGuard.
  2. OpenVPN is more vulnerable to attacks than WireGuard.
  3. Manual configuration is difficult for OpenVPN and can be a hassle even for experienced users.

Pros and cons of WireGuard

Pros:

  1. WireGuard is a secure and fast VPN with top-notch cryptography that is much faster than OpenVPN.
  2. WireGuard is also suitable for increasing the battery life of your device because it consumes less power.
  3. WireGuard is easier to install and configure than OpenVPN.

Cons:

  1. WireGuard's development is not yet fully completed, but it should be a great VPN protocol in the future.
  2. One of the main drawbacks of WireGuard is that it does not use port 443 and does not support the TCP protocol. This makes it a poor choice for bypassing content restrictions.
  3. WireGuard is supported by major operating systems but, unlike OpenVPN, still not by all of them.
