Blog article

OpenVPN vs WireGuard: Top Two VPN Protocols Side By Side

OpenVPN and WireGuard are the top 2 VPN protocols out there. WireGuard excels at speed and efficiency, while OpenVPN offers more compatibility and configuration flexibility.

Petr Pecha

11

Min read

VPN
Network Security
Table of Contents
This is also a heading
This is a heading
GoodAccess VPN. Super-easy. Cloud-delivered

OpenVPN and WireGuard rank among the best VPN protocols you can use to create tunneled connections today.

While OpenVPN has been around for twenty years, WireGuard is a relatively recent protocol that is rapidly making its way to the offerings of VPN providers.

This article compares OpenVPN and WireGuard side-by-side and identifies areas where one performs better than the other.

Table of contents

TL;DR

A little background

OpenVPN vs WireGuard: Five comparisons

Verdict

TL;DR

Quick summary of our comparison of OpenVPN and WireGuard:

  • Overall, WireGuard is the faster of the two protocols. OpenVPN, if configured in UDP mode, will offer similar latency, but it will still require higher data usage. Note that WireGuard runs only in UDP mode.
  • Both OpenVPN and WireGuard use strong unbroken ciphers.
  • There are no known vulnerabilities in either OpenVPN or WireGuard.
  • Both VPN protocols are open-source, but WireGuard’s low codebase makes it easier to audit than OpenVPN.
  • Both OpenVPN and WireGuard support all major platforms, though OpenVPN is more broadly supported among routers and firewalls.


OpenVPN WireGuard
Speed High (TCP), very high (UDP) Very high
Encryption Excellent Excellent
Security Excellent Excellent
Auditability Good Very good
Compatibility Very good Good

Tab. 1 – A high-level comparison of OpenVPN and WireGuard

A little background

Before diving into the comparison, let’s take a look at what a VPN protocol is, and where OpenVPN and WireGuard came from.

What is a VPN protocol?

A VPN protocol is a set of rules that determines how a device that participates in the virtual private network (VPN), e.g. a computer, router, or smartphone, communicates with the VPN server. Details include the method of encryption or data routing.

Depending on these rules, different protocols deliver different speed, reliability, and security, which means that different protocols are naturally suited for different uses.

Both OpenVPN and WireGuard are highly versatile protocols because they are configurable to serve different purposes; i.e. you can set them up for speed, security, or long-distance connectivity.

To learn more about VPN protocols in general, read this article.

OpenVPN overview

OpenVPN is one of the most widespread among VPN protocols. It is open-source and is regularly audited and tested for vulnerabilities.

You can configure OpenVPN to run in both TCP and UDP mode, and choose whether it emulates network layer 2 or 3. It is supported by most VPN providers today.

Users often rely on OpenVPN to provide online anonymity, as it can bypass firewalls, ISP filters, and other network restrictions. It runs on all major platforms and is supported by most routers and firewalls, which means many devices can be configured to serve as a VPN gateway using OpenVPN.

WireGuard overview

WireGuard is a newer open-source protocol developed by Jason Donnenfeld and released in 2018 (WireGuard is a registered trademark of Jason Donnenfeld). It was originally developed for Linux, but nowadays is supported on all major OS platforms. However, few routers currently support it.

It has a very lightweight, low-code architecture, which means it is very fast, easy to set up, and hard to spot thanks to a small attack surface. However, vanilla WireGuard lacks some advanced features, like RADIUS authentication, which have to be added extra, if required.

All the same, WireGuard is held in high regard in the VPN industry and could soon replace most of older protocols, including OpenVPN.

OpenVPN vs WireGuard: Five comparisons

Speed

The speed of a protocol means how quickly it establishes a connection and how much traffic it can carry without throttling.

The table below compares the two protocols in terms of speed. We measured the latency of connections made from Central Europe while connecting to gateways in increasingly more distant locations. Each number is the mean value of three measurements.


OpenVPN (TCP) OpenVPN (UDP) WireGuard
Nearest gateway 73 27 28
+1 time zone 165 57 58
+2 time zones 183 107 98
+3 time zones 161 141 114
+5 time zones 194 146 119
+10 time zones 456 373 331
+12 time zones 834 412 407

Tab. 2 – Speed comparison between WireGuard and OpenVPN (TCP and UDP mode). The figures are an average of three ping measurements representing mean latency in milliseconds.

Fig. 1 – Speed comparison between WireGuard and OpenVPN (TCP and UDP mode).

The figure shows that WireGuard is faster than OpenVPN, whether the latter is configured in TCP or UDP mode. Note that UDP, while faster, is less reliable.

Related to speed is also the fact that WireGuard has a smaller data overhead, which is beneficial to mobile users who will see smaller data usage with WireGuard.

Encryption

Encryption here refers to the cryptographic algorithms (ciphers) the protocol uses to render data illegible to unauthorized parties.

OpenVPN uses the OpenSSL library of algorithms, which provides a wide choice of ciphers, hashes, and key exchanges. A few examples:

  • Encryption and authentication: AES, Blowfish, Camellia, ChaCha20, Poly1305, and more
  • Hashing: SHA-256, among many
  • Key exchange: RSA, DSA, SM2, and more

In addition, OpenVPN can be configured in both TCP and UDP mode, which helps optimize, for example, speed over short- and long-distance connections.

This variety and customizability makes OpenVPN highly flexible, and can be made to fit many different circumstances. You can even configure it to use older, less secure ciphers, if you so choose.

A downside of this flexibility is that the protocol is rather code-heavy, which is one of the main reasons why OpenVPN tends to be slower than WireGuard.

WireGuard takes the opposite approach to cryptography. It uses just one set of up-to-date algorithms instead of a library as is the case of OpenVPN.

Algorithms used by WireGuard include:

  • Encryption and authentication: ChaCha20, Poly1305
  • Hashing: BLAKE2s, SipHash24
  • Key agreement and derivation: Curve25519, HKDF

Though WireGuard lacks some of the flexibility of OpenVPN, using a limited set of ciphers significantly reduces its complexity and shrinks the exploitable attack surface.

Security

The security of a VPN protocol denotes how well it can perform its primary function: in-transit data encryption and identity obfuscation.

In this sense, OpenVPN is a highly secure protocol. It contains no known vulnerabilities, and over its long existence has been thoroughly audited many times by independent security experts from around the world.

WireGuard is likewise very secure. It uses the latest cryptographic algorithms and secure ciphers, and is built for easier auditing thanks to its low-code build.

In addition, if a vulnerability is found in any of the inner mechanisms of WireGuard, all endpoints will be required to upgrade to ensure no one will communicate with a potentially compromised host that uses insecure code.

Auditability

Auditability refers to how easy it is for security experts to review and assess the protocol for vulnerabilities. This requires transparency and full access to its codebase.

Auditability is key for the protocol to gain trust among users.

OpenVPN is open-source, which makes it auditable but not very easily. It contains hundreds of thousands of lines of code, which means auditing the OpenVPN protocol takes a long time and requires a team of auditors.

WireGuard is also open-source, but much more lightweight. With around 4,000 lines of code, auditing WireGuard is much easier, and can be done by a single person.

This means that out of the two open-source protocols, WireGuard is the more auditable one.

Compatibility

Compatibility, as understood here, relates to how many different platforms the VPN protocol supports.

According to its official website, OpenVPN runs on:

  • Linux,
  • Windows XP/Vista/7 and higher,
  • macOS X
  • OpenBSD,
  • FreeBSD,
  • NetBSD,
  • Solaris.

In addition, OpenVPN supports mobile platforms, i.e.:

  • iOS 6 or later,
  • Android 4.0 or later.

Similarly, WireGuard currently supports:

  • Linux,
  • Windows 7 or later,
  • macOS,
  • FreeBSD,
  • NetBSD,
  • OpenBSD,

And out of mobile platforms

  • iOS,
  • Android.

OpenVPN is also supported by most routers and firewalls, whereas WireGuard only by a few.

Therefore, though OpenVPN and WireGuard are comparable in terms of compatibility, OpenVPN is the more widely-supported protocol between the two.

Verdict

OpenVPN and WireGuard are both excellent VPN protocols, each with different benefits and tradeoffs.

OpenVPN is a proven and reliable protocol that is compatible with a wide range of devices and operating systems. Being open-source, it is also highly auditable, which is how it earns trust among businesses that prioritize security.

WireGuard, on the other hand, is a newer protocol designed for speed, efficiency, and increased security. It uses modern encryption algorithms and has a smaller codebase than OpenVPN, which simplifies its auditing and makes vulnerabilities easier to find.

In terms of security and encryption, OpenVPN and Wireguard are equal. However, there are areas where one or the other has the upper hand:

  • Businesses that prioritize speed and efficiency may at present be better off with WireGuard.
  • Businesses that require a proven and highly compatible protocol should go with OpenVPN.

Let’s get started

See why your peers choose GoodAccess. Create your free account today and enjoy all premium features for 14 days, hassle-free.
Create Free Account
Book 1-1 call
Trusted by 1300+ customers

Remote work

What is a backup gateway and why do you need one?

A backup gateway provides redundancy in case an unexpected outage or performance issues impact the primary gateway. This ensures business continuity and reduces the cost of downtime.

Learn more

4

Min read

Release news

Out Now: GoodAccess Linux App

The GoodAccess Linux app enables simple configuration and management of Linux devices connecting to the GoodAccess secure environment.

Learn more

2

Min read

Network security

What Is Content Filtering?

Content filtering is a mechanism that prevents access to dangerous or objectionable sites or messages. It is broadly used by users on their own devices, companies to enforce their content policies, or governments to control access to certain information.

Learn more

11

Min read

In GoodAccess, we invest our passion into developing a cybersecurity platform that is easy to deploy, easy to manage, and easy to use.

Education
VPN with Static IP Explained
What is Business Cloud VPN
What is IP Whitelisting
DNS Filtering Explained
Zero Trust Network Access
35+ Gateways Worldwide
How secure is GoodAccess
Compliance Made Easy
Platform
Free business VPN
Business VPN
Zero trust network access
Software defined perimeter
Secure web gateway
Remote access VPN
Features
Dedicated VPN gateway
Static IP address
Central dashboard
Zero-trust access control
DNS filtering
Multi-factor authentication
Network access control
Split tunneling
Access logs
IP whitelisting
SSO
Resources
Product tour
Blog
Events & webinars
Support portal
Customers
Integrations
SLA
Company
About us
Careers
Newsroom
Contact us
Partner Programs
Become a partner
Become an affiliate
Pricing
Plans
Small teams
Starter
Download App
Windows
Mac
Android
iOS
Linux
Chrome OS

Copyright ©2024
GoodAccess

Facebook icon LinkedIn iconTwitter icon
Acceptable Usage Policy
Term & Conditions
Privacy Policy