OpenVPN has long been accepted as the industry standard tunneling protocol for VPN services. With no other modern protocol to challenge the position of OpenVPN as the desired VPN tunnel, it was easy for it to claim the top spot in terms of both security and performance among all the protocols.
Enter WireGuard, a nascent VPN tunneling protocol that promises to do everything better than the outdated PPTP, L2TP, etc., while hinting that it may supplant OpenVPN.
However, the question remains: which protocol works better, WireGuard or OpenVPN?
The short answer: both protocols have their own pros and cons, but WireGuard is a clear winner on account of speed, security and auditability.
Without further ado, let us start comparing these VPN protocols in detail:
WireGuard vs OpenVPN: Key Differences
Here is a summary of major attributes of WireGuard and OpenVPN:
|Attribute|WireGuard|OpenVPN|
|---|---|---|
|Compatibility|Windows, Android, Linux, iOS|All devices|
|P2P File Sharing|Yes|Yes|
|Ease of Setup|Yes|No|
What is WireGuard?
WireGuard is an innovative VPN protocol that strives to deliver a more secure, simpler and faster solution to its users than prevailing protocols. The protocol runs over UDP and has a small codebase of almost 3,700 lines.
Many of the key features of this protocol stem from this simplicity of code, which facilitates easy implementation, faster performance, and fewer bugs.
Pros
- It applies state-of-the-art cryptography to deliver secure online connections
- It is relatively faster than the OpenVPN protocol
- It may decrease battery consumption and enhance roaming support on mobile devices
- It uses modern cryptographic primitives and has a small attack surface
Cons
- It supports only UDP and does not use port 443 (the HTTPS traffic port)
- The protocol is considered a work in progress
- It only works well on Linux distributions
Which VPNs support WireGuard?
Only a handful of VPN services have started supporting the WireGuard protocol. These VPNs are:
- Private Internet Access (PIA)
What is OpenVPN?
OpenVPN is a VPN protocol cum software that applies VPN techniques to protect point-to-point as well as site-to-site connections. Currently, OpenVPN provides the best balance of speed and security. However, it is quite complex: it has over 600,000 lines of code and is not easy to implement.
Pros
- It is an established open source VPN tunneling protocol that has the endorsement of a large number of security experts and auditors
- It uses the OpenSSL encryption library and TLS as the primary cryptographic standard
- The protocol delivers decent performance in terms of speed and security
Cons
- Users may face connection issues due to strong encryption
- Manual configuration of the protocol may become difficult at times on a few platforms
- It needs third-party apps to run
- It uses outdated cryptographic primitives and has a very large attack surface
Which VPNs support OpenVPN?
Here are some of the most prominent VPNs in the industry that support the OpenVPN protocol:
Comparing WireGuard and OpenVPN
Both protocols, WireGuard and OpenVPN, are free and open source. I will compare them on performance, cryptography, ease of use, and auditability.
WireGuard performs much better than OpenVPN protocol.
|Metric|WireGuard|OpenVPN|
|---|---|---|
|Throughput|1011 Mbps|258 Mbps|
|Ping|0.403 ms|1.541 ms|
OpenVPN is not the best protocol out there in terms of performance. It is considerably slower than its earlier counterparts, L2TP and PPTP, but this difference wasn’t really important until multi-threaded processing became practical. However, computers today are capable of supporting multi-threaded processing and higher throughput.
This is where OpenVPN is unable to keep up with the demand for faster speeds, because it runs in user space, which places a limit on its throughput and CPU usage. WireGuard runs in kernel space and is much less complex.
This allows it to be faster and utilize multi-threading capabilities of modern CPUs much more efficiently. As such, WireGuard can outperform OpenVPN in terms of pings and throughput. Benchmark tests have revealed the real extent to which OpenVPN lags behind WireGuard:
The difference is clearly outstanding. Not only does WireGuard almost touch 100% of the throughput of a 1 Gbps connection, it does so without maxing out the CPU. On the other hand, a CPU running OpenVPN completely maxes out at a mere 258 Mbps.
This is a testament to the superior efficiency of WireGuard. However, this is not the only metric on which WireGuard excels. Take a look at the ping test below:
WireGuard records a ping time that is less than half of OpenVPN’s. The thing to note is that WireGuard is already producing excellent performance results even though it is still in the development phase.
Therefore, WireGuard is seriously challenging OpenVPN on the performance front.
In terms of security, WireGuard holds an edge over OpenVPN protocol.
If we compare both these protocols, OpenVPN uses secure encryption techniques. The OpenSSL library provides highly secure cryptographic primitives.
Moreover, its usage of RSA and AES for data and control channels rules out the probability of brute-force attacks. The maximum encryption key length that OpenVPN supports is 4096 bits. That is more than you’ll ever need. On the other hand, WireGuard supports a maximum of 256 bits of key length.
On paper the difference looks too great to be ignored, but the two figures are not measured on the same scale: 4096 bits is an RSA key size, while WireGuard's 256-bit keys are used with elliptic-curve and symmetric algorithms, which reach comparable strength with far shorter keys. We live in the realm of practicality, and a 256-bit key length is more than enough as it is. Anything greater is simply overkill.
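To put the 4096-bit and 256-bit figures on one scale, the following added example (not part of the original article) estimates the symmetric-equivalent strength of RSA moduli with the formula from FIPS 140-2 Implementation Guidance 7.5. The 128-bit figure for Curve25519 is the commonly cited security level and is hard-coded here as an assumption.

```python
import math

def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    FIPS 140-2 IG 7.5 formula, derived from the running time of the
    general number field sieve against a modulus of this size.
    """
    x = modulus_bits * math.log(2)
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / math.log(2)

def rsa_bits_for(target_strength: int) -> int:
    """Smallest RSA modulus (in 256-bit steps) that reaches target_strength."""
    bits = 1024
    while rsa_strength_bits(bits) < target_strength:
        bits += 256
    return bits

# Nominal strengths of the fixed WireGuard primitives (assumed, commonly
# cited values): Curve25519 key agreement and a 256-bit ChaCha20 key.
FIXED_STRENGTH = {"Curve25519 (256-bit key)": 128, "ChaCha20 (256-bit key)": 256}

def comparison_table():
    """Rows of (primitive, approximate strength in bits) on one scale."""
    rows = [(f"RSA-{n}", round(rsa_strength_bits(n))) for n in (2048, 3072, 4096)]
    return rows + list(FIXED_STRENGTH.items())

if __name__ == "__main__":
    for name, bits in comparison_table():
        print(f"{name:26s} ~{bits} bits")
    print("RSA modulus needed to match a 256-bit symmetric key:",
          rsa_bits_for(256), "bits")
```

On this scale a 4096-bit RSA key and a 256-bit Curve25519 key are in the same range, which is why the raw key lengths say little about which protocol is stronger.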
As far as authentication goes, OpenVPN uses HMAC message authentication codes. For encryption, it uses AES and RSA. WireGuard, however, uses a completely different set of algorithms. These include ChaCha20, Curve25519, SipHash24, and BLAKE2s. Now comparing cryptographic primitives and algorithms is by no means a simple matter.
But you can’t argue against the general rule that an algorithm is more secure the more modern it is. While OpenVPN uses strong encryption, it is a little outdated. Moreover, it has a significantly larger attack surface as compared to WireGuard, owing to its much larger codebase.
Since WireGuard uses more recent cryptographic methods that are trusted by cryptographers, it affirms its place as the more secure protocol of the two.
3. Ease of Use
WireGuard is easier to set up manually than OpenVPN.
OpenVPN is built on a complex codebase with hundreds of thousands of lines. Modifying this code takes a lot of effort and time on the part of a developer. Moreover, its compatibility with certain platforms is wanting, especially on mobile phones (as iOS users might be well aware).
In contrast, the lean code on which WireGuard is built allows for excellent usability and cross-platform compatibility. Although it exposes only a basic interface, it is nonetheless more powerful than anything other existing protocols can offer.
Another important characteristic that lends superior usability to WireGuard is that it is a versioned protocol. OpenVPN, by comparison, is a certificate-based protocol.
The OpenVPN encryption can be modified based on user preference. For technical reasons, this requires the use of security certificates. WireGuard, however, disregards cryptographic agility, instead tying each protocol version to one specific set of encryption specifications.
This reduces the overhead incurred when a VPN connection is made as well as during re-connection. Since every version of WireGuard will have a specific encryption configuration, establishing a connection with servers will be twice as easy because the server would know in advance what to expect from the client.
As a result, WireGuard is easy to implement and configure for different devices, rendering it considerably easier to use than OpenVPN.
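What user-selectable encryption means for whoever reviews a deployment, as an added example that is not part of the original article: an OpenVPN config carries algorithm directives that have to be checked, while a WireGuard config contains only keys and addresses. Both sample configs are constructed, and the table of flagged values is an illustrative assumption rather than a complete policy.

```python
# Values a reviewer would typically flag as legacy (illustrative selection).
FLAGGED = {
    "cipher": {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"},
    "auth": {"MD5", "SHA1", "NONE"},
    "tls-version-min": {"1.0", "1.1"},
}
ALGORITHM_DIRECTIVES = set(FLAGGED) | {"data-ciphers", "tls-cipher"}
# Constructed sample configs; file names and keys are placeholders.
OPENVPN_CONF = """\
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key   # private key file
cipher BF-CBC
auth SHA1
tls-version-min 1.0
data-ciphers AES-256-GCM:BF-CBC
"""
WIREGUARD_CONF = """\
[Interface]
PrivateKey = <private-key-placeholder>
ListenPort = 51820
[Peer]
PublicKey = <peer-public-key-placeholder>
AllowedIPs = 10.0.0.2/32
"""

def audit_openvpn(conf):
    """Return (algorithm directives present, flagged settings)."""
    present, flagged = [], []
    for raw in conf.splitlines():
        # Strip '#' and ';' comments, then split directive from its arguments.
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not parts or parts[0] not in ALGORITHM_DIRECTIVES:
            continue
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        present.append(name)
        bad = FLAGGED.get("cipher" if name == "data-ciphers" else name, set())
        flagged += [(name, v) for v in value.split(":") if v.upper() in bad]
    return present, flagged

def wireguard_settings(conf):
    """Setting names in a wg-quick style config: keys and addresses only."""
    return sorted({l.split("=", 1)[0].strip() for l in conf.splitlines() if "=" in l})

if __name__ == "__main__":
    print(audit_openvpn(OPENVPN_CONF))
    print(wireguard_settings(WIREGUARD_CONF))
```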
WireGuard is more easily auditable than the OpenVPN protocol. This is the toughest attribute for this comparison because OpenVPN is the most widely audited VPN protocol. OpenVPN has earned the trust of security experts and cryptographers by virtue of the various degrees of auditing it has undergone.
The protocol has been in existence for 17 years now, and that has given software engineers a lot of time to review, verify, and audit it. Its open source nature has played a great part in facilitating audits.
Although OpenVPN is the most well-audited tunneling protocol, it is also extremely complex considering how many lines of code are behind it. It takes a whole team to properly audit a codebase as large as OpenVPN's.
WireGuard, on the other hand, has not yet received the same degree of rigorous auditing, but that is largely due to its infancy. Considering that WireGuard's code is simpler by a huge margin, it is many times more auditable than OpenVPN.
The code is so small that a single individual with the technical know-how can audit it independently. This means that WireGuard will become the more widely audited protocol not long after its first stable version is released. And with better auditability come fewer bugs, stronger security, and low vulnerability.
Despite the fact that OpenVPN is a well-audited protocol, it is going to be really difficult for it to hold on to this status once WireGuard comes out. So, WireGuard takes the cake when it comes to auditability, which is far superior in its case as compared to OpenVPN.
WireGuard has beaten the OpenVPN protocol in terms of speed, security and auditability as well.
The VPN industry has benefited considerably from OpenVPN, which is rightly considered the best overall tunneling protocol. But it has had its time. The flaws in OpenVPN call for an improved protocol, a call that has now been answered by WireGuard.
With excellent initial benchmark results and a highly efficient codebase, WireGuard is well on its way to claim its status as the most secure AND high performing VPN protocol when it finally sees the light of day.
Let’s hope WireGuard is able to live up to its expectations when it finally arrives, and contributes towards a safer online world in the years to come.