OpenVPN has long been accepted as the industry standard tunneling protocol for VPN services, and it has held that position since the start of the decade.
With no modern protocol to challenge it, OpenVPN became the default choice: the most trustworthy option available, and acceptable on performance for want of anything better.
Enter WireGuard, a new VPN tunneling protocol that promises to do everything better than the outdated PPTP and L2TP, and that aims to supplant OpenVPN as well.
In this article, I will compare the key attributes of WireGuard with OpenVPN and draw a tentative conclusion as to whether we are really going to see a new protocol take the place of those that have been established for over a decade.
General Overview of the Two Protocols
OpenVPN is an established open source VPN tunneling protocol that has the endorsement of a large number of security experts and auditors.
It is widely regarded as the most secure VPN protocol available and delivers solid, if not outstanding, performance. Its control channel is TLS, implemented through the OpenSSL library, which gives it a well-understood cryptographic foundation.
Being the first widely successful open source tunneling protocol has allowed developers and providers to modify and extend it over time with new security and control features.
Currently, OpenVPN provides the best balance of speed and security. However, it is quite complex: together with the OpenSSL library it depends on, the codebase runs to over 600,000 lines, which makes it hard to implement and hard to review.
WireGuard is a different breed of VPN protocol, primarily because of its small code size: the kernel implementation is roughly 3,700 lines.
Many of WireGuard's key properties follow from this simplicity: it is easy to implement, it is fast, and there is far less room for bugs.
For a more detailed evaluation, see my earlier post, What is WireGuard?
Comparing WireGuard and OpenVPN
The comparison between these two protocols is an interesting one, because both are free and open source and both have caused a lot of stir in the VPN industry.
I will compare the two protocols on four factors: performance, cryptography, ease of use, and auditability.
1. Performance
OpenVPN is not the best protocol out there in terms of performance.
It is considerably slower than its predecessors, L2TP and PPTP, whose packet processing happens largely inside the kernel. That gap was less visible on the slower links of the time, but it matters a great deal now that gigabit connections and multi-core CPUs are commonplace.
OpenVPN runs entirely in user space: every packet crosses the kernel/user boundary on the way in and again on the way out, and a single process handles all of them, which caps both its throughput and its ability to spread work across CPU cores.
WireGuard runs inside the kernel and is far less complex. Packets never leave the kernel, and encryption can be spread across the available cores, so it is both faster and more efficient per packet.
As such, WireGuard beats OpenVPN on both throughput and latency. The published benchmark figures reproduced below show the real extent of the gap:

|Protocol|Throughput|Ping|
|---|---|---|
|WireGuard|1011 Mbps|0.403 ms|
|OpenVPN|258 Mbps|1.541 ms|

The difference is striking. WireGuard effectively saturates a gigabit link, and it does so without maxing out the CPU.
OpenVPN, by contrast, saturates the CPU at a mere 258 Mbps. This is a testament to the superior efficiency of WireGuard.
Throughput is not the only metric on which WireGuard excels. The ping figures tell the same story:
WireGuard's round-trip time is roughly a quarter of OpenVPN's.
The thing to note is that WireGuard was already producing these results while still in development.
WireGuard is therefore a serious challenger to OpenVPN on the performance front.
2. Cryptography
There is no denying that OpenVPN uses secure encryption. The OpenSSL library gives it access to well-tested cryptographic primitives.
Its use of RSA in the TLS control channel and AES on the data channel makes brute-force attacks infeasible.
The key length usually quoted for OpenVPN is 4096 bits, and that is more than you will ever need. Note, though, that this figure describes the RSA keys in the certificates used by the control channel; the AES keys that actually protect the data channel are at most 256 bits.
WireGuard, on the other hand, uses 256-bit keys throughout: Curve25519 for key exchange and ChaCha20 for the data itself.
On paper the gap looks too large to ignore, but key lengths of different algorithm families are not directly comparable (a 256-bit elliptic-curve key is generally rated as equivalent to about a 3072-bit RSA key), and in practice a 256-bit key is more than enough as it is. Anything greater is simply overkill.
The real test of encryption strength is in the cryptographic primitives and algorithms a protocol uses, given that the key lengths of both are sufficiently large.
OpenVPN negotiates its cipher suite over TLS. In a typical configuration it uses HMAC to authenticate packets, AES to encrypt them, and RSA certificates to authenticate peers, but the set of algorithms is configurable and depends on what server and client agree on.
WireGuard uses a completely different, fixed set of primitives: ChaCha20-Poly1305 for authenticated encryption, Curve25519 for key exchange, BLAKE2s for hashing and keyed hashing, HKDF for key derivation, and SipHash24 for its internal hash tables.
Comparing primitives is by no means a simple matter, and the age of an algorithm is not by itself a measure of its strength: AES is older than ChaCha20 and remains unbroken. What matters is the design around the primitives.
OpenVPN's strength depends on how it is configured, and older deployments can still be found running legacy choices such as Blowfish in CBC mode, which was its default cipher for years. Moreover, it has a far larger attack surface than WireGuard, owing to its code size and its configurability.
WireGuard, by contrast, offers no choices: every implementation uses the same modern primitives, chosen by cryptographers for constant-time implementation and wide review, and there is no negotiation that could be downgraded. That affirms its place as the more secure design of the two.
|WireGuard|OpenVPN|
|---|---|
|Maximum key length 256 bits (Curve25519, ChaCha20)|RSA keys up to 4096 bits; AES keys up to 256 bits|
|Fixed-size messages; no parsers, so no parser bugs|Negotiated, variable-length TLS handshake; uses parsers, so prone to parser bugs|
|Fixed set of modern cryptographic primitives|Configurable primitives, including outdated ones|
|Small attack surface|Very large attack surface|
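The "no parsers" point is easy to see on the wire. The following is an added example, not code from the WireGuard project: it classifies raw WireGuard UDP payloads using nothing but the type word and the total length, because every message type has exactly one fixed layout (handshake initiation 148 bytes, handshake response 92, cookie reply 64, transport data at least 32, all integers little-endian). The sample packets are constructed here for illustration and carry zero-filled key and MAC fields; a real receiver would go on to verify mac1 and decrypt.

```python
"""Classify WireGuard messages by their fixed wire layout (added example)."""
import struct

MSG_INITIATION, MSG_RESPONSE, MSG_COOKIE, MSG_TRANSPORT = 1, 2, 3, 4

# The first field is a 4-byte little-endian word: the type byte followed by
# three reserved zero bytes, so a non-zero reserved byte changes the value.
INITIATION = struct.Struct("<I I 32s 48s 28s 16s 16s")  # type, sender, ephemeral, enc static, enc timestamp, mac1, mac2 = 148
RESPONSE = struct.Struct("<I I I 32s 16s 16s 16s")      # type, sender, receiver, ephemeral, enc empty, mac1, mac2 = 92
COOKIE = struct.Struct("<I I 24s 32s")                  # type, receiver, nonce, enc cookie = 64
TRANSPORT = struct.Struct("<I I Q")                     # type, receiver, counter; then ciphertext >= 16 (Poly1305 tag)
TAG_LEN = 16


def classify(packet: bytes):
    """Return a dict describing the message, or None if it is not well-formed WireGuard.

    The (type, exact length) check is the entire parsing step: a packet of the
    wrong size is dropped before any field is read or any crypto is run.
    """
    if len(packet) < 4:
        return None
    (kind,) = struct.unpack_from("<I", packet)
    if kind == MSG_INITIATION and len(packet) == INITIATION.size:
        _, sender, eph, _static, _ts, mac1, mac2 = INITIATION.unpack(packet)
        return {"type": "handshake_initiation", "sender": sender,
                "ephemeral": eph, "mac1": mac1, "mac2": mac2}
    if kind == MSG_RESPONSE and len(packet) == RESPONSE.size:
        _, sender, receiver, eph, _empty, mac1, mac2 = RESPONSE.unpack(packet)
        return {"type": "handshake_response", "sender": sender,
                "receiver": receiver, "ephemeral": eph, "mac1": mac1, "mac2": mac2}
    if kind == MSG_COOKIE and len(packet) == COOKIE.size:
        _, receiver, nonce, _cookie = COOKIE.unpack(packet)
        return {"type": "cookie_reply", "receiver": receiver, "nonce": nonce}
    if kind == MSG_TRANSPORT and len(packet) >= TRANSPORT.size + TAG_LEN:
        _, receiver, counter = TRANSPORT.unpack_from(packet)
        return {"type": "transport_data", "receiver": receiver, "counter": counter,
                "ciphertext_len": len(packet) - TRANSPORT.size}
    return None


# Constructed sample packets (zero-filled crypto fields, made-up indices).
SAMPLE_INITIATION = INITIATION.pack(MSG_INITIATION, 0x11223344, bytes(32), bytes(48), bytes(28), bytes(16), bytes(16))
SAMPLE_RESPONSE = RESPONSE.pack(MSG_RESPONSE, 0x55667788, 0x11223344, bytes(32), bytes(16), bytes(16), bytes(16))
SAMPLE_COOKIE = COOKIE.pack(MSG_COOKIE, 0x11223344, bytes(24), bytes(32))
SAMPLE_TRANSPORT = TRANSPORT.pack(MSG_TRANSPORT, 0x55667788, 7) + bytes(40) + bytes(TAG_LEN)
# Malformed: one byte short, unknown type, reserved byte set, transport shorter than a tag.
BAD_PACKETS = [SAMPLE_INITIATION[:-1], b"\x05\x00\x00\x00" + bytes(144),
               b"\x01\x00\x00\x01" + SAMPLE_INITIATION[4:], SAMPLE_TRANSPORT[:20]]


def demo():
    """Classify the samples; returns the list of results (None for rejected packets)."""
    return [classify(p) for p in (SAMPLE_INITIATION, SAMPLE_RESPONSE, SAMPLE_COOKIE, SAMPLE_TRANSPORT, *BAD_PACKETS)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Compare this with TLS, where the record layer, the handshake layer and the X.509 certificates each need a length-driven parser, and where the lengths themselves are attacker-controlled input.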
3. Ease of Use
OpenVPN is built on a large codebase of hundreds of thousands of lines. Modifying that code takes a lot of developer effort and time.
Moreover, its support on some platforms is wanting, especially on mobile: no major mobile OS ships an OpenVPN client, so users depend on third-party apps (as iOS users are well aware).
In contrast, WireGuard's lean code makes it easy to port, and it runs across platforms with far less effort.
Its configuration surface is minimal, a key pair and a list of peers, but it is nonetheless more capable than what any other existing protocol offers.
Another characteristic that lends WireGuard its usability is that it is a versioned protocol with a fixed cipher suite, whereas OpenVPN is a negotiated, certificate-based protocol.
OpenVPN's cryptographic agility means that the cipher, hash, and key-exchange methods can be chosen per deployment; the two sides negotiate them in a TLS handshake, which is also where certificates are exchanged to authenticate the peers.
WireGuard deliberately gives up cryptographic agility. Each protocol version fixes exactly one set of primitives; if one of them is ever broken, a new protocol version is released and peers upgrade, rather than negotiating a different suite.
This removes the negotiation overhead when a connection is made and whenever it is re-established.
Because every WireGuard peer knows in advance exactly which algorithms the other side will use, the handshake completes in a single round trip: the initiator sends one message, the responder answers with one, and both sides hold their session keys.
As a result, WireGuard is easy to implement and configure for different devices, which makes it considerably easier to use than OpenVPN.
4. Auditability
This is the toughest attribute to compare, because OpenVPN is the most widely audited VPN protocol.
OpenVPN has earned the trust of security experts and cryptographers through the many audits it has undergone.
The protocol has been around for 17 years, which has given software engineers a lot of time to review, verify, and audit it. Its open source nature has played a large part in making those audits possible.
Although OpenVPN is the best-audited tunneling protocol, it is also extremely complex, given how many lines of code are behind it.
It takes a whole team to audit a codebase as large as OpenVPN properly.
WireGuard, on the other hand, has not yet received the same degree of rigorous auditing, but that is largely due to its infancy.
Because WireGuard's code is smaller by two orders of magnitude, it is far more auditable than OpenVPN.
The code is small enough that a single individual with the technical know-how can audit it independently.
This means that WireGuard is likely to become the more widely audited protocol not long after its first stable version is released.
Better auditability, in turn, means bugs are found sooner, which means stronger security and fewer vulnerabilities.
Therefore, in spite of OpenVPN being a well-audited protocol, it will be difficult for it to hold on to that status once WireGuard is out.
So WireGuard takes the cake on auditability, on which it is far superior to OpenVPN.
The VPN industry has benefited considerably from OpenVPN, which is rightly considered the best overall tunneling protocol. But it has had its time.
The shortcomings of OpenVPN call for an improved protocol, a call that has now been answered by WireGuard.
With excellent initial benchmark results and a highly efficient codebase, WireGuard is well on its way to claiming the status of the most secure AND highest-performing VPN protocol when it finally sees a stable release.
Let us hope WireGuard lives up to expectations when it finally arrives, and contributes to a safer online world in the years to come.