OpenVPN vs. WireGuard: Which Open Source VPN Tool Suits Enterprises the Best?

essidsolutions

Virtual Private Networks (VPNs) use security protocols to give you an encrypted connection while you browse online. OpenVPN and WireGuard are two of the most prominent of these protocols. In this review, we compare the two across several significant parameters.

OpenVPN

OpenVPN was released in 2001 and has since earned an unrivalled place in the VPN protocol scene. Both its security and performance have been top-notch since it came into existence. OpenVPN is open-source software released under the GNU General Public License (GPL). Since its release, OpenVPN has been a favorite among many VPN companies for its excellent ability to traverse firewalls.

The software also makes it convenient to traverse Network Address Translators (NATs) and offers considerable reliability and flexibility. To date, OpenVPN has close to 60 million downloads, adding multiple security layers to users' setups. All types of users, especially cloud service providers and third-party system integrators, enjoy the speed it brings.

WireGuard

WireGuard is quite new: released in 2019, it poses tough competition to the industry's gold standard, OpenVPN. Despite its short time in the industry, WireGuard already made its mark when NordVPN incorporated it and built the proprietary NordLynx protocol on top of it. WireGuard's purpose was to create a simpler and faster VPN protocol than those already in the industry.

WireGuard is also open-source software. However, according to its creator Donenfeld, it deliberately picks one specific solution for every aspect of VPN security rather than offering choices. Its protocol runs over User Datagram Protocol (UDP) and has a code size of about 3,700 lines.

Image: List of VPN services that support WireGuard and/or OpenVPN.

See more: Beyond the Zero Trust Hype: Is VPN Responsible for the Big Switch?

Key Parameters for Comparison Between OpenVPN and WireGuard

In this review, we will be focusing on some crucial aspects for comparing OpenVPN and WireGuard. These are:

  • Performance and Speed
  • Encryption and Library Support
  • Security and Privacy
  • Mobility and Compatibility
  • Censorship Structure
  • Authentication Methods

1. Performance and speed

Throughput and ping tests are two significant factors to consider when evaluating the performance of VPN software. Throughput measures the volume of data that can pass through the firewall once a user is connected to the network. Ping measures the round-trip time taken to send a data packet between devices and receive the reply, also called latency.

WireGuard's throughput is 1,011 Mbps, compared to OpenVPN's 258 Mbps. Today's computers support multithreaded processing far better than earlier ones. OpenVPN cannot deliver higher speeds because it runs in userspace, whereas WireGuard's integration into kernel space puts less pressure on the CPU.

Similarly, the ping tests return 0.403 milliseconds for WireGuard and 1.541 milliseconds for OpenVPN. Using OpenVPN over UDP and WireGuard via the NordLynx protocol, the following are the speed test results when connecting from the UK on a 350 Mbps connection to servers around the world:

Server location   OpenVPN (UDP)   WireGuard (NordLynx)
UK                135 Mbps        286 Mbps (112% faster)
Germany           131 Mbps        277 Mbps (111% faster)
USA               142 Mbps        254 Mbps (79% faster)
Japan             139 Mbps        269 Mbps (94% faster)
Australia         118 Mbps        207 Mbps (75% faster)

Our analysis

Since UDP is faster than TCP, speed tests for OpenVPN should be run over UDP rather than TCP. On NordVPN, WireGuard is a lot faster than OpenVPN: it is designed to take advantage of multiple processors and uses faster encryption. Regardless of where users connect, WireGuard was consistently at least 75% faster than OpenVPN, and on shorter-distance connections it delivers almost double OpenVPN's rate.

Image: Throughput test between OpenVPN and WireGuard

Image: Ping test between OpenVPN and WireGuard

On other VPN services that support both protocols, such as Surfshark and Mullvad, WireGuard also delivers better speeds, except for Mullvad's UK server. Private Internet Access (PIA) tests show lower speeds with WireGuard, mainly because its implementation is relatively immature and not yet fully optimized. Overall, WireGuard takes the lead in speed and performance.

Winner: WireGuard

2. Encryption and library support

OpenVPN's cryptographic algorithms come from the OpenSSL library, which offers a wide variety of encryption methods. Its ciphers include AES, Blowfish, Camellia, ChaCha20 (with Poly1305 for authentication), DES, and Triple DES, among many others. For hashing, it offers MD5, MD4, SHA-1, SHA-2, BLAKE2, and more. For key exchange and signatures, the library provides RSA, DSA, X25519, and others. Besides Perfect Forward Secrecy (PFS) for user-data protection, OpenVPN can run over either UDP or TCP at the transport layer.

Image: Encryption structure in OpenVPN

Unlike OpenVPN, which has a certain degree of flexibility in its algorithms, WireGuard has a fixed set: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for ECDH (Elliptic-curve Diffie-Hellman), BLAKE2s (RFC 7693) for hashing, and SipHash24 for hashtable keys, along with UDP transport and PFS.

Moreover, WireGuard is built on public-key cryptography and strong authentication. Apart from offering a secure key generator, it also provides automatic key management. The option of a pre-shared key adds an extra security layer. OpenVPN, on the other hand, uses certificates and a private key for identification and encryption.

Image: Encryption structure in WireGuard
Source: https://techninjapro.com/wireguard-vs-openvpn-the-best-security-protocol/#wireguard-history

Our analysis

Because WireGuard has a limited set of ciphers and algorithms, the code on every device must be updated if one of them is found to be insecure. OpenVPN, by contrast, can be switched to a different cipher or authentication algorithm through configuration, so its code would not need to change.

OpenVPN encrypts and authenticates data by relying on the OpenSSL library, which has been around for many years and has undergone rigorous testing. WireGuard, by contrast, only allows its fixed ChaCha20 encryption cipher with Poly1305 authentication.

Additionally, OpenVPN uses RSA and AES for the control and data channels, which reduces the possibility of attacks on passwords and encryption keys. The maximum key length that OpenVPN supports is 4096 bits (an RSA key size), while WireGuard's keys are limited to 256 bits (Curve25519 and ChaCha20 key sizes), so the two figures are not directly comparable. As of now, both OpenVPN and WireGuard are free of any known vulnerabilities. However, WireGuard is less complex, with less code and one set of ciphers per protocol version, and requires an upgrade if problems are found. OpenVPN has a larger attack surface.

Winner: OpenVPN

See more: Your VPN Infrastructure Might Not Be as Secure As You Think

3. Security and privacy

OpenVPN is one of the most secure options, but it must be configured appropriately. Its code has been audited and is backed by many experts. WireGuard's code, in turn, is small, easy to audit, and not vulnerable to any known security flaws. It is also extremely safe, fast, and resistant to tampering thanks to its faster and comparatively newer crypto algorithms. What's more, when a vulnerability is found in any cipher or algorithm, the endpoints are updated to a new version, ensuring that none of them keep running compromised code.

Image: Server architecture in WireGuard
Source: https://infosecwriteups.com/setting-up-a-wireguard-vpn-server-architecture-for-internal-network-access-2adcdc79e8e1

If you want to be sure your data is safe, OpenVPN is the best protocol. It does not store any personally identifiable information about its users, such as their IP addresses. WireGuard's Cryptokey Routing, however, stores users' IP addresses on the VPN server until it reboots, which sits poorly with the concept of a zero-logs VPN. It could also put your IP address at risk, as it may get exposed through a WebRTC leak. That said, many prominent VPN providers already have workarounds that address these issues with WireGuard and make it more private.

Our analysis

WireGuard is a relatively new protocol, but it can provide just as much security as OpenVPN. OpenVPN has been around longer, has gone through more third-party security audits, and has a longer track record than WireGuard. As WireGuard matures it will become even more attractive, thanks to its minimal codebase and updated encryption algorithms.

Requiring all endpoints to update to a new WireGuard version has some drawbacks, but it also eliminates the possibility of downgrade attacks. The conservative choice is OpenVPN. However, WireGuard is gaining maturity, implementing updated encryption algorithms, and cutting down its codebase. WireGuard is the newer option with the latest tech.
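The trade-off described in this section and in the encryption analysis above (a negotiable cipher list that can be changed by configuration, versus a fixed suite that forces every endpoint onto a new version) can be shown in a few lines. The following is an added example, not OpenVPN's or WireGuard's code: the server preference list, the legacy-cipher set, the suite table and the version numbers are constructed for the illustration, although the cipher names follow OpenSSL/OpenVPN naming and the version 1 suite lists WireGuard's published primitives.

```python
"""Negotiable cipher suite versus fixed suite.

Added example, not OpenVPN's or WireGuard's code. A negotiable protocol can
keep running old code and simply stop offering a cipher that turned out weak,
but an allow-list that still contains a legacy cipher leaves a downgrade path
open. A fixed-suite protocol has nothing to negotiate: peers either run the
same version or fail closed, and replacing a primitive means a new version.
"""
from typing import Optional, Sequence, Tuple

# Server-side preference for a negotiable protocol, strongest first (constructed).
SERVER_PREFERENCE: Tuple[str, ...] = (
    "AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM", "AES-256-CBC", "BF-CBC",
)
# Ciphers an operator should never leave negotiable once considered weak (constructed set).
LEGACY_CIPHERS = frozenset({"BF-CBC", "DES-CBC", "DES-EDE3-CBC"})


def harden(server_allow: Sequence[str]) -> Tuple[str, ...]:
    """Configuration-only fix for a negotiable protocol: drop weak ciphers
    from the allow-list. The program binary does not change."""
    return tuple(c for c in server_allow if c not in LEGACY_CIPHERS)


def negotiate(client_offer: Sequence[str], server_allow: Sequence[str]) -> Optional[str]:
    """Pick the first cipher in the server's preference order that the client
    also offers. Returns None when there is no overlap (connection refused).
    With an unhardened allow-list, a client offering only a legacy cipher
    still gets one: that is the downgrade the text refers to."""
    offered = set(client_offer)
    for cipher in server_allow:
        if cipher in offered:
            return cipher
    return None


# Fixed-suite model: one immutable suite per protocol version. Version 1 lists
# WireGuard's published primitives; version 2 is a constructed stand-in for
# "the suite after a primitive had to be replaced".
FIXED_SUITES = {
    1: {"aead": "ChaCha20-Poly1305", "kex": "Curve25519", "hash": "BLAKE2s"},
    2: {"aead": "<replacement AEAD>", "kex": "Curve25519", "hash": "BLAKE2s"},
}


def fixed_suite_handshake(local_version: int, peer_version: int) -> Optional[dict]:
    """No negotiation: both peers must run the same version, otherwise the
    handshake fails closed. There is no weaker option for anyone to select."""
    if local_version != peer_version:
        return None
    return FIXED_SUITES.get(local_version)


if __name__ == "__main__":
    print(negotiate(["AES-128-GCM", "BF-CBC"], SERVER_PREFERENCE))  # AES-128-GCM
    print(negotiate(["BF-CBC"], SERVER_PREFERENCE))                 # BF-CBC (downgrade accepted)
    print(negotiate(["BF-CBC"], harden(SERVER_PREFERENCE)))         # None (refused)
    print(fixed_suite_handshake(1, 2))                              # None (peer must upgrade)
```

The practical reading for an OpenVPN deployment is that "flexibility" only helps if the server's allowed cipher list is actively pruned; for WireGuard the equivalent task is keeping every endpoint on the same version.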

Winner: OpenVPN

4. Mobility and compatibility

Users today often switch between Wi-Fi and mobile networks while using their devices, so it is essential that your VPN software can handle this too. WireGuard is great for mobility because it makes the transition effectively and efficiently. However, it is currently only compatible with Windows, Android, iOS, and Linux; with time, you can expect this list to grow.

OpenVPN, on the other hand, struggles with mobility because it cannot keep up with network switches. However, it is compatible with most computer platforms, including Solaris, QNX, Maemo, FreeBSD, and ChromeOS. OpenVPN works with almost any platform and is a favorite among manufacturers, who implement it in their routers, firewalls, and other devices. It is also easy to find a cloud host with OpenVPN. WireGuard is too young for many manufacturers to have integrated it into their hardware, but you can still create your own server on any Linux distribution.

Our analysis

WireGuard is a better option for mobility than OpenVPN. While OpenVPN has historically struggled to handle network changes, WireGuard handles them seamlessly. For mobile devices, VPN services have relied on a different protocol, IKEv2, as it is considered a better fit for this purpose. IKEv2 is a good protocol, but it is closed-source. WireGuard therefore presents an open-source solution to the problem of choosing a VPN protocol for mobile. Even though OpenVPN is compatible with all major platforms, WireGuard has better mobility, and in today's mobile-first era that wins the round.

Winner: WireGuard

5. Censorship structure

OpenVPN and WireGuard are both excellent VPN protocols, but OpenVPN offers something WireGuard does not: the ability to communicate over TCP. TCP and UDP may sound like two different ways to connect to the internet, but they are simply two different transport protocols. TCP is more reliable than UDP, and OpenVPN over TCP is good for bypassing strict censorship regimes because it can use TCP port 443, the same port HTTPS uses. Both WireGuard and OpenVPN may be good VPN protocols, but OpenVPN remains the safest and most stable.

Our analysis

UDP is faster and stable when used for VPN tunnels, but TCP is preferred for crossing firewalls and defeating censorship. It is unlikely that any country would block port 443, which is used for all sorts of essential activities such as e-commerce and banking. TCP can be used to bypass censorship in countries such as China, Russia, and Turkey, and OpenVPN over TCP is more effective at evading censorship regimes than WireGuard. Since WireGuard only works over UDP, PIA could not get past the censorship with WireGuard when connecting to China servers, but it successfully established a connection with OpenVPN.

Winner: OpenVPN

6. Authentication methods

OpenVPN supports three different methods of authenticating to the VPN server. The first uses pre-shared keys generated by the server to prove who you are. The second is certificate-based authentication, which works on the same principle but is more secure. The third is a username and password, which is optional.

Image: Working process in OpenVPN
Source: https://www.vpnunlimited.com/help/vpn-protocols/open-vpn-protocol

With OpenVPN's counterpart WireGuard, authentication is straightforward: the two sides exchange public keys, and each keeps its own private key. The server uses its own private key and a list of peers' public keys to identify users. The client side likewise holds its own private key and the public key of the server it connects to. Adding another client is as simple as adding a new peer, and it is ready to use.
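The peer list described here, and the Cryptokey Routing mentioned in the security section as the reason a WireGuard server holds client IP addresses in memory, are the same mechanism: each peer's public key is bound to the tunnel addresses it may use, and both the outbound peer selection and the inbound source check run against that binding. The following is an added example, not WireGuard's own code; it is a simplified model (real WireGuard keeps AllowedIPs in a prefix trie and refreshes the endpoint on any authenticated packet), and the key names, tunnel addresses and endpoints are constructed placeholders.

```python
"""Toy model of WireGuard's cryptokey routing.

Added example, not WireGuard's own code. In a WireGuard configuration each
[Peer] binds a public key to its AllowedIPs. Outbound, the destination IP
selects the peer (longest matching prefix) and therefore the key the packet
is encrypted to. Inbound, a packet that decrypted under a peer's session is
accepted only if its inner source IP lies inside that peer's AllowedIPs.
The endpoint table is the per-session state the server holds in memory until
it restarts, which is the IP retention the article describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # outer (IP, UDP port) a peer was last seen from


@dataclass
class Peer:
    public_key: str                       # placeholder label, not a real key
    allowed_ips: list                     # ip_network objects this peer may use
    endpoint: Optional[Endpoint] = None   # None until a valid packet has arrived


class CryptokeyRouter:
    def __init__(self) -> None:
        self._peers: Dict[str, Peer] = {}

    def add_peer(self, public_key: str, allowed_ips: List[str]) -> None:
        nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
        self._peers[public_key] = Peer(public_key, nets)

    def peer_for_destination(self, dst_ip: str) -> Optional[str]:
        """Outbound lookup: the peer whose AllowedIPs contain dst with the
        longest prefix. None means no peer claims the address, so the packet
        is dropped rather than sent to an arbitrary peer."""
        addr = ipaddress.ip_address(dst_ip)
        best_key, best_len = None, -1
        for key, peer in self._peers.items():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best_key, best_len = key, net.prefixlen
        return best_key

    def accept_inbound(self, public_key: str, inner_src_ip: str, seen_from: Endpoint) -> bool:
        """Inbound check, run after the packet has already decrypted and
        authenticated under this peer's session: accept only if the inner
        source IP is one the peer is allowed to use. A valid packet also
        refreshes the peer's endpoint, which is how a roaming client keeps
        working after a network change."""
        peer = self._peers.get(public_key)
        if peer is None:
            return False
        addr = ipaddress.ip_address(inner_src_ip)
        if not any(addr in net for net in peer.allowed_ips):
            return False  # genuine key, but the source IP is not its own: drop
        peer.endpoint = seen_from
        return True

    def session_table(self) -> Dict[str, Endpoint]:
        """What the server remembers per peer: the last endpoint it was seen from."""
        return {k: p.endpoint for k, p in self._peers.items() if p.endpoint is not None}


def build_demo_router() -> CryptokeyRouter:
    """Constructed topology: a laptop, a branch office that routes a LAN
    behind it, and an exit peer that claims the default route."""
    router = CryptokeyRouter()
    router.add_peer("PUBKEY_LAPTOP", ["10.0.0.2/32"])
    router.add_peer("PUBKEY_BRANCH", ["10.0.0.3/32", "192.168.50.0/24"])
    router.add_peer("PUBKEY_EXIT", ["0.0.0.0/0"])
    return router


if __name__ == "__main__":
    r = build_demo_router()
    print(r.peer_for_destination("192.168.50.7"))  # PUBKEY_BRANCH
    print(r.peer_for_destination("8.8.8.8"))       # PUBKEY_EXIT
    print(r.accept_inbound("PUBKEY_LAPTOP", "10.0.0.3", ("203.0.113.5", 51820)))  # False
    print(r.accept_inbound("PUBKEY_LAPTOP", "10.0.0.2", ("203.0.113.5", 51820)))  # True
    print(r.session_table())  # {'PUBKEY_LAPTOP': ('203.0.113.5', 51820)}
```

Two things the model makes visible: a peer whose key is valid still cannot speak as another peer's tunnel address, and the endpoint table is exactly the per-client state that exists for the lifetime of the server process, which is why providers wanting a zero-logs posture add their own arrangements on top.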

Our analysis

When you connect to a VPN, it should not store anything that contains personal information. OpenVPN does not require any data to be stored, but WireGuard needs information about the IP address, which is a concern from the privacy perspective. If a server is compromised, users' activity logs can be linked to their IP addresses, defeating the whole purpose of using a VPN. In its standard implementation, WireGuard keeps IP addresses for at least the span of the session. VPN services like Mullvad, NordVPN, and IVPN have introduced workarounds to minimize these risks, but it is still not an ideal choice if you are working on something that requires critical security.

Winner: OpenVPN

See more: The Aging VPN Is Ready for an SDN Reboot

Comparison of OpenVPN and WireGuard

Pros and Cons of OpenVPN

Pros:

  1. OpenVPN is a well-established and highly recommended encryption program.
  2. It uses the OpenSSL library and TLS, encrypting all data, and is a leading standard in cryptography.
  3. Various top VPNs use this protocol, such as NordVPN, ExpressVPN, Surfshark, PureVPN, and CyberGhost.

Cons:

  1. OpenVPN has a larger attack surface as compared to WireGuard.
  2. Often the strong connection might lead to some connection issues.
  3. The manual configuration is complex with OpenVPN and might become a hindrance for advanced users.

Pros and Cons of WireGuard

Pros:

  1. WireGuard is a secure, fast VPN protocol with top-notch cryptography, and it is faster than OpenVPN.
  2. WireGuard is also good for your battery life because it does not consume much power.
  3. Popular VPNs that offer WireGuard are Surfshark, Private Internet Access, CyberGhost, and NordVPN.

Cons:

  1. WireGuard may not be finished yet, but it has the potential to be a great VPN protocol down the road.
  2. One major disadvantage is that it only supports UDP and does not use port 443, which makes it less than ideal for bypassing content restrictions.
  3. It stores users' IP addresses for the duration of their session, which makes it unsuitable for high-security environments.

Conclusion

When it comes to internet security, you need a VPN protocol that is user-friendly and easy to navigate. WireGuard is an excellent choice in this respect: OpenVPN's code is complicated, with hundreds of thousands of lines that can take some time to get used to, while WireGuard's much shorter code makes it far more accessible.

Pricing and subscription plans for both OpenVPN and WireGuard depend on the VPN service you choose, whichever of the two it offers. WireGuard brings you its benefits simply by paying for a VPN service that implements it. With OpenVPN, you can either use it through your chosen VPN service or set it up manually; since it is open-source, it is entirely free in that case.

WireGuard is a phenomenal VPN protocol that arrived and gave nail-biting competition to its counterpart, the industry's gold standard, OpenVPN. Even though WireGuard delivers lightning-fast speed on any VPN service, OpenVPN has one essential advantage over it: it does not store IP addresses for the duration of a session. The whole point of using a VPN is to hide your IP address and activity from prying eyes, which WireGuard does not fulfil. WireGuard is catching up, with many prominent services providing their own arrangements to mitigate such risks.

Until then, OpenVPN remains the most reliable and stable software, and our winner.

Do you think OpenVPN scores over WireGuard in terms of its stability, reliability, and ability to hide IP addresses? Comment below or let us know on LinkedIn, Twitter, or Facebook. We'd love to hear from you!

Disclaimer: Unless stated otherwise, any information provided in this review does not constitute a recommendation or endorsement for the products listed in the article. All information in this article is provided in good faith, however we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of products that are reviewed. The viewpoints expressed within the content are solely the author’s and do not reflect the views of Spiceworks Ziff Davis or its affiliates.