Want to learn more about VPN protocols? In this guide, we compare the WireGuard and OpenVPN protocols to help you decide which protocol is the best option for you.
When it comes to VPN protocols, OpenVPN and WireGuard are the most popular. Many market-leading VPN providers include both of these protocols in their apps. This naturally leads users to ask: Which VPN protocol should I choose?
Whether you’re a beginner or have been using VPNs to gain privacy and online freedom for many years, you may still wonder which protocol is better. In this guide, we discuss the practical differences between OpenVPN and WireGuard and explain which protocol you should be using and when.
What is OpenVPN?
OpenVPN was launched in 2002 when the OpenVPN project set out to create a secure, fast, and free VPN tunneling protocol that is open source. Since that time, OpenVPN has proven itself to be one of the most reliable and secure VPN tunneling protocols available.
OpenVPN has remained the industry-standard VPN protocol for 20 years thanks to its harmonious marriage of fast speeds and watertight security. One significant advantage of OpenVPN is that it is developed by the community and can be audited by anyone.
The protocol is highly flexible, reliable, and capable of bypassing most firewalls and network restrictions. It offers compatibility with two different cryptographic libraries, which allows VPN providers to implement the protocol in various ways, and unchains VPNs from sole reliance on the OpenSSL cryptographic library.
This gives VPN providers the flexibility to integrate OpenVPN with advanced authentication methods and certificate-based authentication. Plus it supports Perfect Forward Secrecy, which, when implemented, helps to enhance overall security for VPN users.
Another advantage is that OpenVPN can run over either the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, which allows adaptability for optimizing performance and reliability based on specific networking needs and scenarios.
The main caveat is that OpenVPN's extensive codebase can lead to time-consuming and costly security audits. Consequently, OpenVPN has to rely on external funding to conduct audits and ensure that newer iterations of the protocol are still fit for purpose.
What is WireGuard?
The WireGuard protocol was developed by Jason Donenfeld as a means to solve the problems caused by OpenVPN’s large codebase. Donenfeld knew an OpenVPN audit could take weeks to undertake, which worried him.
Donenfeld was also concerned that internet users might have become overly reliant on an aging protocol that might harbor vulnerabilities in the face of evolving technology and emerging threats. For this reason, he decided to use his knowledge of network security and cryptography to develop a modern VPN protocol that would be fast, secure, and easy to audit.
His work resulted in the WireGuard protocol, introduced as a beta test in 2018, and subsequently developed with contributions and feedback from the open-source community. The benefit of WireGuard is that it uses modern cryptographic primitives with proven effectiveness for securing digital transmissions.
Its codebase is small enough for anybody with technical knowledge to audit the protocol in a day or two. To put that in perspective, WireGuard has roughly 4,000 lines of code, compared to the 70,000 lines of code seen with OpenVPN.
WireGuard provides some of the fastest VPN connections available. For this reason, it has quickly gained popularity with consumer-facing VPNs that want to provide users with speedy connections for streaming, gaming, and torrenting. In our tests, WireGuard has proven to be two to three times faster than OpenVPN when downloading.
WireGuard's cryptographic primitives can be swapped out if a vulnerability is found in one of them. The caveat is that the protocol has no cipher agility: its primitives are interdependent and fixed per protocol version, so changing one cryptographic component may require additional changes to other parts of the protocol. It also means that when a vulnerability is identified, fixing it will require updates to both the VPN server and the VPN application.
This means that the VPN provider would need to temporarily block WireGuard connections until the vulnerability had been resolved, and an updated VPN application had been sent to its users. By contrast, OpenVPN can be updated on the server side – without the need to push updates to individual users.
WireGuard vs OpenVPN – Summary
If you are in a rush to find out which of these two VPN protocols you should use, see the quick list below. Our lists show each protocol's distinct advantages and reveal which protocol you should use depending on your requirements.
WireGuard advantages
- Faster connection speeds than OpenVPN – better for streaming, gaming, and torrenting
- Robust encryption and compatibility with Perfect Forward Secrecy
- Easier to audit than OpenVPN
OpenVPN advantages
- Robust encryption and compatibility with Perfect Forward Secrecy
- Better for privacy than WireGuard
- Better for bypassing censorship because it can be stacked with obfuscation
- Better cross-device compatibility than WireGuard
- Easier to push updates and changes
WireGuard vs OpenVPN – which should you use?
Each of these VPN protocols offers some distinct advantages. OpenVPN is tried and tested, reliable, and well-equipped to provide VPN users with online privacy.
The best thing about WireGuard is that it provides lightning-fast connections. This makes it a fantastic option for streaming, gaming, torrenting, and any other tasks that require fast performance.
The WireGuard protocol is designed in such a way that it doesn’t transmit any packets unless there is data to be sent. This helps save on mobile data, processing power, and other resources such as device battery – which makes it a great option for mobile users.
One of the main disadvantages of WireGuard is that it was not originally developed for consumer VPNs. Instead, it was created as a solution for individuals and businesses to roll out their own secure VPN implementations. As a result, consumer VPNs have had to develop reliable ways to handle key sharing between consumer VPN clients and servers located all around the world.
WireGuard also suffers from a limitation caused by the way it assigns and stores IP addresses. Handling IP address information securely is crucial for consumer VPNs to provide privacy for their subscribers. Consequently, VPN providers must mitigate storage of IP addresses as part of their implementation of the WireGuard protocol.
The good news is that consumer VPNs have found solutions to both these issues:
- Key sharing has been solved by implementing centralized key management with rotating encryption keys. VPN providers also rely on digital certificates to authenticate clients and servers. In addition, VPNs use key agreement methods such as Diffie-Hellman key exchange to bolster key exchange security (perfect forward secrecy).
- IP address-based vulnerabilities have been mitigated by either setting up a system that scrubs IP data in real-time – or by using a double NAT system that prevents source IPs and VPN IPs from being linked together.
Is it safer to use WireGuard or OpenVPN to gain online privacy?
Although the WireGuard protocol is secure and future-proof, it's important to acknowledge potential flaws that may arise from the development of solutions to the key sharing and IP address-based vulnerabilities mentioned above.
These custom solutions are designed and executed by VPN providers themselves, which might make some users skeptical about using WireGuard for privacy purposes.
If you have an elevated threat model, the OpenVPN protocol might be preferable because it is better equipped to provide private VPN connections in its native state. OpenVPN has a proven track record of ensuring online privacy. It can be paired with obfuscation protocols for enhanced privacy, can effectively bypass strict firewalls, and has undergone numerous security audits.
That said, WireGuard is a newer protocol that uses modern cryptography, which theoretically provides a security advantage. The fields in the WireGuard protocol have fixed lengths, which removes the need for a parser and, with it, the risk of parser bugs.
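To illustrate the fixed-length point, here is an added example (not code from the original article or from the WireGuard project): a receiver validates a handshake-initiation message by type and length alone, slices its fields at fixed offsets, and runs the cheap mac1 check (keyed BLAKE2s, one of the primitives listed later in this article) before doing any expensive cryptography. The responder key and message contents are constructed filler, not a real handshake.

```python
import hashlib
import hmac
import os
import struct

# Field lengths (bytes) of the handshake-initiation message, per the WireGuard paper.
INIT_LAYOUT = [
    ("type", 1), ("reserved", 3), ("sender", 4), ("ephemeral", 32),
    ("static", 48), ("timestamp", 28), ("mac1", 16), ("mac2", 16),
]
INIT_LEN = sum(size for _, size in INIT_LAYOUT)  # 148 bytes, always
LABEL_MAC1 = b"mac1----"


def parse_initiation(msg: bytes) -> dict:
    """Split a handshake-initiation message into its fixed-offset fields.
    Anything with the wrong type byte or total length is rejected outright."""
    if len(msg) != INIT_LEN or msg[0] != 1:
        raise ValueError("not a handshake initiation: bad type or length")
    fields, offset = {}, 0
    for name, size in INIT_LAYOUT:
        fields[name] = msg[offset:offset + size]
        offset += size
    return fields


def compute_mac1(responder_static_pub: bytes, msg: bytes) -> bytes:
    """mac1 = Mac(Hash(Label_Mac1 || S_pub_responder), msg_alpha), where
    Hash is 32-byte BLAKE2s, Mac is 16-byte keyed BLAKE2s, and msg_alpha is
    every byte before the mac1 field."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_static_pub).digest()
    alpha = msg[:INIT_LEN - 32]
    return hashlib.blake2s(alpha, digest_size=16, key=key).digest()


def mac1_valid(responder_static_pub: bytes, msg: bytes) -> bool:
    """Cheap check a responder runs before any Diffie-Hellman work."""
    fields = parse_initiation(msg)
    return hmac.compare_digest(fields["mac1"], compute_mac1(responder_static_pub, msg))


def build_demo_initiation(responder_static_pub: bytes) -> bytes:
    """Constructed sample message: random filler for the cryptographic fields
    (no real handshake is performed), a correct mac1, and an all-zero mac2."""
    header = bytes([1, 0, 0, 0]) + struct.pack("<I", 0x1234)  # type, reserved, sender
    alpha = header + os.urandom(32 + 48 + 28)
    mac1 = compute_mac1(responder_static_pub, alpha + bytes(32))
    return alpha + mac1 + bytes(16)
```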
Generally speaking, most home internet users will find that the WireGuard protocol offers sufficient protection for privacy applications such as:
- Preventing ISP tracking
- Securely using public WiFi
- Bypassing blocks at school or work
- Working remotely
- Accessing region-locked content
- Torrenting privately and securely
Yet, for individuals like activists, political dissidents, journalists, lawyers, politicians, or others requiring the highest levels of privacy, skepticism toward a VPN’s self-deployed WireGuard implementation seems reasonable. In such cases, OpenVPN has its advantages.
On the flip side, it's essential to recognize that various consumer-facing VPNs have been consistently conducting audits of their apps and infrastructure. These VPNs have allowed third-party security firms to analyze their apps, protocols, and network implementation, meaning that their implementation of the WireGuard protocol has been verified.
If you have any privacy concerns related to the WireGuard protocol, we recommend checking the date of your VPN provider's audit (if it has had one) to ensure it took place after it added WireGuard to its service. Each option has the potential to be seen as a secure VPN protocol.
Does OpenVPN or WireGuard have better encryption?
One advantage of OpenVPN is that it offers significant flexibility by supporting a range of ciphers and other cryptographic algorithms through the OpenSSL library, including options like AES, DES, RSA, and SHA.
This versatility comes with a wider potential for poor implementation, which could lead to security breaches, and susceptibility to downgrade attacks. This makes it vital for VPN providers to implement the OpenVPN protocol securely.
At the time of writing, we would suggest only subscribing to VPNs that implement OpenVPN to the following minimum standards:
- Cipher: AES-256-CBC, AES-256-GCM, or CHACHA20-POLY1305.
- Handshake: 2048-bit RSA key (or better).
- Authentication: HMAC SHA-1 (or better).
NIST designated December 31, 2030, as the end date for SHA-1 deprecation. By that time, it should have been removed from all software and hardware. This date, however, remains subject to change based on future technological developments.
Thankfully, most reliable VPNs have already moved over to SHA-256 for HMAC authentication. For the time being, however, a VPN with the settings listed above is still considered secure.
Implementing OpenVPN with a weak cipher, authentication, or handshake could result in the OpenVPN protocol being unfit for purpose. This is why it is important to check how the VPN implements the protocol. Alternatively, stick to the VPNs we recommend, as they all exceed these minimum standards.
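As an added example (not code from the original article or from the OpenVPN project), here is a small checker that reads an OpenVPN client config and reports any setting below the minimum standards listed above. It assumes the standard directive names (`cipher`, `data-ciphers`, `auth`, `tls-version-min`); the handshake key size lives in the certificate rather than the config, so it is not checked here, and the sample configs are constructed for this demonstration.

```python
from typing import List

# Minimum standards from the article: accepted data ciphers and HMAC digests.
ACCEPTED_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "CHACHA20-POLY1305"}
ACCEPTED_AUTH = {"SHA1", "SHA256", "SHA384", "SHA512"}  # HMAC SHA-1 or stronger


def parse_directives(config: str) -> dict:
    """Collect top-level directives; skip comments and inline <ca>/<cert>/<key> blocks."""
    directives, in_block = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):            # <ca> opens a block, </ca> closes it
            in_block = not line.startswith("</")
            continue
        if not in_block:
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
    return directives


def check_openvpn_config(config: str) -> List[str]:
    """Return findings; an empty list means the config meets the article's minimum."""
    d = parse_directives(config)
    findings = []
    # OpenVPN 2.5+ negotiates from data-ciphers (formerly ncp-ciphers); older
    # configs pin a single cipher. Every cipher offered must be acceptable.
    offered = d.get("data-ciphers") or d.get("ncp-ciphers") or d.get("cipher")
    if offered is None:
        findings.append("no cipher or data-ciphers set; the client's default applies")
    else:
        for c in offered.upper().split(":"):
            if c not in ACCEPTED_CIPHERS:
                findings.append(f"cipher {c} is below the minimum standard")
    auth = d.get("auth", "SHA1").upper()    # OpenVPN's default auth digest is SHA1
    if auth not in ACCEPTED_AUTH:
        findings.append(f"auth {auth} is weaker than HMAC SHA-1")
    # Not in the article's list, but it guards against the downgrade attacks it mentions.
    if "tls-version-min" not in d:
        findings.append("tls-version-min is unset; pin TLS 1.2 or newer")
    return findings


# Constructed sample configs (not real provider configs).
WEAK_CONFIG = "client\nremote vpn.example.invalid 1194 udp\ncipher BF-CBC\nauth MD5\n"
GOOD_CONFIG = ("client\nremote vpn.example.invalid 443 tcp\n"
               "data-ciphers AES-256-GCM:CHACHA20-POLY1305\nauth SHA256\n"
               "tls-version-min 1.2\n<ca>\n# placeholder PEM, skipped by the parser\n</ca>\n")
```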
WireGuard uses a fixed selection of protocols and ciphers: ChaCha20, Poly1305, Curve25519, BLAKE2s, and SipHash24. This streamlined approach to protocol deployment reduces attack vectors and enhances WireGuard’s resistance to exploitation by hackers. It also removes the potential for most downgrade attacks. Similar to OpenVPN, WireGuard can be implemented with Elliptic Curve Diffie-Hellman keys to provide Perfect Forward Secrecy.
The lack of customization options helps to make WireGuard more secure. Its modern cryptographic elements are robust, making it safe to use for privacy and security purposes. Although WireGuard’s cryptography is often described as “modern,” it is not quantum-resistant (NIST).
In conclusion, both of these VPN protocols are highly secure when implemented correctly. However, WireGuard’s security is standardized, reducing the possibility of poor implementations by VPN providers. This may make WireGuard a better option for VPN beginners who are unsure how to assess the reliability of OpenVPN security offered by competing VPN providers.
Is OpenVPN or WireGuard better for bypassing censorship?
Both of these protocols can be, and have been, deployed by VPN providers over TCP port 443. This means that they can both be used to provide basic obfuscation.
With that said, it is worth noting that by default WireGuard uses UDP over port 51820. This makes it easier for ISPs and networks to block default WireGuard connections.
In addition, OpenVPN can more easily be stacked with additional obfuscation technologies, such as Stunnel, XOR, or Obfsproxy. This versatility makes OpenVPN better for bypassing censorship than WireGuard.
If you want a VPN that offers WireGuard with added stealth, you will need to check with your provider to find out whether it is possible to switch from UDP to TCP over port 443. This is not a common feature, but it is currently available with Mullvad.
Either option will help the user to bypass strict censorship in countries that block or ban most commercial VPN services.
Should I use OpenVPN or WireGuard for streaming?
WireGuard is fast, which makes it great for streaming. Speed tests conducted by the WireGuard Project have found the open-source VPN protocol to be up to six times faster than OpenVPN. This gives WireGuard a distinct advantage for users who want to stream HD content.
If your VPN has WireGuard in its apps, we would recommend using it for:
- Streaming live TV
- Watching Netflix or other streaming platforms on vacation
- Bypassing blocks to stream YouTube, Netflix, Hulu, or any other video platform at work
- Watching sports online
- Accessing restricted news shows in countries with overreaching censorship
- Bypassing ISP throttling to get the best speeds when streaming
- Any tasks that need faster speeds, whether it's gaming, torrenting, or anything else
OpenVPN is a highly reliable protocol capable of providing decent speeds. If your VPN app gives you the option of OpenVPN TCP and OpenVPN UDP, the latter is the faster protocol.
Should I use OpenVPN or WireGuard for gaming?
A fast VPN connection is essential for playing popular multiplayer games. A fast VPN can improve ping times, reduce lag, and make it easier to engage in multiplayer sessions that use VoIP for voice chat – perfect if you want to play multiplayer games in countries that block VoIP.
WireGuard doesn’t transmit packets unless they need to be sent. This helps to make the protocol less resource-intensive, easier on battery consumption, and kinder on data consumption. This is advantageous for mobile gaming, gaming on devices with limited processing power, and gaming on networks with limited bandwidth. If battery life is an issue, there's a clear winner.
For this reason, we recommend using the WireGuard protocol any time that you want to play games. Below, we have included a list of games that greatly benefit from using the WireGuard protocol:
- Fortnite
- Minecraft
- Call of Duty
- CS:GO
- Among Us
- Apex Legends
- ROBLOX
- Rainbow Six Siege
- GTA Online
- League of Legends
- Overwatch
- World of Warcraft
- Valorant
- Rocket League
- Destiny 2
- PUBG
Will WireGuard replace OpenVPN?
Because VPN providers must update both their servers and the VPN application if a WireGuard vulnerability is discovered, it is a bad idea for consumer VPNs to implement WireGuard exclusively in their apps.
Providing an additional option, such as OpenVPN, will allow users to stay connected even if this scenario comes to pass. It also allows VPNs to provide users with additional connection options, which can help users to connect under varying network conditions and circumstances.
That said, some major VPN providers have already started implementing WireGuard (or a custom WireGuard fork) as the primary protocol in their apps. This is a testament to the protocol’s efficacy, security, reliability, and performance. Proprietary protocols are likely to become more popular, helping to avoid any potential privacy issues while improving everything from battery consumption to download speeds.
As time passes, more VPNs may decide to implement WireGuard solely in their apps, but they may come to regret it. This is why we recommend sticking to a VPN service that offers both WireGuard for when you want fast speeds, and OpenVPN if you prefer something that is compatible with more devices and provides better options for bypassing blocks in countries with strict censorship. In terms of security, either option is sure to improve user privacy.
Comments
S3curityPlu5 - 4 days ago
C'mon, I always at least try to comment and let the author know I just found his writing piece, and although I may not have made much noise upon our first meeting, I always must try to post something, because I wouldn't want to decide to forget this in a year and, when I come to read it again, most likely the person who has gotten stuck being responsible for the last bills, if they are not feeling like anyone is reading or needing to find their articles, MOST non-commented blogs eventually succumb to the comment-free SHY SYNDROME
and nobody pays to maintain the hosting or the domain registrar