OpenVPN vs WireGuard: Which Protocol is Better?
Opinions Technical


Ben Thornton

One of the core factors in determining which VPN service to use is what VPN protocol(s) they support. VPN protocols are rules and instructions that determine how your data is routed from your device to the VPN server.

They play a significant role in the stability and security of your connection, with each protocol having its own strengths and weaknesses.

There are quite a few in use, but there are two that stand out from the rest; in this article, I’ll be guiding you through a comparison of OpenVPN and WireGuard.

What is OpenVPN?

For the longest time, OpenVPN has been the industry standard VPN protocol. Initially released in 2001 under the GNU General Public License, this open-source software was developed by James Yonan. It has since become the industry standard thanks to its reliability and flexibility.

Flexible Cryptographic Algorithms

OpenVPN supports several cryptographic algorithms as it uses the OpenSSL library to provide encryption.

  • Encryption and Authentication options include AES, Blowfish, Camellia, ChaCha20, DES, Triple DES, GOST 28147-89, Poly1305, and SM4
  • Hashing options include BLAKE2, MD4, MD5, MDC-2, SHA-1, and SHA-2
  • Key Derivation and Agreement options include DSA, Ed25519, RSA, SM2, and X25519
  • Transport Layer Protocol options include TCP or UDP
  • User Data is protected by Perfect Forward Secrecy

This is a large number of options, giving OpenVPN the flexibility to negotiate with different algorithms depending on the circumstance. The downside is that this dramatically increases code complexity, which can slow down execution.

Thoroughly Audited and Approved

OpenVPN has a well-established track record with audits, all of which have consistently failed to find any security vulnerabilities. It is the industry standard for a reason, and many security experts will back it.

Nothing in its design requires user information to be stored on the VPN side, so the protocol itself introduces no inherent privacy problem.

The software does contain hundreds of thousands of lines of code, however, making auditing a cumbersome task. Future audits are likely to be rare.

What is WireGuard?

WireGuard is the new kid on the block and is rapidly becoming the new gold standard thanks to its much sleeker code and significantly increased speeds.

When it first burst onto the scene, many were skeptical - in large part because the framework allows for storing the user's IP address for extended periods on the VPN side. Naturally, the privacy-conscious found this disagreeable.

Since then, its vastly increased speeds and significantly reduced code (allowing for much easier auditing), alongside developments by VPNs to mitigate or remove the privacy flaw, have made it the VPN protocol of choice. At the current rate, it won’t be long before OpenVPN is outpaced and, essentially, defunct.

Gotta Go Fast

In all testing, WireGuard consistently beats out all other competitors when it comes to speeds. Compared directly to OpenVPN, WireGuard is typically over 50% faster when communicating between geographically close VPN servers.

The VPN protocol is not the only factor that determines your VPN service's speed, of course, and WireGuard or not, your experience will vary from provider to provider. However, a WireGuard VPN service will outpace an OpenVPN service by a wide margin when all else is equal.

State-of-the-Art Cryptography

Unlike OpenVPN, WireGuard uses a single cryptographic algorithm per function. This sacrifices the flexibility OpenVPN has in favor of a smaller attack surface, and immunity to downgrade attacks.

  • Symmetric Encryption uses ChaCha20
  • Authentication uses Poly1305, with RFC7539’s AEAD Construction
  • ECDH anonymous key agreements use Curve25519
  • Hashing uses BLAKE2s
  • Hashtable Keys use SipHash24
  • Key Derivation uses HKDF
  • Transport Protocol Layer uses UDP
  • User Data is protected by Perfect Forward Secrecy

The use of a fixed list makes it much harder for hackers to find points of attack, increasing the security of WireGuard networks compared to OpenVPN ones. The downside is that any problems discovered with the ciphers or protocols will force all endpoint users to upgrade to a new version of WireGuard.

Easy Auditability

One of the core goals in the creation of WireGuard was to make it easily auditable, to the point that a single engineer could do the task in a reasonable amount of time. Compared to the lengthy timelines and entire teams it takes to audit a protocol like OpenVPN, this was a lofty goal.

WireGuard achieves this by reducing its codebase to a staggeringly small 4000 lines of code; for comparison, OpenVPN has around 70,000 lines in its open-source code alone. This lean codebase makes continuous auditing of the software far more practical.

Existing in the Kernel rather than User Space

WireGuard is designed to run in the Linux and Windows kernels, as opposed to the traditional operating system user space. This has the advantage of avoiding the additional overhead of user space, vastly increasing efficiency; it's primarily responsible for WireGuard's domination in speed comparisons.

Privacy Issues and their Solutions

As I mentioned earlier, when WireGuard first came onto the scene, privacy concerns were raised because the framework stores the user's IP address on the VPN server. This is a result of the cryptokey routing algorithm, and while it simplifies elements of WireGuard, it leaves a big question mark over user privacy.

Fortunately, VPN services have come up with various solutions to this problem, such as NordVPN's double-NAT "NordLynx" system or Mullvad's automatic record erasure after a short period of no communication between the VPN client and server.

Here at Windscribe, we do two things to ensure your privacy. To start, we also have automatic record erasure shortly after a connection is closed, meaning we never "keep" your IP address. Second, we also have a slightly altered WireGuard implementation that doesn't print the endpoint (IP address) when using the peer state inspection tool; this is a small additional touch that reduces the chances of staff accidentally seeing this information (like during debugging, for instance).
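To make the cryptokey routing privacy point concrete, here is an added Python model of a server-side peer table. It is my own sketch for this article, not WireGuard's or Windscribe's code: a peer's endpoint is learned from its last authenticated packet (that is the stored client IP the concern is about), the idle-timeout erasure mimics the Mullvad-style mitigation, and the redacted inspection output mimics the altered peer state tool described above. The 180-second window and the key names are assumed values, not taken from any real implementation.

```python
import ipaddress

# Constructed model of WireGuard-style cryptokey routing (not the real code):
# each peer is a public key plus the inner source IPs it is allowed to use.
IDLE_ERASE_SECONDS = 180  # assumed retention window, hypothetical value


class Peer:
    def __init__(self, pubkey, allowed_ips):
        self.pubkey = pubkey
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]
        self.endpoint = None        # (outer ip, port) learned from traffic
        self.last_seen = None       # timestamp of last authenticated packet


class CryptokeyRouter:
    def __init__(self):
        self.peers = {}

    def add_peer(self, pubkey, allowed_ips):
        self.peers[pubkey] = Peer(pubkey, allowed_ips)

    def peer_for_inner_src(self, src_ip):
        """Inbound check: the inner source IP must be inside a peer's AllowedIPs."""
        ip = ipaddress.ip_address(src_ip)
        for p in self.peers.values():
            if any(ip in net for net in p.allowed_ips):
                return p
        return None

    def on_authenticated_packet(self, pubkey, outer_endpoint, inner_src, now):
        """Accept a decrypted packet: enforce cryptokey routing, then record roaming."""
        p = self.peers.get(pubkey)
        if p is None or self.peer_for_inner_src(inner_src) is not p:
            return False                # inner source not owned by this key: drop
        p.endpoint = outer_endpoint     # this is the client IP that gets stored
        p.last_seen = now
        return True

    def expire_idle_endpoints(self, now, timeout=IDLE_ERASE_SECONDS):
        """Mitigation: forget the endpoint of any peer idle longer than timeout."""
        cleared = 0
        for p in self.peers.values():
            if p.endpoint is not None and now - p.last_seen > timeout:
                p.endpoint = None
                cleared += 1
        return cleared

    def inspect(self, redact_endpoints=True):
        """Peer-state dump; the redacted form never exposes endpoints to staff."""
        return {k: ("<redacted>" if redact_endpoints else p.endpoint)
                for k, p in self.peers.items()}
```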

There are Other Options

WireGuard and OpenVPN may be the most widely used, but they aren’t the only ones. Here, at Windscribe, we offer several options alongside those two, and they’re worth checking out for their niche advantages.

  • IKEv2
  • Stealth
  • WSTunnel

Which One is Best?

We are now at the stage where, in almost all circumstances, the answer to which one is best is, resoundingly, WireGuard. OpenVPN has advantages, including its encryption flexibility and lack of a need for a workaround for the privacy issue with WireGuard. The problem is that those aren’t overly significant advantages, so the only real reason to use OpenVPN is if you are hyper-cautious and value the old guard's more established and trusted history.

If you want increased speed, security, and transparency, then WireGuard has become the de facto standard for a reason - and that's why it's our go-to here at Windscribe.

Note: WireGuard is a registered trademark of Jason A. Donenfeld.
