Disclosure: Top10VPN is editorially independent. We may earn commissions if you buy a VPN through links on our site.

WireGuard vs OpenVPN

JP Jones - CTO @ Top10VPN

JP is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio

Our Verdict

WireGuard is much faster than OpenVPN. It also consumes around 15% less data, handles network changes better, and appears to be equally secure. However, OpenVPN has been thoroughly tried-and-tested, is more privacy-friendly, and is supported by a larger number of VPNs. WireGuard is an excellent VPN protocol, but OpenVPN is still the best choice for the most privacy-conscious user.

WireGuard and OpenVPN options in Surfshark VPN's protocol selection settings

Surfshark supports both the WireGuard and OpenVPN protocols.

Virtual private networks (VPN) use VPN protocols to create and secure your connection. Two of the best and most commonly-used protocols are OpenVPN and WireGuard.

OpenVPN has been around since 2001 and is traditionally seen as the industry’s gold standard. But the new WireGuard VPN protocol has burst onto the scene since its release in 2019, and is now threatening to take that crown away from OpenVPN.

In this in-depth guide we compare OpenVPN and WireGuard to see which VPN protocol you should be using.

Our extensive lab tests reveal which of the protocols is best in seven key areas, including security, speed, privacy, ease of use, and more.

We’ll also tell you how these protocols came into being, give some background information on who’s behind them, and explain the differences in how they work.

First, here’s a quick summary of how OpenVPN and WireGuard compare in each of the of key categories:

Category Winner
Speed WireGuard

WireGuard is twice as fast as OpenVPN, if implemented correctly.

Security & Encryption Tie

Neither protocol has any known security vulnerabilities.

Bypassing Censorship OpenVPN

OpenVPN is better at bypassing censors (e.g. the Great Firewall of China) because it can use TCP port 443.

Mobility WireGuard

WireGuard offers a more reliable connection for mobile users than OpenVPN because it handles network changes better.

Data Usage WireGuard

OpenVPN adds a data overhead of up to 20%, whereas WireGuard uses just 4% more data (compared with not using a VPN).

Privacy & Logging OpenVPN

VPN services need to include mitigations to ensure user privacy when using WireGuard.

VPN & Device Compatibility OpenVPN

OpenVPN is currently supported by many more VPNs, across many more devices, than WireGuard.

Read on for an introduction to the two protocols, or use the category links below to skip to the section most important to you.

What are OpenVPN and WireGuard?

OpenVPN and WireGuard are two types of VPN protocol. A VPN protocol is a technology used to create a secure tunnel between your device and a VPN server. (Learn more about how VPNs work here).

You can use both OpenVPN and WireGuard independently to create your own VPN connection. However, they’re more commonly used as part of a commercial VPN service.

Here’s an overview of each protocol’s main features:

Feature OpenVPN WireGuard
Date Released May 2001 September 2019
Encryption AES, Blowfish, Camellia ChaCha20, Poly1305
Code Length >70,000 lines ~4,000 lines
Open Source Yes Yes
Security Strong Strong
Privacy Strong Needs mitigations
Speeds Moderate Fast

OpenVPN

The original OpenVPN software was created in 2001 by James Yonan. He made OpenVPN because he wanted to ensure his connection was private when he was travelling through Central Asia and using Asian and Russian internet connections.

Today, Yonan is the CTO of OpenVPN Inc. The company provides business-to-business services as well as running OpenVPN. The company’s CEO and founder is Francis Dinha, who grew up in Iraq and shares Yonan’s concerns about staying private from state surveillance.

The OpenVPN software has now been downloaded from the website more than 60 million times, and pretty much every VPN today supports the protocol. It’s available under an open-source license, which means anyone can view its underlying code.

For over a decade, OpenVPN has been considered the pinnacle of VPN security. However, with the release of WireGuard, we now have a new contender for that top spot.

WireGuard

WireGuard Logo

WireGuard was created by Jason A. Donenfeld from Edge Security, and had its first stable release in September 2019. It’s designed to improve upon existing VPN protocols by being simpler, faster, and easier to use.

Unlike OpenVPN, WireGuard is “cryptographically opinionated,” to use Donenfeld’s words. That means he’s selected one solution for each aspect of the VPN’s security. WireGuard therefore includes less choice than OpenVPN, but it’s far less complex as a result.

Like OpenVPN, WireGuard is also open source.

Despite only being released in September 2019, WireGuard has already been incorporated into a number of VPN services. NordVPN, for example, built its proprietary NordLynx protocol on top of it.

So which one is better? Let’s start by comparing their encryption and security levels.

WireGuard vs OpenVPN: Speed Comparison

WireGuard was designed with speed in mind. OpenVPN was not. As such, WireGuard is considerably faster than OpenVPN. It’s optimized to use multiple processor cores at the same time, and it uses faster encryption methods.

WireGuard’s own measures suggest their protocol is at least 3x faster than OpenVPN – with a throughput of 1011Mbps, compared to OpenVPN’s 258Mbps.

WireGuard's own speed test results graph

The team admits, however, that these results are “old and crusty and not super well conducted”, so we ran the tests ourselves to see which protocol was faster.

WireGuard Is Faster Than OpenVPN in Most VPNs

NordVPN is an excellent VPN service that was one of the first to support both WireGuard and OpenVPN, so it’s ideal for running a speed test comparison.

We connected to NordVPN servers around the world using either the OpenVPN (UDP) protocol or the NordLynx (WireGuard) protocol and recorded our connection speeds. Here’s a summary of our findings:

Server Location OpenVPN (UDP) WireGuard (NordLynx)
UK 135Mbps 286Mbps (112% faster)
Germany 131Mbps 277Mbps (111% faster)
USA 142Mbps 254Mbps (79% faster)
Japan 139Mbps 269Mbps (94% faster)
Australia 118Mbps 207Mbps (75% faster)

Speed test data recorded from the UK on a 350Mbps connection.

WireGuard was consistently over 75% quicker than OpenVPN, no matter where in the world we were connecting to. On shorter-distance connections, the difference was even more pronounced, with WireGuard running at over double the speed of OpenVPN.

These results match what NordVPN themselves saw when comparing NordLynx and OpenVPN. They conducted 8,200 automated tests daily for a month and also found that NordLynx was up to 2x faster than OpenVPN. You can read more about NordVPN’s tests here.

NOTE: These tests used OpenVPN UDP rather than OpenVPN TCP. This is because UDP is typically faster than TCP, so we wanted to record OpenVPN at its ‘best’.

We then ran similar tests with other VPN services that support both protocols. Here are the results:

Surfshark VPN Mullvad VPN Private Internet Access
Country OpenVPN WireGuard OpenVPN WireGuard OpenVPN WireGuard
UK 121Mbps 286Mbps 345Mbps 345Mbps 228Mbps 181Mbps
USA 110Mbps 261Mbps 64Mbps 331Mbps 92Mbps 28Mbps
AUS 78Mbps 235Mbps 261Mbps 269Mbps 111Mbps 18Mbps

Speed test data recorded from the UK on a 350Mbps connection.

As with NordVPN, WireGuard is clearly the faster protocol for both Surfshark and Mullvad VPN users.

The speed test results from Private Internet Access (PIA) are important to note, though. Because of its relative immaturity, a number of VPN providers currently offer the option to use WireGuard but haven’t yet fully optimized their service to maximize its performance.

Mullvad is a good case study for this. At the end of April 2021, it released an update that better integrated WireGuard into the service.

Before the update, the VPN was around 70% slower on WireGuard than it was on OpenVPN. After the update, WireGuard is now the fastest protocol you can use with Mullvad.

We expect to see a similar trend with VPNs, like PIA, as they work to better integrate WireGuard into their service.

NOTE: Our speed tests are conducted on a 350Mbps connection, which may be higher than you have on your home network. Consequently, WireGuard’s superiority is probably more pronounced here than it would be in everyday usage, because it is better at using all the available bandwidth.

It’s certainly the faster protocol, but the differences between WireGuard and OpenVPN may be more marginal on your device than in the data above.

Time to Connect

WireGuard also establishes a connection much quicker than OpenVPN. This is important because if the connection is lost or the VPN tunnel breaks for some reason, you want your VPN to reconnect fast.

An Ars Technica study found that an OpenVPN connection can take as long as 8 seconds to initiate, whereas WireGuard connections take around 100 milliseconds.

SUMMARY

WireGuard is a much faster protocol than OpenVPN, when correctly integrated into the VPN service. It was designed for that purpose, and it does it well. If you’re doing anything speed-sensitive, such as gaming or streaming, use WireGuard.

Winner: WireGuard

WireGuard vs OpenVPN: Encryption & Security

OpenVPN WireGuard
Encryption Ciphers & Authentication Protocols Commonly Used:

AES, Blowfish, Camellia

Also Supported:

ChaCha20, Poly1305
(plus many more)

ChaCha20, Poly1035
Perfect Forward Secrecy Supported Supported
Known Vulnerabilities None None

OpenVPN lets you use a wide range of encryption ciphers and authentication algorithms, while WireGuard just has a fixed set for each release.

This means that, if a security vulnerability is found in an algorithm, OpenVPN can be quickly configured to use something else. Whereas WireGuard would require a software update across all devices. That’s a pain, but it ensures there are no devices ever using insecure code.

There are currently no known security vulnerabilities in both WireGuard and OpenVPN.

Choice vs Security

One of the key differences between OpenVPN and WireGuard is the trade-off between choice and security.

OpenVPN uses the OpenSSL library for encryption, which was first released in 1998 and has been thoroughly tested over a long period of time. The library supports a wide range of encryption ciphers, including AES, Blowfish, and ChaCha20.

WireGuard, on the other hand, doesn’t offer a choice of encryption. Instead, it forces you to use ChaCha20 for encryption and Poly1305 for authentication.

Because of this, WireGuard requires much less code than OpenVPN – around 4,000 lines compared to 70,000 (at least). This smaller footprint makes it much easier for security researchers to audit and verify WireGuard’s code than OpenVPN’s. It also makes WireGuard’s possible attack surface much smaller than OpenVPN’s.

SUMMARY

OpenVPN offers greater freedom when it comes to encryption and security, but WireGuard is easier to audit and has a smaller attack surface. Both protocols are very secure, but less tech-savvy users may prefer to trust the experts at WireGuard, rather than take matters into their own hands.

Are New Encryption Algorithms Safe?

Generally, security researchers prefer encryption technology that has been around for a while. This is because newer algorithms may sometimes feature vulnerabilities that just haven’t been identified yet. It’s therefore often safer to go with a more tried-and-tested option.

In this case, OpenVPN is by far the most tried-and-tested option. It was released 18 years before WireGuard, and the AES cipher it uses is almost a decade older than the ChaCha20 and Poly1035 algorithms that WireGuard uses.

In practice, however, WireGuard’s relative immaturity doesn’t appear to be a huge security risk. There are three main reasons for this:

  1. WireGuard’s minimal codebase means it can be audited very quickly. This mitigates a lot of the concerns about the protocol’s lack of rigorous testing, because experts can audit it much faster than OpenVPN’s code.
  2. ChaCha20 is very secure. The ‘20’ in ‘ChaCha20’ means there are 20 rounds of encryption to protect the data. In 2008, ChaCha7 (with seven rounds) was broken, but ChaCha8 remains unbroken to this day. So you can be confident that ChaCha20 offers a high level of security.
  3. Endorsements from Linux and Google. Linus Torvalds, original creator of Linux, said: “Can I just once again state my love for [WireGuard]… Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.” WireGuard has since been included in the Linux kernel, which represents strong support for its security credentials. Google has also switched to using ChaCha20 and Poly1305 for encrypting traffic on its Android devices.

SUMMARY

WireGuard and OpenVPN are both very secure VPN protocols. Which is better for encryption and security mostly comes down to personal preference.

If you’re wary of newer technologies or like to have more control over your security settings, then OpenVPN is the better option for you. If you like the idea of an efficient, streamlined codebase, then go for WireGuard.

Winner: No clear winner. It’s a tie.

WireGuard vs OpenVPN: Bypassing Censorship

OpenVPN and WireGuard are both very reliable VPN protocols that deliver a stable internet connection under most circumstances.

However, only OpenVPN gives you the option to use the TCP communication protocol. This is helpful for bypassing strict censorship regimes because TCP connections are able to use port 443, which is the same port that regular HTTPS traffic uses.

It’s highly unlikely that censorship systems in countries like China, Russia, and Turkey would block port 443 because it would halt essential activities like online banking and shopping.

In short, OpenVPN TCP is more effective at bypassing censorship than WireGuard, because WireGuard can only be used with UDP.

Here’s a quick summary of how UDP and TCP compare:

User Datagram Protocol (UDP) Transmission Control Protocol (TCP)
WireGuard Support
OpenVPN Support
Reliability Features
Speed Faster Slower

We usually recommend using UDP whenever possible because it’s faster, more efficient, and equally stable when used within a VPN tunnel. However, for bypassing firewalls and circumventing censorship, a TCP protocol is preferable.

This is reflected in the option that VPN services default to when you try to connect in China. We found that, in almost every case, when a VPN provider offers both WireGuard and OpenVPN, the service will default to using the OpenVPN protocol when you try to connect from within China.

We also tested a few VPN services that we know work well in China to see whether OpenVPN or WireGuard was better at bypassing the Great Firewall of China:

  • Astrill VPN was able to beat the censorship using both OpenVPN and WireGuard
  • Private Internet Access (PIA) was only able to connect when using OpenVPN, and failed using WireGuard.

SUMMARY

OpenVPN is the better choice for bypassing censorship. It enables you to use port 443 which is very difficult for censorship systems to block. Use OpenVPN (TCP) if you’re trying to access the free, global internet from within countries like China and the UAE.

Winner: OpenVPN

WireGuard vs OpenVPN: Mobility

ExpressVPN's new app on mobile devices

Devices today frequently move between mobile and WiFi networks. A good VPN protocol needs to be able to make that switch efficiently and effectively.

WireGuard is far better than OpenVPN for mobility. It handles network changes seamlessly, whereas OpenVPN has historically struggled when users regularly switch between networks. Many VPN services have actually opted to use a different protocol, IKEv2, for mobile devices.

IKEv2 is a reasonably good VPN protocol, but it is closed source and some people have concerns that it may have been compromised by the NSA. Instead, then, WireGuard presents a new, open-source solution to the problem of which VPN protocol to use on mobile.

If you’re using a VPN while on the move, we strongly recommend using WireGuard rather than OpenVPN.

SUMMARY

Unlike OpenVPN, WireGuard copes impressively with regular network changes. It’s also faster and more privacy-friendly than IKEv2, which is many VPN service’s current default protocol for mobile users.

Winner: WireGuard

WireGuard vs OpenVPN: Data Usage

Using a VPN always increases the total amount of data you consume. That’s because the tunneling process requires you to send additional information over the internet, which leads to an increase in data usage.

The data overhead can affect the speed of your VPN. If you are on a pay-as-you-go cell phone contract, you might also spend more money and/or reach your planned data limit sooner.

The VPN protocol you use affects how big the data overhead is. Our research found that WireGuard consumes far less data than OpenVPN. Here’s a summary of the findings:

bar chart showing the data consumption of OpenVPN TCP (+19.96%), OpenVPN UDP (+17.23%), and WireGuard (+4.53%)

To test each protocol’s data usage, we used the Linux WireGuard and OpenVPN applications and calculated how much additional data they were adding to our connection, compared to not using a VPN. For each test, we copied a 209MB test file between two virtual servers. We conducted each test three times, and worked out the average data increase.

The Results: WireGuard uses much less data than OpenVPN. While OpenVPN UDP has a large data overhead of 17.23%, WireGuard adds just 4.53% to your data consumption. When using OpenVPN TCP, this overhead is even greater, at 19.96%.

WireGuard actually has the smallest data overhead of any VPN protocol we’ve tested, including IKEv2 and PPTP. By contrast, OpenVPN has the largest.

You can see the full results from this investigation, and learn more about VPN data usage, in our guide to mobile data and VPNs.

SUMMARY

WireGuard consumes much less data than OpenVPN. Use WireGuard if your internet access has a data cap, or you’re charged based on the amount of bandwidth you consume.

Winner: WireGuard

WireGuard vs OpenVPN: Privacy & Logging

Protocol Logging Mitigations
OpenVPN None Not required
WireGuard IP address stored on server until it reboots Available with most commercial VPN providers

An essential feature of a safe VPN service is that it doesn’t store any personally-identifiable information about you. This also applies to the VPN protocol being used.

While OpenVPN works without needing to log an IP address, WireGuard requires permitted IP addresses to be stored on the server until the server reboots. This is concerning from a privacy standpoint, because if the server is compromised, the IP address could be used to link you to your activity and thereby remove the main benefit of using a VPN.

Be aware, then, that if you’re using the standard implementation of WireGuard, it’s likely your IP address is being logged for at least the duration of your session.

Thankfully, most commercial VPN services that support WireGuard have implemented workarounds to minimize these privacy risks. Some examples include:

  • NordVPN: NordVPN has combined WireGuard with its proprietary Double Network Address Translation (NAT) technology to create NordLynx. Instead of storing your static IP address until the server reboots, NordLynx assigns a unique dynamic IP address to each VPN tunnel, such that each session has a different IP address that only lasts as long as the session.
  • Mullvad: To maximise privacy when using WireGuard, Mullvad deletes your IP address from its servers after 10 minutes of inactivity. As an extra step, Mullvad also suggests you use its Multihop feature to route your traffic through two or more servers when using WireGuard.
  • IVPN: IVPN deletes your IP address after three minutes of inactivity. It also randomly generates a new IP address every 24 hours, to avoid issues around using a static IP address.

These mitigations will be enough for most users. However, if you are in a strict censorship country or a country where officials may try to prosecute VPN users, it’s probably not a risk worth taking.

We’d also recommend checking with your VPN provider which mitigations they have in place for WireGuard users, if you’re concerned about your privacy.

SUMMARY

Unlike OpenVPN, the WireGuard protocol requires your IP address to be stored on the VPN server for an extended period of time. VPN services can and will mitigate against this, but it’s not ideal from a privacy perspective. No such mitigations are required for OpenVPN.

Winner: OpenVPN

WireGuard vs OpenVPN: VPN & Device Compatibility

OpenVPN is natively supported by almost every commercial VPN service, whereas WireGuard is much less widely available. It’s catching up fast, though. Despite only being released in 2019, WireGuard has already been implemented into many leading VPNs – often across both desktop and mobile apps.

Here’s an overview of which protocols are supported on 15 of the most popular VPNs:

VPN Protocol ExpressVPN NordVPN CyberGhost IPVanish Surfshark PrivateVPN PIA Windscribe ProtonVPN Astrill HideMyAss Hotspot Shield Mullvad TunnelBear PureVPN
OpenVPN
WireGuard

Traditionally, most VPNs use OpenVPN as their default protocol, particularly on desktop. However, we’re now seeing an increasing number of providers switch their allegiance to WireGuard. For example, CyberGhost now uses WireGuard by default on Android and iOS, and NordVPN uses its NordLynx version of WireGuard as the default in most of its apps.

NOTE: To use a VPN on your router, you’ll likely still have to use OpenVPN. Only Mullvad, from the list above, works with WireGuard at the router-level.

Ease of Use

To manually configure the protocol yourself, WireGuard is much easier than OpenVPN. Again, this is due to WireGuard’s streamlined code and lack of choice when it comes to encryption configurations, which makes it very simple to install.

WireGuard’s light codebase is also a strength for using a VPN on small computing devices and embedded devices. OVPN, for example, includes a WireGuard-compatible command-line application for Raspberry Pi single-board computers.

That said, OpenVPN is easier to use for most VPN users simply because it is natively supported by more VPN services. Just download your chosen VPN and, in almost every instance, the OpenVPN protocol will be set up and ready to use.

SUMMARY

OpenVPN has been around for almost two decades and is natively supported within almost every VPN app. WireGuard is currently being integrated into more and more VPNs, but your chosen VPN provider is still more likely to support OpenVPN. This is especially the case if you’re using a VPN on your router.

Winner: OpenVPN

Conclusion

WireGuard has already made a big impression on the VPN industry – with many leading VPNs now supporting it, and its recent inclusion in the Linux kernel.

OpenVPN is older, more trusted, and certainly more privacy-friendly, but WireGuard is astonishingly fast and appears to be very secure, too.

Therefore, the answer to whether you should use OpenVPN or WireGuard for your VPN connection depends on what you’re doing.

You should use WireGuard if:

  • You want the fastest speeds.
  • You are using a mobile device and you’re concerned about data consumption.
  • You’re regularly switching between WiFi and cellular networks.
  • You are manually configuring your VPN or building your own VPN software.

You should use OpenVPN if:

  • You are in a country where VPNs are banned and you may face prosecution if caught using one.
  • You want the utmost degree of privacy and don’t like the extra logging requirement of WireGuard, even if your VPN provider has a mitigation in place.
  • You are more cautious of new technologies, and want to give WireGuard more time to mature and be tested.
  • You’re using a VPN service that doesn’t yet support WireGuard.

About the Author


  • JP Jones - CTO @ Top10VPN

    JP Jones

    JP is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio