WireGuard vs OpenVPN

OpenVPN and WireGuard are two types of VPN protocol. A VPN protocol is technology used to create a secure tunnel between your device and a VPN server.

In other words, a VPN protocol is a key element to how a VPN works.

You can use both OpenVPN and WireGuard independently to create your own VPN connection. However, they’re more commonly used as part of personal VPN services.

Here’s an overview of each protocol’s main features:

Feature	OpenVPN	WireGuard
Date Released	May 2001	September 2019
Encryption	AES, Blowfish, Camellia	ChaCha20, Poly1305
Code Length	Over 70,000 lines	~4,000 lines
Open Source	Yes	Yes
Security	Strong	Strong
Privacy	Strong	Needs mitigations
Speeds	Moderate	Fast

OpenVPN

The original OpenVPN software was created in 2001 by James Yonan.

Yonan made OpenVPN to ensure his connection was private while travelling through Central Asia and using Asian and Russian internet connections.

Today, Yonan is the CTO of OpenVPN Inc. The company provides business-to-business services as well as running OpenVPN.

The company’s CEO and founder is Francis Dinha, who grew up in Iraq and shares Yonan’s concerns about staying private from state surveillance.

The OpenVPN software has now been downloaded more than 60 million times, and almost every VPN today employs the protocol.

OpenVPN is available under an open-source license, which means anyone can view its underlying code.

For over a decade, OpenVPN has been considered the pinnacle of VPN security. However, with the release of WireGuard, there is a new contender for that top spot.

WireGuard

WireGuard was created by Jason A. Donenfeld from Edge Security, and had its first stable release in September 2019.

WireGuard is designed to improve upon existing VPN protocols by being simpler, faster, and easier to use.

Unlike OpenVPN, WireGuard is “cryptographically opinionated,” to use Donenfeld’s words. That means he’s selected one solution for each aspect of the VPN’s security.

As a result, WireGuard includes less choice than OpenVPN, but it’s also far less complex.

Like OpenVPN, WireGuard is also open source.

Despite only being released in September 2019, WireGuard has already been incorporated into a number of VPN services. NordVPN, for example, built its proprietary NordLynx protocol on top of it.

So which one is better, OpenVPN or WireGuard? Let’s start by comparing their speeds.

WireGuard was designed with speed in mind. OpenVPN was not. As such, WireGuard is considerably faster than OpenVPN.

The WireGuard protocol is optimized to use multiple processor cores at the same time, and it uses faster encryption methods.

WireGuard’s own measures suggest their protocol is at least 3 times faster than OpenVPN – with a throughput of 1011Mbps, compared to OpenVPN’s 258Mbps.

The WireGuard team admits, however, that these results are “old and crusty and not super well conducted.”

Therefore, we ran the tests ourselves to see which protocol is faster.

WireGuard Is Faster Than OpenVPN in Most VPNs

NordVPN is an excellent VPN service that was one of the first to support both WireGuard and OpenVPN. It’s therefore ideal for running a speed test comparison.

We connected to NordVPN servers around the world using either the OpenVPN (UDP) protocol or the NordLynx (WireGuard) protocol, and recorded our connection speeds.

Here’s a summary of our OpenVPN versus WireGuard speed findings:

Server Location	OpenVPN (UDP)	WireGuard (NordLynx)
UK	135Mbps	286Mbps (112% faster)
Germany	131Mbps	277Mbps (111% faster)
USA	142Mbps	254Mbps (79% faster)
Japan	139Mbps	269Mbps (94% faster)
Australia	118Mbps	207Mbps (75% faster)

Speed test data recorded from the UK on a 350Mbps connection.

Our results found WireGuard was consistently over 75% quicker than OpenVPN, no matter where in the world we were connecting to.

On shorter-distance connections, the difference was even more pronounced, with WireGuard running at over double the speed of OpenVPN.

These results match what NordVPN themselves saw when comparing NordLynx and OpenVPN. They conducted 8,200 automated tests daily for a month and concluded NordLynx was up to 2 times faster than OpenVPN.

We then ran similar tests with other VPN services that support both protocols. Here are the results:

	Surfshark VPN		Mullvad VPN		Private Internet Access
Country	OpenVPN	WireGuard	OpenVPN	WireGuard	OpenVPN	WireGuard
UK	121Mbps	286Mbps	345Mbps	345Mbps	228Mbps	181Mbps
USA	110Mbps	261Mbps	64Mbps	331Mbps	92Mbps	28Mbps
AUS	78Mbps	235Mbps	261Mbps	269Mbps	111Mbps	18Mbps

Speed test data recorded from the UK on a 350Mbps connection.

As with NordVPN, WireGuard is clearly the faster protocol for both Surfshark and Mullvad VPN users.

The speed test results from Private Internet Access (PIA) are important to note, though. Due to its relative immaturity, several VPN services currently offer WireGuard, but haven’t yet fully optimized their service to maximize its performance.

Mullvad is a good case study for this. At the end of April 2021, it released an update that better integrated WireGuard into the service.

Before the update, the VPN was around 70% slower on WireGuard than it was on OpenVPN. After the update, WireGuard is now the fastest protocol you can use with Mullvad.

We expect to see a similar trend with other VPNs, like PIA, as they work to improve WireGuard as a part of its service.

In the video above you can see in real-time the difference between OpenVPN (UDP) and WireGuard as we test both using Proton VPN. The difference in download speeds was clear once more: OpenVPN averaged 250Mbps while WireGuard averaged 335Mbps.

Time to Connect

WireGuard also establishes a connection much quicker than OpenVPN. This is important because if the connection is lost or the VPN tunnel breaks for some reason, you want your VPN to reconnect fast.

An Ars Technica study found that an OpenVPN connection can take as long as 8 seconds to initiate, whereas WireGuard connections take around 100 milliseconds.

	OpenVPN	WireGuard
Encryption Ciphers & Authentication Protocols	Commonly Used: AES, Blowfish, Camellia Also Supported: ChaCha20, Poly1305 (plus many more)	ChaCha20, Poly1035
Perfect Forward Secrecy	Supported	Supported
Known Vulnerabilities	None	None

OpenVPN lets you use a wide range of encryption ciphers and authentication algorithms, while WireGuard just has a fixed set for each release.

This means that, if a security vulnerability is found in an algorithm, OpenVPN can be quickly configured to use something else. Whereas WireGuard would require a software update across all devices. That’s a pain, but it ensures there are no devices ever using insecure code.

There are currently no known security vulnerabilities in both WireGuard and OpenVPN.

Choice vs Security

One of the key differences between OpenVPN and WireGuard is the trade-off between choice and security.

OpenVPN uses the OpenSSL library for encryption, which was first released in 1998 and has been thoroughly tested over a long period of time. The library supports a wide range of encryption ciphers, including AES, Blowfish, and ChaCha20.

WireGuard, on the other hand, doesn’t offer a choice of encryption. Instead, it forces you to use ChaCha20 for encryption and Poly1305 for authentication.

As a result, WireGuard requires much less code than OpenVPN: roughly 4,000 lines of code compared to 70,000 (at least).

This smaller footprint makes it much easier for security researchers to audit and verify WireGuard’s code than OpenVPN’s. It also makes WireGuard’s possible attack surface much smaller than OpenVPN’s.

Furthermore, less code considerably reduces the possibility of bugs occurring in Wireguard.

Are New Encryption Algorithms Safe?

Generally, security researchers prefer encryption technology that has been around for a while. This is because newer algorithms may sometimes feature vulnerabilities that just haven’t been identified yet. It’s therefore often safer to go with a more tried-and-tested option.

In this case, OpenVPN is by far the most tried-and-tested option. It was released 18 years before WireGuard, and the AES cipher it uses is almost a decade older than the ChaCha20 and Poly1035 algorithms that WireGuard uses.

In practice, however, WireGuard’s relative immaturity doesn’t appear to be a huge security risk. There are three main reasons for this:

1. WireGuard’s minimal codebase means it can be audited very quickly. This mitigates a lot of the concerns about the protocol’s lack of rigorous testing, because experts can audit it much faster than OpenVPN’s code.
2. ChaCha20 is very secure. The ‘20’ in ‘ChaCha20’ means there are 20 rounds of encryption to protect the data. In 2008, ChaCha7 (with seven rounds) was broken, but ChaCha8 remains unbroken to this day. So you can be confident that ChaCha20 offers a high level of security.
3. Endorsements from Linux and Google. Linus Torvalds, original creator of Linux, said: “Can I just once again state my love for [WireGuard]… Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.” WireGuard has since been included in the Linux kernel, which represents strong support for its security credentials. Google has also switched to using ChaCha20 and Poly1305 for encrypting traffic on its Android devices.

OpenVPN and WireGuard are both very reliable VPN protocols that deliver a stable internet connection under most circumstances.

However, only OpenVPN gives you the option to use the TCP communication protocol. This is helpful for bypassing strict internet blocks, because TCP connections are able to use port 443, which is the same port regular HTTPS traffic uses.

It’s highly unlikely censorship systems in countries like China, Russia, and Turkey would block port 443, because it would halt essential activities like online banking and shopping.

In short, OpenVPN TCP is more effective at bypassing censorship than WireGuard, because WireGuard can only be used with UDP.

Here’s a quick summary of how UDP and TCP compare:

	User Datagram Protocol (UDP)	Transmission Control Protocol (TCP)
WireGuard Support	✓	✗
OpenVPN Support	✓	✓
Reliability Features	✗	✓
Speed	Faster	Slower

We usually recommend using UDP whenever possible because it’s faster, more efficient, and equally stable when used within a VPN tunnel. However, for bypassing firewalls and circumventing censorship, a TCP protocol is preferable.

This is reflected in the option that VPN services default to when you try to connect in China.

We found that, in almost every case, when a VPN provider offers both WireGuard and OpenVPN, the service will default to using the OpenVPN protocol when you try to connect from within China.

We also tested a few VPN services that we know work well in China to see whether OpenVPN or WireGuard was better at bypassing the Great Firewall of China:

• Astrill VPN was able to beat the censorship using both OpenVPN and WireGuard
• Private Internet Access (PIA) was only able to connect when using OpenVPN, and failed using WireGuard.

Devices today frequently move between mobile and WiFi networks. A good VPN protocol needs to be able to make that switch efficiently and effectively.

WireGuard is far better than OpenVPN for mobility. It handles network changes seamlessly, whereas OpenVPN has historically struggled when users regularly switch between networks. Many VPN services have actually opted to use a different protocol, IKEv2, for mobile devices.

IKEv2 is a reasonably good VPN protocol, but it is closed source and some people have concerns that it may have been compromised by the NSA. Instead, then, WireGuard presents a new, open-source solution to the problem of which VPN protocol to use on mobile.

If you’re using a VPN while on the move, we strongly recommend using WireGuard rather than OpenVPN.

Using a VPN always increases the total amount of data you consume. That’s because the tunneling process requires you to send additional information over the internet, which leads to an increase in data usage.

The data overhead can affect the speed of your VPN. If you are on a pay-as-you-go cell phone contract, you might also spend more money and/or reach your planned data limit sooner.

The VPN protocol you use affects how big the data overhead is. Our research found that WireGuard consumes far less data than OpenVPN. Here’s a summary of the findings:

To test each protocol’s data usage, we used the Linux WireGuard and OpenVPN applications and calculated how much additional data they were adding to our connection, compared to not using a VPN. For each test, we copied a 209MB test file between two virtual servers. We conducted each test three times, and worked out the average data increase.

WireGuard actually has the smallest data overhead of any VPN protocol we’ve tested, including IKEv2 and PPTP. By contrast, OpenVPN has the largest.

You can see the full results from this investigation, and learn more about VPN data usage, in our guide to mobile data and VPNs.

Protocol	Logging	Mitigations
OpenVPN	None	Not required
WireGuard	IP address stored on server until it reboots	Available with most commercial VPN providers

An essential feature of a safe VPN service is that it doesn’t store any personally-identifiable information about you. This also applies to the VPN protocol being used.

While OpenVPN works without needing to log an IP address, WireGuard requires permitted IP addresses to be stored on the server until the server reboots.

This is concerning from a privacy standpoint, because if the server is compromised, the IP address could be used to link you to your activity and thereby remove the main benefit of using a VPN.

Be aware, then, that if you’re using the standard implementation of WireGuard, it’s likely your IP address is being logged for at least the duration of your session.

Thankfully, most commercial VPN services that support WireGuard have implemented workarounds to minimize these privacy risks. Some examples include:

• NordVPN: NordVPN has combined WireGuard with its proprietary Double Network Address Translation (NAT) technology to create NordLynx. Instead of storing your static IP address until the server reboots, NordLynx assigns a unique dynamic IP address to each VPN tunnel, such that each session has a different IP address that only lasts as long as the session.
• Mullvad: To maximise privacy when using WireGuard, Mullvad deletes your IP address from its servers after 10 minutes of inactivity. As an extra step, Mullvad also suggests you use its Multihop feature to route your traffic through two or more servers when using WireGuard.
• IVPN: IVPN deletes your IP address after three minutes of inactivity. It also randomly generates a new IP address every 24 hours, to avoid issues around using a static IP address.

These mitigations will be enough for most users. However, if you are in a strict censorship country or a country where officials may try to prosecute VPN users, it’s probably not a risk worth taking.

We’d also recommend checking with your VPN provider which mitigations they have in place for WireGuard users, if you’re concerned about your privacy.

OpenVPN is natively supported by almost every commercial VPN service, whereas WireGuard is much less widely available.

WireGuard is catching up fast, though. Despite only being released in 2019, the protocol has already been implemented into many leading VPNs – often across both desktop and mobile apps.

Here’s an overview of which protocols are supported on 15 of the most popular VPNs:

VPN Protocol	ExpressVPN	NordVPN	CyberGhost	IPVanish	Surfshark	PrivateVPN	PIA	Windscribe	Proton VPN	Astrill	HideMyAss	Hotspot Shield	Mullvad	TunnelBear	PureVPN
OpenVPN	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
WireGuard	✗	✓	✓	✓	✓	✗	✓	✓	✗	✓	✗	✗	✓	✗	✗

Traditionally, most VPNs use OpenVPN as their default protocol, particularly on desktop.

However, we’re now seeing an increasing number of providers switch their allegiance to WireGuard.

For example, CyberGhost now uses WireGuard by default on Android and iOS, and NordVPN uses its NordLynx version of WireGuard as the default in most of its apps.

Ease of Use

To manually configure the protocol yourself, WireGuard is much easier than OpenVPN. Again, this is due to WireGuard’s streamlined code and lack of choice when it comes to encryption configurations, which makes it very simple to install.

WireGuard’s light codebase is also a strength for using a VPN on small computing devices and embedded devices. OVPN, for example, includes a WireGuard-compatible command-line application for Raspberry Pi single-board computers.

That said, OpenVPN is easier to use for most VPN users simply because it is natively supported by more VPN services. Just download your chosen VPN and, in almost every instance, the OpenVPN protocol will be set up and ready to use.