OpenVPN has almost become synonymous with VPN clients and rightly so. It’s one of the fastest, most secure, and reliable VPN protocols out there. No matter which operating system you are on, most of the VPN clients have OpenVPN as their default tunneling protocol. Having said, there is talk of an OpenVPN alternative that claims to bring better performance and is much easier to set up. Yes, I am talking about WireGuard. While WireGuard is relatively new, it holds a lot of promise and that’s why we bring you an in-depth explainer on OpenVPN vs WireGuard. In this article, we talk about their similarity and differences and take you through some important aspects of WireGuard. So without further delay, let’s begin.
OpenVPN vs WireGuard: A Brief Introduction
Before I begin, I want to give a brief overview of the development history and business model of both the VPN protocols. As most of us know, OpenVPN is among the oldest VPN protocols which was first released in 2001. It’s an open-source VPN protocol and run by the OpenVPN project. Having said that, OpenVPN is not free to use either for personal or commercial users so keep that in mind. Nevertheless, you can use the OpenVPN Community Edition for free, but with very limited features.
Coming to WireGuard, it’s relatively new and was first released in 2016. Similar to OpenVPN, WireGuard is open-source, but also free for both commercial and personal users. So far, we have not seen a stable release as the work is still in progress and not ready for production. However, Mullvad and IVPN have implemented the WireGuard protocol in their VPN client for initial testing. As an aside, in January 2020, WireGuard was finally merged into the Linux Mainline kernel and it’s expected to ship with the next kernel release. What it means is that you will be able to use WireGuard on any Unix-based operating systems (Android, iOS, macOS, Linux) natively. As for the business model, WireGuard has received donations from many big VPN companies like PIA and IVPN.
Now that we have learned about the basics, let’s move to the security aspect of OpenVPN and WireGuard.
When we talk about VPN protocols, security is treated as the top priority, hence, let’s begin with OpenVPN’s security first. Since OpenVPN has been here for so long, it has gone through many security audits and has been found secure and reliable without any glaring vulnerability. It has a CVE tracking mechanism where publicly known security vulnerabilities and exposures are reported and patched regularly. On the technical front, OpenVPN uses a custom security protocol based on SSL and TLS protocols. If you are unaware, TLS (Transport Layer Security) is one of the best cryptographic protocols which provides secure communication between two endpoints. In fact, this protocol is used by iPhones to share files through AirDrop.
Apart from that, OpenVPN utilizes OpenSSL which is a library of security protocols to identify other parties in the network and prevent eavesdropping. Another important security aspect of OpenVPN is that it operates in user space — a segregated space where virtual memory is protected against rogue programs and attackers. All in all, OpenVPN is a pretty secure protocol and the company continuously develops new technologies to combat malicious attacks.
Talking about WireGuard, it uses SSH (Secure Shell) protocol to communicate between devices. It’s a cryptographic network protocol just like TLS that offers a great range of security features. But that is not all. Unlike OpenVPN which runs in a user space, WireGuard runs inside a Linux module called the kernel space. What it means is that all the operations happen inside the deep layer of kernel, away from the operating system. As a result, the operations remain quick and secure — even better than OpenVPN.
While encryption is part of security, we have mentioned it separately to emphasize on various algorithmic techniques used by OpenVPN and WireGuard. As I said above, OpenVPN utilizes a security suite called OpenSSL which provides a range of 256-bit cryptographic algorithms like AES, 3DES, BlowFish and more. The algorithms are so powerful that it can traverse through NAT servers and firewalls without breaking the connection.
As for WireGuard, it uses a number of cryptographic algorithms to protect data transmission from brute-force attacks. Some of the algorithms are 128-bit Curve25519, Poly1305, Diffie–Hellman Elliptic-curve and more. On top of that, WireGuard brings HKDF to derive keys from third-party endpoints. Not to mention, there are dedicated protocols for hashing and key derivation as well. Simply put, both OpenVPN and WireGuard are excellent when it comes to using encryption methods and maintaining secrecy.
Now we come to another important aspect of VPN protocols: Authentication. OpenVPN uses two ways to authenticate between parties in a network. One is Certificate-based authentication which is the most secure method, but it’s slower in execution and another is Pre-shared keys which is the fastest way, but relatively less secure. Depending on the network environment, OpenVPN uses either of the authentication methods, but you can choose your own configuration too for better security.
If we talk about WireGuard, it deploys RFC 7539’s AEAD method to authenticate endpoints in a network. And the authentication is also encrypted using the Poly1305 cryptographic cipher. For general users, it might not make much sense, but in simple terms, it means that a handshake request is sent to all the devices in a network. After that, it waits for the responder to decrypt the message and hence, a connection is established.
In this battle of OpenVPN vs WireGuard, the major difference between the two protocols is performance. The reason WireGuard is touted to be the VPN protocol of the future is that it offers almost 2X performance jump than what OpenVPN offers. And the reason is quite simple: unlike OpenVPN which runs as an application, WireGuard runs as a module inside the Linux kernel. So the cryptographic services are executed really fast while operating encryption or decryption processes. Apart from that, due to the deep integration with the kernel, there is not much layer to interact with which saves time significantly.
But that is not all. OpenVPN has 400,000 lines of code which is simply huge whereas WireGuard has just 4,000 lines in its codebase. If you know a bit of programming, you would know that a smaller codebase translates to faster performance. So, if you want to implement WireGuard in your private VPN, you are going to be surprised on the performance front.
5. Platform Support
OpenVPN is available everywhere including Windows, macOS, Linux, iOS, Android, Windows Phone and more. In fact, almost all the modern VPNs are based on OpenVPN protocol. We have covered the best VPN for Windows, Android, iPhone, iPad and macOS so check those lists too. Other than that, OpenVPN’s protocol is also used in many routers’ firmware for tunneling data packets in a secure method.
Coming to WireGuard, the VPN protocol is implemented in a few VPN clients and you can get them on Windows, Android, macOS, iOS and Linux. Some of those VPN clients are Mullvad, IVPN, and Tunsafe. However, in the coming months, when WireGuard will be released with Linux kernel, it will be natively available as a kernel module on all UNIX-like operating systems. And that includes Android, macOS, iOS, iPadOS, and Linux.
So at this point, WireGuard is nowhere near OpenVPN in terms of adoption and platform support. However, after the upcoming Linux kernel release and subsequent adoption by Google and Apple, many mainstream VPN clients like ExpressVPN and PIA may start implementing the WireGuard protocol in their apps.
OpenVPN vs WireGuard: What’s the Verdict?
So that was our deep dive into OpenVPN and WireGuard and in what ways they are similar or different in their approach. For a long time, OpenVPN has been the de-facto protocol not only for VPN clients but also for any kind of network tunneling be it in routers or network servers. However, WireGuard has come up with lots of promise in the performance and setup front. So now we will have to wait and see if VPN companies are adopting the WireGuard protocol or not. Anyway, that is all from us. If you found the article informative, do comment down below and let us know.