It's become increasingly common to compare WireGuard vs OpenVPN to see how the fare. OpenVPN and WireGuard are two of the most popular free VPN tunnel services available. Both are easy to install, run on multiple platforms, and use strong encryption to secure your Internet transmissions.
However, WireGuard is much newer compared to OpenVPN and these protocols differ in terms of features and support. It's important to know how they stack up against each other before making a choice. Let's take a close look at each service to see which is right for you.
What is Wireguard?
WireGuard is a simple, lightweight yet fast VPN protocol that utilizes state-of-the-art cryptography. Initially developed for Linux, WireGuard is now more widely available and supports multiple platforms, including Windows, Mac, Android, and iOS.
The groundwork for this started In 2016 with security researcher and developer Jason Donenfeld. He felt that users needed a more efficient model to overcome deficiencies in existing VPN protocols like IPsec and OpenVPN.
How WireGuard Works
WireGuard is faster, simpler, and leaner than other protocols. It is open-source, which means the chances of security vulnerabilities are lower. However, the protocol is still under development, and some VPN providers are still cautious about adopting this technology.
If you’re considering safety in this protocol, understanding how it works might help. Like most other VPN protocols, there are two primary components; the transport layer and cryptography.
WireGuard’s Transport Layer
The protocol suite transport layer is User Datagram Protocol (UDP)-based. For most VPN use cases, that’s excellent since UDP is fast. Data-heavy activities such as media streaming thrive on UDP.
Yet concerning security, UDP is a bit of a mixed bag of tricks. The good news is that it doesn't rely on OpenSSL libraries, something hackers have previously exploited. However, UDP has other weaknesses, including vulnerability to spoofing and Denial of Service (DoS) attacks.
Regardless of the pros and cons of UDP, the core characteristics remain the same as implemented in WireGuard. It allows fast data transportation but is more easily “seen and interpreted” by snoops.
That’s where encryption comes in handy.
WireGuard lacks different encryption methods, key exchange, and hashing algorithms. Instead, it uses tested and peer-reviewed cryptographic primitives, a robust default cryptographic choice.
However, the lack of configurable options means a heavy reliance on developers to address vulnerabilities in the used crypto primitives. Only when a new version of the protocol is released will there be a negotiation of protocol versions between peers.
WireGuard utilizes ChaCha20 for symmetric encryption with Poly1305 for message authentication via RFC7539’s AEAD construction. It also uses Curve25519 for elliptic-curve Diffie-Hellman (ECDH) key agreement, BLAKE2s for hashing, and key hashing faster than SHA-3.
Then there’s SipHash24 for hashtable keys, HKDF for key derivation, as described in RFC5869, a 1.5 Round Trip Time (1.5-RTT) handshake based on the Noise framework, and provides forward secrecy. The system identifies each peer via short public keys, similar to OpenSSH.
WireGuard also enables crypto key routing where public keys establish peer assignment for each IP within the tunnel. There’s built-in protection against key impersonation and DoS or replay attacks. It doesn’t respond to packets from unrecognizable peers, and the connection between peers goes silent when there’s no data exchange.
WireGuard vs OpenVPN
The popular and gold standard of VPN protocols has been OpenVPN in the past years. Also an open-source protocol, OpenVPN is a known entity – deemed secure and reliable with good performance.
However, given the sterling performance seen so far, OpenVPN is being sorely tested. To determine if there’s a “winner” between the two, here are some core comparisons;
Optimization: WireGuard is More Streamlined than OpenVPN
- WireGuard: 4,000 lines of code
- OpenVPN: 70,000 lines of code
WireGuard excels in its significantly smaller code lines, which currently stand at around 4,000, including the crypto code. On the other hand, OpenVPN has about 70,000 lines that support two different cryptographic libraries.
WireGuard will register better performance with a smaller code base, is easier to audit, and has a smaller attack surface, thus is also safer.
Speed: WireGuard is 58% Faster Than OpenVPN
Based on tests done, the newer protocol is 58% faster than OpenVPN on average. After all, it is a leaner protocol and has a lighter touch when consuming your device's resources. The boost in speed is also relevant when it comes to reconnection times.
When you switch from mobile data to Wi-Fi while using your mobile device with VPN, Wireguard is fast enough that you will hardly notice and significant disruption in the connection.
Security: Cryptographic Algorithms
Whereas OpenVPN is flexible with the cryptographic algorithms it uses (its more extensive code base probably explains this), WireGuard uses a fixed set of algorithms only. Hence, if a problem arises in any WireGuard version, there is an immediate need to upgrade versions at all endpoints.
While OpenVPN uses certificates for identification and encryption, WireGuard uses public key encryption. Since the latter has a smaller set of authentication methods, it will have fewer integration interface options than OpenVPN.
This lack of options does not mean that WireGuard isn’t good; it just means that if you have more demands as a VPN user, you may need to rethink using WireGuard.
Many are also skeptical about the protocol using the untested ChaCha20 instead of the internet's gold standard of encryption, AES-256. Although both are symmetrical encryption and share some inherent weaknesses, there are still question marks regarding ChaCha20.
Both protocols are open source, which encourages transparency. Developers can see everything in the code. So far, there are no known overwhelming security flaws for either protocol.
However, if security is your number one priority, it probably is best to opt for the more conservative option, which is OpenVPN. It has been around much longer and has undergone numerous third-party security audits.
WireGuard stores user IPs on the VPN server is a concern for many. This storage is necessary because its crypto key routing algorithm maps public keys and permitted IPs. WireGuard uses static IPs and does not assign them dynamically.
For VPN users, having IP addresses stored to any extent is never good news. The safest bet in overcoming this issue would be a VPN service provider like Surfshark that runs RAM-only servers. At least you’ll know that the data is gone after each reboot.
If privacy is a serious concern, then, for the time being, OpenVPN is still on top of things.
Best WireGuard VPNs
Many VPNs are still shy from offering WireGuard because protecting their users’ privacy requires extra work. However, several VPNs offer WireGuard while still preserving your privacy:
1. NordVPN – Best Overall WireGuard VPN
- Price: from $3.99/mo
- Servers: Over 5,100 in 60 countries
- Protocols Available: IKEv2, OpenVPN, NordLynx (WireGuard adaptation)
NordVPN addressed the privacy issues (storage of static IPs in the VPN servers) via its NordLynx protocol, an adaption of WireGuard. NordLynx uses a double Network Address Translation (NAT) system to authenticate users via two local network interfaces.
While one obtains the same local IP address on the server, the other pairs with the dynamic NAT that assigns random IP addresses. The system destroys all dynamically created information when VPN tunnels are closed.
Tests have confirmed that although NordVPN registered fast enough speeds with OpenVPN, it is simply blazing fast with NordLynx (aka Wireguard). I see improved performance of at least 2 to 3 times on NordLynx compared to OpenVPN.
2. Surfshark – Value-packed WireGuard VPN
- Price: from $2.21/mo
- Servers: Over 3,200 in 66 countries
- Protocols Available: IKEv2, OpenVPN, WireGuard
Surfshark is a great budget choice for use with WireGuard. Like NordVPN, Surfshark registers higher speeds with WireGuard and has implemented the double NAT method, thus giving you excellent privacy-preserving traits.
Surfshark assigns a dynamic IP to all users, so your IP is different each time you connect to a VPN server via WireGuard. As such, there’s no identifiable data stored on any server. Along with their RAM-only server network, this method ensures you’re safe and protected.
Surfshark is one of the few reputable VPNs that allows unlimited simultaneous connections. You can connect as many compatible devices as you want under one paid account. That makes it an ideal choice for households with multiple connected devices.
3. CyberGhost – Massive Location Coverage
- Price: from $2.17/mo
- Servers: Over 7,300 in 90 countries
- Protocols Available: IKEv2, OpenVPN, WireGuard
CyberGhost is best suited for beginners as it’s effortless to use. If you’re an advanced user, you’ll find that you can also configure customized security rules, select your protocols, and more. CyberGhost offers scorching speeds with WireGuard, a significant improvement from the popular OpenVPN.
This capability also makes CyberGhost an excellent option for streaming – combined with the fact that it unblocks most major streaming services, including US Netflix, BBC iPlayer, Amazon Prime Video, and Disney+.
Covering over 7,300 servers located in 90 countries, it is one of the largest consumer VPN networks in the market. As such, this explains why CyberGhost is an excellent option if you’re looking to bypass geoblocks. Cyberghost offers 256-bit encryption and comes with an automatic kill switch, DNS, and IP leak protection.
Although this speedy protocol still has room for improvement, its future looks bright. Due to its improved speed and performance, it is no wonder that more and more VPNs are looking towards adopting WireGuard. VPNs have found workarounds to its vulnerability in the privacy issue.
Frequently Asked Questions on Wireguard
WireGuard is a new VPN protocol and not a VPN service. It uses ‘state-of-the-art’ cryptography to secure the communication tunnel between your device and the VPN server. It was designed to be faster, simpler, and register considerably higher performance than other VPN protocols.
In many ways, WireGuard is far superior to OpenVPN. It is leaner, faster, and easier to set up and use than OpenVPN. However, OpenVPN has undergone much longer testing and auditing.
WireGuard is generally safe. There’s less room for vulnerabilities or security flaws with its minimal codebase. Still, it assigns static IP addresses and logs identifying information, resulting in some privacy concerns.
Yes, WireGuard works in China. However, being UDP-based, it may be easier to detect. Ideally, you need to find a VPN provider that’s beefed up WireGuard over the default configuration.
No, ExpressVPN uses a proprietary protocol called Lightway. This protocol seems excellent so far, though, and offers similar speeds to those running WireGuard. Lightway supports Android, iOS, Windows, Mac, Linux, and routers.