WireGuard vs. OpenVPN

What makes them different, and which encryption protocol is the best?

Author: Nym
14 mins read

Encryption is a powerful technology for online data security. When paired with a Virtual Private Network (VPN), users have both end-to-end encryption in online traffic as well as IP address obfuscation.

To encrypt data as it travels through multiple points between users’ devices and the public web, VPNs use specialized protocols. WireGuard and OpenVPN are two widely used pieces of software that power the infrastructure necessary for encrypted routing in modern VPNs. But what are the differences between them exactly? The considerations can be quite technical and depend on what a user specifically needs. So Nym is here to break it all down for you.

If you’re ultimately looking for privacy and anonymity online, unfortunately encryption is not enough. This is because all online traffic, regardless of encrypted content, leaks metadata which is then used to track users in what they do, who they communicate with, and what they want. When it comes to digital privacy, we need multiple tools in our arsenal. It’s important to choose a truly decentralized VPN (dVPN) which uses modern cryptographic protocols and which cannot keep traffic logs by design.

Read this article to discover what Wireguard is.

VPN encrypted routing

Most users turn to a VPN for privacy online. By replacing our IP addresses with their own public IP, VPNs make it so we can be anonymous in what we do online. When your online traffic is routed through a VPN’s server(s), it is first encrypted on your device, making your data unreadable to external parties trying to intercept it. This is what’s called a VPN’s encrypted tunnel between your device and their servers.

Keep in mind that a VPN on its own cannot provide encryption between its server and the final destination (this should be done by the web service to which you’re connecting). If the web service you’re connecting to also has an encrypted connection, this essentially doubles the encryption en route to the VPN.

The encryption functionality of a VPN is facilitated by specialized interfaces such as WireGuard and OpenVPN. Before comparing them, how does modern encrypted networking work exactly?

Encrypted communication protocols

Online data encryption essentially transforms your data into an indecipherable code that only those with the encryption and decryption key(s) can access. This guarantees that your data cannot be read even if intercepted by hackers or surveillance en route.

There are three key stages of encrypted communication online: key exchange, authentication, and encrypted data transfer. When communicating online (privately with a person or a web service), each party must possess the encryption/decryption key(s). So procedures for securely exchanging keys, as well as authenticating that a correspondent or service is who they say they are, are crucial steps before an encrypted data transfer can begin.

OpenVPN and WireGuard are protocols that take care of all these stages so that the content of any data passing through a VPN is secure, encrypted from point-to-point through the VPN. Note that encryption only protects the content of your data, and cannot protect any metadata about your traffic. As we will see, this is a huge privacy concern that encryption cannot solve, but which decentralized VPNs can.

What is OpenVPN?

Introduced in 2001, OpenVPN is a widely used, flexible, and open-source routing protocol. It is compatible with many different operating systems, hardware, and software programs. It is also used by the large majority of traditional VPN services. Moreover, it supports various encryption algorithms and authentication methods, allowing users to customize security configurations according to their needs and use cases. OpenVPN’s use of the OpenSSL library for encryption permits a wide range of ciphers to be used. Until now, OpenVPN has been the industry standard for VPN encryption.

What is WireGuard?

WireGuard is a newer and highly efficient VPN encryption protocol. It is notable for its conciseness and speed, using only 4000 lines of code, as well as having a smaller surface area for attack. It uses the modern authenticated encryption scheme ChaCha20-Poly1305 which, while potentially less compatible with certain systems, is growing in popularity. It also uses state-of-the-art cryptographic primitives (Curve25519) for key exchange and peer authentication, and the modern BLAKE2 for hashing and keyed hashing.

Like OpenVPN, WireGuard is open-source, but its short code allows for increased speed, easier implementation and integration, and better auditability in general.

Similarities between OpenVPN and WireGuard

OpenVPN and WireGuard share several key similarities:

Security

When implemented correctly, both protocols offer robust security with no known vulnerabilities. They both use modern cryptographic standards, although the encryption algorithms and authentication methods differ in each case.

Privacy

Both OpenVPN and WireGuard provide the necessary encryption protocols underlying VPN privacy services. However, these protocols are not themselves sufficient privacy mechanisms, and so can be considered to perform equally well. While encryption protocols safeguard data, it is the architecture of VPNs themselves that must be analyzed to determine the scope of privacy protections. But more on this below!

Open-source

Both OpenVPN and WireGuard are open-source, so anybody can view the underlying code. This is contrary to proprietary software, in which no one outside a company’s development department can verify its level of security, efficiency, or problems. However, there is an important difference in how easily their code can be audited.

PFS

Both protocols support Perfect Forward Secrecy (PFS). PFS is a feature of certain cryptographic systems that aims to protect past sessions against keys being compromised in the future. If the private key of a server is compromised, the session keys used in past communications remain secure, preventing an attacker from decrypting old messages.

Differences between OpenVPN and WireGuard

Encrypted routing protocols are quite complex in their design, with many features to compare. Here are some of the key ones in a snapshot, which we will analyze in more detail below:

Let’s break down each of these differences in detail in terms of their encryption protocols, structure, and functionality.

Speed

Speed is WireGuard’s clear strong suit, being upwards of 50% faster for downloads than OpenVPN. Why exactly? WireGuard’s code is concise and efficient, while OpenVPN’s code is extensive, complicated, and carries a higher data overhead. Moreover, WireGuard’s choice of fixed but efficient encryption, key authentication, and transport layer procedures all contribute to an exceptionally performant protocol. All of this involves no tradeoff in security. For multi-hop routing with a dVPN, this speed factor is crucial in choosing WireGuard.

Compatibility

Operating system compatibility: Both OpenVPN and WireGuard are widely compatible with most major operating systems and devices: Windows, macOS, iOS, Android, Linux, and modern versions of BSD. WireGuard was originally designed for Linux, so its native design may give it some integration advantages there over OpenVPN.

Router compatibility: While WireGuard can be integrated with certain routers, OpenVPN has much wider compatibility with VPN routers. This is not surprising given that WireGuard is new, and much router hardware was designed and deployed before WireGuard was launched. Given WireGuard’s overall efficiency, Nym expects a growth in WireGuard compatibility with routers in coming years.

Encryption: As we will see next, OpenVPN allows for users to customize which encryption algorithms and authentication protocols are used. To maximize speed and data efficiency, WireGuard uses select protocols at each stage. It is difficult to compare the two at the level of encryption alone, since customization will involve tradeoffs in speed, and vice versa.

Nym’s Verdict: OpenVPN has been around for 23 years, compared to only four years for WireGuard. It has been well tested and its code is well-known by many experts. It is also used by the large majority of traditional VPNs on the market. However, given the privacy problems with many of these VPN service providers, this fact shouldn’t be taken at face value. Ultimately, WireGuard’s hardware compatibility shortcomings with VPN routers will likely be addressed in coming years, so Nym calls this a tie.

Encryption and authentication

Readers can check out OpenVPN’s and WireGuard’s own specifications for their encryption protocols. Here is Nym’s breakdown:

Encryption protocols

  • OpenVPN uses the OpenSSL library, thus offering a wide selection of encryption ciphers for clients and programmers to select from: not only the many variants of AES (128- and 256-bit versions), but also algorithms such as Blowfish, Camellia, and ChaCha20. This choice can be important for some developers, depending on their hardware and programming needs.
  • WireGuard uses ChaCha20 exclusively for data encryption and transfer, which pairs efficiently with Poly1305 for authentication steps. ChaCha20 is equivalent in strength to 256-bit AES encryption.

Key exchange and authentication

  • OpenVPN can be customized to use either a pre-shared static key or SSL/TLS for authenticated key exchange. This also includes the possibility of using X.509 certificates or PKCS#12 for certificate and key storage. Again, this can be advantageous to clients looking for specific security configurations.
  • WireGuard uses specific protocols for each stage of the encryption process, chosen for simplicity and efficiency. The initial handshake is made through the modern Noise protocol framework (whose cryptographic primitives are also used by communication systems like Signal). Curve25519, an elliptic-curve cryptography primitive, is then used for public key exchange, and Ed25519 for signing to authenticate public keys. ChaCha20-Poly1305 is then used for authenticated encryption. BLAKE2 is used for hashing and keyed hashing throughout.

Verdict: Given the strengths of modern encryption and key exchange methods, these differences in protocols come down to user choice. An edge nonetheless goes to WireGuard for its speed and optimization, and another edge to OpenVPN for its customizability.

Auditability

Both OpenVPN and WireGuard are open-source, so their underlying codes are fully auditable. Public auditing is crucial in continually verifying and improving upon programs, for instance, by finding bugs and security vulnerabilities.

However, whether a program is easily auditable depends on the size of its code-base. WireGuard is remarkable with its highly concise code of 4,000 lines, while OpenVPN’s code is upwards of 100,000 lines, depending on the version. This makes OpenVPN very difficult for individuals to audit, and still challenging for groups of IT experts. While OpenVPN code has been analyzed and known by experts for two decades, it poses a big challenge for individual auditors who are new to the practice.

Networking

The transport layer is the part of the VPN architecture that is responsible for the actual transmission of encrypted data across a network. In network communications, the transport layer is crucial in ensuring that data packets are transferred between systems reliably and efficiently. UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) are two widely used protocols.

OpenVPN supports both UDP and TCP, while WireGuard only supports UDP. This is because UDP is more efficient and much faster for VPN requirements, while TCP has a large data overhead that can lead to inefficiencies or problems (e.g., “TCP meltdowns”).

Overall flexibility, complexity, and data usage

In the end, OpenVPN is highly customizable for users. Users can select which encryption algorithms will be used, while WireGuard uses more limited, but modern, and highly secure encryption protocols. This also makes OpenVPN’s data overhead heavier, its download and upload performance much slower than WireGuard’s, and its overall code less easily auditable.

OpenVPN vs. WireGuard: Their respective advantages

Advantages of OpenVPN over WireGuard

OpenVPN has some clear advantages over WireGuard, largely due to its longer development time, years of troubleshooting, and wide-spread adoption by mainstream VPNs.

  • Compatibility and support: OpenVPN provides more options for integration across different hardware and current VPN services. For instance, most routers support OpenVPN integration, unlike WireGuard.
  • Customization: Users and programmers can choose which encryption algorithms and authentication and key exchange procedures to use.

Advantages of WireGuard over OpenVPN

WireGuard’s clear strengths are its speed, size, and overall optimality.

  • Speed and data overhead: WireGuard is hands down much faster, and its data overhead much smaller. This is not only crucial for ordinary users of VPNs, but particularly for privacy-centered users opting for a dVPN, where latency might be a concern.
  • Easily auditable: The concise code-base contributes not only to its speed and implementation, but also its open-source auditability.

But which one is better for privacy?!

Frankly, neither is better or worse in protecting your privacy. WireGuard and OpenVPN are encryption protocols for routing, and both are incredibly strong in protecting the content of your data. However, this is typically already guaranteed by default through reliable web services. The current problem of privacy is not encryption, but online tracking: a lot can be known about us and what we do online even when the content of our data is encrypted.

The most widely used way to combat data harvesting, traffic analysis, digital fingerprinting, hackers, and government surveillance is by using a privacy-centered VPN. If you’re concerned about your privacy online, the choice of the best VPN provider for your needs should not be made on their encryption protocols alone. You need to also consider the architecture of a VPN provider, specifically whether they centralize user traffic data or metadata.

Centralized VPNs

Most VPN service providers have centralized infrastructures: single servers that they individually own or rent from third parties. These servers are not simply IP-obscuring pit stops: they can also keep metadata logs of our traffic, including our IP addresses, the IPs of who or what we connect to, when, and even where. This is likely the case even if they promise not to keep such centralized logs. What’s worse, most free VPN services deliberately harvest user data to sell to third-party data brokers.

This centralized design of VPNs is the real problem for user privacy online today. All it takes is one data breach, cyber attack, or government request for mass user traffic records from a VPN server to expose the metadata and subscription records of clients. Fortunately, it is no longer necessary to put our trust in these kinds of VPN services, let alone the exploitative free VPN services that lure users in to sell their traffic data behind their backs.

Decentralized VPNs (dVPNs)

Privacy-centered dVPNs like NymVPN have been developed to counter this problem of centralized user data. A truly decentralized VPN will route user traffic through independent and unlinkable servers across the world. This makes it so no server (or node) in the VPN network can keep centralized and holistic logs of your traffic. Without any central point of control or failure for the network, the possibilities of centralized logs and data breaches are ruled out by design.

dVPNs, however, have a problem: speed. The more servers your data has to pass through, decrypting and encrypting your data at different points, the slower your connections will be. This is where something like WireGuard wins the day as a VPN encryption protocol. With its speed and efficiency, users looking for robust privacy online with a dVPN can avoid much of the typical latency issues that come with multi-hop architectures.

OpenVPN vs. WireGuard: Nym’s verdict

Head to head, OpenVPN and WireGuard each have clear strong suits, so the choice comes down to the specific needs of the user or developer. If you need flexibility in encryption ciphers and care less about speed and strong privacy, OpenVPN is your machine. But if speed, decentralization, and optimal traffic is your priority, WireGuard wins hands down. In the end, they both deliver equally in data security.

At Nym, our goal is to provide the best options for user privacy in an age in which it is increasingly under threat. So if you’re looking for a VPN to be more anonymous online, it’s crucial to avoid traditional and centralized VPNs, regardless of whether they use OpenVPN. In choosing a VPN which is truly decentralized, look for one powered by WireGuard so that you’re not trading off speed for privacy.

NymVPN’s 2-hop dVPN mode is built on WireGuard for this reason: more robust privacy with the same speed as other single-server VPN services. Users can then choose when to use its 5-hop mixnet mode for unparalleled privacy (and possibly slower speeds) for highly sensitive traffic when needed, like private communications or crypto transactions. NymVPN’s mixnet mode is powered by Sphinx, an encrypted routing protocol specifically designed for mixnets.
