WireGuard vs OpenVPN
Speed Test
The official WireGuard page publishes a benchmark comparing WireGuard, IPsec and OpenVPN. In throughput, WireGuard beats OpenVPN by 753 Mbps, but it beats IPsec by only 130 Mbps.
A second test measures ping response time. WireGuard is again the best performer, ahead of IPsec by 0.1 ms and ahead of OpenVPN by 1.1 ms.
Encryption
OpenVPN relies on the OpenSSL library for its cryptography, which gives it a wide choice of algorithms and options:
- AES, Blowfish, Camellia, ChaCha20, Poly1305, DES, Triple DES, GOST 28147-89, SM4 and more for encryption and authentication.
- MD5, MD4, SHA-1, SHA-2, MDC-2, BLAKE2 and more for hashing.
- RSA, DSA, X25519, Ed25519, SM2 and more for key derivation and agreement.
- UDP or TCP as the transport-layer protocol.
- Perfect Forward Secrecy to protect user data.
This range of algorithms makes OpenVPN more flexible: the two ends can negotiate which algorithms to use depending on the circumstances. On the other hand, the complexity this adds to the code slows down performance.
WireGuard takes a different approach: it uses a single, fixed set of algorithms:
- ChaCha20 for symmetric encryption.
- Poly1305 for authentication, using RFC7539's AEAD construction.
- Curve25519 for Elliptic-curve Diffie-Hellman (ECDH) anonymous key agreement.
- BLAKE2s for hashing (RFC7693).
- SipHash24 for hashtable keys.
- HKDF for key derivation (RFC5869).
- UDP as the transport-layer protocol.
- Perfect Forward Secrecy (PFS) to protect user data.
OpenVPN uses certificates for identification and encryption, while WireGuard uses public keys for these tasks. WireGuard does, however, allow an additional pre-shared key to be configured for another layer of security.
As far as encryption is concerned, each has advantages and disadvantages depending on the needs. OpenVPN can operate with several protocols, but that flexibility also broadens the attack surface. WireGuard uses a single set of protocols, which leads to a lighter implementation and a smaller attack surface. The downside is that if a vulnerability is found, there is no alternative algorithm to switch to: you will have to upgrade to a newer version.
Auditability
Both are open source, but OpenVPN's code base runs to hundreds of thousands of lines, while WireGuard's has only 4000, which makes it far easier to audit.
Privacy
VPN protocols provide security, not privacy. Privacy is determined by the policies of the VPN service, in particular whether it keeps logs.
OpenVPN's design does not require any user information to be stored on the VPN server, so it does not compromise user privacy.
The main problem with WireGuard is that it stores the user's IP on the VPN server. WireGuard maps each public key to its allowed IPs, which simplifies some aspects but means the user's IP is kept on the server until it is rebooted. Storing the IP on the server in this way means WireGuard could no longer be considered a "no-logs" VPN.
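As an added illustration of the public-key to allowed-IPs mapping described above and of the optional pre-shared key mentioned earlier (example code written for this page, not code from the WireGuard project), the following Python snippet parses a constructed wg-style configuration with placeholder keys and applies the mapping in both directions: outbound packets pick the peer by longest matching prefix, and an inbound packet decrypted under a peer's key is accepted only if its source address belongs to that peer's AllowedIPs.

```python
import ipaddress

# Constructed sample server config; key values are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER
PresharedKey = OPTIONAL_PSK_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
"""

def parse_peers(text):
    """Collect PublicKey, optional PresharedKey and AllowedIPs from each [Peer] section."""
    peers, peer = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "[Peer]":
            peer = {"PublicKey": None, "PresharedKey": None, "AllowedIPs": []}
            peers.append(peer)
        elif line.startswith("["):
            peer = None  # [Interface] or unknown section: its keys are not peer data
        elif peer is not None and "=" in line:
            key, _, value = line.partition("=")  # base64 keys may end in '=', so split once
            key, value = key.strip(), value.strip()
            if key == "AllowedIPs":
                peer["AllowedIPs"] = [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",")]
            elif key in peer:
                peer[key] = value
    return peers

def peer_for_destination(peers, dst):
    """Outbound: the peer whose AllowedIPs contain dst; longest prefix wins, like a routing table."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for p in peers:
        for net in p["AllowedIPs"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best["PublicKey"] if best else None

def accepts_source(peers, pubkey, src):
    """Inbound: a packet authenticated by pubkey is accepted only if src is in that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for p in peers if p["PublicKey"] == pubkey for net in p["AllowedIPs"])
```

This mapping is exactly the per-peer state the server must hold, which is why the page counts it against WireGuard's "no-logs" claim.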