WireGuard vs. OpenVPN: Which One Should You Use?
There’s a new VPN protocol in town. Since launching in 2018, WireGuard quickly established itself as an interesting alternative to the widely used OpenVPN.
But what are the pros and cons of using WireGuard rather than OpenVPN? How do the two protocols’ key features compare against each other? And which WireGuard VPN providers are currently on the market?
WireGuard vs. OpenVPN: Code
WireGuard has about 4,000 lines of code. The open-source version of OpenVPN has 70,000, while modified versions of the protocol have been known to run as high as 600,000 lines.
The primary benefit of fewer lines of code is a smaller attack surface. It’s harder for hackers to find flaws and easier for developers to plug vulnerabilities.
Less code also means bugs are less likely—there are fewer chances for things to go awry. In contrast, OpenVPN users will know that crashes and freezes are not uncommon.
WireGuard vs. OpenVPN: Crypto-Agility
WireGuard is not “crypto-agile”, while OpenVPN is crypto-agile. Crypto-agility is the ability of a security system to switch between security protocols and encryption methods.
A lack of crypto-agility makes the new VPN protocol more secure. Because it supports only a single cryptographic suite, there is less complexity and nothing for the two ends to negotiate. In turn, vulnerabilities are less frequent, and there is less scope for a man-in-the-middle attack.
The developers have also designed WireGuard so that it can be updated to a new suite if a major problem occurs, thus avoiding one of the common pitfalls of regular non-crypto-agile systems.
The system it uses is called “Versioning.” In the event of a change, a total package would be released. The server would start requesting connections over the new version, and the previous version could be entirely disabled. Updating OpenVPN is more complicated. It requires a new set of keys and key lengths to be agreed on a piece-by-piece basis.
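As an added illustration (not code from this article or from either project), the following Python example shows crypto-agility as configuration surface: it lists the algorithm-selecting directives in an OpenVPN config and flags legacy choices, then checks that a WireGuard config uses only its documented keys, none of which selects an algorithm. Both sample configs and the choice of what counts as legacy are constructed assumptions.

```python
import re

# Constructed sample configs for illustration; keys and hosts are placeholders.
OPENVPN_CONF = """\
proto udp
cipher BF-CBC
auth SHA256
tls-version-min 1.0
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
"""
WIREGUARD_CONF = """\
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <placeholder-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

# OpenVPN directives that select or negotiate algorithms and TLS versions.
OVPN_CRYPTO = {"cipher", "data-ciphers", "ncp-ciphers", "auth",
               "tls-cipher", "tls-ciphersuites", "tls-version-min"}
# Assumption: 64-bit block ciphers, MD5 and TLS 1.0/1.1 are treated as legacy.
LEGACY = re.compile(r"\b(BF|DES|RC2|CAST5|MD5)\b|^1\.[01]$", re.I)
# Keys documented for wg(8) / wg-quick(8) configs; none picks an algorithm.
WG_KEYS = {"PrivateKey", "ListenPort", "FwMark", "Address", "DNS", "MTU",
           "Table", "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig",
           "PublicKey", "PresharedKey", "AllowedIPs", "Endpoint",
           "PersistentKeepalive"}

def openvpn_crypto_knobs(conf):
    """Return (directive, legacy_values) for each algorithm-selecting line."""
    knobs = []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] in OVPN_CRYPTO:
            values = re.split(r"[:\s]+", " ".join(parts[1:]))
            knobs.append((parts[0], [v for v in values if LEGACY.search(v)]))
    return knobs

def wireguard_unexpected_keys(conf):
    """Return config keys outside the documented set (expected: none)."""
    keys = {l.split("=")[0].strip() for l in conf.splitlines() if "=" in l}
    return sorted(keys - WG_KEYS)

if __name__ == "__main__":
    for directive, legacy in openvpn_crypto_knobs(OPENVPN_CONF):
        print(f"openvpn   {directive:16} legacy={legacy or 'none'}")
    print("wireguard unexpected keys:", wireguard_unexpected_keys(WIREGUARD_CONF))
```

Each OpenVPN directive the audit reports is a setting both ends must agree on and an administrator must keep current; the WireGuard file has no equivalent line to get wrong.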
WireGuard vs. OpenVPN: Connection Speed
A major criticism of old VPN protocols is the connection speed. It can take several seconds for the handshake process to complete and your session to begin.
WireGuard drastically reduces that time. On decent hardware, it can take as little as a tenth of a second.
WireGuard Windows
Until recently, there was no WireGuard Windows version. Due to the underlying architecture, WireGuard was only available on macOS, iOS, Android, and Linux. The lead developer, Jason Donenfeld, didn’t want to have to deal with the issues of OpenTAP’s adapter code or Microsoft’s native VPN API.
In mid-2019, that changed. WireGuard Windows finally became a thing. Complexities in Windows’ design—such as lack of access to the kernel—have forced the team to develop the project from scratch. It’s not a simple port; the entire ntoskrnl.exe and ndis.sys had to be reverse-engineered.
Users who are not tech-savvy will be pleased to learn that there’s no tricky installation process. You can just run self-contained installers for both 32-bit and 64-bit versions. At the time of writing, the WireGuard Windows UI is simple but functional. You can import single configuration files or a batch of tunnels in a ZIP file.
Perhaps the most impressive feature of WireGuard Windows, however, is its ability to maintain persistent VPN connections across system reboots. A reconnection will occur instantaneously, without even needing to open the UI.
Download: WireGuard Windows (Free)
WireGuard VPN Providers
If you want to test WireGuard for yourself, you’re going to need to sign up with a VPN provider that supports the new protocol.
Thankfully, support is slowly becoming more widespread among the major VPN brands. Here are two mainstream WireGuard VPN providers that you can try right now:
Mullvad offers users five WireGuard keys. You need one key per device, so you can connect up to five devices in total.
To connect to Mullvad’s WireGuard services, you’ll need to use the terminal. If you don’t already have a key (you can check by typing mullvad tunnel wireguard key check), you need to create one by entering mullvad tunnel wireguard key generate.
Once you have a key, enter mullvad relay set tunnel wireguard any to connect and mullvad relay set tunnel openvpn any to disconnect.
Since December 2018, IVPN customers have been able to select the WireGuard protocol from within the IVPN app.
The company issues a warning, however:
“The WireGuard protocol is currently under heavy development and should be considered experimental. At this time, we do not recommend using WireGuard except for testing or in situations where security is not critical.”
To mitigate security risks, all its WireGuard VPN servers are separate from its OpenVPN servers.
Does Private Internet Access Use WireGuard?
Private Internet Access was quick to realize the potential of WireGuard and the new VPN protocol. In both 2018 and 2019, the company was the project’s biggest donor.
However, Private Internet Access does not offer WireGuard to its customers. The most recent blog post on the topic said:
“There’s still a lot of work to be done before WireGuard is ready for professional use […] It is crucial to understand that while WireGuard is very promising conceptually and the principles behind its development are sound, it needs to be feature complete and have independent review of all “final” components before it is safe to use in production.”
Private Internet Access goes on to add, “Some VPN companies have jumped the gun with WireGuard and are running WireGuard VPNs now. This is not prudent and could present serious risks if security flaws in this early code are discovered.”
WireGuard vs. OpenVPN: Should You Use WireGuard?
WireGuard has received rave reviews from security experts from around the world. The number of VPN providers already offering WireGuard is a testament to its potential.
But it’s still early days. WireGuard is only just starting its journey—problems could yet arise. For now, OpenVPN still has an important role to play alongside the new VPN protocol.