If you are looking for a VPN software, OpenVPN is still the most popular solution, but WireGuard is a suggestion that we hear more and more in the last years.
Where are we exactly? What are the differences between OpenVPN and WireGuard?
That’s what I will try to answer in this article.
OpenVPN and WireGuard are two open-source solutions to create virtual private network (VPN).
OpenVPN is the standard, created in 2001, and running most VPN in the world.
WireGuard is a recent solution (2016), promoting better performances that should not be overlooked when creating a new VPN.
In this post, I will start by an overview of each solution, and then compare them point per point.
So, as I told you in introduction, OpenVPN is the old solution, created in 2001, about 20 years ago!
Do you remember 2001? Google was a young company, Apple had just released the iPod, Microsoft released Windows XP, etc. It was another age 🙂
OpenVPN was created in this period, with most of the population without Internet access at home, so it was really a revolution for bigger networks (even if IPsec was already there).
OpenVPN quickly grows to be adopted by most brands and companies, and is now the standard to create VPN.
I don’t want to be too technical in this post, so I’ll not give too many details about the security part, but just as a reminder, the goal of a VPN is to protect your data by encrypting them on the network between your computer and the server.
To do this, there are several protocols available, and OpenVPN mainly use OpenSSL. OpenSSL provides SSL and TLS protocols
It’s the same technology as for HTTPS website, so it’s a standard in cryptographic protocols.
When using OpenVPN, you need to authenticate on the VPN server to connect.
This can be done with three methods :
- Pre-share keys : The server will generate keys to use when you connect, to prove who you are.
- A certificate-based method : More secure but it’s the same principle (same thing as for HTTPS websites).
- Username / password : Not mandatory, but you can add this level of security with one of the others.
I generally use certificates + username/password, but you can configure it as you want depending on your current needs.
With 20 years of operation, OpenVPN has had time to be included in most solutions and all operating systems.
You will almost always find a way to create an OpenVPN server on any router of the market.
For example, I use Pfsense a lot at work, and we build VPNs with the OpenVPN module integrated in Pfsense.
Watchguard was another firewall I used before that, and it also included an OpenVPN server.
So, it should not be complicated to create a server. And obviously, you can install it manually on any operating system.
For clients, OpenVPN is available on most platforms:
- Linux / BSD
You can download the applications directly on the OpenVPN website.
You can even create an OpenVPN Access Server on AWS (the cloud solution from Amazon).
OpenVPN and Raspberry Pi
The goal here is not to explain how to install OpenVPN, but for information, you can install it easily on Raspberry Pi.
It’s available in the Raspberry Pi OS repository, or you can download the source code here.
The installation is a bit more complicated, so if you try to do this on your Raspberry Pi, I recommend checking this tutorial I made on how to install OpenVPN on Raspberry Pi.
Another solution if you want to go faster, is to try PiVPN to do almost everything for you. Run the command, answer the questions, and customize it after the installation if needed.
Let’s see what the challenger has to offer now 🙂
WireGuard is a very new solution for VPN on the market.
Created in 2016 and developed during at least 2 years in a beta version, it’s very young.
But in January 2020, Linus Torvalds accepted to include WireGuard in the Linux Kernel, and it was a big promotion for this software.
We can now consider it seriously for new projects.
The main goal of the author is simply to replace any other VPN solution by WireGuard (yes, just that ^^).
As you can see on the logo, they promote their project as faster, safer and lighter.
For the lightweight, there is no doubt. The WireGuard source code is made with 4000 lines, while OpenVPN has 150 times more lines than that.
That doesn’t mean it’s safer or faster, but in any case it’s clearly lighter.
We’ll see now what really change for the user and the administrator.
As WireGuard is a younger project, it includes some of the most recent technologies.
For symmetric encryption, WireGuard uses Chacha2020 (also used by Google on Android). Curve25519 as a backup protection, BLAKE2s, SipHash24 and HKDF are also used for specific parts if you want to know, but for now just remember that WireGuard is using safe and fast protocols.
For authentication, WireGuard is elementary.
It uses only public and private keys, as you would do with SSH authentication.
The server has its own secret key and know the list of users. On the client, you also have a secret key and the public key of the server that you will use to connect.
To add a new client, you just add a new peer on the server and it’s ready to use.
Once they exchanged their public key, the connection can be made.
As you can see on the official website, WireGuard clients are available on most operating systems.
On Linux, it’s often available in the default repository of your distribution. For Windows and macOS there is an installer to download.
And on smartphone you can find an app in the store.
Clients are also directly included in some other solutions if you don’t want to do the installation yourself.
For example, if you are using NordVPN for other things, you can add a connection to a WireGuard server in it, through the Nordlynx technology. By the way, I have an entire article here on why and how to install NordVPN on Raspberry Pi.
To find a server in the solutions on the market is more difficult. The WireGuard project is probably too young to have had the time to be included in the most popular solutions.
But you can find a package on Pfsense for example, and obviously install it manually on your system.
OpenVPN and Raspberry Pi
On Raspberry Pi, WireGuard is available in the default Raspberry Pi OS repository.
But the easiest way to install it is to use PiVPN.io
This script includes WireGuard since 2019 as an alternative to OpenVPN (you have the choice at the beginning of the installation).
Differences between OpenVPN and WireGuard
As I already wrote previously, OpenVPN is available on almost any platform and many manufacturers are including the technology in their solutions (routers, firewall, etc.). Cloud hosting is also easy to find (with Amazon or other).
WireGuard is still too young to be largely integrated on network hardware, even if some manufacturers start to speak about it. But you can easily create your server on any Linux distribution, and on some other solutions like Pfsense.
Your choice will probably depend on the network you already have, and if you are ok to add or change some equipment or want to keep the same.
For users, there is no difference, both solutions are easy to install on Windows / macOS / Linux.
I didn’t do the benchmark myself for the moment, but I have seen everywhere that WireGuard, is not only promoting its speed, but is also much faster than other solutions.
It’s not astounding as it’s one of the main goal of the developers, and that the code is really limited to the minimum.
On the official website, you can find a benchmark they made with speed (megabits per second) and ping response (milliseconds).
It’s on their website, so I don’t know how we can consider that, but it seems that people are getting similar results in real life.
So, for performances, WireGuard seems to be way better than OpenVPN.
Also, another interesting thing I found thanks to Google Trends, is the interest in web search in the past 5 years for the two solutions.
OpenVPN seems to be gradually declining in the last few years, while WireGuard has an opposite trend.
This suggests to me that in 5 years WireGuard could be the leader on this market, so it’s probably a good time to start learning more about this solution.
It doesn’t mean it’s a better solution, but more and more people are looking at it.
Ok good, WireGuard may be faster and trendy, but the main criteria for a choice is still the security of our network. Is there a difference between both solutions?
OpenVPN is based on old technologies. SSL is over 20 years old and it’s one of the most popular solutions, that we still implement on almost any website for HTTPS.
WireGuard prefers new technologies, with ChaCha20-Poly1305, we don’t have so much experience, but in theory it’s faster and safer. Also, the low number of lines in its source code works in its favor to assume that everything is up-to-date and secure.
It’s really hard to choose a winner, or at least I don’t have enough knowledge in cryptography to choose.
For me, both are interesting, but your choice might still depend on your needs.
On a bigger company network, maybe the experience and popularity are more important that innovation and eventual instability.
At home with a Raspberry Pi server, WireGuard is probably an excellent solution.
That’s it, you know the most important elements there is to know about OpenVPN and WireGuard. I tried to keep this post accessible for beginners, without going in too much technical details, so I hope it was enough for you and helped to give you a general idea on the topic.
If we focus again on the Raspberry Pi for the conclusion, I would say that WireGuard is probably the best solution to choose if you are installing a new VPN server today.
We don’t need manufacturers or other software developers to use it, so this limitation is not a problem. Also, stability is rarely the main criteria when we build something on Raspberry Pi, so even if there are some crashes sometimes, it’s ok (and I think it’s already stable enough to be used in production).
OpenVPN is still a good solution in some cases, but probably not with a Raspberry Pi server.
What do you think? Which one is your favorite? Why?
Are you interested in a step-by-step installation of WireGuard?