
WireGuard vs OpenVPN vs IPsec: Protocol Comparison

Compare the three major VPN protocols -- WireGuard, OpenVPN, and IPsec -- on speed, security, compatibility, and use cases.

The Three Major VPN Protocols

Choosing the right VPN protocol affects your connection speed, security level, and compatibility. The three dominant protocols in modern VPN deployments are WireGuard, OpenVPN, and IPsec (often paired with IKEv2).

Protocol Comparison

| Feature | WireGuard | OpenVPN | IPsec/IKEv2 |
|---|---|---|---|
| Release year | 2020 (stable) | 2001 | 1995 (updated) |
| Codebase size | ~4,000 lines | ~100,000 lines | OS-dependent |
| Encryption | ChaCha20, Poly1305 | AES-256-GCM, others | AES-256, others |
| Speed | Fastest | Moderate | Fast |
| Latency | Lowest | Moderate | Low |
| UDP/TCP | UDP only | UDP or TCP | UDP (ESP) |
| Firewall traversal | Limited | Excellent (TCP/443) | Moderate |
| Mobile performance | Excellent | Good | Excellent (MOBIKE) |
| Auditability | Easy (small codebase) | Harder (large codebase) | Complex |

WireGuard

WireGuard is the newest protocol, designed from the ground up for simplicity and performance.

Strengths:
- Extremely fast -- minimal overhead, modern cryptography.
- Simple configuration -- a server config is about 10 lines.
- Small attack surface -- easier to audit and verify.
- Excellent for mobile -- fast reconnection when switching networks.

Limitations:
- UDP only -- blocked by some restrictive firewalls.
- Fixed cryptographic choices -- no cipher negotiation (by design).
- Static IP challenges -- the server must store client public keys, which some argue is less anonymous than OpenVPN.

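# WireGuard config is remarkably simple (client side shown)
[Interface]
# This client's private key
PrivateKey = <key>
# This client's address inside the tunnel
Address = 10.0.0.2/24

[Peer]
# The server's public key
PublicKey = <server-key>
# WireGuard listens on UDP only
Endpoint = vpn.example.com:51820
# Route all IPv4 traffic through the tunnel
AllowedIPs = 0.0.0.0/0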
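
A small pre-deployment check for a config like the one above, as an added example that is not part of the original page or of the WireGuard project. It goes slightly beyond the page by flagging a full-tunnel IPv4 route with no `::/0`, since only the prefixes in AllowedIPs are routed into the tunnel. The function names `parse`, `is_key` and `audit` are hypothetical.

```python
import base64
import ipaddress

# Constructed sample: the client config shown above, placeholders left as-is.
SAMPLE = """\
[Interface]
PrivateKey = <key>
Address = 10.0.0.2/24
[Peer]
PublicKey = <server-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

def parse(text):
    """Return [(section, {key: value})]; repeated [Peer] blocks are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding '=' stays in value
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_key(value):
    """WireGuard keys are 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit(text):
    """Hypothetical linter: return a list of human-readable findings."""
    findings = []
    for name, kv in parse(text):
        if name == "Interface" and not is_key(kv.get("PrivateKey", "")):
            findings.append("Interface: PrivateKey is not a 32-byte base64 key")
        if name != "Peer":
            continue
        if not is_key(kv.get("PublicKey", "")):
            findings.append("Peer: PublicKey is not a 32-byte base64 key")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in kv.get("AllowedIPs", "").split(",") if n.strip()]
        if (any(n.version == 4 and n.prefixlen == 0 for n in nets)
                and not any(n.version == 6 and n.prefixlen == 0 for n in nets)):
            findings.append("Peer: 0.0.0.0/0 without ::/0, IPv6 is not routed into the tunnel")
    return findings
```

Calling `audit(SAMPLE)` reports the two unfilled key placeholders and the missing IPv6 route.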

OpenVPN

OpenVPN is the most widely deployed VPN protocol, with two decades of production use.

Strengths:
- Runs over TCP or UDP -- can use port 443 to bypass firewalls.
- Highly configurable -- supports many cipher suites and authentication methods.
- Mature ecosystem -- extensive documentation, widespread support.
- Proven security record -- extensively audited over 20+ years.

Limitations:
- Slower than WireGuard due to larger overhead and user-space processing.
- Complex configuration -- config files can be hundreds of lines.
- Large codebase makes auditing more difficult.

IPsec/IKEv2

IPsec is a suite of protocols built into most operating systems. IKEv2 (Internet Key Exchange version 2) is the modern key exchange protocol used with IPsec.

Strengths:
- Built into Windows, macOS, iOS, and Android -- no extra software needed.
- MOBIKE support -- seamlessly switches between Wi-Fi and cellular without dropping the connection.
- Fast -- kernel-level implementation avoids user-space overhead.

Limitations:
- Complex to configure manually (certificate management, SA policies).
- UDP port 500/4500 can be blocked by firewalls.
- Less flexible than OpenVPN for custom deployments.

Which Protocol Should You Use?

  • General use, maximum speed -- WireGuard.
  • Restrictive networks, firewall bypass -- OpenVPN over TCP/443.
  • Mobile devices, network switching -- IKEv2/IPsec or WireGuard.
  • Corporate VPN, legacy compatibility -- IPsec/IKEv2 or OpenVPN.
