Just wondering if and what exactly do I gain by possibly switching.
Wireguard allows you to build a mesh, where every peer can connect to each other. This is especially great when you have multiple locations you want to interconnect with each other.
OpenVPN has a client-server model. Even in its UDP mode, a client can only connect to 1 server, and a server can only receive connections.
Most people typically do not notice any benefits of this, however, as they have one central server, and clients cannot connect directly to each other because they are in networks that do not accept incoming connections.
I’m currently on a cruise ship. They say on their internet plans “no VPN”. I said “we’ll see about that.”
OpenVPN did not work even though I used port 443 (worth a try). But … WireGuard did work. Its connectionless protocol really helps with these super high latency and slow internet connections. WireGuard for the win.
Next, I have a separate encryption key for each device. If I lose a laptop, I can quickly and easily deny the connection from that device.
And WireGuard is fast and CPU friendly.
Now for the bad news. OpenVPN is still useful. Sometimes OpenVPN can tunnel out of a business network where WireGuard cannot, often due to a security setup.
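The per-device key point above is what makes revocation cheap: each device only ever holds its own private key, so denying a lost laptop is just dropping its [Peer] block on the server side. This is an added example, not code from the post; it uses a constructed wg-quick config with placeholder keys and the real `wg set <iface> peer <key> remove` subcommand for the live interface.

```python
"""Revoke one device's access by removing its [Peer] block from a wg-quick config."""
import re
import subprocess

# Constructed server-side wg-quick config with placeholder keys (not real keys).
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

# laptop
[Peer]
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32

# phone
[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.0.0.3/32
"""

PUBKEY_RE = re.compile(r"^\s*PublicKey\s*=\s*(\S+)\s*$", re.MULTILINE)


def _blocks(conf):
    """Split the config into blank-line separated blocks ([Interface] or [Peer] plus its comments)."""
    return re.split(r"\n\s*\n", conf.strip())


def peer_keys(conf):
    """Public keys of all [Peer] blocks, i.e. every device currently allowed in."""
    return [m.group(1) for b in _blocks(conf) if "[Peer]" in b for m in [PUBKEY_RE.search(b)] if m]


def revoke_peer(conf, public_key):
    """Return the config with the [Peer] block for public_key removed; raise if it is not present."""
    kept, found = [], False
    for block in _blocks(conf):
        m = PUBKEY_RE.search(block)
        if "[Peer]" in block and m and m.group(1) == public_key:
            found = True  # drop this device; its private key never left the device anyway
            continue
        kept.append(block)
    if not found:
        raise KeyError(f"no [Peer] with PublicKey {public_key}")
    return "\n\n".join(kept) + "\n"


def revoke_live(iface, public_key):
    """Apply the same revocation to a running interface without restarting it (needs root)."""
    subprocess.run(["wg", "set", iface, "peer", public_key, "remove"], check=True)
```

Write the returned text back over the config file as well, or the peer comes back on the next `wg-quick up`.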
WG makes roaming easier, no version-dependent configs, lower latency, better encryption, smaller package, easier to deploy.
Speed increases. Better encryption. Easier to deploy (in some cases).
On my laptop, if I use OpenVPN, the fans will be on all the time (slightly higher CPU usage than normal) and it’s annoying, especially when I’m in a quiet environment. Once I switch to Wireguard, the fan rarely even turns on. That’s my first-hand personal opinion that has directly affected me if that’s what you’re looking for.
Even though the speed has been more stable with Wireguard than OpenVPN, that doesn’t make much of a difference in my normal day-to-day usage. But the fan noise, that’s the biggest reason I’m glad I switched.
I was using it for point-to-point links between small offices over business broadband connections. OpenVPN could only manage like ~20mb/s for the secure tunnels. I switched over to Wireguard and was able to get close to the full broadband bandwidth over the tunnel on the same hardware and connection at like 300mb/s. So I made my site-to-site traffic ~15-20 times faster by switching.
Seriously the design of OpenVPN really sucks for performance.
Wireguard is in kernel, openvpn is userspace. You can squeeze out a bit more bandwidth while using fewer CPU cycles.
Access to my docker services without opening ports and without having to worry about who can access them; only I can.
I have both Wireguard and OpenVPN installed on my Phone and Linux based laptop.
I run 2 VMs, one for Wireguard and one for Openvpn; I don’t use docker. I also enabled BBR on both servers, but that’s for TCP not UDP, so if anything it’s giving OpenVPN a better chance. My home internet is 500/200 and I often can exceed 200mbit on 4g and 5g (without VPN).
I also have a pi4 (4gb) running ubuntu off an ssd that also runs wireguard (backup) and my 2nd instance of pihole.
So with that all out of the way.
Wireguard IS MUCH BETTER on battery. I have noticed, literally, 0 impact on battery on my android phones (I have had wireguard on my old Samsung Note 20 Ultra 5g, my old Pixel 6 Pro and my now current Pixel 7 Pro). How I don’t really need to wait for the tunnel to come up before I started browsing content within my home network is bliss.
Because of where I live, ISPs don’t peer with each other in my state, so my VPN traffic needs to leave the state, then come back into the state, adding probably close to 40ms of latency, but I don’t notice it on Wireguard.
I also have a gl.inet portable router that supports wireguard (and openVPN) but due to running on USB power it doesn’t have a lot of power behind it. The advertised OpenVPN speeds are 120mbps and the advertised wireguard speeds are 550mbps. Since my home internet is 200mbit up, that is MORE than enough.
Using Speedtest.net in single-threaded mode to the same server I get the following results (I ran these all back to back standing in the same spot):
- Pixel 7 | Telstra 5G (No VPN) 214/45.5 42ms
- Pixel 7 | Telstra 5G (VM wireguard) 108/28.8 46ms
- Pixel 7 | Telstra 5G (Pi4 Wireguard) 117/51.2 44ms
- Pixel 7 | Telstra 5G (VM OpenVPN) 120/14 85ms
I also ran the test on my Pixel 7, wifi connected to my Netgear Nighthawk m6 Pro (MR6500) that is also Telstra 5g:
- MR6500 | Telstra 5G 206/66.1 53ms
- MR6500 | Telstra 5G (VM wireguard) 113/51 57ms
- MR6500 | Telstra 5G (Pi4 Wireguard) 110/39.9 58ms
- MR6500 | Telstra 5G (VM OpenVPN) 90.3/12.2 148ms
Now that I have run these tests my results surprised me a little. My pi4 is faster than my x86 VM. But OpenVPN performed WAY faster than I expected on my Pixel’s 5g; however, the weird thing was that wireguard basically shot up to 100mbit instantly, whereas OpenVPN took multiple seconds (most of the test) to ramp up to 120mbit, so sure, its peak speed is faster but it takes a LOT longer to get there. Also the latency is…shit and the upload on OpenVPN is…trash.
Using my Hotspot (which is also 5g midband, but uses wifi6 (not e)) I got pretty much the same results, but with just 1 extra hop OpenVPN latency almost doubled! Upload went to complete shit. (I ran the tests a few times, same result each time.)
My Telstra 5G is the only “fast” internet connection I have access to. The only other ones I can test on are my mate’s 100/20 connection, which is the same ISP and is only 2-3ms latency between us, so not a fair test. I also have access to a 50/20 which is…slow (for the purpose of fair testing) so no point using that.
Security is the most significant advantage.
Stable. OpenVPN would drop randomly and then fail handshakes on persistent connections. Wireguard doesn’t do any such thing.
One thing that deserves a mention: a disadvantage. WireGuard is somewhat less user-friendly.
Don’t get me wrong, I use Wireguard a lot and benefit from all that was said. Still, I keep the old OpenVPN tunnels around for failover - but it’s clear my users don’t like them. Too slow and cumbersome in comparison.
However, WireGuard provides nothing like OpenVPN’s debug potential. Give WireGuard to end users, and the local wg1 interface may go up but never take any traffic and still not inform the user about the reasons. Even when the remote peer is down, or just offline, WireGuard clients do not give out that information, which could be helpful to a remote admin to help with diagnosis. For admins this strongly implies external monitoring.
Depending on your scenario this may be a point to consider.
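The "external monitoring" the post above asks for can be built on the one signal WireGuard does expose: the age of each peer's last handshake, as printed by `wg show <iface> dump`. The script below is an added example, not code from the post; the dump output, peer keys and the 180-second threshold are constructed/assumed, and `python wgmon.py wg1` on a real host reads the live interface instead.

```python
"""Flag WireGuard peers whose last handshake is stale, from `wg show <iface> dump` output."""
import subprocess
import sys
import time

# Alert threshold (assumption): under traffic or keepalives WireGuard rekeys about
# every two minutes, so a handshake older than three minutes usually means the
# peer is unreachable, even though the local interface still shows as up.
STALE_AFTER = 180

NOW = 1_700_000_000  # fixed "current time" matching the constructed sample below

# Constructed `wg show wg1 dump` output with placeholder keys (not from a real host).
# Line 1: interface private key, public key, listen port, fwmark.
# Peer lines: public key, preshared key, endpoint, allowed IPs,
#             latest handshake (unix time, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "IFACE_PRIVKEY_PLACEHOLDER=\tIFACE_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    f"PEER_A_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t{NOW - 30}\t12345\t6789\t25\n"
    f"PEER_B_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.7:51820\t10.0.0.3/32\t{NOW - 900}\t0\t4096\t25\n"
    "PEER_C_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n"
)


def parse_peers(dump):
    """Parse the tab-separated peer lines of a dump into dicts (the interface line is skipped)."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append({"public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6])})
    return peers


def stale_peers(dump, now, stale_after=STALE_AFTER):
    """Return (public_key, reason) for every peer without a recent completed handshake."""
    problems = []
    for p in parse_peers(dump):
        age = now - p["latest_handshake"]
        if p["latest_handshake"] == 0:
            problems.append((p["public_key"], "never completed a handshake"))
        elif age > stale_after:
            problems.append((p["public_key"], f"last handshake {age}s ago"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real interface name given, e.g. wg1 (wg needs root)
        out = subprocess.run(["wg", "show", sys.argv[1], "dump"], capture_output=True, text=True, check=True)
        dump, now = out.stdout, int(time.time())
    else:
        dump, now = SAMPLE_DUMP, NOW
    for key, reason in stale_peers(dump, now):
        print(f"ALERT {key}: {reason}")
```

Run it from cron or a monitoring agent on the server side, since that is the one place that sees every peer's handshake state.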
Better stability because there is no “connected” state.
I use it on my Android and I can switch from Wi-fi to 5G to 4G … seamlessly.
The most significant to me is speed.
OpenVPN with OpenSSL is over half a million lines of code. Wireguard is 4K. Wireguard is much more secure.
Wireguard is straightforward to understand: copy paste public keys and IP addresses, done! OpenVPN has a lot of options and configurations. Hard to understand.
For maxing out my connection, Wireguard is awesome.
While I like Wireguard, I wanted to chime in with one disadvantage: UDP. I find that some public WiFi networks block UDP traffic making Wireguard unusable. In contrast, OpenVPN works fine in those same scenarios.
I raise this not to throw rocks at Wireguard, because I like it and use it, but to simply raise a point that I wish I had known. I was hoping to replace OVPN with Wireguard, but now run both. (Wireguard = primary, OVPN for when Wireguard does not work.)
Speed, security, simplicity.