
OpenVPN vs. WireGuard – A Short Comparison - telmich
https://ungleich.ch/en-us/cms/blog/2019/09/10/openvpn-vs-wireguard/
======
vbezhenar
I tried OpenVPN and IPsec, and IPsec works much better for a Windows client and
Linux server. Also the CPU load for the server was much lower (I'm using a very
low power VPS). I don't think that it's because of the userland implementation,
but rather because OpenVPN has some implementation issues. So I'm using IPsec
now. Unfortunately I've hit some problems with IPv6. I managed to configure a
real IPv6 address from the /64 VPS subnet for each client, but this
configuration does not work reliably.

Another problem is that I did not find a way for Windows to keep the tunnel up
all the time. There's some way for an "Always on" connection, but I couldn't
configure it; there's no GUI option and it seems to require a lot of
PowerShell magic and there are no easy-to-follow tutorials.

Another problem with IPsec is that only strongSwan can provide an adequate
implementation. The OpenBSD iked daemon can't send a certificate chain, so I
can't use a Let's Encrypt certificate. Libreswan does not support the MSCHAP-V2
protocol, so easy configuration with username/password is not possible. Also
the default strongSwan configuration does not allow Windows clients to connect
without further tweaks (Windows does not want to use strong ciphers and
strongSwan does not want to use weak ciphers).

It's a mess.

So, yeah, WireGuard might be interesting for me, as I still haven't found a
suitable solution which checks all the boxes. IPsec works for me, but it's not
ideal.

Last time I checked, WireGuard for Windows was in beta, but it looks like it's
stable now according to the website. I guess it's worth trying now.

~~~
gruez
>Another problem with IPsec is that only strongswan can provide adequate
implementation.

Is this regarding the server or client implementation? Are the client
implementations of the major operating systems (e.g. Windows, Mac, iOS,
Android) secure?

~~~
vbezhenar
It's regarding server implementation. My aim was to use built-in IPsec IKEv2
implementations for Windows, iOS and macOS.

Regarding security: I had to reduce the cipher strength to allow the Windows
client to connect without further configuration. I'm using
aes128-sha1-prfsha1-modp1024, which IMO should be relatively secure for home
usage, but it's not very secure against governments. It's possible to use
stronger ciphers, but you need to use some registry changes or PowerShell
snippets for that, and I wanted to keep the configuration to GUI dialogs. I
have no idea why Windows by default does not accept strong ciphers.

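The proposal quoted above is the kind of thing worth catching before a strongSwan server goes live. The following is an added example, not code from the page, from strongSwan or from the commenter: a small POSIX sh audit that reads an ipsec.conf, walks each `conn`, and flags `ike=`/`esp=` proposals that contain small MODP groups, SHA-1/MD5 integrity or PRF, or obsolete ciphers. The sample configuration is constructed; the `windows-default` conn carries the proposal from the comment, and `windows-hardened` is an assumed stronger alternative. The checker only understands ipsec.conf syntax, not swanctl.conf's `proposals =` form.

```shell
#!/bin/sh
# Added example, not code from the page or from strongSwan: audit the ike=/esp=
# proposals in a strongSwan ipsec.conf for weak or deprecated primitives.
# SAMPLE_CONF is constructed. "windows-default" is the proposal quoted in the
# thread; "windows-hardened" is an assumed stronger alternative.
SAMPLE_CONF='conn windows-default
    keyexchange=ikev2
    ike=aes128-sha1-prfsha1-modp1024!
    esp=aes128-sha1!

conn windows-hardened
    keyexchange=ikev2
    ike=aes256-sha256-prfsha256-ecp384!
    esp=aes256gcm16-ecp384!
'

# Print the weak tokens found in a strongSwan proposal list such as
# "aes128-sha1-prfsha1-modp1024!" (separators are "-", "," and a trailing "!").
weak_tokens() {
    found=""
    for tok in $(printf '%s' "$1" | sed 's/[-,!]/ /g'); do
        case $tok in
            modp768|modp1024|modp1536) found="$found $tok" ;;  # small DH groups
            sha1|prfsha1|md5|prfmd5)   found="$found $tok" ;;  # legacy hash / PRF
            des|3des|null)             found="$found $tok" ;;  # obsolete ciphers
        esac
    done
    printf '%s' "${found# }"
}

# Read an ipsec.conf on stdin; for every conn, report ike=/esp= lines whose
# proposal contains a weak token. Output: "<conn>: <ike|esp> uses weak primitives: ...".
audit_conf() {
    conn="(global)"
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case $line in
            conn\ *) conn="${line#conn }" ;;
            ike=*|esp=*)
                key="${line%%=*}"
                weak=$(weak_tokens "${line#*=}")
                if [ -n "$weak" ]; then
                    printf '%s: %s uses weak primitives: %s\n' "$conn" "$key" "$weak"
                fi
                ;;
        esac
    done
}

# Run against the constructed sample; for a real server: audit_conf < /etc/ipsec.conf
printf '%s' "$SAMPLE_CONF" | audit_conf
```

Against the sample this reports only the `windows-default` conn (SHA-1, PRF-SHA-1 and MODP-1024 in `ike=`, SHA-1 in `esp=`). The hardened conn will only negotiate with a Windows client whose connection has been moved off its defaults, which is the PowerShell step the comment refers to (`Set-VpnConnectionIPsecConfiguration` on the client); the server-side part is just the stronger proposal.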
------
bryanlarsen
One thing I like about WireGuard is that beginner tutorial setups for it are
point-to-point, which means that it's highly available. If one node goes down,
only communications to it are lost; the rest of the network is still up.
Beginner tutorial setups for OpenVPN are for gateways, which have the gateway
being a single point of failure.

Point-to-point is annoying because you have to update every node when you add
or change a node, but we have appreciated the HA aspect of it.

Of course I'm sure you can do point-to-point with OpenVPN and you can do
gateways with Wireguard, but the design of them does influence how they're
used.

------
darkwater
Is there a way with WireGuard to replicate the "push routes from the server"
feature of OpenVPN? I would really like to switch but I cannot find a way to
replicate that.

~~~
yardstick
WireGuard's philosophy seems to follow the Unix "do one thing and do it well".
So for dynamic routing, 2FA, config management etc. you are expected to use
other tools for that. I.e. for dynamic routing you should be running BGP or
OSPF over the tunnel.

I don't particularly like this approach; I definitely prefer how OpenVPN
handles both routing updates (subnet push) and 2FA, despite its other flaws
(slower, especially).

~~~
mercora
It should be noted that anything that relies on non-unicast packets being
routed is not possible.

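Two of the threads above meet in the same place: bryanlarsen's point that a point-to-point mesh means regenerating every node when one is added, and darkwater's question about replacing OpenVPN's pushed routes. In WireGuard the answer to both is the peer's `AllowedIPs` line, which is at once the cryptokey-routing rule and the route wg-quick installs. The block below is an added example, not code from the page, from the commenters or from the WireGuard project: a POSIX sh generator that renders a full mesh from one peer table, gives every node a static `AllowedIPs` entry for every other node's tunnel address and routed subnets, and shows the kernel routes that fall out. Everything in the table is constructed (RFC 5737 endpoints, placeholder key strings); real keys come from `wg genkey` and `wg pubkey`.

```shell
#!/bin/sh
# Added example, not code from the page or the WireGuard project: render a full
# point-to-point mesh from one peer table. No node is a gateway, and each peer's
# routed subnets are static AllowedIPs, which is how WireGuard stands in for
# OpenVPN's "push route" (wg-quick installs one route per AllowedIPs entry).
# PEERS is constructed: RFC 5737 endpoints, placeholder keys (real ones come
# from: wg genkey | tee node.key | wg pubkey > node.pub).
#
# Columns: name  public-key  endpoint  tunnel-address  routed-subnets ("-" = none)
PEERS='alpha PUBKEY_alpha 203.0.113.10:51820 10.66.0.1/32 192.168.10.0/24,10.10.0.0/16
beta  PUBKEY_beta  203.0.113.20:51820 10.66.0.2/32 192.168.20.0/24
gamma PUBKEY_gamma 203.0.113.30:51820 10.66.0.3/32 -'

# wg-quick config for node $1 with private key $2: its own [Interface] plus one
# [Peer] for every other row. Adding a row means regenerating every node's file.
node_config() {
    name=$1; privkey=$2
    printf '%s\n' "$PEERS" | while read -r n pub ep addr nets; do
        if [ "$n" = "$name" ]; then
            printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' \
                "$privkey" "$addr" "${ep##*:}"
        fi
    done
    printf '%s\n' "$PEERS" | while read -r n pub ep addr nets; do
        if [ "$n" != "$name" ]; then
            allowed=$addr
            if [ "$nets" != "-" ]; then
                allowed="$allowed, $(printf '%s' "$nets" | sed 's/,/, /g')"
            fi
            # AllowedIPs is both the cryptokey-routing rule (which key may send
            # these source addresses) and the route wg-quick installs to the peer.
            printf '\n[Peer]\n# %s\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
                "$n" "$pub" "$ep" "$allowed"
        fi
    done
}

# The kernel routes wg-quick derives from node $1's config, one per AllowedIPs
# entry: this is the entire "route push" mechanism, decided at config time.
mesh_routes() {
    name=$1
    printf '%s\n' "$PEERS" | while read -r n pub ep addr nets; do
        if [ "$n" != "$name" ]; then
            printf 'ip -4 route add %s dev wg0\n' "$addr"
            if [ "$nets" != "-" ]; then
                printf '%s\n' "$nets" | tr ',' '\n' | sed 's/^/ip -4 route add /; s/$/ dev wg0/'
            fi
        fi
    done
}

# Write <dir>/<node>.conf for every node. The private key is read from
# <dir>/<node>.key when present (generated on that node); otherwise a placeholder.
write_mesh() {
    dir=$1
    printf '%s\n' "$PEERS" | while read -r n pub ep addr nets; do
        if [ -r "$dir/$n.key" ]; then key=$(cat "$dir/$n.key"); else key="REPLACE_WITH_${n}_PRIVATE_KEY"; fi
        node_config "$n" "$key" > "$dir/$n.conf"
    done
}

node_config alpha REPLACE_WITH_alpha_PRIVATE_KEY
```

Because the routing decision lives in the peer table rather than in a server that pushes it, a changed subnet means re-rendering and re-applying every node's config (`wg-quick down wg0 && wg-quick up wg0`, or `wg syncconf` plus the route changes). Anything that expects dynamic or multicast-based route exchange, as mercora notes, still has to run over the tunnel as unicast, for example BGP sessions between tunnel addresses.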
------
Mister_Snuggles
One big advantage that IPsec has over both OpenVPN and WireGuard is that the
client is built in to both iOS and Android, so you don't have to worry about
finding an appropriate client.

The last time I tried OpenVPN the client seemed to primarily be a vehicle for
displaying ads for a VPN service that I wasn't interested in (I wanted to VPN
back to my home network, not to an endpoint in another country).

~~~
boomboomsubban
>The last time I tried OpenVPN the client seemed to primarily be a vehicle for
displaying ads for a VPN service that I wasn't interested in

I don't know what you used, but the official OpenVPN apps are all ad free as
far as I can tell.

~~~
Mister_Snuggles
I checked in the iOS app store and it looks like a recent update split
"Private Tunnel" off into a separate app. As I recall, the old versions
included advertising for this private tunnel service.

This is "OpenVPN Connect" by "OpenVPN Technologies".

------
mises
WireGuard is an excellent choice. Much simpler and faster (lower CPU,
according to my benchmarks). It's also much better on Windows, as it doesn't
have to use the crufty old TUN/TAP driver. It's smooth and easy cross-platform,
and so much simpler than OpenVPN.

------
cypherpunks01
What is the current status of WireGuard being added directly to the mainline
Linux kernel? I know there was a push to do this awhile back, but as far as I
know it has not been added—is that correct, and is it still planned to happen
sometime?

~~~
altmind
It's been delayed again "WireGuard Releases New Snapshot While Not Expected
For Linux 5.4 Mainline"
[https://www.phoronix.com/scan.php?page=news_item&px=WireGuar...](https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-0.0.20190905)

------
p4bl0
I find that setting up any kind of VPN is always a PITA. I'm so relieved since
I found sshuttle [1].

[1] [https://sshuttle.readthedocs.io/](https://sshuttle.readthedocs.io/)

~~~
erdii
Shameless self-plug: [https://github.com/wg-dashboard/wg-dashboard](https://github.com/wg-dashboard/wg-dashboard)

a simple dashboard to set up and manage a wireguard vpn server

~~~
xmichael999
Cool, haven't tried it YET, but will be. Any chance it has the option to
export configs, i.e. use it as a config generator for multiple devices?

------
RandomTisk
Does anyone have a good solution for keeping VPNs connected on an iPhone? I've
set one up in the past and wanted to always stay connected to my VPN server at
home, but I've found the biggest challenge isn't setting up the VPN, but
making sure it stays connected or reconnects when the signal is interrupted.

~~~
Diederich
Have you tried with wireguard? One nice feature of WG is that it takes almost
no time to make/restore a connection. It's hard to even notice.

~~~
jerkstate
I use WireGuard on my iOS devices and it only needs to be restarted when the
device reboots; otherwise it is persistent.

------
mamcx
I tried WireGuard between an Ubuntu server and my OS X machine and the speed
is turtle-slow:

[https://www.reddit.com/r/WireGuard/comments/cor7ze/wireguard...](https://www.reddit.com/r/WireGuard/comments/cor7ze/wireguard_from_osx_ubuntu_it_connect_but_web/)

It's unsolved.

~~~
majewsky
Did you try the suggestions in that thread? Is the MTU set correctly? Is the
OS X side using a kernel driver or a user space implementation (which is
always slower than a kernel driver)?

~~~
mamcx
I have it at 1500. I set it to 1360 and did not see a change.

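majewsky's MTU question is worth making concrete, because an interface MTU of 1500 on a tunnel whose own packets travel over a 1500-byte path cannot be right: every full-size inner packet becomes a UDP datagram larger than the path allows and must fragment or be dropped, which typically shows up exactly as "it connects but web is slow". The block below is an added example, not code from the page or from either commenter: it derives a usable WireGuard MTU from the path MTU and the endpoint address family, and binary-searches the path MTU with DF-set pings. The numbers are constructed; the probe assumes Linux `ping` flags (`-M do`), and on macOS the DF switch is spelled `-D` instead.

```shell
#!/bin/sh
# Added example, not from the page: choose a WireGuard interface MTU from the
# MTU of the path its UDP packets cross, and probe that path MTU with DF-set
# pings. probe_pmtu needs network access and Linux ping flags (macOS: -D).
#
# Overhead added to every inner packet:
#   IPv4 endpoint: 20 (IP) + 8 (UDP) + 32 (WireGuard data header 16 + Poly1305 tag 16) = 60
#   IPv6 endpoint: 40 (IP) + 8 (UDP) + 32                                               = 80
# wg-quick's default MTU of 1420 is 1500 - 80, so it is safe for either family.

# Usable WireGuard MTU for a path of MTU $1 whose endpoint family is $2 (4 or 6).
wg_mtu() {
    case $2 in
        4) echo $(( $1 - 60 )) ;;
        6) echo $(( $1 - 80 )) ;;
        *) echo "usage: wg_mtu <path-mtu> <4|6>" >&2; return 2 ;;
    esac
}

# Does an inner packet of $1 bytes fit through a path of MTU $2 with endpoint family $3?
fits() {
    [ "$1" -le "$(wg_mtu "$2" "$3")" ]
}

# Binary-search the largest DF-set ICMP payload that $1 accepts (Linux ping),
# then add the 28 bytes of IPv4 + ICMP headers to obtain the path MTU. A lossy
# link can make a passing size look blocked; rerun or raise -c if results vary.
probe_pmtu() {
    host=$1; lo=1200; hi=1472
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if ping -c 1 -W 1 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))
}

# The setting from the thread: interface MTU 1500 on a 1500-byte path. A full
# inner packet becomes a 1560-byte datagram, so small exchanges work while bulk
# transfers crawl.
fits 1500 1500 4 || echo "MTU 1500 does not fit: use $(wg_mtu 1500 4) (IPv4 endpoint) or $(wg_mtu 1500 6) (IPv6 endpoint)"
```

In practice: run `probe_pmtu <server-ip>` from the client, feed the result and the endpoint family to `wg_mtu`, and set that value as `MTU =` in the `[Interface]` section (wg-quick) or with `ip link set mtu`. A value below the computed one, such as the 1360 tried above, costs a little throughput but is never the cause of stalls, so if lowering it changes nothing the bottleneck is elsewhere, for example the userspace implementation on the macOS side.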
------
ncmncm
Doesn't have any actual information about either.

tl;dr: OpenVPN is ipv4, bad, Wireguard, ipv6, good.

~~~
RandomTisk
Yes, the article had about the actual information density of cotton candy.

------
finn319
Promising, I will give WireGuard a try.

~~~
jbverschoor
Try zerotier while you’re at it

------
laxentasken
Got PiVPN (OpenVPN) running on my Raspberry Pi. Went almost too smoothly to
set up.

------
Snawoot
Time for shameless plug, but I hope someone will find my experience useful.

I tried a wide variety of VPN solutions, including WireGuard, IKEv2, OpenVPN,
L2TP/IPsec, PPTP. Eventually I came to a conclusion: I don't need a VPN at all
with all its packet-level machinery, I just need a fast encrypted proxy for
browser and IM to forward my TCP connections securely.

And in practical terms, even WireGuard is not the fastest substitute for a
proxy, because packet loss on the last mile (roughly) causes delays comparable
to the RTT between client and destination server, versus a proxy, where
retransmission on last-mile packet loss occurs only between proxy server and
client (it's also true for OpenVPN in TCP mode, but it has much more serious
downsides caused by packet encapsulation inside a stream protocol). Despite the
fact that WireGuard and other packet-level tunnels have higher theoretical
throughput (from the server's point of view), simple TCP-to-TCP connection
forwarding often gains higher practical speeds and is more durable if such TCP
forwarding does not depend on the state of the underlying tunnel. So I decided:
forwarding each TCP connection in a separate encrypted connection will be just
fine.

There already exists software which allows wrapping SOCKS in TLS or SSH (for
example stunnel or haproxy for the TLS case and OpenSSH for the SSH case), but
the TLS handshake delay for each connection kills the speed benefits for a
typical browsing scenario. Dynamic port forwarding via the SOCKS proxy built
into the OpenSSH client has another drawback: all forwarded connections are
multiplexed into a single one, and in real networks with packet loss that makes
high speeds unapproachable.

For these reasons I decided to re-implement both stunnel and the OpenSSH client
for connection forwarding purposes.

Here it is: [https://github.com/Snawoot/ptw](https://github.com/Snawoot/ptw)
- a TCP-to-TLS wrapper, which keeps a pool of established TLS connections in
order to cancel the TLS handshake delay. It may serve as a transparent proxy
on a Linux router (sends haproxy PROXY protocol v1/v2 in the connection
prologue) or as a wrapper for a plain SOCKS/HTTP/whatever proxy.

And the second one:
[https://github.com/Snawoot/rsp](https://github.com/Snawoot/rsp) - Rapid SSH
Proxy, a faster [1] replacement for `ssh -ND`. It also uses connection pooling
and, unlike the default OpenSSH client, maps TCP connections one-to-one to SSH
connections. You don't need any setup on the server side: a working SSH server
should already be enough.

And this is how I quit hating. Now I don't need to turn the proxy on/off,
because it doesn't impose a performance penalty. In SpeedTest I achieve almost
full connection speed (mine is 100Mbps) with ptw or rsp (versus 50Mbps with
WireGuard).

[1] -
[https://github.com/Snawoot/rsp#performance](https://github.com/Snawoot/rsp#performance)

------
johnmarcus
Big fan of Pritunl VPN. Hands down the best VPN interface I've ever used. I
would actually say it was pleasant. It only took about an hour to set up my
first one, and it's like a 15-minute task to set up a new one now. Highly
recommend it for anyone setting up a new VPN.

Personally, I found Wireshark's documentation confusing and it left me unsure
of the best practices. I'm sure if I used it regularly it would be clear; this
was just my first impression and then I left it behind.

~~~
telmich
wireshark or wireguard? They are related, but not exactly the same...

~~~
johnmarcus
typo on my part, sorry.

