OpenVPN vs. WireGuard – A Short Comparison (ungleich.ch)
52 points by telmich 6 months ago | 52 comments

I tried OpenVPN and IPsec, and IPsec works much better for a Windows client and a Linux server. Also, CPU load for the server was much lower (I'm using a very low-power VPS). I don't think that it's because of the userland implementation, but rather because OpenVPN has some implementation issues. So I'm using IPsec now. Unfortunately I've hit some problems with IPv6. I managed to configure a real IPv6 address from the VPS's /64 subnet for each client, but this configuration does not work reliably.

Another problem is that I did not find a way for Windows to keep the tunnel up all the time. There's some way for an "Always on" connection, but I couldn't configure it: there's no GUI option, and it seems to require a lot of PowerShell magic and there are no easy-to-follow tutorials.

Another problem with IPsec is that only strongSwan can provide an adequate implementation. The OpenBSD iked daemon can't send a certificate chain, so I can't use a Let's Encrypt certificate. Libreswan does not support the MSCHAP-V2 protocol, so easy configuration with username/password is not possible. Also, the default strongSwan configuration does not allow Windows clients to connect without further tweaks (Windows does not want to use strong ciphers and strongSwan does not want to use weak ciphers).

It's a mess.

So, yeah, wireguard might be interesting for me, as I still did not find a suitable solution which checks all the boxes. IPsec works for me, but it's not ideal.

Last time I checked, WireGuard for Windows was in beta, but it looks like it's stable now according to the website. I guess it's worth trying it now.

IPsec worked best for me too, until recently. Suddenly, I couldn’t send e-mail while on VPN, but I could when I was off VPN. I did an nmap of the mail server provided by my ISP, and ports 465 and 587 simply weren’t open to me while I was on VPN, but were when I was off. Oddly, when I was on VPN, that server also appeared to be open on ports 22 and 80 but not when off VPN. That machine definitely should not be open on 22 and 80, so something really strange is going on.

So, I had to find an alternative. So far, I’ve tried WireGuard, ZeroTier, and now OpenVPN via Mullvad.

I just couldn’t get reliable connectivity with WireGuard and ZeroTier on all my devices, regardless of the configuration I used. OpenVPN is known to be slow and a CPU hog, but at least it seems to work. And I’ve done speed tests with fast.com and DSLReports, and both show me getting ~20-30 Mbps or faster download speeds while on VPN, and that’s not much slower than what I was getting when off VPN. And “wehe” shows that I was getting throttled by the carrier even when on WiFi, not just on cell. Now, I’m not throttled at all.

I have not yet noticed any problems with extreme battery loss or high CPU, but we will just have to wait and see.

> Another problem with IPsec is that only strongswan can provide adequate implementation.

Is this regarding the server or client implementation? Are the client implementations of the major operating systems (e.g. Windows, Mac, iOS, Android) secure?

It's regarding the server implementation. My aim was to use the built-in IPsec IKEv2 implementations for Windows, iOS and macOS.

Regarding security: I had to reduce cipher strength to allow the Windows client to connect without further configuration. I'm using aes128-sha1-prfsha1-modp1024, which IMO should be relatively secure for home usage, but it's not very secure against governments. It's possible to use stronger ciphers, but you need to use some registry changes or PowerShell snippets for that, and I wanted to keep the configuration to GUI dialogs. I have no idea why Windows by default does not accept strong ciphers.

The TunSafe client for Windows works just fine. I configured the tunnel about two months ago, and it has kept working since then. It also has a killswitch mode in case it fails to establish the connection.

That's a very nice IPsec summary!

One thing I like about WireGuard is that beginner tutorial setups for it are point-to-point, which means that it's highly available. If one node goes down, only communications to it are lost; the rest of the network is still up. Beginner tutorial setups for OpenVPN are for gateways, which have the gateway being a single point of failure.

Point-to-point is annoying because you have to update every node when you add or change a node, but we have appreciated the HA aspect of it.

Of course I'm sure you can do point-to-point with OpenVPN and you can do gateways with WireGuard, but the design of them does influence how they're used.

Is there a way with WireGuard to replicate the "push routes from the server" feature of OpenVPN? I would really like to switch, but I cannot find a way to replicate that.

WireGuard’s philosophy seems to follow the Unix “do one thing and do it well”. So for dynamic routing, 2FA, config management etc. you are expected to use other tools. I.e. for dynamic routing you should be running BGP or OSPF over the tunnel.

I don’t particularly like this approach, definitely prefer how OpenVPN handles both routing updates (subnet push) and 2FA, despite its other flaws (slower, especially).

It should be noted that anything that relies on non-unicast packets being routed is not possible.

wg-quick, from the same project as WireGuard, supports pre/post-up/down hooks. You should be able to very easily write a post-up hook that reads the rules from the server and a pre-down one that deletes them.

Since you are connected to the server using WireGuard, you don't need to check its identity; you can just open the correct port, read the rules and apply them. A simple Python or Perl script should be able to do what you want.
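One way to build the hook described in the two comments above, as an added example that is not part of the original thread nor of the WireGuard project. Assumptions (all hypothetical): the server publishes a plain-text list of prefixes, one per line, at an HTTP URL that is only reachable through the tunnel, and the client's wg0.conf carries `PostUp = /usr/local/bin/wg-routes.py up %i http://10.0.0.1:8080/routes` and `PreDown = /usr/local/bin/wg-routes.py down %i` (wg-quick substitutes `%i` with the interface name). The transport needs no extra identity check because WireGuard already authenticates the peer, but the content still gets strict validation, and the routes applied on `up` are recorded in a state file so `down` does not depend on the server still answering.

```python
#!/usr/bin/env python3
"""wg-quick PostUp/PreDown hook that applies routes published by the server.

Added example, not code from the page or from the WireGuard project.
"""
import ipaddress
import subprocess
import sys
import urllib.request

# Constructed sample of what the server might serve; used for offline testing.
SAMPLE_ROUTE_LIST = """\
# routes for VPN clients (constructed sample)
10.10.0.0/16
192.168.50.0/24        # office LAN
fd00:dead:beef::/48
0.0.0.0/0              # default route: refused below
10.10.1.1/24           # host bits set: refused below
rm -rf /               # garbage: refused below
"""


def parse_route_list(text):
    """Return the valid destination networks from a route list.

    Only well-formed prefixes are accepted, so a compromised or misconfigured
    server can neither inject argv garbage into `ip` nor quietly hijack all
    traffic by publishing a default route.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            print(f"route list line {lineno}: ignoring {line!r}", file=sys.stderr)
            continue
        if net.prefixlen == 0:
            print(f"route list line {lineno}: refusing default route {net}", file=sys.stderr)
            continue
        routes.append(net)
    return routes


def route_commands(routes, action, iface):
    """Build the `ip route add|del` argv lists for the given networks.

    Commands are returned rather than executed so the logic can be tested
    without touching the routing table.
    """
    if action not in ("add", "del"):
        raise ValueError(f"unsupported action {action!r}")
    cmds = []
    for net in routes:
        family = "-6" if net.version == 6 else "-4"
        cmds.append(["ip", family, "route", action, str(net), "dev", iface])
    return cmds


def fetch_route_list(url, timeout=5):
    """Fetch the route list; the URL is assumed to be reachable only via the tunnel."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def state_path(iface):
    """Assumed location for the list of routes applied on `up`."""
    return f"/run/wg-routes.{iface}"


def main(argv):
    if len(argv) < 3 or argv[1] not in ("up", "down"):
        print(f"usage: {argv[0]} up IFACE URL | down IFACE", file=sys.stderr)
        return 2
    phase, iface = argv[1], argv[2]
    if phase == "up":
        if len(argv) != 4:
            print("up needs a URL", file=sys.stderr)
            return 2
        routes = parse_route_list(fetch_route_list(argv[3]))
        with open(state_path(iface), "w") as f:
            f.write("".join(f"{n}\n" for n in routes))
        action = "add"
    else:
        try:
            with open(state_path(iface)) as f:
                routes = parse_route_list(f.read())
        except FileNotFoundError:
            return 0  # nothing was applied, nothing to remove
        action = "del"
    for cmd in route_commands(routes, action, iface):
        # check=False: a route that already exists (or is already gone) is not fatal
        subprocess.run(cmd, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook deliberately uses argv lists rather than a shell string, and `ip -4`/`ip -6` is chosen from the parsed prefix rather than from the server's text, so nothing the server sends is ever interpreted by a shell.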

mmmh I can explore this idea, thanks for the tip!

I'm working on this to add TOTP support, I will publish it when it's ready, you may be able to reuse some parts of the implementation.

Algo VPN scripts (Wireguard where it can be) does this.

But Algo is too opinionated for my use case, or at least it looks like it from reading its docs. Plus, the VPN I need to replace is not "for personal use".

One big advantage that IPsec has over both OpenVPN and WireGuard is that the client is built in to both iOS and Android, so you don't have to worry about finding an appropriate client.

The last time I tried OpenVPN the client seemed to primarily be a vehicle for displaying ads for a VPN service that I wasn't interested in (I wanted to VPN back to my home network, not to an endpoint in another country).

> The last time I tried OpenVPN the client seemed to primarily be a vehicle for displaying ads for a VPN service that I wasn't interested in

I don't know what you used, but the official OpenVPN apps are all ad free as far as I can tell.

I checked in the iOS app store and it looks like a recent update split "Private Tunnel" off into a separate app. As I recall, the old versions included advertising for this private tunnel service.

This is "OpenVPN Connect" by "OpenVPN Technologies".

... I think you downloaded a bad copy. OpenVPN has official clients. And the WireGuard development team, i.e. the people who develop WireGuard, has both Android and iOS implementations.

I have used OpenVPN on iOS for the past year and there are 0 ads.

It would have been well over a year ago that I tried OpenVPN.

The app store listing currently shows that they removed the Private Tunnel section and made that into a separate app. The private tunnel is the advertising I was referring to.

WireGuard is an excellent choice. Much simpler and faster (lower CPU, according to my benchmarks). It's also much better on Windows, as it doesn't have to use the crufty old tun/tap driver. It's smooth and easy cross-platform, and so much simpler than OpenVPN.

What is the current status of WireGuard being added directly to the mainline Linux kernel? I know there was a push to do this awhile back, but as far as I know it has not been added—is that correct, and is it still planned to happen sometime?

It's been delayed again: "WireGuard Releases New Snapshot While Not Expected For Linux 5.4 Mainline" https://www.phoronix.com/scan.php?page=news_item&px=WireGuar...

I find that setting up any kind of VPN is always a PITA. I'm so relieved since I found sshuttle [1].

[1] https://sshuttle.readthedocs.io/

shameless self-plug: https://github.com/wg-dashboard/wg-dashboard

a simple dashboard to set up and manage a wireguard vpn server

Cool, haven't tried it, YET, but will be. Any chance it has the option to export configs, i.e. to use it as a config generator for multiple devices?

Have you set up WireGuard yet? It's approximately as simple as setting up SSH; the only thing it adds over SSH is IP addresses.

No I never tried WireGuard. I read the docs a bit a few months ago. The thing is that for my usage sshuttle is enough and with it I have literally nothing to setup. WireGuard can't beat that. I'll keep your remark in mind in case I need an actual VPN in the future :).

Another less-hassle connectivity solution is ZeroTier.com. They provide a fully open-source solution, but the hassle-free bit involves using their registration service (free for ~100 devices or so).

They run something like Ethernet over IP, so your "segment" auto-configures via normal ARP, as if it were a LAN, as long as your devices have a connection. What's great e.g. for laptops and phones is that devices physically on the same network do talk directly, not via a VPN proxy node.

Does anyone have a good solution for keeping VPNs connected on an iPhone? I've set one up in the past and wanted to always stay connected to my VPN server at home, but I've found the biggest challenge isn't setting up the VPN, but making sure it stays connected or reconnects when the signal is interrupted.

Have you tried with wireguard? One nice feature of WG is that it takes almost no time to make/restore a connection. It's hard to even notice.

I use WireGuard on my iOS devices and it only needs to be restarted when the device reboots; otherwise it is persistent.

If you're using an IPsec VPN, you can build a configuration profile with Apple's Configurator tool and do some neat stuff with VPNs.

I believe always-on is one option, but the option that intrigues me the most is to automatically connect when a certain domain is requested after a lookup failure. If you have an internal domain, say ".randomtisk", you can set it to try, then connect the VPN if the DNS lookup fails. This way it will work normally at home and transparently connect to the VPN when you're away.

NOTE: I haven't actually tried this yet, it's a work in progress.

I use WireGuard on:
- Linux
- Mac
- Windows
- Android

And it works pretty much the same way on all platforms, and it recovers seamlessly from switching cell phone towers and wifi APs.

You will end up with significant battery life reduction. Just saying.

I tried WireGuard between an Ubuntu server and my macOS machine, and the speed is turtle-slow:


It is unsolved.

Did you try the suggestions in that thread? Is the MTU set correctly? Is the macOS side using a kernel driver or a user-space implementation (which is always slower than a kernel driver)?

I have it at 1500. I set it at 1360 and did not see a change.

It sounds like you are using your home network for this with a 10 Mbps connection, which means your max download speed is 1.25 MB/s, which is fine for most things. But most home networks are asymmetric. Your upload speed may be too slow to realistically be able to do anything.
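The MTU question raised in this exchange has a concrete answer that is worth checking before blaming the link speed. Below is an added example (not from the thread or the WireGuard project) that computes the largest tunnel MTU that fits a given uplink and the TCP MSS to clamp to, using WireGuard's published framing: IPv4 header 20 bytes or IPv6 header 40, UDP header 8, WireGuard data-message header 16 (type/reserved 4, receiver index 4, counter 8) plus the 16-byte Poly1305 tag, i.e. 60 bytes of overhead over IPv4 and 80 over IPv6. wg-quick's default tunnel MTU of 1420 is exactly 1500 minus the IPv6 worst case. The link MTU values passed in the `__main__` block are assumptions standing in for the thread's setup.

```python
"""WireGuard MTU sanity check (added example, not code from the page or project)."""

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
WG_DATA_HDR = 16   # type + reserved (4), receiver index (4), nonce counter (8)
POLY1305_TAG = 16  # authentication tag appended to every data message
TCP_HDR = 20       # TCP header without options, for MSS clamping


def wg_overhead(outer_v6: bool) -> int:
    """Bytes added to every tunnelled packet by the outer IP + UDP + WireGuard framing."""
    return (IPV6_HDR if outer_v6 else IPV4_HDR) + UDP_HDR + WG_DATA_HDR + POLY1305_TAG


def max_tunnel_mtu(link_mtu: int, outer_v6: bool) -> int:
    """Largest inner MTU whose encrypted packet still fits the uplink in one piece."""
    return link_mtu - wg_overhead(outer_v6)


def tcp_mss(tunnel_mtu: int, inner_v6: bool) -> int:
    """MSS for TCP flows inside the tunnel (what an MSS clamp on wg0 should use)."""
    return tunnel_mtu - (IPV6_HDR if inner_v6 else IPV4_HDR) - TCP_HDR


def check_mtu(configured_mtu: int, link_mtu: int, outer_v6: bool) -> dict:
    """Report whether a configured tunnel MTU fits the uplink.

    'oversized' is True when a full-size inner packet produces an outer UDP
    datagram larger than the link MTU, which then has to be fragmented or is
    dropped; either way throughput collapses, which matches the symptom of a
    tunnel left at 1500 on a 1500-byte uplink.
    """
    limit = max_tunnel_mtu(link_mtu, outer_v6)
    effective = min(configured_mtu, limit)
    return {
        "configured": configured_mtu,
        "max_safe": limit,
        "oversized": configured_mtu > limit,
        "mss_v4": tcp_mss(effective, inner_v6=False),
        "mss_v6": tcp_mss(effective, inner_v6=True),
    }


if __name__ == "__main__":
    # Assumed: a 1500-byte Ethernet uplink carrying WireGuard over IPv4, with the
    # tunnel MTU first left at 1500 (the thread's case), then the wg-quick
    # default, then the 1360 the poster tried.
    for mtu in (1500, 1420, 1360):
        print(mtu, check_mtu(mtu, link_mtu=1500, outer_v6=False))
```

A quick empirical cross-check on Linux is `ping -M do -s <size>` through the tunnel, where `size` is the candidate MTU minus 28 (IPv4 + ICMP headers); the largest size that gets a reply without "message too long" is the real inner MTU, and should agree with `max_tunnel_mtu` for your uplink.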

I can barely browse light HTML pages. Watching YouTube is impossibly slow.

Doesn't have any actual information about either.

tl;dr: OpenVPN is IPv4, bad; WireGuard, IPv6, good.

Yes, the article had about the actual information density of cotton candy.

Agreed. Flagged on that basis. This is just an advert for IPv6-hosting.

Promising, I will give WireGuard a try.

Try ZeroTier while you’re at it.

Got PiVPN (OpenVPN) running on my Raspberry Pi. Went almost too smoothly to set up.

Time for a shameless plug, but I hope someone will find my experience useful.

I tried a wide variety of VPN solutions, including WireGuard, IKEv2, OpenVPN, L2TP/IPsec, PPTP. Eventually I came to a conclusion: I don't need a VPN at all with all its packet-level machinery, I just need a fast encrypted proxy for browser and IM to forward my TCP connections securely.

And in practical terms, even WireGuard is not the fastest substitute for a proxy, because packet loss on the last mile (roughly) causes delays comparable to the RTT between client and destination server, versus a proxy, where retransmission after last-mile packet loss occurs only between the proxy server and the client (this is also true for OpenVPN in TCP mode, but it has much more serious downsides caused by packet encapsulation inside a stream protocol). Despite the fact that WireGuard and other packet-level tunnels have higher theoretical throughput (from the server's point of view), simple TCP-to-TCP connection forwarding often achieves higher practical speeds and is more durable if such TCP forwarding does not depend on the state of an underlying tunnel. So I decided: forwarding each TCP connection in a separate encrypted connection will be just fine.

There already exists software which allows wrapping SOCKS in TLS or SSH (for example stunnel or haproxy for the TLS case and OpenSSH for the SSH case), but the TLS handshake delay for each connection kills the speed benefits for a typical browsing scenario. Dynamic port forwarding via the SOCKS proxy built into the OpenSSH client has another drawback: all forwarded connections are multiplexed into a single one, and in real networks with packet loss this makes high speeds unattainable.

For these reasons I decided to re-implement both stunnel and OpenSSH client for connection forwarding purposes.

Here it is: https://github.com/Snawoot/ptw - a TCP-to-TLS wrapper, which keeps a pool of established TLS connections in order to eliminate the TLS handshake delay. It may serve as a transparent proxy on a Linux router (sends the haproxy PROXY protocol v1/v2 in the connection prologue) or serve as a wrapper for a plain SOCKS/HTTP/whatever proxy.

And the second one: https://github.com/Snawoot/rsp - Rapid SSH Proxy, a faster [1] replacement for `ssh -ND`. It also uses connection pooling, and, unlike the default OpenSSH client, maps TCP connections one-to-one to SSH connections. You don't need any setup on the server side: a working SSH server is already enough.

And this is how I quit hating. Now I don't need to turn the proxy on/off, because it doesn't impose a performance penalty. In SpeedTest I achieve almost the full connection speed (mine is 100 Mbps) with ptw or rsp (versus 50 Mbps with WireGuard).

[1] - https://github.com/Snawoot/rsp#performance

Big fan of Pritunl VPN. Hands down the best VPN interface I've ever used. I would actually say it was pleasant. It only took about an hour to set up my first one, and it's like a 15-minute task to set up a new one now. Highly recommend it for anyone setting up a new VPN.

Personally, I found wireshark's documentation confusing and it left me unsure of the best practices. I'm sure if I used it regularly it would be clear; this was just my first impression and then I left it behind.

"Best practices"?

Wireshark or WireGuard? They are related, but not exactly the same...

Typo on my part, sorry.
