VPN Protocols Compared: WireGuard, OpenVPN, and IPSec
An in-depth comparison of modern VPN protocols — performance, security, configuration, and when to use each one.
Why VPNs Still Matter in 2025
Even with widespread HTTPS adoption, a VPN remains a critical layer in any serious privacy or security posture. Public Wi-Fi networks, ISP-level traffic logging, geo-restricted content, and corporate network access all demand encrypted tunnels between endpoints. But not all VPN protocols are created equal. The protocol you choose directly impacts your throughput, latency, attack surface, and operational complexity.
This article breaks down three dominant VPN protocols — WireGuard, OpenVPN, and IPSec/IKEv2 — comparing their architecture, configuration, performance, and ideal use cases.
WireGuard
Overview
WireGuard is a modern, lightweight VPN protocol that lives inside the Linux kernel (since 5.6). It was designed by Jason Donenfeld with a philosophy of minimal code and cryptographic simplicity. The entire codebase is roughly 4,000 lines of code, compared to OpenVPN’s 100,000+. This makes it significantly easier to audit.
WireGuard uses a fixed set of modern cryptographic primitives:
- ChaCha20 for symmetric encryption
- Poly1305 for authentication
- Curve25519 for key exchange
- BLAKE2s for hashing
- SipHash24 for hashtable keys
Configuration Example
A minimal WireGuard peer configuration looks like this:
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
Address = 10.0.0.2/24
DNS = 1.1.1.1
ListenPort = 51820
[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25Bringing the tunnel up is a single command:
sudo wg-quick up wg0Pros and Cons
| ✅ Pros | ❌ Cons |
|---|---|
| Extremely fast (kernel-space) | No built-in dynamic IP handling |
| Tiny attack surface (~4K LOC) | Fixed cryptographic suite (no cipher agility) |
| Simple configuration | No built-in user authentication (needs wrapper) |
| Roaming-friendly (UDP-based) | Stores peer IPs in memory (privacy consideration) |
| First-class Linux kernel support | Less mature ecosystem than OpenVPN |
OpenVPN
Overview
OpenVPN has been the industry workhorse since 2001. It operates in user-space, uses OpenSSL (or mbed TLS) for cryptography, and supports both UDP and TCP transports. Its maturity means wide platform support, extensive documentation, and battle-tested deployments across enterprises worldwide.
OpenVPN can operate in two modes:
- Routed (tun) — Layer 3, most common
- Bridged (tap) — Layer 2, useful for broadcast-dependent protocols
Configuration Example
A basic OpenVPN server config:
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
keepalive 10 120
persist-key
persist-tun
verb 3Client connection:
sudo openvpn --config /etc/openvpn/client.ovpnPros and Cons
| ✅ Pros | ❌ Cons |
|---|---|
| Extremely flexible and configurable | Slower than WireGuard (user-space) |
| TCP mode can bypass firewalls (port 443) | Complex PKI setup required |
| Mature, well-audited codebase | Larger attack surface (~100K+ LOC) |
| Supports certificate-based auth and MFA | Higher CPU usage under load |
| Plugin architecture (LDAP, RADIUS, PAM) | Configuration can be error-prone |
IPSec / IKEv2
Overview
IPSec is a suite of protocols operating at the network layer (Layer 3), standardized by the IETF. Combined with IKEv2 (Internet Key Exchange version 2) for session negotiation, it forms one of the most robust VPN solutions available — and it’s the protocol behind most corporate and mobile VPN deployments.
IPSec works in two modes:
- Transport mode — encrypts only the payload (host-to-host)
- Tunnel mode — encrypts the entire IP packet (gateway-to-gateway)
Common implementations include strongSwan, Libreswan, and native OS stacks on Windows, macOS, iOS, and Android.
Configuration Example (strongSwan)
# /etc/ipsec.conf
conn myvpn
keyexchange=ikev2
ike=aes256-sha256-modp2048!
esp=aes256-sha256!
left=%defaultroute
leftauth=pubkey
leftcert=server.crt
[email protected]
right=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=1.1.1.1
auto=addPros and Cons
| ✅ Pros | ❌ Cons |
|---|---|
| Native OS support (no third-party apps) | Complex configuration |
| Excellent for mobile (MOBIKE handles roaming) | Debugging is notoriously difficult |
| Strong standards-based security | Can be blocked by restrictive firewalls |
| Kernel-level performance | Certificate and EAP setup overhead |
| IKEv2 reconnects seamlessly | Multiple interacting components (IKE, ESP, AH) |
Performance Benchmarks
Real-world performance varies by hardware, but the following table reflects general throughput characteristics measured on modern x86 hardware with a 1 Gbps link:
| Protocol | Throughput | Latency Overhead | CPU Usage | Handshake Time |
|---|---|---|---|---|
| WireGuard | ~900 Mbps | ~0.5 ms | Very Low | ~1 RTT |
| OpenVPN (UDP) | ~400-600 Mbps | ~1-3 ms | Moderate-High | ~2-4 RTT |
| OpenVPN (TCP) | ~200-400 Mbps | ~3-8 ms | High | ~4-6 RTT |
| IPSec/IKEv2 | ~700-850 Mbps | ~0.5-1 ms | Low | ~2 RTT |
WireGuard’s kernel-space execution and lean cryptographic stack give it a clear edge. IPSec benefits from kernel-level processing as well, while OpenVPN’s user-space design introduces context-switching overhead.
Security Comparison
| Criteria | WireGuard | OpenVPN | IPSec/IKEv2 |
|---|---|---|---|
| Codebase size | ~4,000 LOC | ~100,000+ LOC | Varies (large) |
| Cipher agility | No (fixed suite) | Yes (configurable) | Yes (negotiated) |
| Forward secrecy | Yes (per-handshake) | Yes (with DH/ECDH) | Yes (with PFS) |
| Formal verification | Partial | No | Partial |
| CVE history | Minimal | Moderate | Extensive |
| Post-quantum readiness | Not yet | Not yet | Research phase |
WireGuard’s lack of cipher agility is both a strength and a limitation. It eliminates downgrade attacks and misconfiguration, but if a vulnerability is found in one of its primitives, the entire protocol must be updated. OpenVPN and IPSec offer negotiation flexibility at the cost of a larger configuration surface.
When to Use Which
Choose WireGuard when:
- You need maximum throughput with minimal overhead
- You’re building a mesh network (e.g., with Tailscale or Netmaker)
- You want simple peer-to-peer connectivity
- You control both endpoints and prefer a modern stack
Choose OpenVPN when:
- You need to traverse restrictive firewalls (TCP/443)
- Your deployment requires certificate-based authentication with LDAP/RADIUS
- You’re running on legacy systems that don’t support WireGuard
- You need granular control over every aspect of the tunnel
Choose IPSec/IKEv2 when:
- You’re deploying on mobile devices that need seamless roaming
- You want native OS support without installing third-party software
- You’re operating in a corporate environment with existing PKI infrastructure
- You need standards-compliant interoperability between vendors
Final Thoughts
There is no universally “best” VPN protocol. WireGuard leads in performance and simplicity, OpenVPN dominates in flexibility and firewall traversal, and IPSec/IKEv2 excels in mobile and enterprise scenarios. Evaluate your threat model, infrastructure constraints, and operational requirements before committing to a stack. In many architectures, running more than one protocol for different use cases is the pragmatic choice.