WireGuard vs OpenVPN: Which VPN to Self-Host?
Quick Verdict
WireGuard is the better choice for most self-hosters. It’s faster, simpler to configure, has lower overhead, and is built into the Linux kernel. OpenVPN still has niche advantages — better firewall traversal (TCP support), more granular configuration, and wider client compatibility on older systems — but for 90% of self-hosting use cases, WireGuard wins.
Overview
WireGuard is a modern VPN protocol designed from the ground up for simplicity and performance. It’s built into the Linux kernel since 5.6, uses state-of-the-art cryptography (Curve25519, ChaCha20, Poly1305), and has a codebase of roughly 4,000 lines. Configuration is a simple INI-like file.
OpenVPN has been the standard self-hosted VPN solution since 2001. It runs in userspace, supports both UDP and TCP, has extensive configuration options, and uses certificate-based authentication with a full PKI infrastructure. It’s battle-tested across millions of deployments.
Feature Comparison
| Feature | WireGuard | OpenVPN |
|---|---|---|
| Protocol | UDP only | UDP and TCP |
| Encryption | ChaCha20-Poly1305, Curve25519 | OpenSSL (AES-256-GCM, RSA, etc.) |
| Codebase | ~4,000 lines | ~100,000+ lines |
| Kernel integration | Yes (Linux 5.6+) | No (userspace) |
| Speed (throughput) | 800-900 Mbps typical | 200-400 Mbps typical |
| Latency | Lower | Higher |
| Connection establishment | Instant (stateless) | 5-10 seconds (handshake) |
| Configuration | Simple (INI file) | Complex (many options) |
| Certificate management | None (key pairs) | Full PKI required |
| TCP support | No | Yes |
| Firewall traversal | UDP 51820 only | TCP 443 (stealth) |
| NAT traversal | Built-in (keepalive) | Built-in |
| Per-user bandwidth limits | No | Yes |
| Dynamic IP assignment | Static only (in config) | Yes (DHCP-like) |
| Push routes to clients | No (client-side only) | Yes (server pushes) |
| Logging | Minimal by design | Detailed |
| Audit history | Formally verified | Multiple audits |
| Client support | Most modern OS | Nearly everything |
Installation Complexity
WireGuard is installed as a kernel module (already present on most modern Linux distros) or via Docker. Configuration is a single file per peer. You generate a key pair, define peers, and you’re done. No certificate authority, no PKI, no TLS negotiation. A basic setup takes 10-15 minutes. See our WireGuard setup guide.
For an even simpler experience, use wg-easy — a web UI that manages WireGuard configuration and generates QR codes for mobile clients.
OpenVPN requires setting up a Public Key Infrastructure (PKI) with a certificate authority, generating server and client certificates, configuring the server with dozens of options, and distributing .ovpn config files to clients. Plan for 30-60 minutes minimum. Tools like easy-rsa help, but it’s still more involved.
Performance and Resource Usage
| Metric | WireGuard | OpenVPN |
|---|---|---|
| Throughput (1 Gbps link) | 800-900 Mbps | 200-400 Mbps |
| CPU usage per tunnel | Minimal (kernel-space) | Moderate (userspace) |
| RAM usage | ~2 MB per tunnel | ~20-50 MB per tunnel |
| Connection time | <100 ms | 5-10 seconds |
| Battery impact (mobile) | Low | Moderate-High |
WireGuard’s kernel integration is the key differentiator. It processes packets in kernel space without context switches to userspace, resulting in 2-4x higher throughput and significantly lower CPU usage. On mobile devices, this translates to noticeably better battery life.
Security
WireGuard uses modern, opinionated cryptography: Curve25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption, BLAKE2s for hashing. There’s no cipher negotiation — if a vulnerability is found in one algorithm, the entire protocol version is updated. The small codebase (~4,000 lines) makes formal verification practical.
OpenVPN supports a wide range of ciphers through OpenSSL. This flexibility means you can use the latest algorithms, but misconfiguration is possible (weak ciphers, outdated TLS versions). The large codebase has had more CVEs historically, though it’s been heavily audited.
Privacy difference: WireGuard stores peer IP addresses in memory while a connection is active. This is a concern if you’re using a VPN for anonymity (commercial VPN providers have worked around this with NAT). For self-hosted VPN (connecting to your home network), this isn’t a meaningful issue — you know who’s connecting.
Firewall Traversal
This is OpenVPN’s remaining killer feature. WireGuard uses UDP only, which is blocked by some corporate firewalls, airports, and restrictive networks. OpenVPN can run over TCP port 443, making it indistinguishable from HTTPS traffic — it works almost everywhere.
If you need VPN access from networks that block UDP, OpenVPN over TCP is your best option. Alternatively, pair WireGuard with Cloudflare Tunnel or use Tailscale which includes relay servers for traversal.
Community and Support
WireGuard: Backed by Jason Donenfeld and the WireGuard project. Included in the Linux kernel. Active development, strong community, excellent documentation. Every major VPN provider and network tool now supports WireGuard.
OpenVPN: Backed by OpenVPN Inc. Massive community with 20+ years of deployment experience. Extensive documentation, forums, and commercial support options. The project is mature and stable, with slower release cadence.
Use Cases
Choose WireGuard If…
- Performance matters (high throughput, low latency)
- You want the simplest possible setup
- You’re connecting to your home network from mobile devices (battery life)
- You run modern Linux (kernel 5.6+)
- You don’t need TCP transport
- You value a small, auditable codebase
- You want instant connections (no handshake delay)
Choose OpenVPN If…
- You need TCP support for restrictive firewalls (corporate, airport, hotel)
- You need per-user bandwidth controls
- You need detailed connection logging
- You support legacy clients (Windows 7, older Android, embedded devices)
- You need the server to push routes and DNS to clients
- You need certificate-based authentication with revocation
Final Verdict
WireGuard for almost everything. It’s faster, simpler, lighter, and built into the kernel. For self-hosted remote access to your home network, WireGuard is the right choice.
The only scenario where OpenVPN wins is firewall traversal: if you regularly connect from networks that block UDP, OpenVPN over TCP port 443 is the reliable fallback. Some self-hosters run both — WireGuard as the primary VPN and OpenVPN as a backup for restrictive networks.
If WireGuard’s bare-bones configuration is too manual for you, use wg-easy for a web UI, or Tailscale/Headscale for a zero-config mesh network built on WireGuard.
FAQ
Can WireGuard run over TCP?
Not natively. WireGuard is UDP-only by design. You can tunnel WireGuard over TCP using tools like udp2raw or wstunnel, but this adds complexity and overhead. If TCP is a hard requirement, use OpenVPN.
Is WireGuard less secure than OpenVPN?
No. WireGuard uses modern cryptography and has a smaller attack surface. Its formal verification and small codebase make security auditing more practical. Both are secure when properly configured.
Can I migrate from OpenVPN to WireGuard?
Yes, but they use different protocols, so it’s not a direct migration. Set up WireGuard alongside OpenVPN, migrate clients one at a time, then decommission OpenVPN. Both can run simultaneously on different ports.
Does WireGuard support dynamic IP assignment?
Not natively. Each peer gets a static IP defined in the config file. If you need dynamic assignment, use Tailscale or Headscale which handle IP management automatically on top of WireGuard.
Which is better for a site-to-site VPN?
WireGuard. Its low overhead and high throughput make it ideal for site-to-site links. Configure AllowedIPs on both sides to route between subnets.
Related
Get self-hosting tips in your inbox
New guides, comparisons, and setup tutorials — delivered weekly. No spam.