POST(VPN)                         netgod.dev manual                         POST(VPN)
NAME

$ The Anatomy of a Modern VPN Protocol: WireGuard vs OpenVPN

DESCRIPTION

WireGuard is ~4000 lines of code. OpenVPN is ~70,000. The performance and security gap exists for a reason. A look under the hood.

DATE
2025-04-18
DURATION
1 min read
TAGS
cover image: ./assets/wireguard-vs-openvpn-anatomy.png
CONTENT

OpenVPN dates from 2001. It carries TLS, OpenSSL, configurable cipher suites, and a lot of weight. WireGuard ships in 2020 with a take-it-or-leave-it cryptosuite (ChaCha20, Poly1305, Curve25519, BLAKE2s) and runs in the Linux kernel.

Where the speed comes from

  1. Kernel-space, not user-space. No syscall round-trips per packet.
  2. No connection state. WireGuard is essentially connectionless UDP: peers are identified by public key and session keys rotate on a timer. OpenVPN holds a long-lived TLS session that has to be set up and torn down.
  3. Fixed crypto. No negotiation, no fallback paths, no Bleichenbacher attacks waiting to happen.

When OpenVPN still makes sense

  • Corporate environments that audit specific cipher suites
  • TCP fallback for hostile firewalls (WireGuard is UDP-only)
  • Per-connection user authentication via PAM/RADIUS — WireGuard pushes that to a layer above

The one annoying part of WireGuard

It does not roam well across NATs without PersistentKeepalive. A peer behind a NAT only stays reachable while the NAT's UDP mapping is alive, and nothing in the protocol sends traffic on its own to keep it that way. Set PersistentKeepalive to 25 seconds, under the ~30-second UDP timeout most NATs use. Don't think about it again.
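The two configs the post alludes to, written out as an added example (not code from the netgod.dev post): the WireGuard peer block with the keepalive from this section, the OpenVPN client profile for the auditable-ciphers, TCP-fallback and per-user-login cases from the previous section, and a small lint that catches a NATed WireGuard peer that forgot the keepalive. Keys, hostnames, ports and the CA block are placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the post's code. Keys, endpoints and the CA block are placeholders.

# WireGuard [Peer] section for a client behind a NAT. The client has no public
# address, so only periodic outbound traffic keeps the NAT's UDP mapping open
# and lets the server's packets reach it. 25 s sits under the ~30 s UDP timeout
# most NATs use.
wg_peer_section() {
  peer_pubkey="$1"   # base64 Curve25519 public key of the server (placeholder)
  endpoint="$2"      # host:port of the server
  cat <<EOF
[Peer]
PublicKey = $peer_pubkey
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# OpenVPN client profile for the cases where OpenVPN still makes sense:
# pinned, auditable data-channel ciphers, TCP transport for firewalls that
# drop UDP, and a per-user login the server hands to PAM or RADIUS.
openvpn_client_profile() {
  server="$1"
  cat <<EOF
client
dev tun
proto tcp-client
remote $server 443
tls-version-min 1.2
# Only these AEAD ciphers may be negotiated for the data channel.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth-user-pass
<ca>
# CA certificate goes here (placeholder)
</ca>
EOF
}

# Lint: a peer section with an Endpoint but no keepalive (or one at or above
# the usual 30 s NAT timeout) works until the mapping expires, then stops
# receiving. Returns 0 when the section is safe for a NATed client; a section
# without an Endpoint is the server side and passes.
wg_nat_safe() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q '^Endpoint' || return 0
  ka=$(printf '%s\n' "$conf" | sed -n 's/^PersistentKeepalive *= *\([0-9]*\).*/\1/p')
  [ -n "$ka" ] && [ "$ka" -gt 0 ] && [ "$ka" -lt 30 ]
}

# Usage: render both files and lint the WireGuard one.
wg_peer_section "PLACEHOLDER_SERVER_PUBKEY" "vpn.example.com:51820" > wg0-peer.conf
openvpn_client_profile "vpn.example.com" > client.ovpn
wg_nat_safe "$(cat wg0-peer.conf)" && echo "wg0-peer.conf: keepalive ok"
```

The lint is deliberately narrow: it only flags the one misconfiguration this section is about, a NATed peer with no keepalive or one too long to beat the NAT timeout, and says nothing about key material or AllowedIPs.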

netgod.dev manual                              2025-04-18                              END