WireGuard is less than half as old as OpenVPN, which has been around for 22 years, yet it is already proving fairly reliable. It is also much leaner: roughly 4,000 lines of code against OpenVPN's 70,000. A codebase that small is far easier to audit, incorporate, or build on, which can be critical for sensitive applications. WireGuard's protocol also carries less overhead than others, so more of the link's bandwidth goes to your actual data and the system pays less of a processing tax.
OpenVPN runs in user space, which means a bug in the program itself is less likely to lead to privilege escalation, but the constant copying between kernel and user space hurts throughput. WireGuard has a fast user-space implementation as well, but it also has kernel support. Overall it is significantly faster, both in theory and in practice, which makes it well suited to transferring large files quickly or streaming video from a personal media server.
WireGuard's security philosophy is also different. OpenVPN is flexible: if the client and server disagree on settings, there are fallback options and the connection can usually still be established. The cost of that flexibility is a larger attack surface, and much more upkeep for system administrators who have to keep those negotiable options configured safely.
WireGuard is deliberately less flexible: each protocol version is built around a fixed set of algorithms and procedures, with nothing to negotiate. If two devices in the network do not match, they simply will not connect. For system administrators, this means the main job is keeping everything updated regularly. There are many other differences between WireGuard's implementation and traditional VPNs, and there is a lot of depth once you get more technical.
The linked article goes on to describe what WireGuard can be used for, as well as some specific disadvantages of using it. I see Proton VPN also has an experimental implementation of WireGuard, but it is a pity they don't offer its split tunnelling in their Linux client app.