WireGuard vs OpenVPN in 2026: which one to use
Two protocols with very different histories. One is from 1999 and weighs 70,000 lines of C. The other is from 2018 and weighs 4,000. Here's when to pick each.
For two decades the answer to "which VPN protocol should I use" was OpenVPN, and the only debate was UDP versus TCP. Then in 2018 a Linux kernel developer named Jason Donenfeld published WireGuard — a protocol so much smaller and faster that it forced the entire VPN industry to retool. Six years later, the dust has settled. Here is the field guide.
OpenVPN, briefly
OpenVPN runs in userspace, uses the OpenSSL library for cryptography, and supports TLS-style ciphersuite negotiation. It has been deployed everywhere from corporate VPN concentrators to consumer apps to embedded routers. Its strength is flexibility: it can run over TCP or UDP, on any port, through any reasonable firewall.
Its weakness is size. The codebase is over 70,000 lines and exposes a wide attack surface. It is single-threaded by default, which becomes a bottleneck on faster connections. And the handshake is comparatively slow.
WireGuard, briefly
WireGuard takes a different approach: pick the best modern crypto primitives, hardcode them, and refuse to negotiate anything. The result is a protocol that fits in 4,000 lines of C and runs as a Linux kernel module. No port choices, no cipher negotiation, no MTU surprises. It just works, and it works fast.
Side by side
Speed
WireGuard is faster, often dramatically. On a 1 Gbps line we measure 950 Mbps over WireGuard, 380 Mbps over OpenVPN. Mobile-to-cellular handoffs are nearly instant on WireGuard (no TLS renegotiation), several seconds on OpenVPN.
Battery
WireGuard uses less CPU per byte, which translates to longer phone battery. We measure roughly 30% lower CPU on iPhones during sustained download. Most of that is the lighter handshake.
Censorship resistance
OpenVPN wins, narrowly. It can be wrapped in obfuscation (stunnel, OpenVPN over TLS) that mimics regular HTTPS. WireGuard's UDP is more visible to deep-packet inspection, although our Obfuscated mode wraps WireGuard in TLS to neutralize that.
Privacy of the protocol itself
WireGuard requires the server to keep a small piece of state per peer (a static IP). On the client side, this is invisible. On the server side, it means a memory dump from a compromised server reveals which peers were connected. PlanetProxy mitigates this with our 'double NAT' setup, but it is a real consideration.
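To see what that per-peer state looks like from the server side, here is an added example (not PlanetProxy's code) that parses the tab-separated output of `wg show <interface> dump` and classifies what a snapshot would reveal about each peer. The sample dump, keys, addresses and the 180-second staleness threshold are constructed assumptions.

```python
import time

# Constructed sample of `wg show wg0 dump` output (tab-separated). All keys,
# addresses and timestamps below are made up for illustration.
SAMPLE_DUMP = "\n".join([
    "PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff",
    "PEER_A_PUBKEY\t(none)\t198.51.100.7:41822\t10.8.0.2/32\t1767225500\t52428800\t1048576\toff",
    "PEER_B_PUBKEY\t(none)\t203.0.113.40:60111\t10.8.0.3/32\t1767139200\t1024\t2048\t25",
    "PEER_C_PUBKEY\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff",
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "keepalive")

def parse_peers(dump):
    """Return one dict per peer line; the first line describes the interface."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        cols = line.split("\t")
        if len(cols) != len(PEER_FIELDS):
            raise ValueError(f"unexpected peer line: {line!r}")
        peer = dict(zip(PEER_FIELDS, cols))
        peer["endpoint"] = None if peer["endpoint"] == "(none)" else peer["endpoint"]
        peer["latest_handshake"] = int(peer["latest_handshake"])
        peers.append(peer)
    return peers

def exposure_report(dump, now, stale_after=180):
    """Classify what a snapshot of server state would reveal about each peer."""
    report = {}
    for p in parse_peers(dump):
        age = now - p["latest_handshake"] if p["latest_handshake"] else None
        if p["endpoint"] is None:
            status = "no-source-address-held"
        elif age is not None and age <= stale_after:
            status = "active-session-visible"
        else:
            status = "stale-source-address-retained"  # assumed threshold, see lead-in
        report[p["public_key"]] = (status, p["allowed_ips"], p["endpoint"])
    return report

if __name__ == "__main__":
    for key, row in exposure_report(SAMPLE_DUMP, now=1767225600).items():
        print(key, *row)
```

On a real server, feed it the live output of `wg show wg0 dump` and the current Unix time; any peer reported as `stale-source-address-retained` is a source address the server is still holding after the session went quiet.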
When to pick which
- Default to WireGuard. Faster, lighter, simpler. Used by 89% of our members.
- Use OpenVPN if you are routing through a hostile firewall that drops UDP — corporate networks, some hotel Wi-Fi, certain countries.
- Use Obfuscated WireGuard (TLS-wrapped) if you need to look like ordinary HTTPS. This is our default in restricted regions.
What about IKEv2?
IKEv2 deserves a mention. It is built into iOS and macOS, handles network handoffs gracefully, and is roughly as fast as WireGuard. Its main downsides are political (it was co-developed by Microsoft and Cisco, two organizations with cooperative-with-government track records) and operational (the kernel implementations have a long bug tail).
We support all three. The decision tree is: WireGuard, unless you can't, in which case Obfuscated WireGuard, unless that's blocked too, in which case IKEv2 or OpenVPN-over-TCP-443. The app picks for you by default.