OpenVPN vs WireGuard: What are the differences?


Recently, I discovered that the OpenVPN package on my OPNsense devices will no longer be updated starting with version 26.1, which means starting in January 2026. Instead, the Deciso team integrated the WireGuard VPN server a few versions ago. What are the differences between the two products?

Configuration options

WireGuard stands out first and foremost for how simple it is to configure and deploy. You simply add "users", and the configuration files are generated automatically. On the other hand, compared to OpenVPN, the configuration options are limited. For example, you cannot choose the encryption algorithm (encryption is based only on ChaCha20-Poly1305); about the only thing you can choose is whether the connected client has its packets routed outside the LAN to which it is connected.

However, it is interesting to see that one can manually enter the client's private and public keys, which means that if an account is accidentally deleted, and one needs to recreate it, there will be no need to redeploy the client's configuration file.

Additionally, it is not possible to carry the tunnel over a TCP connection, which can be cumbersome in some cases, but you can specify the listening port of the VPN server.
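As an added illustration (not part of the original post, and not a file generated by OPNsense), this is how the settings discussed in this section look in a wg-quick style configuration. All addresses, the port and the key placeholders are constructed, and the two halves would live in separate files on the server and on the client.

```ini
# ---- Server side (constructed example) ----
[Interface]
# Placeholder, never a real key
PrivateKey = <server-private-key>
# Assumed tunnel subnet
Address = 10.10.0.1/24
# The listening port is configurable; the transport is always UDP
ListenPort = 51820

[Peer]
# One "user". If this entry is deleted and re-created with the SAME
# public key, the client's existing configuration file stays valid.
PublicKey = <client-public-key>
# Tunnel address this peer is allowed to use as a source
AllowedIPs = 10.10.0.2/32

# ---- Client side (constructed example) ----
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.0.2/32

[Peer]
PublicKey = <server-public-key>
# Documentation address (RFC 5737) standing in for the firewall's WAN IP
Endpoint = 192.0.2.1:51820
# Split tunnel: only the tunnel subnet and the remote LAN go through the VPN
AllowedIPs = 10.10.0.0/24, 192.168.1.0/24
# Full tunnel alternative: send all client traffic through the VPN
# AllowedIPs = 0.0.0.0/0, ::/0
```

There is no cipher or protocol line to set: the cryptography is fixed, so the only security-relevant inputs are the key pairs and the `AllowedIPs` ranges.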

Communication security

First of all, both VPNs are secure; there's no doubt about that. What differentiates them is the maturity of their cryptographic foundations. OpenVPN is based on OpenSSL, a mature library that has proven itself, while WireGuard uses a more modern library (as specified above).

After doing some research, I discovered that OpenVPN's code has a lot more lines, and therefore there could be more vulnerabilities that could slip into the code. WireGuard, on the other hand, has far fewer lines, and is therefore easier to audit.

Performance

WireGuard is integrated natively into Linux, which allows for drastic performance improvements. As a result, OpenVPN cannot match WireGuard's performance (with the same configuration). WireGuard was originally designed for mobile clients such as tablets or cell phones, but works perfectly on computers.

To give a concrete example: when transferring a file between my infrastructure and my workstation, the OpenVPN link does not exceed 100 Mbit/s, but with the same configuration, WireGuard manages to reach 250 Mbit/s without any problems.

This speed isn't representative of all setups. My router hardware isn't the best for VPN, but it's respectable to achieve such performance.

Which one to choose?

In my case, knowing that my firewall is an OPNsense, I have no choice but to migrate to WireGuard. On the other hand, if you just need a VPN server to remotely access an infrastructure, and you are not necessarily comfortable with managing a VPN server, WireGuard may be interesting.

OpenVPN remains a viable solution in cases where the VPN server is behind a restrictive firewall, and the configuration requires end-to-end control.