WireGuard vs OpenVPN in 2026: Cryptographic Primitives, Codebase Size, and When Each Is the Right Default

WireGuard is newer, smaller, and uses modern primitives. OpenVPN is older, larger, and runs over TCP 443 to traverse restrictive networks. Both are open standards. Here is the honest protocol-choice framework.

By Subger Editorial Team. Updated 30 April 2026. 7 min read.

What WireGuard and OpenVPN are, briefly

WireGuard is a VPN protocol designed by Jason A. Donenfeld and merged into the Linux kernel in 2020. The whitepaper at wireguard.com/papers/wireguard.pdf specifies its cryptographic primitives: Curve25519 for key exchange, ChaCha20 for symmetric encryption, Poly1305 for authentication, BLAKE2s for hashing, HKDF for key derivation, and SipHash24 for hashtable keys. The Linux kernel implementation is approximately 4,000 lines of code. OpenVPN is older (first released in 2001), GPL-licensed, runs in user space rather than in the kernel, and relies on OpenSSL or mbedTLS for its cryptography. The OpenVPN 2.6 reference manual is published at openvpn.net.
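As an added illustration of the primitives listed above (this is example code, not code from WireGuard or from this article), the following Python derives a shared secret with Curve25519 and then splits it with WireGuard's HKDF-style Kdf_n construction over HMAC-BLAKE2s, as the whitepaper defines it. The key pairs are the RFC 7748 section 6.1 test vectors and the chaining key is a constructed stand-in; the pure-Python scalar multiplication is not constant-time and is for illustration only.

```python
import hashlib
import hmac

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (A - 2) / 4 for Curve25519, per RFC 7748

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder. Plain Python integers are
    not constant-time, so this is for illustration, not production use."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64                 # clamp the scalar
    k_int = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(key: bytes, data: bytes, n: int) -> list:
    """WireGuard's Kdf_n: HKDF over HMAC-BLAKE2s; tau_i = HMAC(tau0, tau_{i-1} || i)."""
    mac = lambda k, m: hmac.new(k, m, hashlib.blake2s).digest()
    tau0, out, prev = mac(key, data), [], b""          # tau0 is the extract step
    for i in range(1, n + 1):                          # expand into n 32-byte keys
        prev = mac(tau0, prev + bytes([i]))
        out.append(prev)
    return out

def session_keys(my_priv: bytes, their_pub: bytes, chaining_key: bytes) -> list:
    """What each peer computes: ECDH first, then Kdf2 to split the result in two."""
    return kdf(chaining_key, x25519(my_priv, their_pub), 2)

# Constructed inputs: the RFC 7748 section 6.1 key pairs and a stand-in
# chaining key (WireGuard's real one starts from its construction string).
BASEPOINT = (9).to_bytes(32, "little")
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CHAINING_KEY = hashlib.blake2s(b"constructed chaining key").digest()
```

Both peers end up with the same two 32-byte keys even though each only ever sees its own private key and the other side's public key.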

Codebase size and audit surface

WireGuard's small codebase (roughly 4,000 lines in the Linux kernel implementation) is a deliberate design choice: the smaller the codebase, the smaller the audit surface and the fewer places for bugs to hide. OpenVPN's codebase is larger (the full project, including the openvpn binary, plugins, and supporting libraries, spans far more), and the trade-off is over two decades of CVE history, meaning the common corner cases have been found, patched, and folded into the test suite. Neither is unambiguously safer: WireGuard's smaller codebase has also had fewer eyes on it for a shorter time, and OpenVPN's audit surface includes the OpenSSL or mbedTLS library it depends on.

Transport: UDP vs TCP

WireGuard uses UDP only. OpenVPN supports both UDP and TCP. The implication: networks that block UDP (corporate Wi-Fi with restrictive egress rules, some hotel networks, networks with deep packet inspection that flags non-HTTPS UDP) will block WireGuard. OpenVPN's TCP mode runs on TCP port 443, the same port HTTPS uses, and is therefore harder to block without breaking ordinary web traffic. Sharing the port is not the same as looking like HTTPS, though: a DPI appliance can still fingerprint OpenVPN's own framing, which is what TLS-wrapped variants such as Proton's Stealth exist to address. If you regularly connect from networks with restrictive egress, OpenVPN-TCP is the more reliable choice even if it is slower. Most major VPN clients let you switch protocols without changing accounts.

Performance differences come from kernel space

WireGuard's biggest performance advantage on Linux is that it runs in kernel space — packets do not have to cross the user/kernel boundary on every encrypt or decrypt operation. OpenVPN runs in user space, which historically has been a meaningful overhead. OpenVPN 2.6 with Data Channel Offload (DCO) moves the symmetric cipher work into the kernel and closes much of the gap. We do not publish raw throughput numbers because they vary heavily by network conditions, server load, and time of day; the published WireGuard whitepaper documents the protocol design and benchmarks the prototype, but real-world consumer-VPN throughput depends on the provider's infrastructure as much as the protocol.

Which audited VPNs implement which protocol

All five major audited paid VPNs support both WireGuard and OpenVPN. Mullvad ships its own WireGuard implementation alongside OpenVPN (Cure53 audited both server configurations in June 2024). Proton VPN supports WireGuard, OpenVPN, and a Stealth protocol (an OpenVPN-on-TLS variant for restrictive networks). NordVPN's NordLynx is a customized WireGuard implementation. ExpressVPN's Lightway is a custom protocol with its own audit history (Cure53 and Praetorian reviewed the Rust rewrite of Lightway in 2024). Surfshark supports WireGuard and OpenVPN.

Recommendation

Default to WireGuard or the vendor's WireGuard-derived custom protocol (NordLynx, ExpressVPN's Lightway). Switch to OpenVPN-TCP when the network blocks UDP (corporate Wi-Fi, university Wi-Fi with restrictive egress, hotel networks with DPI). The protocol choice is rarely the bottleneck for consumer VPN performance; the provider's server selection and current load matter more. For privacy specifically, the protocol does not matter: the no-logs property is independent of protocol, and it is what audits exist to verify.

Sources

WireGuard whitepaper: wireguard.com/papers/wireguard.pdf
OpenVPN 2.6 reference manual: openvpn.net/community-resources/reference-manual-for-openvpn-2-6
Mullvad infrastructure audit (Cure53, June 2024, covering both OpenVPN and WireGuard server configurations): mullvad.net/en/blog/fourth-infrastructure-audit-completed-by-cure53
ExpressVPN Lightway audits: expressvpn.com/blog/lightway-audits-cure53-praetorian
All URLs accessed 2026-04-30.