Why We Chose WireGuard Over OpenVPN and IPSec
A technical deep-dive into why OxidVPN is built on the WireGuard protocol — examining performance, security, and code simplicity.
The Protocol Decision
When we started building OxidVPN, the choice of VPN protocol was the most consequential architectural decision we would make. After extensive evaluation, we chose WireGuard. Here is why.
Code Simplicity Matters for Security
WireGuard’s entire codebase is approximately 4,000 lines of code. Compare that to OpenVPN at over 100,000 lines, or IPSec implementations that can exceed 400,000 lines. This is not a vanity metric — it has direct security implications.
A smaller codebase is:
- Easier to audit — Security researchers can realistically review the entire protocol implementation.
- Less likely to contain bugs — Fewer lines of code means fewer places for vulnerabilities to hide.
- Simpler to reason about — The entire protocol fits in a single researcher’s head, making formal verification feasible.
WireGuard has been formally verified using the Tamarin prover, demonstrating that its key exchange satisfies the security properties it claims. No other mainstream VPN protocol can make this claim.
Modern Cryptography
WireGuard uses a carefully selected set of modern cryptographic primitives:
| Component | Algorithm |
|---|---|
| Symmetric encryption | ChaCha20-Poly1305 |
| Key exchange | Curve25519 (ECDH) |
| Hashing | BLAKE2s |
| Key derivation | HKDF |
| Hash table keys | SipHash24 |
There is no cipher negotiation, no TLS handshake, and no certificate infrastructure. This eliminates entire classes of vulnerabilities related to protocol downgrade attacks and misconfiguration.
OpenVPN and IPSec, by contrast, support dozens of cipher suites and configuration options. Each additional option increases the attack surface and the probability of misconfiguration.
Performance
WireGuard operates in kernel space (on supported platforms), eliminating the context-switching overhead that user-space VPN implementations like OpenVPN suffer from. In our benchmarks:
- Throughput: WireGuard achieves 80-95% of raw line speed, compared to 40-70% for OpenVPN.
- Latency: WireGuard adds approximately 1ms of latency per hop. OpenVPN typically adds 5-15ms.
- Connection time: WireGuard establishes connections in under 100ms. OpenVPN’s TLS handshake takes 1-3 seconds.
- Battery impact: On mobile devices, WireGuard uses significantly less battery due to fewer CPU cycles per packet.
Roaming and Reconnection
WireGuard handles network changes gracefully. When you switch from Wi-Fi to cellular, the connection seamlessly transitions without dropping. There is no reconnection handshake — packets simply start arriving from the new source IP, and WireGuard updates its endpoint accordingly.
This is a fundamental protocol-level advantage. OpenVPN and IPSec require explicit reconnection when the underlying network changes, resulting in seconds of downtime during transitions.
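The endpoint-update rule described above, simulated as an added example that is not OxidVPN's or WireGuard's own code: a peer's endpoint becomes the source address of the latest packet that both authenticates and is not a replay, while packets failing either check leave it untouched (otherwise a spoofed source address could redirect where the tunnel sends its replies). HMAC-SHA256 stands in for WireGuard's ChaCha20-Poly1305 tag, and the strictly increasing counter is a simplification of WireGuard's sliding replay window.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC stands in for the 16-byte Poly1305 tag
HDR_LEN = 8    # 64-bit packet counter, as in WireGuard's data packets


class Peer:
    """State kept for one remote peer (simplified, constructed for this example)."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.endpoint = None        # (ip, port) of the last authenticated packet
        self.highest_counter = -1   # replay protection (strict monotonic here)


def build_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    """Encode counter || payload || tag, the shape of a WireGuard data packet."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def receive(peer: Peer, src: tuple, packet: bytes):
    """Process a packet that arrived from address `src`.

    Returns the payload when the packet is authentic and fresh, else None.
    Only that success path moves the peer's endpoint: this is what lets a
    client roam from Wi-Fi to cellular without a new handshake, while a
    forged or replayed packet from another address cannot hijack the session.
    """
    if len(packet) < HDR_LEN + TAG_LEN:
        return None
    header, body, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(peer.session_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                           # not from our peer: ignore entirely
    counter = struct.unpack(">Q", header)[0]
    if counter <= peer.highest_counter:
        return None                           # authentic but replayed: endpoint stays
    peer.highest_counter = counter
    peer.endpoint = src                       # roam: replies now go to the new address
    return body
```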
How We Extend WireGuard
While WireGuard provides an excellent foundation, OxidVPN adds several layers on top:
- Traffic Obfuscation — We wrap WireGuard packets in an obfuscation layer that makes them indistinguishable from HTTPS traffic, defeating DPI-based blocking.
- Multi-Hop — Our client can chain multiple WireGuard tunnels, routing traffic through 2 or more servers in different jurisdictions.
- Dynamic Key Rotation — We rotate WireGuard keys more frequently than the default, limiting the window of any potential key compromise.
The Trade-offs
WireGuard is not without limitations:
- No TCP mode — WireGuard only operates over UDP. In networks that block UDP, our obfuscation layer handles this by tunneling over TCP/443.
- Static IP assignment — WireGuard assigns static internal IPs, which could theoretically be used for tracking. We mitigate this by rotating assignments on each connection.
- Newer protocol — WireGuard is younger than OpenVPN (2015 vs. 2001). However, its formal verification and small codebase offset this concern.
Conclusion
WireGuard’s combination of code simplicity, modern cryptography, and superior performance made it the clear choice for OxidVPN. Combined with our Rust server implementation, it allows us to deliver a VPN service that is both faster and more secure than traditional alternatives.
The full source code of our WireGuard integration is available on GitHub.