Hacker News

rpcope1 · last Sunday at 8:06 PM · 3 replies

Wireguard is cool, but there are some reasons it's worth considering OpenVPN (and why I still use OpenVPN anyway). First, OpenVPN has kernel mode now (called DCO, which I think Netgate may have upstreamed to FreeBSD); I've found its performance on hardware with AES-NI on Linux is actually often better than Wireguard's. Second, there are a lot of quality-of-life things that just work on OpenVPN that you've got to use a ton of duct tape to make work with Wireguard, a major one being handling DNS record changes (think especially dynamic DNS, which is likely if this is IPv4 and a residential connection). This is a huge pain with Wireguard, but just works on OpenVPN. Similarly, if you have multiple WAN links, like I do, for OpenVPN it's just two connection stanzas and it largely just works. Again, for Wireguard you're adding lots of duct tape to make it work right. I know Wireguard is the new hot thing, but it leaves a lot to be desired in the resiliency and features department.
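The "two connection stanzas" mentioned above, as an added illustration that is not part of the comment or of the OpenVPN project's documentation: an OpenVPN 2.4+ client profile with one `<connection>` block per WAN link. The hostnames, port and certificate file names are placeholders. OpenVPN tries the blocks in order and fails over when one is unreachable, and because the `remote` entries are names rather than addresses, each (re)connection attempt resolves them again, which is what makes a dynamic-DNS endpoint work without extra tooling.

```conf
# Added example, not from the thread. Placeholder hostnames and file names.
client
dev tun
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verb 3

# First WAN link (hypothetical dynamic-DNS name).
<connection>
remote wan1.example.org 1194 udp
connect-retry 5 30
connect-timeout 10
</connection>

# Second WAN link, tried when the first one times out.
<connection>
remote wan2.example.org 1194 udp
connect-retry 5 30
connect-timeout 10
</connection>

# Client identity and the pre-shared TLS key that must match the server.
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
```

Do not add `persist-remote-ip` to such a profile: it pins the last resolved address across restarts, which defeats the re-resolution that dynamic DNS depends on. `connect-retry 5 30` backs off from 5 to 30 seconds between attempts on the same block, and `connect-timeout 10` bounds how long a dead link holds up failover to the next block.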


Replies

paranoidrobot · last Monday at 1:56 AM

One of the major advantages for Wireguard over OpenVPN (for me) is that it's quite difficult for random port scans to detect it.

With OpenVPN it's hanging out there responding to everyone that asks nicely that yes, it's OpenVPN.

So anyone with a new exploit for OpenVPN just has to pull up Shodan and now they've got a nice list of targets that likely have access to more private networks.

Wireguard doesn't respond at all unless you've got the right keys.

Also, fwiw - we're approaching 11 years since it was announced, and 5 years since it was accepted into the Linux/BSD kernels.
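The exposure described in the comment above (an OpenVPN server that answers any unauthenticated probe) has a standard mitigation in OpenVPN itself, shown here as an added example that is not part of the thread or of the OpenVPN project's own docs. With `tls-crypt` (or the older `tls-auth`), every control-channel packet must carry an HMAC computed with a pre-shared key; packets without it are dropped before the TLS handshake starts, so a scanner that does not hold the key gets no reply, the same posture the comment attributes to Wireguard. File names and the subnet are placeholders.

```conf
# Added example, not from the thread. OpenVPN 2.4+ server side; placeholder file names.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

ca ca.crt
cert server.crt
key server.key
dh none                  # use ECDH instead of a static DH group
remote-cert-tls client   # only accept client certificates with the client EKU
tls-version-min 1.2

# Pre-shared control-channel key. Control packets that are not authenticated
# (and, with tls-crypt, also encrypted) under this key are silently discarded,
# so unauthenticated probes see no response and no protocol banner.
# Generate once with: openvpn --genkey secret ta.key   (OpenVPN 2.5 syntax)
# and ship the same file to every client, which references it as "tls-crypt ta.key".
tls-crypt ta.key
```

The caveat a practitioner should keep in mind: this hides the service from probes that lack the key and takes the pre-TLS code path off the table for unauthenticated attackers, but the key is shared across all clients, so a leaked client profile restores the old visibility until `ta.key` is rotated everywhere. `tls-crypt-v2` addresses that with per-client keys if rotation across many devices is a concern.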

ZeWaren · last Sunday at 8:33 PM

I use wireguard as my main VPN to connect to my homelab from my phone and my laptops.

I also have an OpenVPN instance as a backup option, running behind sslh. The same port on my router (443) serves both a webserver hosting photos and that OpenVPN instance. This allows me to VPN into my home from most firewalled office networks.

justsomehnguy · yesterday at 12:57 AM

Wireguard is a cool transport protocol.

OpenVPN is a proper VPN protocol with serious performance troubles if you misstep even once.

Wireguard fanboys just never use it on more than a couple of devices, where they could manually tinker with everything that is needed; they have never provided VPN solutions for even dozens of users.