You're torn between OpenVPN and WireGuard for your self-hosted VPN on Contabo (or Hetzner, OVH). You read "WireGuard is faster" everywhere without ever seeing a verifiable number or understanding why. This technical comparison settles it: we look at the crypto under the hood, the handshake mechanics, the kernel vs userspace impact, mobile battery consumption, audit history — and we finish with 100 reproducible iperf3 runs on the same VPS.
Spoiler: WireGuard wins on every measurable axis. OpenVPN keeps two legitimate niches.
Architecture and crypto primitives
The performance delta comes first from the architectural model, not just the code.
OpenVPN
- Userspace (process `openvpn`)
- Crypto: configurable via `--cipher`, `--auth`, `--tls-cipher`. AES-256-GCM by default since 2.6.
- Classic TLS negotiation: multi-roundtrip, X.509 certificates, CRL, OCSP. Standard but heavy.
- External libraries: OpenSSL or mbedTLS. Every OpenSSL CVE hits OpenVPN.
- Codebase: ~70,000 lines of C (without dependencies).
WireGuard
- Kernel module (since Linux 5.6, mainline), or userspace implementations (`wireguard-go` on macOS/Windows).
- Crypto: frozen by design. No negotiation. Curve25519 (key exchange), ChaCha20-Poly1305 (encryption), BLAKE2s (hash), HKDF (KDF), SipHash24.
- Noise IKpsk2 handshake: 1.5 round-trips, minimal server-side state, no certificate.
- No external crypto dependency: everything is in-tree.
- Codebase: ~5,000 lines of C kernel-side.
That order-of-magnitude difference (5k vs 70k) is why WireGuard could be fully audited end-to-end by Cure53 in 2021. You can do the same for OpenVPN — but it's ~6 months of work vs ~3 weeks for WireGuard.
Handshake speed
Simple test: how many milliseconds between wg-quick up and the first routable packet?
| Protocol | Median handshake RTT | Max observed (100 runs) |
|---|---|---|
| WireGuard | 38 ms | 71 ms |
| OpenVPN UDP (TLS 1.3, AES-256-GCM) | 412 ms | 1,020 ms |
| OpenVPN TCP | 680 ms | 1,850 ms |
The gap comes from the number of round-trips and the TLS certificate. WireGuard does its key exchange in 1.5 RTT; OpenVPN takes 6 to 8 (TCP handshake + TLS handshake + auth + push config).
Practical consequence: on 4G, when the phone switches antennas (roaming), WireGuard reconnects instantly; OpenVPN takes 1-2 seconds, sometimes more, and the packet loss is visible in your tools.
Kernel module vs userspace: why this is huge
When a packet goes through userspace, it does the kernel → userspace → kernel trip: 2 CPU context switches, memory copies, scheduler involvement. At 1 Gbps, that's at least 80,000 packets/second, so 160,000 context switches.
With WireGuard as a kernel module, the packet never leaves the kernel. No context switch, no copy. Throughput depends on available CPU, but the effective ceiling is typically 3-5× that of OpenVPN userspace at equal CPU.
On a Contabo VPS S Cloud (4 vCPU AMD EPYC) we observe:
- WireGuard: ~3.2 Gbps server-side (loopback, internal link) before CPU saturation
- OpenVPN AES-256-GCM: ~850 Mbps before CPU saturation
- OpenVPN ChaCha20: ~920 Mbps before CPU saturation (slightly better, since ChaCha20 does not depend on AES-NI the way AES-GCM does)
At actual network egress (200 Mbps Contabo), neither saturates CPU — but the latency profile differs: WireGuard adds ~0.1 ms, OpenVPN adds ~1.5 ms per packet on average.
Real-world benchmarks: 100 iperf3 runs
Setup: Contabo VPS S Cloud (Ubuntu 24.04, kernel 6.8), MacBook M2 client on Orange fiber 1 Gbps, route Paris → Nuremberg via Telia.
100 runs spread across 3 time slots (9am, 2pm, 9pm), 30s per run, median kept.
| Configuration | Down (Mbps) | Up (Mbps) | Added latency | TCP retransmits |
|---|---|---|---|---|
| Baseline (no VPN) | 938 | 932 | — | 0.02% |
| WireGuard UDP | 901 | 893 | +0.1 ms | 0.03% |
| OpenVPN UDP (AES-256-GCM) | 684 | 678 | +1.5 ms | 0.11% |
| OpenVPN TCP (AES-256-GCM) | 412 | 408 | +3.2 ms | 1.8% |
| OpenVPN UDP (ChaCha20) | 712 | 706 | +1.3 ms | 0.09% |
Read it as: WireGuard loses 4% vs raw link, OpenVPN UDP loses 27%, OpenVPN TCP loses 56%.
Full methodology and raw JSON in the WireGuard vs OpenVPN benchmark guide.
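To reproduce both measurements above (the handshake-to-first-packet time from the "Handshake speed" section and the repeated iperf3 runs reduced to a median), here is an added example script; it is not the article's own tooling. It assumes a Linux client with GNU `date`, `wg-quick`, `iperf3` and `jq` installed, the tunnel interface `wg0` and a server tunnel address of 10.66.66.1 (the address is an assumption; only the 10.66.66.0/24 subnet appears on the page).

```shell
#!/bin/sh
# Added example (not from the article): handshake_ms() times `wg-quick up` to the
# first ICMP reply through the tunnel, iperf_mbps() runs one 30 s iperf3 test in
# JSON mode, median() reduces repeated runs the way the tables are read.
# Assumed: Linux client (GNU date), wg-quick/iperf3/jq present, wg0, server 10.66.66.1.
set -eu

# Median of newline-separated numbers on stdin (even count: mean of the two middle values).
median() {
    sort -n | LC_ALL=C awk '{ v[NR] = $1 }
        END { if (NR == 0) exit 1;
              if (NR % 2) printf "%.1f\n", v[(NR + 1) / 2];
              else printf "%.1f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2 }'
}

# Milliseconds from `wg-quick up` until the first routable packet (first ICMP reply).
handshake_ms() {
    iface="$1"; peer="$2"
    start=$(date +%s%N)
    wg-quick up "$iface" >/dev/null 2>&1
    until ping -c 1 -W 1 "$peer" >/dev/null 2>&1; do :; done   # 1 s reply timeout per probe
    end=$(date +%s%N)
    wg-quick down "$iface" >/dev/null 2>&1                      # next run must re-handshake
    echo $(( (end - start) / 1000000 ))
}

# One 30 s iperf3 run; prints Mbps received (pass -R for download, nothing for upload).
iperf_mbps() {
    server="$1"; shift
    iperf3 -c "$server" -t 30 -J "$@" | jq '.end.sum_received.bits_per_second / 1e6'
}

# Repeat a measurement N times and print the median of the values it printed.
median_of() {
    n="$1"; shift
    i=0
    while [ "$i" -lt "$n" ]; do "$@"; i=$((i + 1)); done | median
}

# Measurements only run when asked for (root needed for wg-quick): BENCH=1 sh vpn-bench.sh 100
if [ "${BENCH:-0}" = 1 ]; then
    runs="${1:-100}"
    echo "handshake median ms:  $(median_of "$runs" handshake_ms wg0 10.66.66.1)"
    echo "download median Mbps: $(median_of "$runs" iperf_mbps 10.66.66.1 -R)"
    echo "upload median Mbps:   $(median_of "$runs" iperf_mbps 10.66.66.1)"
fi
```

Run it three times a day to mirror the article's time slots; keeping the median rather than the mean is what makes a single congested run harmless to the result.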
Mobile battery impact
On iPhone 14 Pro (iOS 17.5), 4 hours of YouTube + Spotify + continuous web browsing, WiFi then 4G, tunnel always on.
| Protocol | Battery used | Estimated avg watts |
|---|---|---|
| No VPN | 18% | 1.6 W |
| WireGuard | 21% | 1.9 W |
| OpenVPN UDP | 27% | 2.4 W |
| OpenVPN TCP | 31% | 2.7 W |
WireGuard burns +3 points vs no-VPN. OpenVPN UDP: +9 points. The gap comes from simpler crypto (ChaCha vs AES-GCM with negotiation) and no TLS keepalive in WireGuard (just an optional UDP keepalive every 25s).
On a Paris-Marseille train trip (3h tunnel active, screen on), you save ~10% battery switching from OpenVPN to WireGuard.
Audit history and CVEs
OpenVPN
- First full independent audit: 2017 (OSTIF + QuarksLab + Cryptography Engineering). 2 major vulns found, including one RCE.
- CVEs since: ~28 CVE entries (2018-2025), including 3 RCEs.
- Attack surface: OpenVPN + OpenSSL (combined codebase ~500,000 lines C/C++).
- Reputation: solid after 22 years in production, but the historical weight shows.
WireGuard
- Cure53 audit (2018) on the Linux implementation. 0 critical vulns.
- Formal audit of crypto primitives (IEEE S&P 2018 paper) — mathematical proof of the Noise IKpsk2 protocol.
- CVEs since: 0 critical kernel-side, a few `wireguard-go` (userspace) implementation bugs fixed in less than 7 days.
- Attack surface: ~5,000 lines kernel C.
For an attacker, WireGuard is ~14× harder to fuzz deeply than OpenVPN simply because there's less code to fuzz.
When to keep OpenVPN
Three cases where OpenVPN remains defensible:
- TCP mandatory: some corporate firewalls block outbound UDP. OpenVPN does TCP natively. WireGuard needs a wrapper (`wstunnel`, `udp2raw`), which complicates setup.
- Standard port 443: OpenVPN on 443/TCP looks like HTTPS to basic DPI. Useful in hotels or strict enterprise networks.
- Legacy compatibility: Windows < 10, Android < 5, iOS < 12, low-end home routers — WireGuard doesn't always ship an official client. OpenVPN is everywhere since 2002.
For cases 1 and 2, you can still tunnel WireGuard via udp2raw in fake TCP/443 — see WireGuard templates 2026, template 7.
When to move to WireGuard
Everything else. Notably:
- Self-hosted VPN on personal VPS (Contabo, Hetzner, OVH) — perf gain + simple setup
- Mobile VPN (iOS, Android) — battery gain + fast reconnect
- Site-to-site with high-bandwidth links (>100 Mbps) — clear throughput gain
- Hub-and-spoke between several sites — config gain (5 lines vs 30 lines per peer)
- Multi-country roadwarrior — instant handshake on network change
If you're starting from scratch today on a fresh Contabo VPS, the default choice must be WireGuard. OpenVPN is a fallback for exotic cases.
OpenVPN → WireGuard migration without downtime
Already running OpenVPN in prod? Clean migration in 4 steps:
- Deploy WireGuard in parallel on the same VPS, port 51820, subnet 10.66.66.0/24 (distinct from OpenVPN's subnet).
- Adapt iptables rules: MASQUERADE both subnets, no FORWARD between them.
- Migrate clients one by one, testing connectivity from each before removing its OpenVPN cert.
- Disable OpenVPN: `systemctl stop openvpn-server@server`, then `systemctl disable openvpn-server@server`. Keep the config 30 days just in case, then `apt remove openvpn`.
No downtime, no client left without VPN. Over 14 months of prod here, we did this migration in ~2 weeks (38 peers).
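Step 2 of the migration (MASQUERADE both subnets, no FORWARD between them) as an added example script, not the article's own firewall config. It assumes OpenVPN's subnet is 10.8.0.0/24 and the VPS egress interface is `eth0` (neither is stated on the page); the WireGuard subnet 10.66.66.0/24 is the one from step 1.

```shell
#!/bin/sh
# Added example (not from the article): iptables rules for running OpenVPN and
# WireGuard side by side on one VPS during the migration. Both tunnel subnets are
# NATed out of the public interface; forwarding between the two subnets is dropped.
# Assumptions (not on the page): OpenVPN subnet 10.8.0.0/24, egress interface eth0.
set -eu

OVPN_NET="${OVPN_NET:-10.8.0.0/24}"      # assumed OpenVPN subnet
WG_NET="${WG_NET:-10.66.66.0/24}"        # WireGuard subnet from step 1 of the article
EGRESS_IF="${EGRESS_IF:-eth0}"           # assumed public interface of the VPS

# Print the rule set as iptables command lines without applying it.
# Order matters: the two inter-subnet DROP rules must come before any ACCEPT.
gen_rules() {
    ovpn="$1"; wg="$2"; ifc="$3"
    cat <<EOF
iptables -A FORWARD -s $ovpn -d $wg -j DROP
iptables -A FORWARD -s $wg -d $ovpn -j DROP
iptables -A FORWARD -s $ovpn -o $ifc -j ACCEPT
iptables -A FORWARD -s $wg -o $ifc -j ACCEPT
iptables -A FORWARD -i $ifc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ovpn -o $ifc -j MASQUERADE
iptables -t nat -A POSTROUTING -s $wg -o $ifc -j MASQUERADE
EOF
}

# Number of rules isolating the two tunnel subnets from each other; must be 2
# (one per direction) before any client is moved across.
count_isolation_rules() {
    gen_rules "$1" "$2" "$3" | grep -c -- '-j DROP'
}

# Apply only when explicitly asked: APPLY=1 sh migrate-fw.sh
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$OVPN_NET" "$WG_NET" "$EGRESS_IF" | while IFS= read -r cmd; do
        echo "+ $cmd"; eval "$cmd"
    done
fi
```

Without `APPLY=1` the script only prints the rules, so you can review them (or diff them against `iptables-save`) before touching a production box.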
Verdict
WireGuard is the default choice in 2026 for 95% of self-host cases. Faster (4% loss vs 27%), simpler (5k lines vs 70k), more efficient (mobile battery -10%), audited end-to-end. OpenVPN remains relevant for TCP-only, strict port 443, or legacy compatibility.
If you want the full WireGuard setup on Contabo VPS, the step-by-step guide takes 20 minutes from Contabo signup to first ping. The VPS we use ourselves is /go/contabo — VPS S Cloud 4.99 €/mo over 24 months.
And for paste-ready config templates: WireGuard Templates 2026.