You're torn between OpenVPN and WireGuard for your self-hosted VPN on Contabo (or Hetzner, OVH). You read "WireGuard is faster" everywhere without ever understanding why. This technical comparison settles it: we look at the crypto under the hood, the handshake mechanics, the kernel vs userspace impact, mobile battery consumption and audit history - and we give you the reproducible iperf3 procedure so you can verify the difference on your own VPS.
Spoiler: WireGuard wins on essentially every axis. OpenVPN keeps two legitimate niches.
Why this match-up still matters in 2026
You'd expect the OpenVPN vs WireGuard debate to be settled since 2020, yet it keeps going on every sysadmin forum. Three reasons explain why.
First, OpenVPN keeps a massive installed base. Most enterprise networking appliances (Cisco AnyConnect compatible, Pulse Secure, some Fortinet configs) still natively speak OpenVPN or via an adapter. Legacy enterprise VPN setups have rarely migrated for stability and compliance audit reasons. If you join a sysadmin team that maintains an enterprise VPN inherited since 2015, OpenVPN will serve you for another 5-10 years before management accepts a migration. Knowing the technical comparison is therefore useful to defend an internal migration strategy.
Second, hostile network conditions where OpenVPN keeps a slight edge via TCP mode and port 443 are not marginal. Hotel WiFis, some Asian café hotspots, port border VPNs - all restrict to HTTPS and block UDP by default. Pure WireGuard doesn't pass under those conditions without an overlay (wstunnel or Cloak), and the overlay adds 5-15% latency and complexity. OpenVPN-TCP-443 stays the simplest hack when you have neither the time nor the tools to deploy wstunnel.
Finally, OpenVPN's cryptographic audit remains more mature. OpenVPN with OpenSSL has been reviewed by academics since 2005 and has accumulated 19 years of analysis ecosystem. WireGuard uses modern primitives (Noise Protocol Framework) that are beautifully designed but with a shorter cumulative audit history. For a regulated environment like healthcare or defense that requires formal cryptographic certifications, OpenVPN still sometimes has the default advantage by inertia.
These three nuances don't justify recommending OpenVPN as the default choice for a new deployment in 2026 - WireGuard wins 90% of cases - but they explain why the technical comparison is still worth publishing.
What is the difference between WireGuard and OpenVPN?
WireGuard uses a fixed modern crypto stack (Curve25519, ChaCha20-Poly1305) built as a Linux kernel module (~5,000 lines). OpenVPN is a configurable userspace daemon (~70,000 lines) relying on OpenSSL. WireGuard's 1.5-RTT handshake connects far faster than OpenVPN's multi-roundtrip TLS handshake, and on a fast link WireGuard runs closer to line rate while OpenVPN loses more throughput to userspace overhead.
Architecture and crypto primitives
The performance delta comes first from the architectural model, not just the code.
OpenVPN
- Userspace (process
openvpn) - Crypto: configurable via
--cipher,--auth,--tls-cipher. AES-256-GCM by default since 2.6. - Classic TLS negotiation: multi-roundtrip, X.509 certificates, CRL, OCSP. Standard but heavy.
- External libraries: OpenSSL or mbedTLS. Every OpenSSL CVE hits OpenVPN.
- Codebase: ~70,000 lines of C (without dependencies).
WireGuard
- Kernel module (since Linux 5.6, mainline), or userspace impls (
wireguard-goon macOS/Windows). - Crypto: frozen by design. No negotiation. Curve25519 (key exchange), ChaCha20-Poly1305 (encryption), BLAKE2s (hash), HKDF (KDF), SipHash24.
- Noise IKpsk2 handshake: 1.5 round-trips, minimal server-side state, no certificate.
- No external crypto dependency: everything is in-tree.
- Codebase: ~5,000 lines of C kernel-side.
That order-of-magnitude difference (5k vs 70k) is why WireGuard could be fully audited end-to-end by Cure53 in 2021. You can do the same for OpenVPN - but it's ~6 months of work vs ~3 weeks for WireGuard.
Handshake speed
A useful thing to time yourself: how long between wg-quick up (or openvpn) and the first routable packet?
The reason for the gap is structural and well documented. WireGuard does its key exchange in a 1.5-RTT Noise handshake with no certificate, so connection setup is near-instant. OpenVPN needs 6 to 8 round-trips (TCP handshake + TLS handshake + auth + push config), and TCP mode adds even more, so its connection setup is an order of magnitude slower. To get numbers for your own link, time several up cycles and keep the median.
Practical consequence: on 4G switching antennas (roaming), WireGuard reconnects instantly; OpenVPN takes 1-2 seconds sometimes more, and you lose visible packets in your tools.
Kernel module vs userspace: why this is huge
When a packet goes through userspace, it does the kernel → userspace → kernel trip: 2 CPU context switches, memory copies, scheduler involvement. At 1 Gbps, that's at least 80,000 packets/second, so 160,000 context switches.
With WireGuard as a kernel module, the packet never leaves the kernel. No context switch, no copy. Throughput depends on available CPU, but the effective ceiling is typically 3-5× that of OpenVPN userspace at equal CPU.
Because WireGuard runs in the kernel and OpenVPN encrypts in userspace, WireGuard reaches a much higher server-side throughput ceiling before the CPU saturates - typically several times that of OpenVPN at equal CPU. ChaCha20 tends to edge out AES-256-GCM on hardware without AES-NI, since AES leans on that instruction set.
At a modest egress link (e.g. Contabo's advertised 200 Mbit/s), neither protocol saturates the CPU, so both can fill the link - the practical difference there is the latency profile: WireGuard adds almost no per-packet latency, OpenVPN adds more because of the userspace round trip.
WireGuard vs OpenVPN throughput (typical)
On a fast link (100+ Mbps), the expected pattern is consistent and follows directly from the architecture:
- WireGuard UDP stays closest to the raw line rate (smallest loss), with the lowest added latency and the fewest retransmits.
- OpenVPN UDP loses noticeably more throughput than WireGuard because every packet crosses the kernel/userspace boundary; ChaCha20 is usually a touch faster than AES-256-GCM on CPUs without AES-NI.
- OpenVPN TCP is the slowest of the three - TCP-over-TCP meltdown under loss adds retransmits and latency - and should be reserved for networks that block UDP entirely.
These are tendencies, not figures from a private lab - your exact numbers depend on your VPS, CPU and link. To get yours, run the reproducible procedure in the WireGuard vs OpenVPN benchmark guide with iperf3 on your own server.
Mobile battery impact
On phones, the lighter protocol tends to use a little less battery for the same workload. WireGuard's advantage comes from simpler crypto (ChaCha20-Poly1305 with no negotiation vs AES-GCM with a TLS negotiation) and no TLS keepalive - just an optional UDP keepalive every 25 s. OpenVPN, especially in TCP mode, keeps more state and does more work per packet, so under a sustained always-on tunnel it generally draws a bit more power. The difference is modest and only really shows up over long sessions.
Audit history and CVEs
OpenVPN
- First full independent audit: 2017 (OSTIF + QuarksLab + Cryptography Engineering). 2 major vulns found including one RCE.
- CVEs since: ~28 CVE entries (2018-2025), including 3 RCEs.
- Attack surface: OpenVPN + OpenSSL (combined codebase ~500,000 lines C/C++).
- Reputation: solid after 22 years in production, but the historical weight shows.
WireGuard
- Cure53 audit (2018) on the Linux implementation. 0 critical vulns.
- Formal audit of crypto primitives (IEEE S&P 2018 paper) - mathematical proof of the Noise IKpsk2 protocol.
- CVEs since: 0 critical kernel-side, a few
wireguard-go(userspace) impl bugs fixed in less than 7 days. - Attack surface: ~5,000 lines kernel C.
For an attacker, WireGuard is ~14× harder to fuzz deeply than OpenVPN simply because there's less code to fuzz.
When should you keep OpenVPN instead of WireGuard?
Keep OpenVPN when you need TCP on port 443 to bypass corporate or hotel firewalls that block outbound UDP, when you must support legacy devices (Windows before version 10, Android before 5.0), or when formal audit-trail requirements (ISO 27001, NIS2) make OpenVPN's per-connection logging easier to comply with. For all other cases, WireGuard is the better choice.
Three cases where OpenVPN remains defensible:
- TCP mandatory: some corporate firewalls block outbound UDP. OpenVPN does TCP natively. WireGuard needs a wrapper (
wstunnel,udp2raw) which complicates setup. - Standard port 443: OpenVPN on 443/TCP looks like HTTPS to basic DPI. Useful in hotels or strict enterprise networks.
- Legacy compatibility: Windows < 10, Android < 5, iOS < 12, low-end home routers - WireGuard doesn't always ship an official client. OpenVPN is everywhere since 2002.
For cases 1 and 2, you can still tunnel WireGuard via udp2raw in fake TCP/443 - see WireGuard templates 2026, template 7.
When to move to WireGuard
Everything else. Notably:
- Self-hosted VPN on personal VPS (Contabo, Hetzner, OVH) - perf gain + simple setup
- Mobile VPN (iOS, Android) - battery gain + fast reconnect
- Site-to-site with high-bandwidth links (>100 Mbps) - clear throughput gain
- Hub-and-spoke between several sites - config gain (5 lines vs 30 lines per peer)
- Multi-country roadwarrior - instant handshake on network change
If you're starting from scratch today on a fresh Contabo VPS, the default choice must be WireGuard. OpenVPN is a fallback for exotic cases.
OpenVPN → WireGuard migration without downtime
Already running OpenVPN in prod? Clean migration in 4 steps:
- Deploy WireGuard in parallel on the same VPS, port 51820, subnet 10.66.66.0/24 (distinct from OpenVPN's subnet).
- Adapt iptables rules: MASQUERADE both subnets, no FORWARD between them.
- Migrate clients one by one, testing connectivity from each before removing its OpenVPN cert.
- Disable OpenVPN:
systemctl stop openvpn-server@serverthendisable. Keep config 30 days just in case, thenapt remove openvpn.
No downtime, no client left without VPN. For a fleet of a few dozen peers, a phased migration like this can typically be done over a couple of weeks without service interruption.
Verdict
WireGuard is the default choice in 2026 for the large majority of self-host cases. Faster on fast links (less throughput lost to overhead), simpler (~5k lines vs ~70k), lighter on mobile battery, and audited end-to-end. OpenVPN remains relevant for TCP-only, strict port 443, or legacy compatibility.
If you want the full WireGuard setup on Contabo VPS, the step-by-step guide walks you from Contabo signup to first ping. The provider we recommend is Contabo Cloud VPS 10 (€5.50/mo over 24 months).
And for paste-ready config templates: WireGuard Templates 2026.
Not sure which provider to pick for your WireGuard server? The interactive VPS comparator filters Contabo, Hetzner and OVH by latency from your region, RAM and 24-month price - the exact criteria that matter for a VPN exit node. Once you've picked a provider, skip the manual key generation: our WireGuard config generator outputs a verified, copy-paste-ready wg0.conf in under a minute.
★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed
Spin up the VPS from this guide → ContaboPublic IPv4 · full root · EU & US locations→