You're torn between WireGuard and OpenVPN for your self-hosted VPN. You've read everywhere that "WireGuard is faster" without much explanation of why, or of when OpenVPN is still the right call. This guide compares both protocols honestly, on the things that actually matter for a self-hosted VPS VPN: throughput, latency, CPU cost, security model and compatibility - and gives a verdict per use case.
Short version: WireGuard generally wins on raw performance and simplicity, but OpenVPN keeps a legitimate, sometimes decisive, advantage in two specific situations.
Is WireGuard faster than OpenVPN on a VPS?
Generally, yes. WireGuard runs in the Linux kernel, uses a single modern cipher suite, and adds very little per-packet overhead, so on a fast VPS link it typically delivers throughput close to the raw line speed while using a fraction of the CPU. OpenVPN runs as a userland daemon: every packet crosses the kernel/userland boundary for encryption, which costs CPU and throughput - especially on low-power hardware. OpenVPN also reconnects more slowly on network changes, where WireGuard's stateless design resumes almost instantly.
WireGuard vs OpenVPN on a 1 Gbps VPS - qualitative comparison:
| Aspect | WireGuard | OpenVPN 2.6 |
|---|---|---|
| Raw throughput | Generally higher (near line speed) | Generally lower (TLS + userland overhead) |
| Latency overhead | Lower | Higher (more so over TCP) |
| CPU cost | Low (kernel space) | Higher (userland, per-packet context switches) |
| Codebase size | ~4,000 lines C | ~70,000 lines C (+ OpenSSL) |
| Kernel-space | Yes (Linux 5.6+, March 2020) | No (userland daemon) |
| Firewall bypass (TCP/443) | No (UDP only) | Yes |
| Audit history | Cure53 2018 - no critical vulns | OSTIF 2017/2018 - no critical RCE |
Verdict: Choose WireGuard for performance and simplicity on any modern VPS. Choose OpenVPN when you need TCP/443 firewall bypass (corporate/hotel networks) or must support legacy devices (DD-WRT routers, OpenWRT <21, very old client OSes).
This comparison is based on the published, well-documented characteristics of both protocols rather than a single private test run. Our methodology →
Why WireGuard is usually faster
The performance gap is not marketing - it follows directly from how each protocol is built.
WireGuard runs in kernel space. It ships as a kernel module (wireguard.ko), merged into the mainline Linux kernel in 5.6 (March 2020). Packets are encrypted and forwarded without leaving the kernel, avoiding the costly user/kernel context switches that dominate OpenVPN's cost on busy links.
WireGuard is small and fixed. Around 4,000 lines of C, with a single modern cipher suite (Curve25519, ChaCha20-Poly1305, BLAKE2s). There is nothing to tune and no negotiation overhead - you get the same fast path every time.
OpenVPN runs in userland on top of TLS. It's a daemon that uses OpenSSL; every packet does a kernel → userland → kernel round trip for encryption. That's flexible (it can do almost anything) but it costs CPU and throughput, and the effect is much larger on low-power hardware without AES acceleration.
The protocol overhead itself is small for both. A VPN header plus UDP/IP framing eats a few percent of any link regardless of protocol - that part is just arithmetic, not inefficiency.
Latency and jitter
WireGuard generally adds less round-trip latency than OpenVPN, and OpenVPN over TCP is the worst case: running TCP inside a TCP tunnel ("TCP-over-TCP") causes cascading retransmits as soon as the underlying link drops a packet, which spikes latency and jitter. On a clean wired link it's tolerable; on lossy Wi-Fi or mobile it degrades badly.
For everyday use - browsing, 4K streaming, video calls - WireGuard's overhead is imperceptible, and OpenVPN over UDP stays smooth too. The case to avoid for latency-sensitive use (competitive gaming, demanding VoIP) is OpenVPN over TCP, unless you specifically need it to get through a firewall.
CPU consumption
Because WireGuard runs in the kernel, it uses noticeably less CPU per megabit than OpenVPN, which spends cycles shuttling each packet between userland and kernel. On a multi-core VPS this rarely matters for a personal tunnel. It matters a lot on low-power ARM hardware (e.g. a Raspberry Pi without AES-NI), where OpenVPN can saturate a core well before the link is full while WireGuard stays comfortable - leaving CPU headroom for whatever else the box runs (a password manager, a small cloud, analytics).
On hardware with AES acceleration (most modern x86 CPUs, Apple Silicon), OpenVPN's AES-256-GCM is hardware-accelerated and the CPU gap narrows; on hardware without it, ChaCha20 is the better OpenVPN cipher choice. WireGuard's ChaCha20-Poly1305 is fast on both.
Stability and mobile roaming
WireGuard is stateless by design: there's no "connection" to establish, just known peers. When a client moves from Wi-Fi to mobile data and back, the tunnel resumes almost instantly without a renegotiation. OpenVPN has to redo a TLS handshake on each network change, which takes a few seconds. For a phone that switches networks all day, WireGuard's roaming behaviour is a real, tangible advantage.
A datacenter aisle: a self-hosted VPN runs on a single VPS in a facility like this - the protocol choice mostly affects how efficiently that one server moves your traffic.
Security analysis
The security debate is often biased by "OpenVPN has existed for 20 years so it's more mature." Let's look at the facts:
WireGuard:
- Modern, fixed crypto primitives: Curve25519 (key exchange), ChaCha20-Poly1305 (AEAD), BLAKE2s (hash), SipHash24 (hash table).
- ~4,000 lines of C in the kernel module - a small, reviewable attack surface.
- Formal audit by Cure53 published in 2018 - no critical vulnerability found. A separate Trail of Bits review (2020) looked at the macOS implementation.
- In the mainline Linux kernel since 5.6 (March 2020), reviewed by the netdev community.
- No crypto configuration possible by design: you can't accidentally pick a weak option.
OpenVPN:
- Configurable primitives: the modern default is AES-256-GCM, but a careless config copied from an old tutorial could still select something weak.
- ~70,000 lines of C plus OpenSSL as a large dependency - a much larger surface to reason about.
- OSTIF audits in 2017 and 2018 - some bugs found and fixed, no critical RCE.
- Historically exposed to OpenSSL issues (e.g. Heartbleed in 2014 affected deployments using OpenSSL).
Honest verdict: both are solid in 2026. WireGuard has an architectural edge (small attack surface, modern primitives, no foot-guns). OpenVPN has a maturity edge (two decades in production, widely audited, enormous deployment base). For a self-host, WireGuard is the easy default - the simplicity-to-security ratio is excellent.
Throughput by client platform
Across the desktop platforms with native WireGuard support (Linux, macOS, Windows), sustained throughput is broadly similar, with newer kernels and the modern native Windows driver having closed most of the historical gap. Where you'll see a real difference is on phones: under a sustained, full-speed transfer, mobile devices throttle for thermal and battery reasons and won't match a desktop. That's expected mobile behaviour and is irrelevant for normal use (browsing, streaming) - it only shows up if you push a phone with iperf3 or a heavy backup.
If you want to measure your own setup rather than rely on anyone's numbers, the reproducible test commands are at the end of this article.
When OpenVPN remains relevant in 2026
WireGuard marketing is so dominant that we forget OpenVPN still has solid use cases. Here are the situations where it's still the right tool.
Case 1: corporate/hotel firewall bypass
Many enterprise firewalls (Fortinet, Palo Alto, Check Point) block outbound non-DNS UDP. You can hit this on a client's Wi-Fi, in some hotels, or on some onboard transport hotspots. Because WireGuard is UDP-only, the tunnel silently fails (the handshake never completes). You can wrap WireGuard with wstunnel or Cloak to carry it over TCP/443, but that's an extra layer to maintain.
OpenVPN natively supports TCP on port 443, with a TLS handshake that resembles ordinary HTTPS traffic, so it slips past many simpler DPI setups. As a "backup VPN for when I'm on an unfriendly corporate Wi-Fi", keeping an OpenVPN TCP/443 profile ready is pragmatic.
Minimal setup on the same Contabo VPS, alongside an existing WireGuard install:
sudo apt install -y openvpn easy-rsa
sudo make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca nopass
sudo ./easyrsa build-server-full vpnsmith nopass
# Config /etc/openvpn/server/server.conf with:
# proto tcp
# port 443
# dev tun
# cipher AES-256-GCM
Open TCP/443 on UFW, then systemctl enable --now openvpn-server@server. The client picks which profile to use (WireGuard by default, OpenVPN TCP/443 as fallback).
Case 2: legacy OS compatibility
If you need to grant tunnel access to a Windows 7/8.1 machine, an old Synology DSM, or an aging Android TV box, the official WireGuard client may not exist or may be unmaintained there. OpenVPN has had a client for almost everything for many years - including old DD-WRT routers that will never support WireGuard. For a relative stuck on an old OS, spinning a second OpenVPN instance dedicated to that account on the same VPS is a clean fix.
Case 3 (bonus): detailed audit logging
OpenVPN logs each connection, disconnect and TLS renegotiation cleanly. WireGuard keeps logging minimal by design (you mostly see interface up/down via journalctl -u wg-quick@wg0). If your threat model or compliance regime (e.g. DORA, NIS2, ISO 27001) wants a formal audit trail, OpenVPN is easier to satisfy out of the box.
Honest verdict: for a 2026 personal VPN, WireGuard first. But keeping an OpenVPN TCP/443 profile as a secondary config on the same VPS is sensible pragmatism - it costs a few minutes to set up and saves you when UDP is blocked.
Verdict per use case
| Use case | Recommendation |
|---|---|
| Personal self-host VPN (1-10 devices) | WireGuard - no debate |
| Mobile switching Wi-Fi/4G | WireGuard - near-instant roaming |
| Bypass corporate firewall (TCP/443 required) | OpenVPN TCP on port 443 |
| Site-to-site between two datacenters | WireGuard - minimal overhead |
| Competitive gaming / demanding VoIP | WireGuard - lower latency and jitter |
| Raspberry Pi / low-power ARM hardware | WireGuard - far less CPU |
| Legacy OS compat (Windows 7, old Android) | OpenVPN - wider client support |
| Anti-DPI obfuscation (Iran, China, Russia) | Neither raw → wstunnel or Cloak as a wrapper |
If you're starting from scratch to host your own VPN on a Contabo VPS, follow our step-by-step WireGuard guide - and you copy-paste the scripts.
If you're fighting corporate or state-level DPI, look at the custom routing guide with DPI bypass which combines WireGuard with an obfuscation layer.
If you're still hesitating on the VPS provider (Contabo vs Hetzner vs OVH), we compared the three under real conditions.
Measure it yourself with iperf3
Rather than trust any published figure, measure your own VPS and link. Install iperf3 on the server, run it as a server, then test from your client with and without the tunnel active:
# Server side (your VPS)
sudo apt install -y iperf3
sudo iperf3 -s -D
# Client side (Mac/Linux)
# Baseline (no VPN)
iperf3 -c IP_VPS -t 30 -O 5 --json > baseline.json
# WireGuard (tunnel active)
iperf3 -c 10.66.66.1 -t 30 -O 5 --json > wireguard.json
# OpenVPN UDP (tunnel active)
iperf3 -c 10.8.0.1 -t 30 -O 5 --json > openvpn-udp.json
Run several iterations in a for loop and compute the median with jq:
jq -s 'map(.end.sum_received.bits_per_second) | sort | .[length/2]' wireguard.json
If your numbers look off, check the MTU (ping -M do -s 1372 IP), the quality of your link (an mtr to the VPS should show <1% loss), and that the VPS isn't suffering CPU steal (mpstat -P ALL 1). A WireGuard tunnel that connects but crawls on large transfers is almost always an MTU problem - our WireGuard MTU fix guide shows how to find and set the right value.
Order a VPS for your tunnel
A small VPS is plenty for a personal WireGuard tunnel: Contabo Cloud VPS 10, 24-month plan (~€5.50/mo equivalent). It comfortably runs a personal tunnel alongside a couple of light self-hosted services.
Once your VPS is ready, skip the manual key-writing step: our WireGuard config generator outputs a wg0.conf with the correct crypto params in seconds. For a broader protocol-and-provider decision, see the best self-hosted VPN hub for 2026 - it covers WireGuard, Tailscale, Headscale, Nebula and OpenVPN.
Sources
- Cure53 - WireGuard formal verification (2018)
- WireGuard whitepaper (Jason A. Donenfeld)
- Official OpenVPN 2.6 documentation
- iperf3 user documentation
- Phoronix WireGuard benchmarks on kernel 6.x
- Trail of Bits WireGuard macOS audit (2020)
This article is a qualitative technical comparison based on the public, documented characteristics of WireGuard and OpenVPN. It does not report a private benchmark run. For figures specific to your hardware and connection, run the iperf3 procedure above on your own VPS.
Affiliate disclosure: the Contabo link above is a tracked link that pays us a commission if you subscribe. It doesn't change your price.
★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed
Self-host your VPN on your own VPS → ContaboFull root access · public IPv4 · pick your region→

