this post was submitted on 18 Aug 2025
36 points (100.0% liked)

Privacy

top 12 comments
[–] Scoopta@programming.dev 4 points 1 month ago (3 children)

Why must everyone be removing OVPN

[–] tatterdemalion@programming.dev 9 points 1 month ago (1 children)

Because wireguard is vastly better.

[–] Scoopta@programming.dev 1 points 1 month ago (1 children)
[–] tatterdemalion@programming.dev 1 points 1 month ago* (last edited 1 month ago)

How so? EDIT: I see you've already elaborated in other comments.

[–] cellardoor@lemmy.world 4 points 1 month ago (1 children)
  • It is inefficient in both tunnel and transport mode, sacrificing 20-30% of available bandwidth.
  • It is cryptographically expensive, making your clients work harder and costing the VPN provider more money to host nodes.
  • It is complex to set up and deploy.
  • Uses outdated crypto.
  • Operates in Userspace.
  • WireGuard is essentially better in every one of these regards.
[–] Scoopta@programming.dev 2 points 1 month ago* (last edited 1 month ago) (1 children)

OpenVPN operates in kernel space as of 6.16. Well, specifically for the data channel. Control channel is still managed in userspace so you don't have to do asymmetric TLS in the kernel. This also reduces the overhead and increases performance substantially. It is slightly more complicated to set up but barely tbh (I'm speaking from the server side). Is the crypto outdated? Not as far as I'm aware.

[–] ISO@lemmy.zip 2 points 1 month ago (1 children)

And user-space implementations of WireGuard are used a lot anyway, especially on mobile. Every VPN provider app ships with one, at least as a backup (It's wireguard-go usually since boringtun is not well maintained).

[–] Scoopta@programming.dev 1 points 1 month ago

Yeah, I'm just pointing out that OpenVPN has a kernel implementation since it does seem to make quite a large performance difference when available.

[–] Turret3857 3 points 1 month ago (1 children)
[–] Scoopta@programming.dev 3 points 1 month ago

The big thing for public VPNs is the server can push the configuration to the client rather than having it be static. Config push, specifically for addressing, is basically the only viable way to do a NATless VPN. Additionally, while unrelated to public VPN providers, wg does not have the ability to bind to individual IPs, which is a headache for my internal VPN use case.
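
The two points in the comment above (pushed versus static client configuration, and binding to a single local address), side by side as an added example that is not part of any comment in this thread. All addresses, hostnames and key placeholders are constructed for illustration.

```conf
# --- OpenVPN server (fragment): addressing and routes are handed out at connect time ---
local 192.0.2.10                        # bind only to this local address (constructed)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0           # pool the server assigns client addresses from
push "route 10.20.0.0 255.255.0.0"      # route sent to every client on connect
push "dhcp-option DNS 10.8.0.1"         # resolver sent to every client on connect

# --- OpenVPN client (fragment): no address, route or DNS is written here ---
client                                  # implies pull: accept options the server pushes
remote vpn.example.net 1194 udp
dev tun

# --- WireGuard client (wg-quick format): the same values are static in the file ---
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32                   # fixed; a change means editing this file on the client
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24, 10.20.0.0/16  # routes are also part of the static file

# --- WireGuard server (fragment): a port can be set, there is no local-address option ---
[Interface]
PrivateKey = <server-private-key>
ListenPort = 51820
```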

[–] Blaze@piefed.zip 2 points 1 month ago

Thanks for sharing

[–] Electricd@lemmybefree.net 2 points 1 month ago

that sucks, surely some people needed it