What Is OpenVPN?
OpenVPN is an open-source VPN protocol first released in 2001. For nearly two decades it was the gold standard for VPN security - widely audited, highly configurable, and supported on virtually every platform. Today it remains a trusted fallback while WireGuard has become the speed-optimised alternative.
OpenVPN Technical Overview
| Property | Detail |
|---|---|
| Transport | UDP (default, faster) or TCP (more reliable, firewall-friendly) |
| Encryption | AES-256-GCM (recommended), ChaCha20-Poly1305 |
| Authentication | TLS 1.3, RSA/ECDSA certificates, optional HMAC firewall (tls-auth/tls-crypt) |
| Key exchange | TLS handshake with Perfect Forward Secrecy (DHE/ECDHE) |
| Codebase size | ~400,000 lines - large but extensively audited |
| Ports | Commonly 1194 UDP; can run on TCP 443 to bypass firewalls |
| Platform support | Windows, macOS, Linux, iOS, Android, routers (DD-WRT, OpenWRT) |
| License | GPL v2 (open source) |
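
The properties in this table correspond to directives in an .ovpn profile. The following added example (not code from OpenVPN or from this site's tooling) audits a client profile for AEAD ciphers, tls-auth/tls-crypt, a minimum TLS version and server-certificate checking, and reports the transport in use; the finding names, the TLS 1.2 floor, the sample profiles and the host vpn.example.net are assumptions of the example.

```python
AEAD = {"AES-256-GCM", "CHACHA20-POLY1305"}               # ciphers named in the table
CONTROL_KEYS = {"tls-auth", "tls-crypt", "tls-crypt-v2"}  # control-channel HMAC/encryption

def parse_ovpn(text):
    """Map each directive to the arguments of its first occurrence."""
    found, block = {}, None
    for line in map(str.strip, text.splitlines()):
        if block:                                  # skip key material inside <tag>...</tag>
            block = None if line == f"</{block}>" else block
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            found.setdefault(block, ["[inline]"])
        elif line and line[0] not in "#;":         # '#' and ';' start comment lines
            name, *args = line.split()
            found.setdefault(name, args)
    return found

def audit(text):
    """Return (transport, findings); the pass/fail policy is this example's assumption."""
    cfg, findings = parse_ovpn(text), []
    offered = {c.upper() for k in ("data-ciphers", "cipher")
               for c in ":".join(cfg.get(k, [])[:1]).split(":") if c}
    if offered - AEAD or not offered:              # unset: depends on version defaults
        findings.append("cipher:" + (",".join(sorted(offered - AEAD)) or "unset"))
    if not CONTROL_KEYS & cfg.keys():
        findings.append("no-tls-auth-or-tls-crypt")
    tls_min = (cfg.get("tls-version-min") or ["0"])[0]
    if tuple(map(int, tls_min.split("."))) < (1, 2):   # assumed floor: TLS 1.2
        findings.append("tls-version-min-below-1.2")
    if cfg.get("remote-cert-tls") != ["server"]:
        findings.append("server-cert-usage-unchecked")
    remote = cfg.get("remote", [])                 # syntax: remote host [port] [proto]
    proto = remote[2] if len(remote) > 2 else (cfg.get("proto") or ["udp"])[0]
    port = remote[1] if len(remote) > 1 else (cfg.get("port") or ["1194"])[0]
    return f"{proto}/{port}", findings

# Constructed sample profiles; vpn.example.net is a placeholder host.
LEGACY = "client\nproto udp\nremote vpn.example.net 1194\ncipher AES-256-CBC\n"
HARDENED = """remote vpn.example.net 443 tcp
data-ciphers AES-256-GCM:CHACHA20-POLY1305
tls-version-min 1.2
remote-cert-tls server
<tls-crypt>
(placeholder, not a real key)
</tls-crypt>
"""
if __name__ == "__main__":
    print(audit(LEGACY), audit(HARDENED))
```
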
OpenVPN vs WireGuard - When to Use Each
| Criteria | OpenVPN | WireGuard |
|---|---|---|
| Speed | Moderate (userspace overhead) | Significantly faster (kernel-level) |
| Firewall bypass (TCP 443) | Excellent - looks like HTTPS traffic | UDP only - easier to block |
| Security audit history | Decades of independent audits | Newer but clean audit record |
| Mobile battery life | Higher CPU usage | Lower CPU usage |
| Configuration flexibility | Highly configurable (.ovpn config files) | Simpler, less configurable by design |
| Censorship-resistant networks | TCP 443 mode is hardest to block | Obfuscation wrappers needed |
| Legacy device support | Works on very old hardware/OS | Requires kernel 5.6+ or kernel module |
How to Choose Your Protocol
- Use WireGuard as your default - it is faster and simpler.
- Switch to OpenVPN TCP on port 443 if you are on a restricted network (hotel, workplace) that blocks common VPN ports - TCP 443 is nearly impossible to block without also breaking HTTPS.
- Use IKEv2 on mobile if your VPN provider does not offer WireGuard - IKEv2 handles network switches gracefully via MOBIKE.
For a full protocol comparison, see VPN Protocols Explained. For WireGuard-specific details, see What Is WireGuard? Verify that any protocol is working correctly with our VPN Leak Test.
How We Evaluate VPNs
Every recommendation in our VPN guides is weighed against the same five criteria:
- No-logs policy and audits - We prioritise providers whose no-logs claims have been verified by independent auditing firms, and we note real-world events (subpoenas, server seizures) that tested those claims.
- Leak-test results - A VPN must not expose your real IP, DNS servers, or WebRTC addresses. You can run the same checks we use with our free VPN Leak Test.
- Speed impact - We favour providers supporting modern protocols (WireGuard, or equivalents like NordLynx and Lightway) that keep overhead low.
- Jurisdiction - Where a provider is incorporated determines which governments can compel it to hand over data.
- Price transparency - Clear renewal pricing and honest refund terms. We avoid quoting specific prices in guides because promotions change frequently - always check current pricing on the provider's site.
Our assessments are based on published third-party audits, vendor documentation, and our own leak-testing tooling - we do not have insider access to any provider's infrastructure. These pages are reviewed periodically and updated when audits, ownership, or features change.
Once you have picked a provider, two practical checks matter more than any review: if your connection fails, see how to fix a VPN that won't connect; and to confirm you are actually protected, learn how to test if your VPN is working.
Affiliate disclosure: Some links to VPN providers in these guides are affiliate links - we may earn a commission at no extra cost to you. This never affects rankings or evaluations.
Last updated: June 2026