Introduction
Choosing a VPN protocol is a real decision with trade-offs. WireGuard is fast but limited. OpenVPN is flexible but slow. IPsec is powerful but complex. SoftEther supports everything but is heavy. This guide gives you the practical information to choose.
Quick Comparison
| Feature | WireGuard | OpenVPN | IPsec/IKEv2 | SoftEther |
|---|---|---|---|---|
| Throughput | ★★★★★ | ★★★ | ★★★★ | ★★★★ |
| Latency overhead | ~1-3ms | ~5-15ms | ~2-5ms | ~3-8ms |
| Setup complexity | Low | Medium | High | Medium |
| Client support | Good | Excellent | Good | Good |
| Multi-protocol | No | No | No | Yes |
| Firewall traversal | UDP only | TCP/UDP | UDP/ESP | TCP 443 |
| Authentication | Public keys | Certs/PSK | Certs/PSK | Certs/PSK/RADIUS |
| Code size | ~4K lines | ~100K lines | Kernel | ~200K lines |
| License | GPLv2 | GPLv2 | Various | Apache 2.0 |
WireGuard
Best for: New deployments, performance-critical use cases, mobile clients, IoT.
Setup (5 minutes)
# Install
sudo apt install wireguard
# Generate keys (the umask keeps the private keys readable only by you)
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
wg genkey | tee client_private.key | wg pubkey > client_public.key
# Let the server forward between wg0 and eth0; without this the MASQUERADE rules below do nothing
sudo sysctl -w net.ipv4.ip_forward=1
# Server config (the heredoc is deliberately unquoted so $(cat ...) inlines the keys)
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $(cat server_private.key)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = $(cat client_public.key)
# One /32 per peer: AllowedIPs is also the cryptokey routing table, so a wider range
# would let this peer send and receive traffic for other addresses
AllowedIPs = 10.0.0.2/32
EOF
# The config holds the server's private key: keep it root-only
sudo chmod 600 /etc/wireguard/wg0.conf
# Start
sudo systemctl enable --now wg-quick@wg0
# Client config (replace YOUR_SERVER_IP with the server's public IP or hostname)
cat > client.conf << EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $(cat client_private.key)
DNS = 1.1.1.1
[Peer]
PublicKey = $(cat server_public.key)
Endpoint = YOUR_SERVER_IP:51820
# 0.0.0.0/0 sends all client traffic through the tunnel; use 10.0.0.0/24 for split tunnelling
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
WireGuard Strengths
✓ Near wire-speed throughput (950 Mbps on 1 Gbps link)
✓ Minimal latency overhead (~1-3ms)
✓ Tiny attack surface (~4,000 lines of code)
✓ Fast reconnection (< 100ms after network change)
✓ Battery-efficient on mobile
✓ Built into Linux kernel since 5.6
WireGuard Limitations
✗ UDP only — blocked by some firewalls
✗ No built-in user authentication (only public keys)
✗ No dynamic IP assignment without extra tools (wg-dynamic)
✗ Every peer's public key and assigned IP is stored in the server config (privacy consideration)
✗ No built-in multi-factor authentication
When NOT to use WireGuard: Corporate environments requiring RADIUS/LDAP authentication, networks that block UDP, or when you need TCP 443 to bypass firewalls.
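The "no dynamic IP assignment" limitation is usually handled by a small static allocator rather than by wg-dynamic. The script below is an added example, not WireGuard's own tooling: it reads the [Peer] blocks of a wg0.conf in the layout shown above, hands out the lowest unused host in 10.0.0.0/24 (the server keeps .1), rejects anything that is not a well-formed 32-byte public key, and appends a [Peer] block whose AllowedIPs is a single /32 so the new peer cannot speak for any other address. The subnet (WG_NET) and the config path are assumptions taken from the article's setup.

```shell
#!/bin/sh
# Added example (not from WireGuard or the article): a static peer allocator for
# a wg0.conf laid out like the one in the setup above. Assumes the 10.0.0.0/24
# subnet from the article; override WG_NET for another /24.
WG_NET=${WG_NET:-10.0.0}

# used_hosts CONF -> the host numbers already assigned via "AllowedIPs = 10.0.0.N/32"
# (the dots in WG_NET act as regex wildcards here, which is harmless for this use)
used_hosts() {
  sed -n "s|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*$WG_NET\.\([0-9]\{1,3\}\)/32.*|\1|p" "$1"
}

# next_free_ip CONF -> prints 10.0.0.N for the first unused N in 2..254, fails when full
next_free_ip() {
  used=$(used_hosts "$1")
  n=2
  while [ "$n" -le 254 ]; do
    if ! printf '%s\n' "$used" | grep -qx "$n"; then
      printf '%s.%s\n' "$WG_NET" "$n"
      return 0
    fi
    n=$((n + 1))
  done
  echo "no free address left in $WG_NET.0/24" >&2
  return 1
}

# valid_pubkey KEY -> succeeds if KEY is base64 of exactly 32 bytes (44 chars, one '=',
# and a 43rd character whose low two bits are zero, as wg(8) itself requires)
valid_pubkey() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# add_peer CONF PUBKEY -> appends a [Peer] block with a /32 and prints the address given
add_peer() {
  conf=$1
  key=$2
  valid_pubkey "$key" || { echo "rejected: not a valid WireGuard public key" >&2; return 1; }
  ip=$(next_free_ip "$conf") || return 1
  # AllowedIPs doubles as WireGuard's cryptokey routing table: a /32 means this peer
  # can only send from, and only receives traffic for, its own address.
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$key" "$ip" >> "$conf"
  printf '%s\n' "$ip"
}

# Usage (as root, then reload with: wg syncconf wg0 <(wg-quick strip wg0)):
#   add_peer /etc/wireguard/wg0.conf "$(cat client_public.key)"
```

After appending, `wg syncconf` picks up the new peer without dropping the existing sessions; the client side still needs a config like the one above with the printed address as its Address and the server's public key as its Peer.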
OpenVPN
Best for: Maximum compatibility, corporate environments, firewall traversal.
Setup
# Install
sudo apt install openvpn easy-rsa
# Set up PKI (run the rest as root, e.g. sudo -i: everything below writes under /etc/openvpn)
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey secret /etc/openvpn/ta.key
# Forward and NAT client traffic (redirect-gateway below sends all client traffic here)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Server config
cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
# Modern cipher suite
# OpenVPN 2.5+ negotiates the data cipher from data-ciphers; cipher is the fallback for old clients
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
keepalive 10 120
# Drop root once the tunnel is up; persist-key/persist-tun keep restarts working afterwards
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
systemctl enable --now openvpn@server
OpenVPN Strengths
✓ Works on TCP 443 — bypasses almost any firewall
✓ Broad client support (every platform, including old ones)
✓ Mature, extensively audited
✓ Flexible authentication (certs, PSK, LDAP, RADIUS, MFA)
✓ Large community and documentation
OpenVPN Limitations
✗ 2-3x slower than WireGuard
✗ Complex configuration
✗ High CPU usage
✗ Slow reconnection after network changes
IPsec/IKEv2
Best for: Enterprise environments, native OS support, site-to-site VPNs.
Setup with strongSwan
# Install
sudo apt install strongswan strongswan-pki
# Generate certificates (work in a scratch directory; the private keys are written unencrypted)
ipsec pki --gen --type rsa --size 4096 --outform pem > ca.key.pem
ipsec pki --self --ca --lifetime 3650 --in ca.key.pem \
    --type rsa --dn "CN=VPN CA" --outform pem > ca.cert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --type rsa | \
    ipsec pki --issue --lifetime 1825 --cacert ca.cert.pem \
    --cakey ca.key.pem --dn "CN=vpn.example.com" \
    --san vpn.example.com --flag serverAuth --outform pem > server.cert.pem
# Put them where strongSwan looks for them
sudo cp ca.cert.pem /etc/ipsec.d/cacerts/
sudo cp server.cert.pem /etc/ipsec.d/certs/
sudo cp server.key.pem /etc/ipsec.d/private/
# /etc/ipsec.conf (lines belonging to a section must be indented)
sudo tee /etc/ipsec.conf > /dev/null << 'EOF'
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # must match the SAN in server.cert.pem
    leftid=@vpn.example.com
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity
    ike=aes256gcm16-sha256-ecp256!
    esp=aes256gcm16-sha256!
EOF
# /etc/ipsec.secrets: the server key (looked up in /etc/ipsec.d/private) plus one EAP user per line
# ("alice" and the password are placeholders; pick your own)
sudo tee /etc/ipsec.secrets > /dev/null << 'EOF'
: RSA "server.key.pem"
alice : EAP "change-this-password"
EOF
sudo chmod 600 /etc/ipsec.secrets
# On newer Ubuntu/Debian the ipsec.conf-based daemon is the strongswan-starter unit
sudo systemctl restart strongswan
IPsec Strengths
✓ Native support in Windows, macOS, iOS, Android
✓ No client software needed on most platforms
✓ Excellent performance with kernel offload
✓ Strong enterprise authentication (certificates, EAP)
✓ Site-to-site VPN standard
IPsec Limitations
✗ Complex configuration — easy to misconfigure
✗ NAT traversal can be problematic
✗ Blocked by some firewalls (UDP 500, 4500, ESP protocol)
✗ Steep learning curve
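Both the OpenVPN server.conf above and this strongSwan ipsec.conf are plain text files whose security rests on a handful of directives, and "easy to misconfigure" mostly means one of them quietly missing. The script below is an added example, not part of the article or of either project: a read-only audit that flags the settings the configs above are careful about (AEAD data cipher, TLS 1.2 minimum, tls-auth/tls-crypt and a privilege drop for OpenVPN; strict, legacy-free ike=/esp= proposals for strongSwan). File paths are whatever you pass in; the list of "legacy" algorithms is an assumption you may want to extend.

```shell
#!/bin/sh
# Added example (not from the article, OpenVPN or strongSwan): audit an OpenVPN
# server.conf and a strongSwan ipsec.conf for the hardening shown above. Each
# function prints one line per finding and returns the number of findings.

# has_directive FILE KEY -> succeeds if KEY starts a line (leading spaces allowed)
has_directive() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|=|$)" "$1"
}

# audit_openvpn FILE -> checks an OpenVPN server config
audit_openvpn() {
  f=$1
  n=0
  # Data channel: an AEAD cipher, via data-ciphers (2.5+) or the older cipher directive
  if ! grep -Eiq '^[[:space:]]*(data-ciphers|cipher)[[:space:]]+.*(GCM|CHACHA20-POLY1305)' "$f"; then
    echo "openvpn: no AEAD data cipher (expect AES-*-GCM or CHACHA20-POLY1305)"
    n=$((n + 1))
  fi
  # Control channel: refuse TLS below 1.2
  if ! grep -Eq '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' "$f"; then
    echo "openvpn: tls-version-min missing or below 1.2"
    n=$((n + 1))
  fi
  # tls-auth/tls-crypt: packets without the shared HMAC are dropped before any TLS work
  if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt && \
     ! has_directive "$f" tls-crypt-v2; then
    echo "openvpn: neither tls-auth nor tls-crypt configured"
    n=$((n + 1))
  fi
  # Privilege drop after startup
  if ! has_directive "$f" user || ! has_directive "$f" group; then
    echo "openvpn: daemon keeps root privileges (add user/group)"
    n=$((n + 1))
  fi
  return "$n"
}

# audit_strongswan FILE -> checks the ike= and esp= proposals in an ipsec.conf
audit_strongswan() {
  f=$1
  n=0
  for key in ike esp; do
    line=$(sed -n "s/^[[:space:]]*$key=//p" "$f" | head -n 1)
    if [ -z "$line" ]; then
      echo "strongswan: $key= not set (the default proposal list includes legacy algorithms)"
      n=$((n + 1))
      continue
    fi
    # Legacy primitives that should not appear in a current proposal (assumed list)
    case "$line" in
      *3des*|*md5*|*modp768*|*modp1024*|*null*)
        echo "strongswan: $key= contains a legacy algorithm: $line"
        n=$((n + 1)) ;;
    esac
    # A trailing '!' makes the proposal strict: no fallback to the built-in defaults
    case "$line" in
      *!) ;;
      *) echo "strongswan: $key= proposal is not strict (no trailing '!')"
         n=$((n + 1)) ;;
    esac
  done
  return "$n"
}

# Usage:
#   audit_openvpn /etc/openvpn/server.conf
#   audit_strongswan /etc/ipsec.conf
```

Because the exit status is the finding count, the functions drop straight into a CI step or a pre-deploy hook (`audit_openvpn server.conf || exit 1`) without parsing their output.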
SoftEther VPN
Best for: Multi-protocol support, bypassing deep packet inspection, complex network topologies.
Key Features
✓ Supports: SSL-VPN, L2TP/IPsec, OpenVPN, SSTP, L2TPv3, EtherIP
✓ TCP 443 (HTTPS) — bypasses almost any firewall
✓ Virtual hub architecture for network segmentation
✓ Built-in RADIUS/LDAP authentication
✓ Windows, Linux, macOS, FreeBSD
# Install SoftEther on Ubuntu (needs build-essential for make)
wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.43-9799-beta/softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz
tar xzf softether-vpnserver-*.tar.gz
cd vpnserver
# The build is interactive: it asks you to accept the license before compiling
make
sudo cp -r . /usr/local/vpnserver
# Permissions recommended by the SoftEther manual: config and binaries readable by root only
sudo chmod 600 /usr/local/vpnserver/*
sudo chmod 700 /usr/local/vpnserver/vpncmd /usr/local/vpnserver/vpnserver
sudo /usr/local/vpnserver/vpnserver start
# Configure via management console; set the administrator password first (ServerPasswordSet),
# since a fresh install accepts management connections with an empty one
/usr/local/vpnserver/vpncmd localhost /SERVER
SoftEther Limitations
✗ Large codebase (~200K lines) — larger attack surface
✗ Lower throughput than WireGuard
✗ More complex to maintain
✗ Smaller community than OpenVPN/WireGuard
Decision Guide
Need maximum performance?
→ WireGuard
Need to bypass corporate firewalls?
→ OpenVPN on TCP 443, or SoftEther
Need native OS support (no client install)?
→ IPsec/IKEv2
Need RADIUS/LDAP/Active Directory auth?
→ OpenVPN with auth plugin, or SoftEther
Building IoT/embedded VPN?
→ WireGuard (small footprint)
Need site-to-site with existing Cisco/Juniper?
→ IPsec
Need multiple protocols from one server?
→ SoftEther
Starting fresh with no legacy requirements?
→ WireGuard