TL;DR
I ran 100 iperf3 sessions on the same Contabo VPS, comparing WireGuard, OpenVPN UDP, and OpenVPN TCP under three time slots. Raw numbers:
| Protocol | Throughput | Latency | CPU | Handshake |
|---|---|---|---|---|
| Raw link (baseline) | 1000 Mbps | 16 ms | 0% | — |
| WireGuard | 960 Mbps | +18 ms | 12% | 38 ms |
| OpenVPN UDP | 730 Mbps | +32 ms | 68% | 210 ms |
| OpenVPN TCP | 412 Mbps | +52 ms | 78% | 260 ms |
Full methodology + per-run CSV: VPNSmith.
Zenodo DOI: 10.5281/zenodo.20512442.
Setup
- VPS: Contabo VPS S (4 vCPU, 8 GB RAM, Ubuntu 22.04, Nuremberg DE)
- Client: Paris 15th, Orange 1 Gbps fiber (validated baseline 1000 Mbps)
- Kernel: Linux 6.5
- Tools: iperf3 3.16, wireguard-tools 1.0.20210914, openvpn 2.6.x
100 iperf3 runs per protocol (TCP + UDP, 30s window) distributed across 9:00 / 14:00 / 21:30 Europe/Paris to capture network variance.
Why WireGuard wins on throughput
1. WireGuard caps at 96% of the raw link. The lost 4% is protocol overhead: 32-byte WireGuard header + 8-byte UDP + 20-byte IP on a 1420 MTU = ~4.2%. Math, not implementation inefficiency.
2. OpenVPN UDP loses ~27%. TLS protocol overhead + OpenVPN encapsulation are expensive. This matches Phoronix 2024 benchmarks (-25 to -30% across similar setups).
3. OpenVPN TCP is a trap. TCP-over-TCP causes cascading retransmits as soon as a packet drops. On our stable fiber (0.02% loss), we still hold 412 Mbps. On Wi-Fi or 4G with even moderate loss, it collapses to <100 Mbps.
Why WireGuard wins on CPU
WireGuard runs in kernel space (Linux 5.6+). OpenVPN runs in userspace with TLS encryption — every packet involves a context switch.
WireGuard kernel: packet → kernel crypto → wire
OpenVPN userspace: packet → userspace TLS → kernel → wire (3 context switches)
On a 1 Gbps link, that's the difference between 12% CPU (WireGuard) and 68% CPU (OpenVPN UDP).
Why WireGuard wins on handshake
| Protocol | Handshake | Why |
|---|---|---|
| WireGuard | 38 ms | Single round-trip (1-RTT), Noise IK pattern |
| OpenVPN UDP | 210 ms | TLS handshake (4 round-trips at minimum) + OpenVPN-specific negotiation |
| OpenVPN TCP | 260 ms | TLS over TCP, additional TCP 3-way handshake |
The 5× faster handshake matters for short-lived connections (mobile networks, captive portal probes, app cold-starts).
What WireGuard cannot do
Three legitimate reasons to still use OpenVPN:
- TCP-only environments. Some corporate firewalls block UDP entirely. WireGuard is UDP-native; wstunnel-style TCP wrapping is possible but complex.
- Port 443 obfuscation. OpenVPN can be configured on TCP/443 to look like HTTPS. WireGuard cannot natively.
- Audit conservatism. OpenVPN has been audited for 20+ years. WireGuard's audits (Cure53 2018, Trail of Bits 2020) are solid but younger.
For everything else (self-hosted personal VPN, server-to-server tunnels, mobile clients) WireGuard is the modern default.
Security comparison
| Aspect | WireGuard | OpenVPN |
|---|---|---|
| Cipher | ChaCha20-Poly1305 | AES-GCM (configurable) |
| Key exchange | Curve25519 | RSA/ECDH (configurable) |
| Hash | BLAKE2s | SHA-256 |
| Code size | ~4k lines C | ~70k lines C |
| Audit history | Cure53 2018, Trail of Bits 2020 | Multiple 2004-2024 |
WireGuard's smaller attack surface (14× less code than OpenVPN) is its strongest security argument.
Reproducibility
Everything is on the Zenodo deposit:
- Raw iperf3 CSV per run
- Exact software versions
- Kernel parameters
- Server + client configs (with credentials redacted)
- Network conditions documented per time slot
If you reproduce on similar hardware, you should land within ±3% of these numbers. If not, file an issue on VPNSmith GitHub.
Verdict
For self-hosted VPN on VPS in 2026: WireGuard, always, unless you have a specific reason for OpenVPN. The performance gap (+32% throughput, -78% CPU, 5× faster handshake) is too large to ignore.
If you want a step-by-step Contabo + WireGuard setup, VPNSmith has the full tutorial.
This is the developer-focused version. The full methodology with per-run logs and acknowledged limitations is on the original article.
→ Read the full benchmark: vpnsmith.com/en/blog/wireguard-vs-openvpn-vps-benchmarks-2026
Top comments (0)