
OPNsense WireGuard VPN: Modern VPN for Businesses

VPN connections have become indispensable in modern business operations. Whether for remote work, site-to-site connectivity, or secure access to internal resources — businesses of all sizes need reliable and high-performance VPN solutions. With WireGuard, a modern VPN protocol is available that is natively integrated into OPNsense and represents the best choice for new deployments in many scenarios.

Summary: WireGuard is a modern VPN protocol whose kernel implementation is only about 4,000 lines of code; it offers high throughput and a minimal configuration model (one key pair and one peer definition per tunnel). On OPNsense it is available natively (originally via the os-wireguard plugin, in current releases as a core component) and is particularly suited for remote access, mobile users, and performance-critical connections.

What Is WireGuard?

WireGuard is a modern, lean VPN protocol developed by Jason A. Donenfeld. Unlike established solutions such as OpenVPN (roughly 100,000 lines of code) or IPsec (roughly 400,000 lines across IKE daemon and kernel parts), the WireGuard kernel implementation comprises only about 4,000 lines. This minimal codebase means a significantly smaller attack surface, fewer places for memory-safety bugs to hide, and a complete security audit that is feasible in a fraction of the time.

Since Linux kernel 5.6, WireGuard has been integrated directly into the kernel, a strong trust signal; Linus Torvalds described the code as a "work of art". A kernel implementation also exists for FreeBSD, the base system of OPNsense. WireGuard uses a fixed set of modern primitives rather than a negotiable cipher list:

  • ChaCha20 — symmetric encryption (faster than AES on hardware without AES-NI)
  • Poly1305 — data packet authentication (used together with ChaCha20 as the ChaCha20-Poly1305 AEAD, so every packet is encrypted and authenticated in one step)
  • Curve25519 — key exchange via Elliptic-Curve Diffie-Hellman
  • BLAKE2s — cryptographic hashing and key derivation

This fixed selection of algorithms is deliberate: there is no cipher negotiation as with IPsec or OpenVPN. This eliminates an entire class of configuration errors and cipher-suite downgrade attacks. The trade-off is that there is no per-connection fallback: should one of the primitives ever be broken, all endpoints have to be upgraded to a new protocol version at the same time, which is something to keep in mind for large, heterogeneous deployments.

VPN Protocol Comparison

| Criterion | WireGuard | OpenVPN | IPsec/IKEv2 |
|---|---|---|---|
| Code complexity | ~4,000 lines | ~100,000 lines | ~400,000 lines |
| Performance | Very high | Medium | High |
| Latency | Very low | Medium | Low |
| Encryption (typical) | ChaCha20-Poly1305 (fixed) | AES-256-GCM (negotiated) | AES-256-GCM (negotiated) |
| Key exchange | Curve25519 | TLS (RSA/ECDHE) | IKE (DH/ECDH) |
| Transport | UDP only | UDP or TCP | ESP, or UDP 4500 with NAT-T |
| Configuration | Simple | Complex | Complex |
| Mobile roaming | Excellent | Good | Good (IKEv2 with MOBIKE) |
| Audit surface | Small | Large | Large |
| OPNsense integration | Native (os-wireguard plugin, now core) | Built-in | Built-in |

Advantages of WireGuard on OPNsense

OPNsense offers native WireGuard integration (originally via the os-wireguard plugin, in current releases as part of the core system) that fits seamlessly into firewall management: the WireGuard interface can be assigned, firewalled and used in routing like any other interface. Compared to other VPN protocols, this provides clear advantages:

  • High throughput — In published benchmarks WireGuard often achieves two to three times the throughput of OpenVPN; more than 1 Gbit/s on current x86 hardware is common, because the data path runs in the kernel without a user-space copy.
  • Low CPU usage — The efficient implementation makes WireGuard ideal for smaller hardware and edge firewalls where computing power is limited.
  • Simple configuration — A WireGuard tunnel requires only a key pair and a peer definition (public key, AllowedIPs, endpoint). This significantly reduces configuration errors compared to IPsec with its numerous Phase 1/Phase 2 parameters.
  • Fast connection establishment — The WireGuard handshake needs a single round trip, so a tunnel is typically usable within a few hundred milliseconds at most. OpenVPN and IPsec typically require several seconds for their multi-message negotiations.
  • Excellent roaming — A peer is identified by its public key, not by its IP address. When a mobile device switches between WiFi and mobile networks, the OPNsense side simply updates the peer's endpoint as soon as an authenticated packet arrives from the new address, and the connection persists without a new handshake. The protocol is designed from the ground up for modern mobile use.
  • Cross-platform clients — WireGuard clients are available for Windows, macOS, Linux, iOS, and Android. Client-side setup takes only a few minutes.
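The roaming behaviour from the list above is easier to trust once it is clear why an attacker cannot use it to redirect a user's traffic. The following is an added illustration, not code from WireGuard or OPNsense: it models a peer table keyed by public key and moves the endpoint only after a packet has authenticated and passed the replay check. The per-packet tag is stood in by HMAC-SHA256 (WireGuard itself uses the ChaCha20-Poly1305 AEAD with keys derived from the Noise handshake), the replay check is a simple "counter must increase" rule (WireGuard uses a sliding window), and all keys and addresses are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

Address = Tuple[str, int]


@dataclass
class Peer:
    public_key: str                    # the peer's identity; its address is never part of it
    session_key: bytes                 # stand-in for the transport keys from the handshake
    endpoint: Optional[Address] = None
    last_counter: int = -1             # highest accepted counter (simplified replay protection)


def seal(session_key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: counter || payload || 16-byte tag (stand-in for the AEAD tag)."""
    header = counter.to_bytes(8, "little")
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()[:16]
    return header + payload + tag


def receive(peer: Peer, src: Address, packet: bytes) -> Optional[bytes]:
    """Receiver side. Returns the payload if accepted, None if dropped.
    The endpoint moves to `src` only after authentication and the replay
    check have succeeded; that ordering is what makes roaming safe."""
    if len(packet) < 8 + 16:
        return None
    header, payload, tag = packet[:8], packet[8:-16], packet[-16:]
    expected = hmac.new(peer.session_key, header + payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None                    # wrong key or garbage: endpoint untouched
    counter = int.from_bytes(header, "little")
    if counter <= peer.last_counter:
        return None                    # replayed packet: endpoint untouched
    peer.last_counter = counter
    if peer.endpoint != src:
        peer.endpoint = src            # roam: replies now go to the new address
    return payload


def roaming_demo() -> dict:
    """Constructed scenario: a laptop moves from Wi-Fi to LTE while an
    attacker tries to pull its traffic to a third address. Returns what
    the OPNsense side observed at each step."""
    laptop = Peer("LAPTOP_PUBLIC_KEY", session_key=b"\x11" * 32)   # constructed sample key
    wifi, lte = ("192.0.2.10", 51820), ("198.51.100.7", 40001)
    attacker = ("203.0.113.9", 9999)
    observed = {}

    first = seal(laptop.session_key, 1, b"ping from wifi")
    receive(laptop, wifi, first)
    observed["after_wifi"] = laptop.endpoint

    receive(laptop, lte, seal(laptop.session_key, 2, b"ping from lte"))
    observed["after_lte"] = laptop.endpoint        # moved without a new handshake

    # Attack 1: forge a packet without knowing the session key.
    forged = seal(b"\x00" * 32, 3, b"steal traffic")
    observed["forged_accepted"] = receive(laptop, attacker, forged) is not None
    # Attack 2: replay the captured Wi-Fi packet from the attacker's own address.
    observed["replay_accepted"] = receive(laptop, attacker, first) is not None
    observed["after_attacks"] = laptop.endpoint    # still the LTE address
    return observed


if __name__ == "__main__":
    for step, value in roaming_demo().items():
        print(f"{step}: {value}")
```

The two attacks fail for different reasons: the forged packet never authenticates, and the replayed packet authenticates but reuses a counter the receiver has already passed. In both cases the endpoint is left alone, so an attacker who can only observe or inject packets cannot make the firewall send the user's traffic elsewhere.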

Typical Use Cases

Remote Access (Road Warrior)

Employees accessing corporate resources from the road or home office benefit particularly from WireGuard. The one-round-trip handshake, seamless roaming between networks, and minimal battery impact on mobile devices (no keepalive traffic is sent while the tunnel is idle) make WireGuard the first choice here.

Site-to-Site Connectivity

WireGuard is also suitable for connecting business locations. However, IPsec is often the more pragmatic choice in this scenario when third-party endpoints need to be integrated — many routers and firewalls from other manufacturers support IPsec but not always WireGuard.

Cloud Connectivity

When connecting to managed VPN gateways of cloud providers such as AWS, Azure, or Google Cloud, IPsec is usually the only protocol the provider supports. For your own infrastructure inside the cloud, such as Linux servers or a self-managed gateway instance, WireGuard is an excellent option.

IoT and Edge Devices

Devices with limited resources particularly benefit from WireGuard’s efficiency. The low memory and CPU requirements make the protocol ideal for IoT gateways and edge deployments.

When to Use Which Protocol?

WireGuard is recommended for:

  • New VPN deployments without legacy requirements
  • Remote access for employees and mobile users
  • Performance-critical connections
  • Environments with limited hardware resources

OpenVPN is recommended for:

  • Restrictive firewalls that only allow TCP port 443 (WireGuard uses UDP exclusively)
  • Existing deployments with certificate-based authentication
  • Scenarios requiring an established PKI ecosystem

IPsec is recommended for:

  • Site-to-site connectivity with third-party equipment (Cisco, Juniper, Fortinet)
  • Cloud provider VPNs (AWS VPN Gateway, Azure VPN Gateway)
  • Regulatory requirements demanding standardised protocols

Security Considerations

WireGuard takes a fundamentally different security approach compared to older VPN protocols:

  • Fixed cryptography — There is no cipher negotiation; every peer uses the same primitives, so cipher-suite downgrade attacks and weak-cipher misconfigurations cannot occur. This does not remove all misconfigurations: the AllowedIPs list of each peer acts as both route table and access-control list (cryptokey routing), and an over-broad entry on the OPNsense side, such as 0.0.0.0/0 for a road-warrior peer, lets that peer inject packets with arbitrary source addresses. Firewall rules on the WireGuard interface therefore remain necessary.
  • No certificate infrastructure — WireGuard authenticates peers by static key pairs (public/private key); there is no CA, no certificate expiry and no revocation list. Revoking access means removing the peer's public key from the OPNsense configuration, and per-user policy is expressed through AllowedIPs and firewall rules rather than certificate attributes. This is simpler than a PKI but coarser; organisations that need per-user second factors or group-based permissions have to combine WireGuard with an additional control, because the protocol itself offers none.
  • Pre-shared keys — Optionally, a 256-bit pre-shared key per peer is mixed into the handshake alongside the Curve25519 exchange. Should Curve25519 be broken by a future quantum computer, the session keys of a tunnel that used a PSK remain confidential as long as the PSK itself stayed secret. The PSK must therefore be generated randomly (wg genpsk) and distributed out of band, never sent together with the public keys over an untrusted channel.
  • No dynamic IP assignment — WireGuard itself has no DHCP. Each peer's tunnel address is configured statically in the client and mirrored as that peer's AllowedIPs entry on the OPNsense side; address planning is part of peer onboarding.
  • Minimal attack surface — With only ~4,000 lines of code, the entire implementation can be audited in a fraction of the time needed for OpenVPN or IPsec, and the handshake protocol itself has been formally analysed.
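The first and fourth points above (AllowedIPs as access control, static addressing) and the "simple configuration" advantage earlier on the page all come down to the same data structure, the cryptokey routing table of the OPNsense interface. The following is an added example, not code from WireGuard or OPNsense, that implements that table's two lookups: which peer's key encrypts an outbound packet (longest prefix match over AllowedIPs) and whether a decrypted inbound packet's source address is one the sending peer may use. It renders the corresponding [Peer] blocks in wg-quick syntax and contrasts a tight road-warrior setup with the common mistake of copying the client's 0.0.0.0/0 into the server-side peer. Key strings, PSKs and addresses are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional


class CryptokeyRouter:
    """Cryptokey routing table of one WireGuard interface (the OPNsense side).
    Each AllowedIPs prefix maps to exactly one peer public key."""

    def __init__(self) -> None:
        self.table = []                      # list of (ip_network, peer public key)
        self.peers: Dict[str, dict] = {}

    def add_peer(self, public_key: str, allowed_ips: List[str],
                 preshared_key: Optional[str] = None) -> None:
        self.peers[public_key] = {"allowed_ips": allowed_ips, "psk": preshared_key}
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=True)
            # A prefix can belong to only one peer; a later definition takes it over.
            self.table = [(n, p) for n, p in self.table if n != net]
            self.table.append((net, public_key))

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Which peer's key encrypts a packet for dst: longest prefix match."""
        addr = ipaddress.ip_address(dst)
        matches = [(n, p) for n, p in self.table if addr in n]
        if not matches:
            return None                      # no peer owns it: not sent through the tunnel
        return max(matches, key=lambda item: item[0].prefixlen)[1]

    def inbound_ok(self, public_key: str, src: str) -> bool:
        """A decrypted packet from `public_key` is accepted only if its inner
        source address is routed back to that same peer."""
        return self.outbound_peer(src) == public_key

    def render_peers(self) -> str:
        """The [Peer] blocks this table corresponds to, in wg-quick syntax."""
        blocks = []
        for key, cfg in self.peers.items():
            lines = ["[Peer]", f"PublicKey = {key}",
                     f"AllowedIPs = {', '.join(cfg['allowed_ips'])}"]
            if cfg["psk"]:
                lines.append(f"PresharedKey = {cfg['psk']}")
            blocks.append("\n".join(lines))
        return "\n\n".join(blocks)


def build_tight_table() -> CryptokeyRouter:
    """Each road warrior owns exactly its /32, the branch site its LAN prefix."""
    r = CryptokeyRouter()
    r.add_peer("ALICE_PUBLIC_KEY", ["10.10.0.2/32"], preshared_key="ALICE_PSK")
    r.add_peer("BOB_PUBLIC_KEY", ["10.10.0.3/32"])
    r.add_peer("BRANCH_PUBLIC_KEY", ["10.10.0.4/32", "10.20.0.0/24"])
    return r


def build_loose_table() -> CryptokeyRouter:
    """Common mistake: the client's AllowedIPs (0.0.0.0/0 for a full tunnel)
    copied into the server-side peer block for Bob."""
    r = CryptokeyRouter()
    r.add_peer("ALICE_PUBLIC_KEY", ["10.10.0.2/32"])
    r.add_peer("BOB_PUBLIC_KEY", ["0.0.0.0/0"])
    return r


if __name__ == "__main__":
    tight, loose = build_tight_table(), build_loose_table()
    print(tight.render_peers())
    print("tight: Bob spoofing Alice accepted?", tight.inbound_ok("BOB_PUBLIC_KEY", "10.10.0.2"))
    print("loose: Bob spoofing a LAN host accepted?", loose.inbound_ok("BOB_PUBLIC_KEY", "192.168.1.5"))
    print("loose: who encrypts traffic to 8.8.8.8?", loose.outbound_peer("8.8.8.8"))
```

In the loose table Bob can inject packets with any inner source address, including addresses of the LAN behind the firewall, and any packet the firewall routes into the tunnel for an address no other peer owns is encrypted to Bob's key. Whether such packets reach the interface at all depends on the OS routing table; since OPNsense installs routes for AllowedIPs by default (unless routes are disabled for the instance), the mistake takes effect immediately. The tight table is what a road-warrior deployment should look like: one /32 per client and only the branch peer carrying a whole prefix.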

Our Recommendation

For new VPN deployments on OPNsense, we recommend WireGuard as the default protocol. The combination of high performance, simple configuration, and modern cryptography makes it the best choice for most business scenarios — especially for remote access and mobile users.

For site-to-site connectivity with existing third-party infrastructure, IPsec remains the standard. OPNsense supports all three protocols, so you can choose the optimal solution for each use case.

DATAZONE supports you with the planning, implementation, and operation of your VPN infrastructure on OPNsense. Whether WireGuard, IPsec, or a combination of both — we find the right solution for your network.

Planning a new VPN setup or looking to modernise your existing VPN solution? Contact us for a no-obligation consultation.
