Why must everyone be removing OVPN 🙁
Because wireguard is vastly better.
It isn’t in a lot of ways
How so? EDIT: I see you’ve already elaborated in other comments.
OpenVPN operates in kernel space as of 6.16. Well, specifically for the data channel. Control channel is still managed in userspace so you don’t have to do asymmetric TLS in the kernel. This also reduces the overhead and increases performance substantially. It is slightly more complicated to set up but barely tbh (I’m speaking from the server side). Is the crypto outdated? Not as far as I’m aware.
And user-space implementations of WireGuard are used a lot anyway, especially on mobile. Every VPN provider app ships with one, at least as a backup (It’s wireguard-go usually since boringtun is not well maintained).
May I ask why it’s needed?
The big thing for public VPNs is the server can push the configuration to the client rather than having it be static. Config push, specifically for addressing, is basically the only viable way to do a NATless VPN. Additionally, while unrelated to public VPN providers, wg does not have the ability to bind to individual IPs, which is a headache for my internal VPN use case.