WireGuard vs OpenVPN for home use: what actually matters

April 23, 2026

If you're setting up a VPN tunnel from your phone or laptop back to your home network, you've probably hit the usual fork in the road: WireGuard or OpenVPN. Both work. Both have been production-tested at scale. But for the specific job of "make my phone act like it's on my home Wi-Fi," they behave very differently.

Here's a practical breakdown from the perspective of running a VPN server on a small always-on device in your closet, accessed from your iOS or Android phone when you're out of the house.

The core difference

OpenVPN is old, battle-tested, and flexible. It runs over TCP or UDP, can be wrapped in TLS to look like HTTPS traffic, and has been the default VPN protocol for two decades.

WireGuard is new (stabilized around 2020), minimal, and fast. It runs only over UDP, has about 4,000 lines of kernel code compared to OpenVPN's 100,000, and uses modern cryptography as first-class primitives rather than as a configuration option.

On paper, WireGuard wins almost every head-to-head comparison. In practice, OpenVPN still has a role in specific network conditions. Let's walk through what matters.

Speed

WireGuard is meaningfully faster. On the low-power hardware most home VPN boxes run on, expect:

OpenVPN's overhead comes from its TLS handshake per-packet, its userspace processing loop, and its older cipher defaults. WireGuard runs in the kernel, uses ChaCha20-Poly1305 natively, and has no per-packet encapsulation overhead comparable to OpenVPN's.

For a home user streaming Netflix back through the tunnel, OpenVPN's speed isn't enough for reliable 4K. WireGuard handles it comfortably.

Battery

This is where WireGuard pulls further ahead. OpenVPN on iOS or Android wakes the CPU constantly to handle keepalives and re-authentication. A phone running OpenVPN full-time drains battery 10-15% faster than baseline. WireGuard's design sends almost no traffic when idle; the phone goes to sleep normally.

If you want an "always-on" VPN that tunnels through your home IP 24/7, the battery math makes WireGuard the only practical choice.

Reliability across network changes

Your phone switches between Wi-Fi and cellular constantly. Each switch tears down your IP stack and rebuilds it.

For travel use cases, this is a huge usability difference. WireGuard feels like your connection is always there; OpenVPN feels like you're waiting for a reconnect every time you move.

When OpenVPN still wins

There's one scenario where OpenVPN is actually the better choice: restrictive networks that block UDP.

Some corporate firewalls, hotel networks, and airplane Wi-Fi only allow TCP 443 outbound (HTTPS traffic). WireGuard can't run over TCP at all. OpenVPN can run over TCP 443 and will be indistinguishable from normal HTTPS traffic to a simple packet inspector.

If you're traveling somewhere with aggressive firewalls (conference venues, some countries with state-level filtering), keeping OpenVPN over TCP as a fallback is worth it. For everything else, WireGuard.

Configuration complexity

WireGuard's configuration is almost embarrassingly simple. A full working config fits on one screen:

[Interface]
PrivateKey = <client-private-key>
Address = 10.7.0.2/24
DNS = 10.7.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = home.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

OpenVPN's equivalent is 30+ lines of directives, plus certificate authority setup, plus client certs, plus server configs. This matters because most home users set this up once and don't touch it. Any complexity that creeps in at setup time usually stays in for years.
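
An added example, not part of the original article: a small Python check of the WireGuard client config shown above against the full-tunnel goal. With only 0.0.0.0/0 in AllowedIPs, IPv6 traffic is not routed into the tunnel, and PersistentKeepalive = 25 makes the client send a packet every 25 seconds while idle. The function and finding names are hypothetical.

```python
import ipaddress

# The article's client config as sample input (keys remain placeholders).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.7.0.2/24
DNS = 10.7.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = home.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

def parse_wg(text):
    # Hand-rolled: configparser rejects the repeated [Peer] sections of multi-peer files.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.strip().lower(), []).extend(items)
    return sections

def audit(text):
    """Return finding names (hypothetical labels) for a full-tunnel client config."""
    sections = parse_wg(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    findings = []
    for kv in (kv for name, kv in sections if name == "peer"):
        nets = [ipaddress.ip_network(n, strict=False) for n in kv.get("allowedips", [])]
        v4_all = any(n.version == 4 and n.prefixlen == 0 for n in nets)
        v6_all = any(n.version == 6 and n.prefixlen == 0 for n in nets)
        if v4_all and not v6_all:  # IPv6 is routed outside the tunnel
            findings.append("ipv6-not-tunneled")
        if v4_all and not iface.get("dns"):  # lookups keep using the local network's resolver
            findings.append("dns-not-set")
        if kv.get("persistentkeepalive", ["off"])[0] not in ("0", "off"):
            findings.append("keepalive-enabled")  # a packet every N seconds while idle
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Setting AllowedIPs to `0.0.0.0/0, ::/0` clears the first finding; the keepalive is only needed when the server must be able to reach a client that sits behind NAT.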

Mobile app quality

Both have official apps. The WireGuard iOS app is minimalist, reliable, and handles on-demand rules (connect when joining specific Wi-Fi networks) cleanly. The OpenVPN Connect app is functional but older-feeling and has rougher UX around certificates and profile management.

For a product that ships VPN configs to non-technical users, WireGuard's app consistently produces fewer support tickets.

Cryptographic choices

WireGuard uses a fixed, modern cipher suite. No negotiation, no downgrade attacks. If WireGuard ever needs new crypto, the protocol is versioned and the whole stack moves together.

OpenVPN supports many ciphers, which sounds like a feature but is usually a source of misconfiguration. The default ciphers are fine; the long tail of legacy options ("what if I'm using OpenVPN 2.3.4 from 2015") is where mistakes happen.
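
An added example, not from the original article: a lint for OpenVPN client profiles that flags the kind of legacy options this section refers to, and checks that a profile kept as the UDP-blocked fallback really uses TCP 443. Both profiles are constructed, abridged samples, and the finding names are hypothetical.

```python
# Constructed, abridged samples (placeholder host): an old UDP profile carried
# forward unchanged, and a TCP 443 fallback profile using current options.
LEGACY = """\
proto udp
remote home.example.com 1194
cipher BF-CBC
comp-lzo
<ca>
(certificate omitted)
</ca>
"""
FALLBACK = """\
proto tcp
remote home.example.com 443
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""
WEAK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers

def directives(text):  # token lists per directive, skipping inline <ca>-style blocks
    out, inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            inline = not line.startswith("</")
        elif not inline and line and line[0] not in "#;":
            out.append(line.split())
    return out

def lint(text):  # returns finding names; the labels are hypothetical
    d, findings = directives(text), []
    for x in d:
        ciphers = set(x[1].upper().split(":")) if len(x) > 1 else set()
        if x[0] in ("cipher", "data-ciphers", "ncp-ciphers") and WEAK & ciphers:
            findings.append("64-bit-block-cipher")
        if x[0] in ("comp-lzo", "compress"):
            findings.append("compression-enabled")
    if not {x[0] for x in d} & {"remote-cert-tls", "verify-x509-name"}:
        findings.append("no-server-cert-check")  # any cert signed by the CA is accepted
    proto = next((x[1] for x in d if x[0] == "proto" and len(x) > 1), "udp")
    if not any((r[3] if len(r) > 3 else proto).startswith("tcp")
               and (r[2] if len(r) > 2 else "1194") == "443"
               for r in d if r[0] == "remote"):
        findings.append("not-tcp-443")  # will not pass a TCP-443-only network
    return findings

if __name__ == "__main__":
    print(lint(LEGACY), lint(FALLBACK))
```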

The practical recommendation

For a home VPN built today, default to WireGuard. Your phone gets a full-tunnel config, routes all traffic through your home IP, and battery life is fine. The connection survives Wi-Fi → cellular handoffs. Speed is whatever your home upload can provide (usually the real bottleneck, not the protocol).

Keep an OpenVPN config around for the 5% of networks that block UDP. Most users never hit this. If you do, swap configs for that trip and swap back when you're home.

What ProxyBox does

Every ProxyBox ships with a WireGuard server running out of the box. Adding a new client takes 10 seconds in the app: tap add, name the device, scan the QR code with WireGuard iOS or Android. WireGuard VPN is included on the Premium tier. No command-line config editing, no certificate authority setup, no renewals.
