Offering options that support OpenVPN and WireGuard for max compatibility

Preface: Previous post Reviewing Privacy Guides's Criteria for VPNs, and Cryptostorm and AirVPN was deleted due to having multiple criteria suggested instead of one per post for some reason, so breaking it up here. If you disagree with something, please be constructive and specific so a discussion can be had. New posts VPN Anonymous Registration & Payments criteria and Add VPNs that support port forwarding.

This is Post/Suggestion 3: Supporting Both VPN Protocols (OpenVPN and WireGuard)

Supporting both OpenVPN and WireGuard ensures maximum compatibility in places where one might be blocked and since neither seems to be particularly more secure than the other (also considering how new WireGuard is vs OpenVPN, it’s had less time to be analyzed and had vulnerabilities found, so 1-1 comparisons aren’t necessarily fair).

As a baseline, if we consider what other criteria one might consider make a VPN a supporter of privacy, security, and anonymity, one might start with the basics: having no logs, no analytics, anonymous payments (meaning they accept at least one of either XMR or cash), and anonymous registration/logins (i.e. email is not required and/or generates a random alphanumeric “account”), and is (relatively) well known [such as showing up on Techlore’s list VPN Comparison Tool | Techlore VPN Toolkit], we have: Mullvad VPN, IVPN, Windscribe, hide.me, AirVPN, Cryptostorm, AzireVPN, and ShockVPN. Now, if we narrow this to only those that support both OpenVPN and WireGuard (and that also support port forwarding, see post 2), we have: AirVPN, Cryptostorm, AzireVPN, and ShockVPN [Windscribe is excluded because they expire after 7 days, but will mention anyway]. Finally, if we further constrict the options to the larger of these providers (just to simplify the options and use age/time existing without security issues as a useful benchmark), that leaves AirVPN and Cryptostorm.

So, why not add Cryptostorm and/or AirVPN (or others) since this would allow us once again to have options that allow both protocols, which is vital for many applications, locations, and services?

Not saying ALL VPNs HAVE to support both, but having options that have good privacy/anonymity practices like these two but that also support OpenVPN ensures maximal compatibility.

1 Like

I don’t think there is any reason to have OpenVPN be a requirement. This would cause something like Mullvad to be de-listed. We should be encouraging users to use the WireGuard protocol.

1 Like

Well, WireGuard has no known vulnerabilities yet. That makes it, for all that it is, the best protocol out there for VPNs. OpenVPN is objectively inferior to it, no?

You keep saying this and yet it is incorrect. VPN does not make you anonymous. This is VPN 101. Please stop saying this. It’s not true.

–

Let me ask you - would your recommendations also meet PG’s other criteria they have set for evaluating VPNs? I don’t think so.

This is certainly not true.

1 Like

Maybe I am just an idiot, but why? WireGuard has been well audited at this point, and the codebase is way smaller. Additionally, your criteria would exclude some of the biggest names (like Mullvad) in the privacy sphere…

Plus, it would add other VPNs that, I am sure, have been excluded from the PG recommendations for a reason.

I am sorry, I just don’t get the point of this

The answer was in the post. Supporting both OpenVPN and WireGuard ensures maximum compatibility in places where one might be blocked and since neither seems to be particularly more secure than the other.

But I can expand further, sure. Some ports are blocked by default by different internet setups, so being restricted to just one limits your options. What if WireGuard is blocked by an ISP or corporation or country? What if OpenVPN is? What if, since WireGuard is UDP only, they only allow TCP? I have a VPN right now where WireGuard is blocked where I work, so this is just one example, but there’s infinite cases. Just supporting both maximizes compatibility.

1 Like

If one protocol is blocked, what makes you think the other won’t be either? It would not make sense to only block one and not the other (all). Under what circumstances would this be the case/reality? Feels very niche.

First of all, that’s a sign to never connect your personal devices to your work internet connection. They are actually doing you a favor if you think about it.

Careful, read what I said. I never said that VPNs make you anonymous. I said VPNs that support anonymity practices (meaning of users).

Because it’s not blocked, and I tested it? Not every security practice is consistent or even deliberate. Maybe one is blocked just due to firewall rules that had the intent of blocking something else entirely, but inadvertently also block another service. So, having the extra options allows more avenues to bypass that

This is easily misinterpretable given your verbiage. My understanding is not inaccurate. You left room for ambiguity so it is not upon the reader but the writer to be more careful. It’s basic English.

You pointing out very niche and particular cases to make your point at large is not helping.

I don’t understand where you’re coming from for the most part for your requests here but alright. Thanks for the posts and engaging here. You do you.

Just to be clear, right now our current requirement is that VPN providers must support WireGuard, but there is not a problem if they optionally support OpenVPN as well. That criteria is based on the logical conclusion of these discussions:

Do you want a change that says we should allow VPN providers that only support OpenVPN and not WireGuard? I am guessing not, since both of the VPN providers you mentioned do support WireGuard.

Do you want a change that says we should revert the Feb 2025 decision and require both protocols for compatibility reasons?

Otherwise, if you are fine with our current criteria then no change is necessary from this discussion, right?

Definitely not. Even disregarding security for a second, this is counter to my wish to maximize compatibility.

Hmm, this hearkens back to the previous comment I made on the other post I think. I see what you guys are saying about the security now (my previous understanding was that the vulnerabilities for OpenVPN were quite old, but I didn’t see the new ones last year from MS upon researching), so I agree that having WireGuard should be a requirement. BUT, I think there should always be at least one VPN option with OpenVPN for compatibility sake… So not sure if that’d be better as a “criteria” that at least one must be vs. a “guideline” that WireGuard only ones get preferred over others.

Mullvad no longer supports OpenVPN, but I suppose IVPN & Proton VPN still do. But AirVPN and Cryptostorm, for example, if approved, could also satisfy this category

I’m going to ask this straight since no one has yet: what is your connection to these VPN companies? Are you affiliated with them in any way?

The problem is that we can’t create criteria exactly like this, because there is ambiguity if none of the providers we recommend can meet it, but all of them meet all our other criteria.

All of the criteria we list have to be independently evaluated per provider. We cannot add criteria that depend on the existence of other providers and whether or not they meet the criteria. There will not be minimums or quotas in our categories, no.

So… the way we would have to write your proposal is:

Minimum criteria:

  • Supports WireGuard

Best case criteria:

  • Supports WireGuard and OpenVPN (to maximize compatibility)

This would technically accomplish what I think you want. However, I think people will disagree with this change, and I also think it will be confusing because the way we’d have to word it will make it kind of seem like we think OpenVPN is equal or better than WireGuard, even with the note that it is only a best case criteria for compatibility reasons.


The truth is that we do not currently recommend VPNs for censorship circumvention in the first place. We only recommend VPNs to protect against passive network surveillance, not active network tampering.

They do provide some protections against that inherently, but I’m just saying if we want to start saying that the ability of VPNs to bypass invasive network censorship is an important criteria for our VPN providers, then that will require a much larger change on the site and we will want to add more information about how/when/why VPNs can be used to circumvent censorship to our knowledge base.

…should we do that?

3 Likes

It could help people understand VPNs better as a tool and a technology - if more about it is explained and talked about including some of the niche or particular cases for which VPNs should be used and how if so.

I would not be against it if more clarity, info, and context is made available for people to learn about it as they discover the importance of the tool and the tech in the world of growing lunacy of nation states against the idea of internet freedoms, civil liberties, free speech, and of course privacy/security.

Short answer: yes.

Well, and maybe this will have to be a separate discussion, because what I should point out is that the reason we don’t do this right now is that the VPNs that are good at this are almost entirely separate tools. Like I really see tools like Amnezia, Lantern, Outline, Shadowsocks, etc. as a totally different category of tools, so to talk about them alongside traditional VPN protocols/providers could actually be more misleading, not less.

I think it would probably be a good idea to cover anti-censorship tools/providers in more depth, since we basically don’t outside of Tor right now unfortunately, but to do so without overly confusing them with anti-surveillance tools like our current VPN recommendations is something we should figure out first, and if anyone has a good idea you should make a Site Development post about it 🙂

2 Likes

Hmm. I see what you’re saying. Makes sense.

Nothing, and I’ll thank you to not be so baselessly cynical. I started my discussion from literally dozens of possible VPNs if you followed the logic through my posts. The virtue that these two VPNs come up is simply because they were the largest of those that met all of the criteria I put forward as important for privacy and anonymity. But, I also mentioned those including but not limited to Mullvad VPN, Windscribe, IVPN, AzireVPN, etc. They just fell apart because of the port forwarding prerogative I had as one of my specific goals for the former, and largeness for the latter like I mentioned. So if you had read my post, this question should never have even crossed your mind.

Also, if I were some undercover corporate shill, why would I be supporting two companies that aren’t affiliated? So, yeah no, there’s nothing fishy going on here.

2 Likes

I think framing it the way you put it accomplishes what you say, and that is, making OpenVPN seem more than it really is. I think a better way to word it, like I said, is something that accomplishes a similar effect of that the main criteria should be supports WireGuard, and that under the guidelines for different individual VPNs, you list support OpenVPN as a bonus, not a criterion of absolute necessity.