Require both WireGuard and OpenVPN support in VPN criteria

Minimum to qualify is:

Support for strong protocols such as WireGuard & OpenVPN

Best case is:

WireGuard and OpenVPN support.

This is confusing. Should the first question read as “such as WireGuard OR OpenVPN”?

But since WireGuard is now the industry standard, I will say that WG support is a minimum and not optional.

Yes. But… you’re right that the criteria can just be changed to require both as minimum instead of best-case.

I see no reason to not mark this as approved, so I will, and we’ll accept a PR which makes this change. Thanks for noticing this :slight_smile:

5 Likes

Is there anything OpenVPN brings to the table when we have WireGuard? Mullvad, for example, only supports WireGuard on mobile. Would that make them not meet the criteria anymore?

I’d also expect there will be more WireGuard-only providers down the line as it’s a better protocol overall and has an in-tree kernel implementation on Linux and Free/OpenBSD.

1 Like

I don’t think enforcing WireGuard explicitly should be the case at this time. WireGuard is a lot more performant, but OpenVPN is also quite battle tested, albeit old and with a larger attack surface.

Instead of binary yes or no, maybe we can have a scoring system? OpenVPN is better than none, but WireGuard is preferred moving forward.

If you compare both protocols, OpenVPN has been better privacy-wise and is also recommended if privacy is your topmost priority and you are okay with slightly lower speeds.
I think VPN companies also know the importance of OpenVPN, as WireGuard is still a much newer protocol.
OpenVPN is also much more widely supported by devices like routers.

OpenVPN provides better privacy than WireGuard.

I think this shouldn’t be approved now. Unless you have done enough research about why WireGuard would be sufficient to protect users’ privacy, we could still keep both as criteria. I myself have considered using OpenVPN on sensitive devices.

Edit by mods: removed screenshot, include direct link.

Can we please link to articles and not screenshots? Secondly, there are solutions to those issues: WireGuard VPN protocol for privacy - start using with IVPN

The article also is incorrect:

This, however, is still far from full anonymity and unacceptable for users from countries with strict censorship.

  • All VPN protocols will have connection data in the server’s routing tables.

  • A VPN provider won’t hand over such information if hosted in a country with a decent legal jurisdiction.

  • Single-hop VPNs do not provide absolute anonymity anyway in this scenario, as they can de-anonymize users if they want to, regardless of protocol.

If that is in your threat model then the only solution is Tor (or something where the trust is decentralized) and no single party holds the ability to deanonymize you.

I read through the rest of that blog post, and it looks like SEO blogspam garbage, often repeating itself without any real fact. That’s not surprising as the company behind it is trying to sell SSO solutions. The point of this post is not to inform users, but rather stimulate keyword searches to point to this site.

The surface area of WireGuard is a lot smaller, and there are implementations like wireguard-go which are a lot safer.

2 Likes

My bad, will include a link for reference next time.

The point was not to focus on the blog itself or its publisher, but nobody in the above 2 posts pointed out any limitations of the WireGuard protocol.
There may be better articles explaining the pros and cons of WireGuard.

Here is the list of limitations as per the official WireGuard page.

I am no expert in the technicals of cryptography or in assessing how effective any of the mitigations put in place by VPN companies are. Perhaps an audit report, or people with expertise in this field, could explain more about these limitations.

Obviously, not seeking any anonymity from WireGuard single hop, but pointing out that a user has an option to use a much more tested protocol when in doubt or unsure about the mitigations used in the relatively newer protocol.

This has nothing to do with security (other than post-quantum secrecy). WireGuard connections are known to be easily identified by firewalls; they don’t want to add obfuscation, etc., to keep their code minimal. It is not an issue if your country doesn’t use DPI (deep packet inspection).

VPN providers could add modifications or use available modified versions of WireGuard protocols that implement features to overcome these limitations.
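The fixed message layout behind the "easily identified by firewall" remark, as an added example that is not part of any post in this thread: a network monitor can classify a UDP payload as WireGuard from its 4-byte header and length alone. The message types and sizes are those of the WireGuard protocol; the `classify`, `is_handshake_pair` and `build` names and all sample packets are constructed for illustration, with filler bytes in place of real key material.

```python
import struct

# WireGuard message type -> (name, exact UDP payload length, or None if variable)
MESSAGE_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),
}
TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (an empty keepalive)


def classify(payload: bytes):
    """Return the WireGuard message name this UDP payload matches, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # type byte must be followed by three reserved zero bytes
    entry = MESSAGE_TYPES.get(payload[0])
    if entry is None:
        return None
    name, fixed_len = entry
    if fixed_len is None:
        return name if len(payload) >= TRANSPORT_MIN else None
    return name if len(payload) == fixed_len else None


def is_handshake_pair(client_to_server: bytes, server_to_client: bytes) -> bool:
    """Flow-level check: the response must echo the initiator's sender index.

    Initiation carries sender_index at bytes 4..8; the response carries
    receiver_index at bytes 8..12. Matching them cuts false positives from
    unrelated payloads that merely start with 01 00 00 00.
    """
    return (
        classify(client_to_server) == "handshake_initiation"
        and classify(server_to_client) == "handshake_response"
        and client_to_server[4:8] == server_to_client[8:12]
    )


def build(msg_type: int, length: int, sender: int = 0, receiver: int = 0) -> bytes:
    """Constructed sample packet: real header and length, 0xAA filler body."""
    head = struct.pack("<B3xII", msg_type, sender, receiver)
    return head + b"\xaa" * (length - len(head))


# Constructed non-WireGuard payload (start of a DNS query) for comparison.
DNS_SAMPLE = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00"
```

Nothing here touches the encrypted contents: the cleartext type byte, reserved zeros and fixed handshake sizes are enough, which is the property obfuscation layers added by providers are meant to hide.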