BEST Remote Access VPN - OpenVPN vs WireGuard vs L2TP

In this video I will be discussing the differences between different VPNs: OpenVPN, WireGuard, and L2TP over IPsec - and going over which one is best for your situation. This one might be a little controversial!

This is not for a paid VPN, but rather for a self hosted remote access VPN.

#openvpn #wireguard

TOC:
00:00 Introduction: self hosted VPNs
04:36 A note on managed services (Tailscale, NordVPN, etc)
06:05 L2TP over IPsec
07:59 OpenVPN
11:19 Wireguard
17:47 Conclusion
Comments

The Fritz routers for home users, home offices or small offices, which are very popular in Germany, have had a built-in Wireguard server since last year. That changed everything for me. Super easy to set up. Create an account for each device, in the simplest case photograph a QR code and that's it. It couldn't be better or easier.

BachusNRW

One thing I appreciate about Wireguard vs OpenVPN, for my personal use, is I find that very few public access points filter it out. Whereas, my OpenVPN tunnels are often blocked on public wifi. Another great vid!

matthewbond

I did extensive testing between all three of these about 8 months ago for a big engineering firm (CAD drawings) and for SMB heavy stuff connected from a mini-datacenter, WireGuard is a no-brainer for raw performance. Will nailed it though having zero ADDS integration!!

JBRules

There's an additional layer of complexity. If you're using vpn in a benign environment, that's one thing.

When you're using it in an actively hostile environment where the opfor (think China or Russia) it's quite different. For example, openvpn traffic can be actively blocked by state-imposed DPI on provider level easily. Then one has to consider adding shadowsocks to the equation, for example.

It also can quickly change and depends on provider as well (since implementation of DPI can be different) - e.g. NordVPN works fine on my fiber provider right now, while cellular provider blocks it completely no matter which protocol I choose. ZT works and I suspect a custom VPN running on some outside-of-Mordor VPS will most likely work, but again, openvpn and wireguard are easily identifiable as obfuscation was not their objective.

BoraHorzaGobuchul
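
An added illustration of the point in the comment above (not part of the original thread or the video): why unobfuscated WireGuard and OpenVPN traffic is easy for a passive monitor to label. The sample payloads are constructed; the checks rely on WireGuard's fixed message sizes and reserved zero bytes and on OpenVPN's opcode byte.

```python
# WireGuard message types 1-3 have fixed UDP payload sizes.
WG_FIXED = {
    1: ("handshake-initiation", 148),
    2: ("handshake-response", 92),
    3: ("cookie-reply", 64),
}
# Type 4 (transport data): 16-byte header + 16-byte auth tag minimum,
# and the encrypted payload is padded to a multiple of 16 bytes.
WG_DATA_MIN = 32

# OpenVPN: first byte = opcode (high 5 bits) | key_id (low 3 bits).
OVPN_HARD_RESET = {7: "hard-reset-client-v2", 8: "hard-reset-server-v2"}
OVPN_MIN_LEN = 14  # opcode + 8-byte session id + ack count + 4-byte packet id


def classify(payload: bytes) -> str:
    """Label one UDP payload as WireGuard, an OpenVPN handshake, or unknown."""
    if len(payload) >= 4 and payload[1:4] == b"\x00\x00\x00":
        msg_type = payload[0]
        if msg_type in WG_FIXED and len(payload) == WG_FIXED[msg_type][1]:
            return "wireguard/" + WG_FIXED[msg_type][0]
        if msg_type == 4 and len(payload) >= WG_DATA_MIN and len(payload) % 16 == 0:
            return "wireguard/transport-data"
    if len(payload) >= OVPN_MIN_LEN:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        if opcode in OVPN_HARD_RESET and key_id == 0:
            return "openvpn/" + OVPN_HARD_RESET[opcode]
    return "unknown"


# Constructed sample payloads (headers only, bodies zero-filled).
SAMPLES = {
    "wg_init": b"\x01\x00\x00\x00" + bytes(144),
    "wg_keepalive": b"\x04\x00\x00\x00" + bytes(28),
    "ovpn_reset": b"\x38" + bytes(8) + b"\x00" + bytes(4),
    "dns_query": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01",
    "wg_truncated": b"\x01\x00\x00\x00" + bytes(143),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} len={len(data):3d} -> {classify(data)}")
```

A single-packet match like this is only a heuristic; a monitoring system would confirm it across the flow (for example, an initiation followed by a 92-byte response) before labelling the connection.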

It's Ubiquiti Teleport for me. Especially now that there's a WifiMan for Windows client!

IntoxicatedVortex

Some comments to complement: (1) L2TP doesn't push routes for interesting traffic unless you have a default route on the clients. That's a major drawback on L2TP/IPSec. (2) WireGuard doesn't provide any additional authentication methods like MFA, which is a drawback for businesses, plus onboarding is a manual task (only viable if the number of endpoints is small).

kirksteinklauber

Thanks! I have both set up. WireGuard is by far the fastest and most convenient. Whenever it’s not working (this happened on just a few occasions) I switch over to OVPN. No issues. Hopefully as you said WG will improve on monitoring and debugging possibilities soon.

jaspermuziek

I'm a home user self hosting. I just have immediate family set up on the VPN. I initially used OpenVPN but switched to WireGuard. In terms of performance there is only one winner, WireGuard all the way! Having said that I totally get the OpenVPN pros if you need to scale up.

adrian

Such a great breakdown and was fun to listen and learn.

Sam-nvs

As for WireGuard.
I have a simple script that creates configuration files, this part is easy.
I agree about debugging though. But once you set up your server right and tested against 1 client it should work for everyone else. And if it's not then those are usually some ports on client side or some other program that pushes its own DNS and clears up others.
I disagree about interface problem. It's pretty straightforward on all OSes. There was some problem with GUI on Linux under Gnome-Shell but KDE worked fine. On Windows GUI is ok, it clearly shows whether it is active or not. The only downsides I know of are on Windows sometimes it's not connected after you shut down (because it doesn't play well with Windows hybrid shutdown option) and GUI isn't shown if you click on it, so you have to kill the process and start the client again. And on Android if you've added it within Android quick settings it starts automatically all the time, so it's better not to do it and simply use icon launcher.

yoloyolovich

Wireguard is simple and lightweight, hence the speed. If you decide to use it, the admin is aware of the manual setup, which is not that hard. Moreover, you hand a tunnel to a person you trust, or a device you trust. Once they are connected, it is as if they are on the local network with minimal latency and one can always enforce user/password authentication when connecting to assets. All in all, it depends on the environment and the scale of implementation. It seems that WG is more suited for SMB deployments

maksabgvar

Very informative video. I think the average remote user would prefer an actual green connection light to mean “all good”. Hope WireGuard makes their interface simpler in the future because speed does matter.

garynagle

Timely video. My Nord 2yr sub is nearly up, they don’t support Wireguard, and I recently got a mini travel router that has Wireguard and OpenVPN clients on its openwrt firmware.

ChimpRiot

And there is sort of a way to self host tailscale. It’s via headscale.

Suhayl_Khatib

Can you make a more detailed video about Tailscale? Not just the basics, but some of the advanced management features.

supernumex

Access VPN: from outside your home to your home - right? I just moved from Tailscale to Headscale and this seems to me like both: Wireguard + Tailscale in 1 place: Headscale. Fully owned by me. I think this is what bought me completely.

zyghom

I got both OpenVPN and WireGuard set up on my pfSense router and by far WireGuard was the hardest to set up! Need more videos on YouTube on how to set it up! Love your videos tho man

GotWire

Thank you for updating on the subject!

dklima

Thank you for breaking this down so well.

marcebinger

Thank you for that Will! Can you also make a comparison video for all of us home users with Synology routers which also have the Synology VPN option?

npapan