
Why still use OpenVPN?

JGrana

Very Senior Member
I know that OpenVPN is a stable legacy “veteran” when it comes to VPNs. It's also complex, especially for home/personal use.
After moving to wireguard then tailscale (tailmon) I have never had the need to look back.
Other than legacy enterprise, what are the reasons home users are still using OpenVPN?
 
Can you run WireGuard on port 443/TCP?
 
A lot of the major VPN providers don't have a Wireguard implementation you can use with Merlin but have a workable OpenVPN option.
 
It's also complex, especially for home/personal use.
It's not. In Asuswrt, you can get OpenVPN working for remote access with just a few clicks.

1) Set access to LAN, LAN + Internet or Internet.
2) Add a user/password
3) Enable it
4) Export the config file

Everything else can be left to the default setting - they are only there for people needing special features or particular security hardening.

On the client:

1) Install OpenVPN
2) Copy config file to c:\users\USERNAME\OpenVPN\config\ if on Windows, or import file if using a mobile client.
3) Run it, and select "Connect"

what are the reasons home users are still using OpenVPN?
Debugging a non-working Wireguard setup is horrible. Wireguard is a silent protocol, meaning you get zero logging. If a tunnel does not work, then you have no idea why it's not working, and are left guessing whether it's a routing issue, a firewall issue, a key mismatch, etc... A Wireguard tunnel may silently stop working, and once again you won't even notice until you try to use it, and it will just not work. No error message, no notification that something went wrong.

OpenVPN does extensive logging (and you can even increase verbosity when troubleshooting things). It's also far more flexible: you can change port, change protocol (UDP for performance, or TCP for reliability if you have frequent issues with latency spikes or lost packets). You can make it very simple (username/password authentication), or you can make it highly secure by using user-specific certificates, which can be revoked if one is lost/compromised/user no longer needs remote access. The choice is yours.

You can easily implement complex rules for split tunneling. For example, I have a customer who has access to a web application that's only reachable from their office's IP address. Remote workers only need one line added to their OpenVPN config file to be able to access that website through a VPN:

Code:
route 100.101.102.103 255.255.255.255

And the website at 100.101.102.103 will go through the tunnel, while the rest of their Internet traffic will keep going directly to the Internet. Split tunneling configuration is that easy with OpenVPN.


OpenVPN is not complex. What OpenVPN is, is flexible. You can make it even simpler to use than Wireguard if you wish, or you can make it as complex as a high-end enterprise solution with user-specific certificates, a key strength of your choosing, etc...
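
Added example, not part of the posts in this thread: because WireGuard itself logs nothing, one way to notice a tunnel that has silently stopped is to poll `wg show <interface> latest-handshakes` and classify each peer by the age of its last handshake. The interface name `wg0`, the 180-second threshold and the sample output are assumptions, and the check assumes PersistentKeepalive is set, since an idle tunnel without it legitimately shows an old handshake.

```python
"""Added example: flag WireGuard peers whose last handshake is stale."""
import subprocess
import time

# Assumption: peers use PersistentKeepalive, so a healthy tunnel re-handshakes
# about every 2 minutes; without keepalive an idle tunnel also looks stale.
STALE_AFTER = 180  # seconds

# Constructed sample of `wg show wg0 latest-handshakes` output
# (public key, TAB, Unix time of last handshake; 0 = never completed).
SAMPLE = (
    "AAAAexamplePeerKeyLaptop000000000000000000000=\t1700000950\n"
    "BBBBexamplePeerKeyPhone0000000000000000000000=\t1700000100\n"
    "CCCCexamplePeerKeyTablet000000000000000000000=\t0\n"
)


def peer_status(output, now, stale_after=STALE_AFTER):
    """Return {public_key: (state, age_seconds)} for each peer line."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        key, ts = parts[0], int(parts[1])
        if ts == 0:
            result[key] = ("never", None)      # no handshake has ever completed
        elif now - ts > stale_after:
            result[key] = ("stale", now - ts)  # tunnel worked, then stopped
        else:
            result[key] = ("ok", now - ts)
    return result


def check_interface(iface="wg0"):
    """Run wg (needs root) on a live system and classify its peers."""
    out = subprocess.run(["wg", "show", iface, "latest-handshakes"],
                         capture_output=True, text=True, check=True).stdout
    return peer_status(out, int(time.time()))


if __name__ == "__main__":
    for key, (state, age) in peer_status(SAMPLE, now=1700001000).items():
        print(f"{key[:8]}... {state}" + (f" ({age}s ago)" if age else ""))
```

Run from cron or a monitoring agent, `check_interface()` gives the "tunnel went quiet" signal that WireGuard does not emit on its own.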
 
I tried Wireguard. Couldn't make it work. OTOH, my OVPN setup has worked flawlessly for many years.
 
