
Why still use OpenVPN?

JGrana

Very Senior Member
I know that OpenVPN is a stable legacy “veteran” when it comes to VPNs. It is also complex, especially for home/personal use.
After moving to wireguard then tailscale (tailmon) I have never had the need to look back.
Other than legacy enterprise, what are the reasons home users are still using OpenVPN?
 
Can you run WireGuard on port 443/TCP?
 
A lot of the major VPN providers don't have a Wireguard implementation you can use with Merlin but have a workable OpenVPN option.
 
It is also complex, especially for home/personal use.
It's not. In Asuswrt, you can get OpenVPN working for remote access with just a few clicks.

1) Set access to LAN, LAN + Internet or Internet.
2) Add a user/password
3) Enable it
4) Export the config file

Everything else can be left to the default setting - they are only there for people needing special features or particular security hardening.

On the client:

1) Install OpenVPN
2) Copy config file to c:\users\USERNAME\OpenVPN\config\ if on Windows, or import file if using a mobile client.
3) Run it, and select "Connect"

What are the reasons home users are still using OpenVPN?
Debugging a non-working Wireguard setup is horrible. Wireguard is a silent protocol, meaning you get zero logging. If a tunnel does not work, then you have no idea why it's not working, and are left with guessing if it's a routing issue, a firewall issue, a key mismatch, etc... A Wireguard tunnel may silently stop working, and once again you won't even notice until you try to use it, and it will just not work. No error message, no notification that something went wrong.

OpenVPN does extensive logging (and you can even increase verbosity when troubleshooting things). It's also far more flexible, you can change port, change protocol (UDP for performance, or TCP for reliability if you have frequent issues with latency spikes or lost packets). You can make it very simple (username/password authentication), or you can make it highly secure by using user-specific certificates, which can be revoked if one is lost/compromised/user no longer needs remote access. The choice is yours.

You can easily implement complex rules for split tunneling. For example, I have a customer who has access to a web application that's only reachable from their office's IP address. Remote workers only need one line added to their OpenVPN config file to be able to access that website through a VPN:

Code:
route 100.101.102.103 255.255.255.255

And website at 100.101.102.103 will go through the tunnel, while the rest of their Internet traffic will keep going directly to the Internet. Split tunneling configuration is that easy with OpenVPN.


OpenVPN is not complex. What OpenVPN is, is flexible. You can make it even simpler to use than Wireguard if you wish, or you can make it as complex as a high-end enterprise solution with user-specific certificates, a key strength of your choosing, etc...
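
An added example (not part of the post above and not code from Asuswrt-Merlin or OpenVPN): a small Python check over a client config file that reports which destinations the file itself sends through the tunnel, and whether it relies on username/password or a client certificate. The sample config, the hostname `vpn.example.net` and the function names are constructed for illustration; options pushed by the server at connect time are not visible in the file and are not covered.

```python
import ipaddress

# Constructed sample client config; only the "route" line is taken from the post.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
# split tunnel: send only the office-restricted web app through the VPN
route 100.101.102.103 255.255.255.255
"""

def parse_client_config(text):
    """Collect the settings in a client config that decide what enters the tunnel."""
    cfg = {"routes": [], "full_tunnel": False, "proto": None,
           "user_pass": False, "client_cert": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        key, *args = line.split()
        if key == "route" and args:
            # The netmask is optional and defaults to a single host.
            mask = args[1] if len(args) > 1 and args[1] != "default" else "255.255.255.255"
            try:
                cfg["routes"].append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
            except ValueError:
                pass                              # hostname or keyword target: not resolvable offline
        elif key == "redirect-gateway":           # sends all traffic through the VPN
            cfg["full_tunnel"] = True
        elif key == "proto" and args:
            cfg["proto"] = args[0]
        elif key == "auth-user-pass":
            cfg["user_pass"] = True
        elif key in ("cert", "<cert>"):           # certificate file or inline block
            cfg["client_cert"] = True
    return cfg

def via_tunnel(cfg, address):
    """True if the config routes this destination address through the VPN."""
    ip = ipaddress.ip_address(address)
    return cfg["full_tunnel"] or any(ip in net for net in cfg["routes"])

if __name__ == "__main__":
    cfg = parse_client_config(SAMPLE_CONFIG)
    for dest in ("100.101.102.103", "100.101.102.104"):
        print(dest, "-> tunnel" if via_tunnel(cfg, dest) else "-> direct")
```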
 
I tried Wireguard. Couldn't make it work. OTOH, my OVPN setup has worked flawlessly for many years.
 
Here's another reason: if you have an OpenVPN server active on the router with a non-working Wireguard server, you can keep on accessing the router remotely while you figure out how to fix the Wireguard setup.
 
It’s a personal preference- oldschools are used to OpenVPN and don’t want to switch, because it’s something new to learn and rather stick with the good old stuff. People who never used a VPN before like the new technology, the simplicity and the speed. It does exactly what it’s needed in a very efficient way. No need for 50+ config options that in a couple of years are going to be deemed “not secure”, compromised or something else.
That’s why wireguard app for iOS for example hasn’t been updated in several years - just there’s no need for it. Simple code, almost no bugs.

I personally had only issues with OpenVPN - DNS leaks, random crashes, errors, slow unreliable speeds, kill switches not working, you name it! Got really tired of reading all the logs and endless messages for what went wrong.

Switched to wireguard 3 years ago and Tailscale personal use for 2 years now. Never had a single problem.
 
It’s a personal preference- oldschools are used to OpenVPN and don’t want to switch, because it’s something new to learn and rather stick with the good old stuff.
My VPN provider has a proprietary implementation of Wireguard that requires you to use their app, meaning you can't run it on a router unless it's one of a select group of routers that also support their proprietary firmware which would take the place of Merlin. So no, it's not strictly down to personal preference and has nothing to do with "oldschools"; if my provider offered it I'd use it and I'm definitely one of the "oldschools".
 
I prefer wireguard to connect back to home, but there's also openvpn active as a fall-back.
Point to note: NordVPN supports OpenVPN and Wireguard (if you know how).
 
I use both. Some of my residential ISPs are CG-NAT now and UniFi features like Site Magic (site-to-site VPN, WireGuard, Tailscale) and Teleport (client-to-site VPN, WireGuard, via WiFiman) need few clicks configuration in UI. I also have OpenVPN servers set originally as Plan B, but find myself using them more often than WireGuard options for client-to-site. The connections when traveling are often not the best and the speed doesn't matter much. My upload speed is also limited to below OpenVPN processing capabilities of the gateways.
 
I prefer wireguard to connect back to home, but there's also openvpn active as a fall-back.
Point to note: NordVPN supports OpenVPN and Wireguard (if you know how).
Proton VPN supports both too. Have been using it with Wireguard for years.
 
