OpenVPN Explained.

The protocol that powered most commercial VPNs for over a decade. Slower than WireGuard but more flexible, and still the right fallback when networks misbehave.

The historical context

OpenVPN was created by James Yonan in 2001 as an open-source alternative to commercial VPN solutions. By 2010 it had become the de-facto standard for commercial consumer VPN providers, and stayed that way for over a decade. Mullvad, NordVPN, ExpressVPN, Surfshark: every name brand shipped OpenVPN as its primary protocol until around 2020.

The arrival of WireGuard around 2019-2020 changed the landscape. Most providers now use WireGuard as default and OpenVPN as a fallback. It's a quieter role for a still-vital piece of software.

How OpenVPN works

OpenVPN is more complex than WireGuard, but the basic operation is similar:

  1. The client connects to the server (UDP or TCP).
  2. They perform a TLS handshake to authenticate each other (uses certificates, optionally combined with username/password).
  3. They negotiate a session key.
  4. Packets get encrypted and tunneled.

The differences from WireGuard:

  • Negotiated cipher: OpenVPN doesn't hardcode a cipher suite; it negotiates one between client and server. Typically AES-256-GCM or ChaCha20-Poly1305 these days.
  • Authentication options: certificates, username/password, pre-shared keys, two-factor; OpenVPN supports all of them.
  • TCP or UDP: OpenVPN can run over either. TCP is slower but pierces more networks.
  • Userspace implementation: runs as a normal process on most platforms (a Linux kernel module exists but isn't standard).
  • Configurable everything: routes, DNS, MTU, ping, compression; OpenVPN exposes hundreds of configuration options.

TCP vs UDP modes

UDP mode

The default for performance. UDP doesn't require acknowledgment of every packet, which means lower latency and higher throughput. UDP is a first-class citizen on the internet (DNS, gaming and video streaming all use it), but the trade-off is that some restrictive networks block it outright.

TCP mode

OpenVPN's secret weapon. TCP traffic looks like normal HTTPS, and is allowed by almost every firewall on the planet. If a network blocks UDP, OpenVPN-over-TCP usually still works. Performance cost: 20-40% throughput reduction and higher latency.

The classic configuration: TCP port 443 (the same port HTTPS uses). On the wire, this looks indistinguishable from regular web traffic. Useful when:

  • You're on a corporate network that blocks non-HTTPS outbound traffic.
  • You're on hotel/airport WiFi that's overly restrictive.
  • You're in a country with deep packet inspection but you're not specifically the target.

Note: TCP-over-TCP can have a performance problem called "TCP meltdown": on packet loss, both the outer (network) TCP and the inner (application) TCP try to retransmit at the same time, causing exponential backoff. In practice it's fine for normal web browsing but can be rough for large file transfers.
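The pieces above (negotiated cipher, certificate plus username/password authentication, and a UDP-first / TCP-443-fallback connection order) come together in a client profile. The following is an added illustration, not ClownVPN's own profile; the hostname vpn.example.com and the key and certificate file names are placeholders.

```openvpn
# Added example client profile (not ClownVPN's). vpn.example.com and the
# file names below are placeholders. OpenVPN tries the <connection> blocks
# in order: UDP first for performance, then TCP 443 when UDP is blocked.
client
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun

# Primary: UDP on the standard port, lowest latency.
<connection>
remote vpn.example.com 1194 udp
explicit-exit-notify 1
</connection>

# Fallback: TCP on 443, for networks that block UDP (slower; TCP meltdown applies).
<connection>
remote vpn.example.com 443 tcp
</connection>

# Server authentication: require a certificate carrying the TLS *server*
# extended key usage, so a stolen client certificate cannot pose as the
# server, and pin the expected certificate name.
remote-cert-tls server
verify-x509-name vpn.example.com name

# Client authentication: certificate plus username/password (two factors).
ca ca.crt
cert client.crt
key client.key
auth-user-pass

# Control channel: TLS 1.2 or newer, and a pre-shared tls-crypt key that
# encrypts and authenticates the handshake packets themselves, so the
# server drops unauthenticated probes before they reach the TLS code.
tls-version-min 1.2
tls-crypt tc.key

# Data channel: negotiate only AEAD ciphers (OpenVPN 2.5+ directive).
data-ciphers AES-256-GCM:CHACHA20-POLY1305

verb 3
```

Run with `openvpn --config client.ovpn`; the log at `verb 3` shows which <connection> block succeeded and which data-channel cipher was negotiated.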

Performance

Comparing OpenVPN-UDP vs WireGuard on identical hardware and connections:

Metric                      OpenVPN (UDP)        WireGuard
Throughput                  250-400 Mbps         900+ Mbps
Handshake                   50-500 ms            5-50 ms
Battery (mobile)            Moderate             Low
CPU usage                   Higher               Lower
UDP block resistance        Better (TCP mode)    Worse (UDP only)
Configuration complexity    High                 Low

Security

OpenVPN has a strong security track record but its larger code base (~70,000 lines) means a wider attack surface. Notable CVEs over the years:

  • CVE-2017-12166: buffer overflow in older versions, patched within days.
  • CVE-2020-15078: authentication bypass in certain configurations, also quickly patched.

No catastrophic incidents, no recurring patterns of systemic flaws. OpenVPN has been formally audited multiple times (notably by Cure53 in 2017 for OSTIF). The protocol is considered solid.

Key thing for users: use a recent OpenVPN client (3.x branch as of 2026). Older versions may have unpatched vulnerabilities.

When to use OpenVPN over WireGuard

  1. UDP is blocked. Some corporate networks, restrictive hotel WiFi, certain censored regions. OpenVPN-TCP gets through.
  2. You need TCP-port-443 stealth. If you want VPN traffic to look like normal HTTPS at a casual inspection level.
  3. WireGuard is misbehaving on your network. MTU issues, weird NAT, ISP-level interference: sometimes OpenVPN works when WireGuard doesn't, for non-obvious reasons.
  4. Compatibility requirements. Older routers and embedded devices may only support OpenVPN.

OpenVPN at ClownVPN

Our Android app ships both WireGuard and OpenVPN. WireGuard is the default; you can switch to OpenVPN in Settings → Protocol. We support both UDP and TCP modes for OpenVPN.

If your WireGuard connection is unstable or slow, switching to OpenVPN-TCP is the standard troubleshooting step.

πŸŽͺ FAQ

Is OpenVPN still relevant in 2026?
Yes, as a fallback. WireGuard is faster, simpler, and the default for most modern deployments β€” but OpenVPN's TCP mode can pierce networks that block UDP, and its larger configurability handles edge cases WireGuard doesn't. Most reputable VPN providers (us included) offer both: WireGuard as primary, OpenVPN as a fallback for restrictive networks.
TCP or UDP β€” which should I use with OpenVPN?
UDP unless you have a reason. UDP is faster (no acknowledgment overhead) and handles packet loss gracefully. TCP is needed when networks block UDP entirely β€” some corporate firewalls, restrictive hotel networks, certain national infrastructures. TCP mode wraps OpenVPN traffic in TCP packets that look like normal HTTPS, which gets through more places but with a performance penalty.
Is OpenVPN's security comparable to WireGuard's?
Yes, when properly configured. Both use modern ciphers (AES-256 or ChaCha20 in OpenVPN's case, ChaCha20 in WireGuard's). The difference is in attack surface β€” OpenVPN's ~70,000 lines of C code means more potential bugs than WireGuard's ~4,000. In practice both have strong security track records. OpenVPN has had a few CVEs over the years, all promptly patched.
Why does OpenVPN drain my phone battery more?
Two reasons. First, OpenVPN runs entirely in userspace on most mobile OSes, which means more context switching and CPU time than a kernel-level implementation. Second, OpenVPN's per-packet cryptographic overhead is higher than WireGuard's (AES-256 vs ChaCha20 with hardware acceleration differences). For background use, WireGuard is noticeably gentler on battery.
Does ClownVPN offer OpenVPN?
Yes β€” OpenVPN is available in our Android app as an alternative protocol. Most users should stay on WireGuard (the default), but if you're on a network blocking UDP or experiencing connection issues, switching to OpenVPN-TCP usually fixes it. Settings β†’ Protocol β†’ OpenVPN.

πŸŽͺ Both Protocols, Free

WireGuard default, OpenVPN fallback. Switch in app settings.

πŸ€– Get The Free App