New videos every week — proxies, VPNs & antidetect browsers, explained.

Subscribe

Your privacy is exposed — websites can see your IP, location and device.

Try Surfshark urgently →

OpenVPN

Intermediate

The veteran open-source VPN protocol — slower than modern rivals but battle-tested for two decades and uniquely good at slipping past restrictive firewalls.

In depth

OpenVPN is the open-source protocol that carried the consumer VPN industry for most of its history. Released in 2001 and audited continuously since, it remains the compatibility and trust baseline every newer protocol is measured against — and it still does one thing better than any of them.

How it works

OpenVPN builds its tunnel using TLS — the same cryptographic machinery that secures HTTPS — typically with AES-256 encryption negotiated between client and server. It runs in two modes: UDP (faster, the default) and TCP (slower but more reliable on lossy or filtered networks).

Its enduring superpower

  • TCP port 443 camouflage: run over TCP on port 443, OpenVPN traffic travels on the same port as all HTTPS browsing, making it awkward for firewalls to block without breaking the web. On networks that kill WireGuard's UDP outright — hotels, offices, censored regions — OpenVPN TCP often connects where nothing else will.
  • Configurability: ciphers, ports, compression, and routing are all adjustable, which suits unusual deployments (and explains its complexity).
  • Universality: ancient routers, enterprise appliances, and every VPN app on earth speak it.

The trade-off

OpenVPN's user-space processing and protocol overhead make it measurably slower than WireGuard, with slower handshakes and reconnections. Its massive codebase is also harder to audit exhaustively, though its long history of scrutiny compensates in practice.

When to reach for it

Use WireGuard by default; switch to OpenVPN TCP 443 when a network blocks UDP or filters VPN traffic. Think of it as the reliable all-terrain fallback in your protocol toolkit.

Examples

  • A traveler whose hotel Wi-Fi blocks UDP connects via OpenVPN over TCP port 443 and gets online.
  • An enterprise site-to-site tunnel built on OpenVPN runs untouched for years on legacy router hardware.
  • A user compares protocols on the same server: WireGuard is faster, but OpenVPN is the only one that connects at their office.

Common use cases

Firewall-hostile networksLegacy device supportEnterprise tunnelsFallback connectivity

FAQs

Yes — not as your default (WireGuard is faster), but as the fallback that connects when networks block UDP or filter VPN traffic. Its TCP port 443 mode blends with HTTPS in ways WireGuard cannot.

UDP by default — it's faster and handles packet timing better. Switch to TCP when UDP is blocked or the network is so lossy that UDP tunnels keep dropping; TCP's reliability then outweighs its overhead.

Yes, when configured with modern settings (TLS with AES-256 or ChaCha20). It has twenty years of audits and real-world attack pressure behind it. Weak configurations are possible given its flexibility, but commercial VPN apps handle this correctly.

Related terms