What is a VPN?

A Virtual Private Network (VPN) allows you to securely connect devices over the Internet as if they were on the same private network. VPNs protect your data with encryption and can help link remote offices, mobile users, or individual devices safely. IPFire supports three popular VPN technologies — IPsec, WireGuard, and OpenVPN — giving you flexible options to create secure connections tailored to your needs.

Comparison Of VPN Technologies

Overview
  • IPsec: IPsec has been standardised in RFC 7296 and has become the de facto standard protocol for VPNs.
  • WireGuard: WireGuard is a new standard which is designed to be a very lightweight VPN.
  • OpenVPN: OpenVPN is built on top of SSL/TLS for key exchange and is widely available across all operating systems.

Encryption
  • IPsec: A large number of ciphers is available.
  • WireGuard: WireGuard uses a hard-coded, modern cipher suite using ChaCha20, Curve25519, BLAKE2, SipHash24 and HKDF.
  • OpenVPN: OpenVPN uses OpenSSL to implement its encryption.

Security
  • IPsec: There are no known vulnerabilities in this protocol.
  • WireGuard: WireGuard has not yet seen the vetting that other protocols have received, but has a very small code base which allows easier audits.
  • OpenVPN: There are no known vulnerabilities in this protocol.

Speed
  • IPsec: With modern ciphers, IPsec is one of the fastest options around.
  • WireGuard: Due to low overhead and fast cryptographic primitives, WireGuard is very fast, even on weaker devices.
  • OpenVPN: Implemented in user space, OpenVPN is significantly slower than its competitors.

Compatibility
  • IPsec: Every appliance that supports VPN will support IPsec. It is the de facto implementation in the industry and IPFire is highly compatible with all of them. There are built-in clients in many operating systems like Windows, macOS/iOS and Android.
  • WireGuard: WireGuard has very good client applications available for all major operating systems. In the enterprise world, it is rarely found.
  • OpenVPN: OpenVPN is compatible with all major operating systems as it is implemented as a user-space application.

Verdict
  • IPsec: IPsec is an excellent choice for any application. It is extremely fast, secure and reliable. It is built into many appliances and therefore never a bad choice.
  • WireGuard: WireGuard is a great choice for very simple VPNs that don't require any complex configuration.
  • OpenVPN: OpenVPN is highly compatible with many platforms, which makes it a great choice for roadwarrior networks.

Benefits

VPNs offer a large number of benefits:

  • End-To-End Encryption - VPNs protect traffic in transit by encapsulating packets inside a cryptographically secure tunnel, mitigating eavesdropping and on-path attacks even across untrusted networks.
  • Network-Layer Authentication - VPN peers mutually authenticate (e.g., via certificates or pre-shared keys), ensuring only authorized endpoints can participate and reducing the attack surface compared to ad-hoc service authentication.
  • Transparent Routing And Policy Control - VPNs create a virtual IP topology independent of underlying networks, enabling secure site-to-site links, dynamic routing, and fine-grained access control without exposing internal infrastructure.

Caveats

On the other hand, VPNs have some caveats as well:

  • Performance Overhead - Encryption, encapsulation, and extra headers introduce CPU load and reduce effective throughput and MTU, which can lead to packet fragmentation if not tuned (e.g., MSS clamping).
  • Single Point Of Failure/Bottleneck - Central VPN gateways concentrate traffic; if they go down or become overloaded, they can disrupt connectivity for many users.
  • Key And Certificate Management - Secure generation, distribution, and rotation of cryptographic material is critical; weak keys, expired certificates, or poor revocation practices can undermine security.
  • Complexity And Misconfiguration Risks - VPNs add layers of routing, firewall rules, and cryptographic settings. Incorrect configuration (e.g., weak ciphers, split tunneling errors) can negate security benefits.
  • Detection And Blocking - Some networks employ deep packet inspection or active probing to detect and throttle or block VPN protocols, which may require obfuscation techniques or alternative ports.
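As an added worked example of the MTU and MSS clamping caveat above (this is not code from the IPFire project), the functions below compute the encapsulated size of an IPv4 packet for IPsec ESP tunnel mode with AES-GCM and for WireGuard, derive the largest inner MTU that still fits a 1500-byte path, and give the matching TCP MSS clamp. Header and padding sizes follow RFC 4303/4106 and the WireGuard protocol description; OpenVPN is left out because its per-packet framing depends on the chosen options.

```python
# Added example: estimate per-packet tunnel overhead so the inner MTU and the
# TCP MSS clamp can be chosen to avoid fragmentation on a 1500-byte path.
# Sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM in ESP) and the WireGuard
# protocol description; they are an estimate, not a measurement.

def esp_tunnel_size(inner_len: int, nat_t: bool = True) -> int:
    """Outer IPv4 size of an ESP tunnel-mode packet carrying an inner IPv4
    packet of inner_len bytes, using AES-GCM (8-byte IV, 16-byte ICV)."""
    # payload + padding + pad-length + next-header must end on a 4-byte boundary
    pad = (-(inner_len + 2)) % 4
    esp = 4 + 4 + 8 + inner_len + pad + 2 + 16      # SPI, seq, IV, ..., ICV
    return 20 + (8 if nat_t else 0) + esp            # outer IPv4 (+ UDP 4500 NAT-T)

def wireguard_size(inner_len: int) -> int:
    """Outer IPv4 size of a WireGuard data message: IPv4 + UDP + 16-byte
    message header + inner packet padded to 16 bytes + 16-byte Poly1305 tag."""
    padded = inner_len + (-inner_len) % 16
    return 20 + 8 + 16 + padded + 16

def max_inner_mtu(size_fn, path_mtu: int = 1500) -> int:
    """Largest inner IPv4 packet whose encapsulation still fits path_mtu."""
    n = path_mtu
    while size_fn(n) > path_mtu:
        n -= 1
    return n

def mss_clamp(inner_mtu: int) -> int:
    """TCP MSS to advertise on the tunnel: inner MTU minus IPv4 and TCP headers."""
    return inner_mtu - 40

def fragments(size_fn, inner_len: int, path_mtu: int = 1500) -> bool:
    """True if an inner packet of inner_len bytes would exceed the path MTU."""
    return size_fn(inner_len) > path_mtu

if __name__ == "__main__":
    tunnels = (("IPsec ESP (AES-GCM, NAT-T)", esp_tunnel_size),
               ("WireGuard", wireguard_size))
    for name, fn in tunnels:
        mtu = max_inner_mtu(fn)
        print(f"{name}: inner MTU {mtu}, clamp TCP MSS to {mss_clamp(mtu)}")
```

The WireGuard result (1440) is the usual IPv4 tunnel MTU; lowering it further does no harm, while leaving the tunnel at 1500 makes full-size packets fragment or get dropped on paths that discard fragments.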

FAQ

Can I run a VPN if I am behind Carrier-Grade NAT (CGNAT)?

Yes, but there will be some limitations. When a VPN connection is being brought up, one party is acting as the client and the other one as the server. The server side will always have to have a public IP address so that the client can initiate a new connection to it. That means that usually, if either endpoint of the VPN has a public IP address, setting up a net-to-net tunnel is possible. A roadwarrior server behind CGNAT is not possible.