OpenVPN vs WireGuard, IKEv2, Shadowsocks — Comparison 2026

When I started figuring out VPN protocols ten years ago, the choice was simple: OpenVPN — end of story. Now everything is different. It's March 2026, Roskomnadzor is tightening screws through TSPU, and there are so many protocols that your head spins. OpenVPN vs WireGuard, IKEv2, VLESS, Shadowsocks, AmneziaWG — what really works and what is already dead?

I spent the last few months testing different protocols under real conditions with Russian ISPs. This article is the result. Without marketing fluff, with concrete numbers and task-specific recommendations.

What is OpenVPN and why it is compared with other protocols

OpenVPN appeared in 2001. Over 25 years it became the de facto standard — supported by routers, corporate networks, almost all VPN providers. The protocol is open source, audited many times, uses the OpenSSL library for encryption.

But any long-lived solution has a problem: it's been studied too well. And not just by security researchers — but by DPI systems too.

How OpenVPN works: UDP and TCP modes

OpenVPN can work in two modes. UDP — faster, lower overhead, suitable for streaming and gaming. TCP — slower, but can masquerade as regular HTTPS traffic on port 443. TCP mode was long the lifesaver for bypassing blocks.

Architecturally, OpenVPN runs in userspace — not in the kernel. This means additional context switches when processing each packet. On a powerful computer you won't notice the difference. On a router with MIPS processor and 128 MB RAM — you'll hit a ceiling of 5-10 Mbps.

Why OpenVPN was the standard — and what changed by 2026

OpenVPN held the crown for three reasons: open source code, configuration flexibility, support on any device. Alternatives simply didn't exist — IPsec was complex, L2TP was flawed, PPTP was dead.

What changed? First, in 2018 WireGuard appeared — faster, simpler, more modern. Second, TSPU learned to detect OpenVPN even over TCP 443: the protocol has a distinctive TLS-handshake that differs from normal browser traffic. Third, protocols like VLESS+Reality appeared, specifically designed to bypass DPI. OpenVPN vs modern alternatives — this is no longer an obvious choice.

OpenVPN vs WireGuard: speed, security, blocking bypass

This is the main rivalry, and the difference here is not cosmetic. WireGuard is a fundamentally different approach to VPN. About 4,000 lines of code versus roughly 100,000 for OpenVPN. Runs in the Linux kernel. Uses modern cryptography (ChaCha20, Curve25519) with no choice of alternatives — and that's a plus, not a minus.

Speed test: OpenVPN UDP vs WireGuard on a real channel

I tested on a 500 Mbps channel (Rostelecom, Moscow) with a server in the Netherlands. Results:

WireGuard is faster than OpenVPN UDP by about 40-50%. OpenVPN TCP mode is even slower due to double encapsulation: TCP within TCP creates retransmission problems. On gigabit channels the gap is even more noticeable.

Battery consumption on Android and iPhone

On mobile devices WireGuard wins even more convincingly. The reason — it doesn't maintain a constant connection, but sends keepalive packets every 25 seconds. OpenVPN maintains a TLS session continuously.

In my tests on Samsung Galaxy S24 over 8 hours: WireGuard consumed 3% battery, OpenVPN UDP — 7%, OpenVPN TCP — 9%. On iPhone 15 the numbers are similar. If VPN runs all day — the