- WireGuard offers the best performance and the simplest configuration. Its minimal codebase reduces the attack surface. Limitation: dynamic IP assignment and central management require additional tools.
- OpenVPN is the proven all-rounder with maximum flexibility and compatibility. It runs on every operating system and can be adapted to almost any requirement. Downside: complex configuration and lower performance than WireGuard.
- IPsec (IKEv2) is the standard for site-to-site VPNs and natively integrated into most operating systems. It offers strong encryption and good performance but is difficult to debug.
- For remote access VPN (home office, mobile working), WireGuard is the recommendation for new installations. For site-to-site connections between locations, IPsec is the established standard.
- Regardless of protocol: MFA is mandatory. A VPN connection protected only by username and password is an invitation for attackers.
Why you need a corporate VPN
A Virtual Private Network (VPN) creates an encrypted tunnel between the user's device and the corporate network. All traffic through the tunnel is protected from eavesdropping and manipulation, regardless of whether the user is in their home office, a hotel Wi-Fi or on a train.
With the growing prevalence of remote working, cloud services and distributed locations, a VPN is indispensable for most SMEs. ISO/IEC 27001:2022 requires the protection of remote access to corporate resources in Annex A controls 8.20 (Networks security) and 6.7 (Remote working).
The central question is not whether you need a VPN, but which VPN protocol and architecture suit your company.
VPN types: remote access vs. site-to-site
Remote access VPN
Connects individual devices (laptops, smartphones) to the corporate network. Typical use case: an employee working from home accesses the file server and ERP system via VPN.
Site-to-site VPN
Permanently connects two or more locations. Typical use case: headquarters and branch office share a common IT infrastructure. The tunnel is permanent and established automatically.
Cloud VPN / SASE
Connects users via a cloud service to the corporate network and/or cloud applications. Typical providers: Cloudflare WARP, Zscaler Private Access, Tailscale. These solutions move the VPN endpoint to the cloud and combine VPN with zero-trust principles.
WireGuard: modern minimalism
WireGuard was developed in 2015 by Jason Donenfeld and incorporated into the Linux kernel in 2020. It is the youngest of the three protocols and was built from the ground up with the goal of making VPN connections as simple and secure as possible.
Technical fundamentals
Cryptography: WireGuard uses a fixed set of modern primitives, combined through the Noise protocol framework: Curve25519 for key agreement, ChaCha20-Poly1305 as the authenticated cipher for the data channel, BLAKE2s for hashing and HKDF for key derivation. Peers are authenticated by their static Curve25519 keys, not by certificates. There is no cipher negotiation and no option for other algorithms, which rules out downgrade attacks and reduces the attack surface.
Codebase: The WireGuard kernel module comprises approximately 4,000 lines of code. For comparison: OpenVPN has over 100,000 lines, IPsec implementations several hundred thousand. Less code means fewer potential vulnerabilities and easier auditability.
UDP-based: WireGuard uses UDP exclusively. There is no TCP mode. This has performance advantages (no TCP-over-TCP problem) but can cause connectivity issues in networks that block UDP (some corporate firewalls, hotel Wi-Fi).
Roaming: WireGuard supports seamless roaming. When a client changes IP address (e.g. from Wi-Fi to mobile data), the tunnel persists because WireGuard identifies the peer by its cryptographic key, not by IP address.
Strengths
- Best performance of all three protocols (significantly higher throughput, lower latency)
- Minimal attack surface due to small codebase
- Simple configuration (one configuration file per peer)
- Seamless roaming between networks
- Fast connection establishment (under one second)
- Integrated into the Linux kernel (highest performance on Linux servers)
- Natively available on all major platforms: Windows, macOS, Linux, iOS, Android
Weaknesses
- No dynamic IP assignment in the standard (each peer gets a statically configured IP)
- No integrated authentication against Active Directory or RADIUS (requires additional tools)
- No TCP fallback (problems in restrictive networks)
- Logging is intentionally minimal (privacy by design, but harder for auditing and troubleshooting)
- Enterprise features (MFA, central management, dynamic policies) require add-on solutions
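The two weaknesses that bite first in practice are static addressing and the fact that the server's AllowedIPs is a source-address filter (cryptokey routing), not an access policy. As an added example (not from the article and not WireGuard project code), the following Python script does what a small management layer does underneath: it allocates a fixed /32 per peer from a pool, renders the server file with one AllowedIPs entry per key, and renders client files whose AllowedIPs selects split or full tunnel. The pool 10.8.0.0/24, the corporate ranges, the endpoint vpn.example.com:51820 and the keys are constructed placeholders; real keys come from `wg genkey` / `wg pubkey`, and a client's private key should be generated on the device rather than by a central script. The DNS line assumes the gateway runs a resolver for internal names.

```python
import base64
import ipaddress
from dataclasses import dataclass

# Constructed values: pool, internal ranges and public endpoint are placeholders.
POOL = ipaddress.ip_network("10.8.0.0/24")
CORP_NETS = ["10.0.0.0/16", "192.168.100.0/24"]
ENDPOINT = "vpn.example.com:51820"


def dummy_key(seed: int) -> str:
    """Constructed 32-byte key in WireGuard's base64 form, so the example runs
    offline. Real keys come from `wg genkey` / `wg pubkey`."""
    return base64.b64encode(bytes([seed % 256]) * 32).decode()


def is_wg_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes (Curve25519); reject anything else early."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


@dataclass(frozen=True)
class Peer:
    name: str
    public_key: str


def allocate(peers):
    """Static addressing: WireGuard has no DHCP. The first host address is the
    gateway; each peer gets a fixed /32 from the pool, in list order."""
    hosts = POOL.hosts()
    gateway = next(hosts)
    return gateway, {p.name: next(hosts) for p in peers}


def render_server(server_private_key: str, peers) -> str:
    gateway, assigned = allocate(peers)
    lines = ["[Interface]", f"Address = {gateway}/{POOL.prefixlen}",
             "ListenPort = 51820", f"PrivateKey = {server_private_key}", ""]
    for p in peers:
        if not is_wg_key(p.public_key):
            raise ValueError(f"{p.name}: invalid public key")
        lines += ["[Peer]", f"# {p.name}", f"PublicKey = {p.public_key}",
                  # Cryptokey routing: packets from this key are accepted only if
                  # their source is this /32, and only this /32 is routed back to it.
                  # Which services the /32 may reach is the firewall's job, not WireGuard's.
                  f"AllowedIPs = {assigned[p.name]}/32", ""]
    return "\n".join(lines)


def render_client(peer: Peer, peer_private_key: str, server_public_key: str,
                  peers, full_tunnel: bool = False) -> str:
    gateway, assigned = allocate(peers)
    # Client-side AllowedIPs decides which destinations enter the tunnel:
    # everything (full tunnel) or only the corporate ranges (split tunnel).
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else ", ".join(CORP_NETS)
    return "\n".join([
        "[Interface]", f"Address = {assigned[peer.name]}/32",
        f"PrivateKey = {peer_private_key}",
        f"DNS = {gateway}",  # assumption: the gateway resolves internal names
        "",
        "[Peer]", f"PublicKey = {server_public_key}",
        f"Endpoint = {ENDPOINT}", f"AllowedIPs = {allowed}",
        # Behind NAT the client must keep the mapping alive so the server can still
        # reach it. Roaming itself needs no setting: the server updates the endpoint
        # from the source address of the last authenticated packet.
        "PersistentKeepalive = 25", ""])


if __name__ == "__main__":
    peers = [Peer("alice-laptop", dummy_key(2)), Peer("bob-phone", dummy_key(3))]
    print(render_server(dummy_key(1), peers))
    print(render_client(peers[1], dummy_key(4), dummy_key(9), peers))
```

Two things to note when reading the output: the server file never contains a client private key, and the server-side AllowedIPs says nothing about which servers a peer may talk to. Least-privilege access for WireGuard is enforced with a packet filter on the gateway keyed on the peer's /32.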
WireGuard in enterprise deployment
WireGuard alone is a VPN protocol, not a VPN product. For enterprise deployment, you need a management layer on top. Options:
- Tailscale: Mesh VPN based on WireGuard with central management, SSO integration and ACLs. Very easy setup.
- Headscale: Open-source alternative to Tailscale that you can self-host.
- Netbird: Open-source WireGuard-based mesh VPN with web UI and identity provider integration.
- Firezone: Open-source WireGuard gateway with web UI, OIDC integration and policies.
OpenVPN: the proven all-rounder
OpenVPN has existed since 2001 and is the most widely used open-source VPN protocol. It is extremely flexible, runs on virtually every operating system and can be adapted to almost any requirement.
Technical fundamentals
Cryptography: OpenVPN is based on the OpenSSL library and supports a broad range of encryption algorithms: AES-256-GCM (recommended), AES-256-CBC, ChaCha20-Poly1305. Key exchange occurs via TLS with configurable cipher suites.
Transport: OpenVPN supports both UDP (recommended for performance) and TCP (for restrictive networks). In TCP mode OpenVPN can listen on port 443, which gets it through port-based filters that only allow HTTPS out. It is not indistinguishable from HTTPS, though: OpenVPN's packet framing is easy to fingerprint with deep packet inspection, so TCP 443 is a fallback for hotel and guest networks, not a way to hide the VPN from a determined middlebox.
Authentication: OpenVPN natively supports: certificates (PKI), username/password, LDAP/Active Directory (via plugin), RADIUS (via plugin), multi-factor authentication (via plugin or PAM).
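Because the wide option space is where OpenVPN deployments go wrong, here is an added example (written for this article, not OpenVPN project code) of a small audit script: a constructed weak server.conf next to a hardened one, and a checker that flags the settings that matter for this section (64-bit block ciphers, SHA1 HMAC, compression, an unprotected control channel, no TLS floor, no EKU check, and certificate-only login with no second factor). The directive names are real OpenVPN 2.5/2.6 directives; the PAM plugin path is an assumption for a Debian-style install, and the plugin heuristic only looks at the plugin filename.

```python
"""Audit an OpenVPN server config for the weak settings discussed above.
Both configs are constructed for the example."""

WEAK_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
auth SHA1
comp-lzo
server 10.9.0.0 255.255.255.0
"""

HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# ECDHE only, no static DH parameters
dh none
# authenticate and encrypt the control channel with a pre-shared key
tls-crypt tc.key
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
# client certificates must carry the clientAuth EKU
remote-cert-tls client
verify-client-cert require
# second factor (password/OTP) via PAM; plugin path assumed for a Debian-style install
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
server 10.9.0.0 255.255.255.0
"""

WEAK_CIPHER_PREFIXES = ("BF-", "DES-", "DESX-", "RC2-", "CAST5-", "NONE")
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse(text: str) -> dict:
    """Map each directive to its arguments (last occurrence wins), skipping
    comment lines and inline <ca>...</ca> style blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if inline:                      # inside <tag> ... </tag>: not directives
            inline = None if line == f"</{inline}>" else inline
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def first(d: dict, name: str, default: str) -> str:
    return (d.get(name) or [default])[0]


def audit(text: str) -> set:
    d = parse(text)
    findings = set()
    ciphers = [c.upper() for c in
               ":".join(d.get("cipher", []) + d.get("data-ciphers", [])).split(":") if c]
    for c in ciphers:
        if c.startswith(WEAK_CIPHER_PREFIXES):
            findings.add("weak-cipher")        # 64-bit block ciphers (SWEET32) or no encryption
        elif c not in AEAD_CIPHERS:
            findings.add("non-aead-cipher")    # CBC works, but GCM/ChaCha20 is the recommendation
    if first(d, "auth", "SHA1").upper() in ("MD5", "SHA1", "NONE"):
        findings.add("weak-auth-digest")       # SHA1 is also OpenVPN's default when unset
    if "comp-lzo" in d or first(d, "compress", "stub") not in ("stub", "stub-v2"):
        findings.add("compression")            # compression + attacker-chosen plaintext (VORACLE)
    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.add("no-tls-crypt")           # control channel open to unauthenticated packets
    if float(first(d, "tls-version-min", "0")) < 1.2:
        findings.add("no-tls-version-min")
    if first(d, "remote-cert-tls", "") != "client":
        findings.add("no-remote-cert-tls")
    if first(d, "verify-client-cert", "require") != "require" or "client-cert-not-required" in d:
        findings.add("client-cert-optional")
    second_factor = "auth-user-pass-verify" in d or any(
        "auth" in a or "radius" in a for a in d.get("plugin", []))   # heuristic on plugin name
    if not second_factor:
        findings.add("no-second-factor")       # certificate only: no MFA
    return findings
```

Run it against your own server.conf before and after a change; an empty result means none of the checks above fired, not that the configuration is correct in every respect (firewall rules, PKI hygiene and client configs are out of scope).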
Strengths
- Maximum flexibility in configuration and deployment
- TCP mode as fallback for restrictive networks
- Broad support by firewalls and appliances
- Companion PKI tooling (easy-rsa) for issuing and revoking client certificates
- Granular access control via client-specific configurations
- Extensive logging and monitoring
- Huge community and extensive documentation
Weaknesses
- Lower performance than WireGuard (userspace implementation, TLS overhead; the Data Channel Offload (DCO) kernel driver available since OpenVPN 2.6 narrows the gap)
- Complex configuration with many options (error-prone)
- Older codebase with larger attack surface
- Client software not optimal on some platforms (particularly the Windows client)
- Split tunnelling and routing can become complex
OpenVPN Access Server
For companies that prefer a turnkey solution, OpenVPN Inc. offers the OpenVPN Access Server. It combines the OpenVPN server with a web UI for management, integrated user management, LDAP/AD integration and MFA support. The Access Server is paid (per user) but significantly simplifies administration.
IPsec (IKEv2): the industry standard
IPsec (Internet Protocol Security) is a collective term for several protocols that operate at the network layer (Layer 3) and encrypt and authenticate IP packets. IKEv2 (Internet Key Exchange Version 2) is the current key exchange protocol within IPsec.
Technical fundamentals
Architecture: IPsec consists of two main protocols: AH (Authentication Header) for authentication without encryption and ESP (Encapsulating Security Payload) for encryption and authentication. In practice, ESP is used almost exclusively. IKEv2 negotiates the keys and security parameters.
Operating modes: IPsec has two modes: transport mode (only the payload is encrypted, the IP header remains unchanged) and tunnel mode (the entire IP packet is encrypted and wrapped in a new IP packet). Tunnel mode is used for VPNs.
Cryptography: IPsec supports a broad range of algorithms. Recommended: AES-256-GCM for ESP (an AEAD cipher, so no separate ESP integrity algorithm is configured), SHA-384 or SHA-512 as the IKEv2 PRF and integrity algorithm, and Diffie-Hellman group 19 or 20 (ECP-256/ECP-384) for key exchange and perfect forward secrecy. Avoid 3DES, MD5, SHA-1 and MODP groups below 2048 bits, which older appliances still offer in their default proposals.
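Proposals are where the recommendation above gets mistyped: an AEAD cipher paired with an integrity algorithm, an IKE proposal with AEAD but no PRF, or a strong first proposal followed by a weak fallback that the peer can still negotiate. As an added example (not strongSwan code), this Python checker parses proposal strings in strongSwan's keyword syntax (the form used in swanctl.conf `proposals` and `esp_proposals`) and reports weak or inconsistent choices. The keyword tables cover the common algorithm names; anything else is reported as unknown rather than guessed.

```python
"""Check strongSwan-style IKEv2/ESP proposal strings. Added example; the
keyword spellings follow strongSwan's proposal syntax."""

AEAD = {"aes128gcm16", "aes192gcm16", "aes256gcm16", "aes128gcm128", "aes192gcm128",
        "aes256gcm128", "aes128gcm8", "aes256gcm8", "aes128gcm12", "aes256gcm12",
        "chacha20poly1305"}
CIPHERS = AEAD | {"aes128", "aes192", "aes256", "camellia128", "camellia256",
                  "3des", "des", "null"}
WEAK_CIPHERS = {"3des", "des", "null"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
WEAK_INTEGRITY = {"md5", "sha1"}
PRFS = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc"}
WEAK_PRFS = {"prfmd5", "prfsha1"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
      "modp6144", "modp8192", "ecp192", "ecp224", "ecp256", "ecp384", "ecp521",
      "curve25519", "x25519", "curve448", "x448"}
WEAK_DH = {"modp768", "modp1024", "modp1536", "ecp192", "ecp224"}


def check_proposal(proposal: str, kind: str) -> list:
    """Return (finding, token) pairs for one proposal; kind is 'ike' or 'esp'."""
    tokens = proposal.lower().split("-")
    findings = []
    ciphers = [t for t in tokens if t in CIPHERS]
    integ = [t for t in tokens if t in INTEGRITY]
    prfs = [t for t in tokens if t in PRFS]
    dh = [t for t in tokens if t in DH]
    for t in tokens:
        if t not in CIPHERS | INTEGRITY | PRFS | DH:
            findings.append(("unknown-token", t))
    findings += [("weak-cipher", t) for t in ciphers if t in WEAK_CIPHERS]
    findings += [("weak-integrity", t) for t in integ if t in WEAK_INTEGRITY]
    findings += [("weak-prf", t) for t in prfs if t in WEAK_PRFS]
    findings += [("weak-dh", t) for t in dh if t in WEAK_DH]
    if not ciphers:
        findings.append(("missing-cipher", proposal))
    aead = any(c in AEAD for c in ciphers)
    if aead and integ:
        # AEAD already authenticates the payload; a separate integrity algorithm is redundant.
        findings.append(("integrity-with-aead", integ[0]))
    if not aead and not integ:
        findings.append(("missing-integrity", proposal))
    if kind == "ike":
        if aead and not prfs:
            # Without an integrity algorithm IKE cannot derive the PRF, so it must be explicit.
            findings.append(("missing-prf", proposal))
        if not dh:
            findings.append(("missing-dh", proposal))
    elif kind == "esp" and not dh:
        findings.append(("no-pfs", proposal))   # no DH group in ESP: no forward secrecy on rekey
    return findings


def check_connection(ike_proposals: str, esp_proposals: str) -> list:
    """strongSwan accepts comma-separated proposal lists. Every entry is
    negotiable, so a weak fallback behind a strong first choice still allows a
    downgrade; each entry is checked on its own."""
    out = []
    for kind, plist in (("ike", ike_proposals), ("esp", esp_proposals)):
        for p in plist.split(","):
            p = p.strip()
            out += [(f"{kind}:{p}",) + f for f in check_proposal(p, kind)]
    return out
```

The article's recommendation, written as proposals, is `aes256gcm16-prfsha384-ecp384` for IKE and `aes256gcm16-ecp384` for ESP; both pass the checker. The same recommendation written as `aes256gcm16-sha384-ecp384` for IKE does not, which is the kind of error the "difficult to debug" reputation comes from.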
Strengths
- Natively integrated into most operating systems (Windows, macOS, iOS, Android), no additional client needed
- Excellent performance (kernel-level implementation on most platforms)
- The industry standard for site-to-site VPNs
- Supported by every enterprise firewall (FortiGate, Palo Alto, Cisco, Sophos)
- IKEv2 supports MOBIKE (seamless roaming between networks)
- Extensive standardisation by IETF (RFCs)
Weaknesses
- Complex configuration and troubleshooting (IKE negotiation, proposals, selectors)
- Interoperability issues between different vendors
- UDP ports 500 and 4500 must be open, plus IP protocol 50 (ESP) when there is no NAT on the path; some networks block them
- NAT traversal works in the common case (NAT-T encapsulates ESP in UDP 4500), but NAT on both ends of a site-to-site tunnel and middleboxes that expire idle UDP mappings are recurring failure cases; dead peer detection and keepalives are required
- Configuration syntax varies significantly between implementations
IKEv2 for remote access
IKEv2 has established itself as a remote access VPN protocol, particularly because it is natively integrated into Windows, macOS, iOS and Android. The advantage: no additional VPN client needs to be installed. The disadvantage: native integration often offers fewer configuration options than a dedicated client.
Typical setup: strongSwan as the IKEv2 VPN server on Linux, authentication via EAP-MSCHAPv2 (against Active Directory) or EAP-TLS (certificates), native VPN client on the devices. Caveat: EAP-MSCHAPv2 is a password-only method, and its safety depends on the client validating the gateway's certificate and CA; a client that does not check it can be lured to a rogue gateway that harvests the MSCHAPv2 exchange, which can be cracked offline. Prefer EAP-TLS with device certificates, or pass EAP through RADIUS so a second factor can be enforced.
The comparison: WireGuard vs. OpenVPN vs. IPsec
| Criterion | WireGuard | OpenVPN | IPsec (IKEv2) |
|---|---|---|---|
| Performance | Very high | Medium | High |
| Configuration effort | Low | High | High |
| Codebase | ~4,000 lines | ~100,000 lines | >200,000 lines |
| Native client needed | Yes (lightweight) | Yes | No (OS-integrated) |
| TCP fallback | No | Yes | No (UDP 500/4500) |
| AD/LDAP integration | Via add-on tools | Via plugin (LDAP, RADIUS) | Via EAP (EAP-MSCHAPv2, RADIUS) |
| MFA integration | Via add-on tools | Plugin (PAM, RADIUS) | EAP-TLS, RADIUS |
| Site-to-site | Possible but uncommon | Possible | Standard |
| Roaming | Excellent | Limited | Good (MOBIKE) |
| Audit logging | Minimal | Extensive | Extensive |
| NAT traversal | No issues (UDP) | No issues | Works (NAT-T), with edge cases |
| Restrictive networks | May fail (UDP only) | TCP 443 as fallback | May fail |
Recommendation by use case
Remote access for home office and mobile working
Recommendation: WireGuard (with a management layer like Tailscale, Firezone or Netbird)
WireGuard offers the best user experience for remote employees: fast connection establishment, seamless roaming when switching between Wi-Fi and mobile data, high performance even with large files. With a management layer like Tailscale or Firezone, you get the enterprise features (SSO, MFA, policies) that WireGuard alone does not provide.
Alternative: OpenVPN Access Server, if you need maximum compatibility (restrictive networks, older clients) or if your existing firewall already integrates OpenVPN.
Site-to-site connection between locations
Recommendation: IPsec (IKEv2)
IPsec is the industry standard for site-to-site VPNs and is supported by every enterprise firewall. If you need to set up a connection between two FortiGate firewalls or between a FortiGate and a Sophos XGS, IPsec is the natural choice.
Access for external contractors
Recommendation: OpenVPN or WireGuard with time-limited credentials
External contractors often need short-term, restricted access. With OpenVPN, the PKI (easy-rsa or openssl) can issue client certificates with a validity of days rather than years, and a CRL on the server ends access early if needed. WireGuard-based solutions like Firezone offer a portal for temporary access with automatic deactivation.
Security best practices for any VPN
Multi-factor authentication (MFA)
A VPN connection protected only by username and password is a preferred target for attackers. Compromised credentials (through phishing, credential stuffing or dark web leaks) enable direct access to the corporate network.
MFA is not optional but mandatory. Options:
- TOTP (Time-based One-Time Password) via authenticator apps
- Push notifications via authentication apps
- Hardware tokens (YubiKey, FIDO2)
- Certificate-based authentication (EAP-TLS) as an implicit second factor, provided the private key is non-exportable (TPM, Secure Enclave, smart card); a certificate whose key can be copied off the device is not a possession factor
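As an added example of wiring a TOTP second factor into a VPN gateway (written for this article, not OpenVPN project code), the script below implements the contract of OpenVPN's `auth-user-pass-verify <script> via-file` directive (which also requires `script-security 2`): OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and accepts the login if the script exits 0. The user appends the 6-digit code to the password. The user record, salt and password are constructed; the TOTP seed is the RFC 6238 test key so the codes can be checked against the RFC's vectors. A real deployment reads user records from a store and must persist the replay cache across restarts, which the in-memory dictionary here does not.

```python
"""Password + TOTP verifier for OpenVPN `auth-user-pass-verify ... via-file`.
Added example; user data below is constructed."""
import hashlib
import hmac
import struct
import sys
import time

STEP = 30
DIGITS = 6
ITERATIONS = 100_000

# Constructed user store. The TOTP seed is the RFC 6238 test key.
USERS = {
    "alice": {
        "salt": b"example-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"example-salt", ITERATIONS),
        "totp_seed": b"12345678901234567890",
    },
}
_last_step = {}   # user -> last accepted time step; blocks replay of a captured code


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step)


def verify(user: str, secret: str, now: int, window: int = 1) -> bool:
    """Check password + TOTP. Accepts codes from the neighbouring time steps (clock
    drift) but never a step at or before the last successful one (replay)."""
    rec = USERS.get(user)
    if rec is None or len(secret) <= DIGITS:
        return False
    password, code = secret[:-DIGITS], secret[-DIGITS:]
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS),
        rec["pw_hash"])
    step = now // STEP
    for candidate in range(step - window, step + window + 1):
        if candidate <= _last_step.get(user, -1):
            continue
        if hmac.compare_digest(hotp(rec["totp_seed"], candidate), code) and pw_ok:
            _last_step[user] = candidate
            return True
    return False


def main(path: str) -> int:
    """OpenVPN entry point: read the via-file, map the verdict to the exit code."""
    with open(path, encoding="utf-8") as f:
        user = f.readline().rstrip("\n")
        secret = f.readline().rstrip("\n")
    return 0 if verify(user, secret, int(time.time())) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

The replay cache is the part most home-grown verifiers leave out: without it, a code phished or shoulder-surfed within its 30-second window can be used a second time from another machine. The window of one step on each side tolerates about 30 seconds of clock drift; if you need more, fix the clocks rather than widening the window.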
Split tunnelling vs. full tunnelling
Full tunnelling: All client traffic runs through the VPN tunnel, including internet access. Advantage: full control, DNS filtering and content filtering apply even in the home office. Disadvantage: higher load on the VPN gateway, slower internet access for the user.
Split tunnelling: Only traffic to the corporate network runs through the tunnel. Internet access goes directly to the internet. Advantage: better performance, less load on the VPN gateway. Disadvantage: the user's internet access is not filtered by the corporate firewall, and name resolution for internal hosts must still be steered through the tunnel (split DNS), otherwise internal names are sent to the public resolver and fail or leak.
Recommendation: Full tunnelling as the default, with exceptions for bandwidth-intensive cloud services (Microsoft 365, video conferencing) that can be connected directly (inverse split tunnelling).
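Inverse split tunnelling has a practical wrinkle on WireGuard: AllowedIPs has no "exclude" keyword, so "everything except these prefixes" has to be enumerated as the complement. As an added example (not from the article or any VPN project), this Python function computes that complement from a default route and a list of exceptions, collapses it to the minimal prefix set, and renders it as an AllowedIPs line. The exception prefixes are constructed documentation ranges standing in for the cloud provider's published endpoint list, not real Microsoft 365 prefixes. On OpenVPN the same effect is reached by pushing `route <net> <mask> net_gateway` for each exception instead.

```python
"""Compute the route set for inverse split tunnelling: everything through the
tunnel except listed exceptions. Added example; prefixes are constructed."""
import ipaddress

EXCEPTIONS = ["203.0.113.0/24", "198.51.100.0/25"]   # constructed "direct to cloud" prefixes


def tunnel_routes(exceptions, defaults=("0.0.0.0/0", "::/0")):
    """Return the networks covering every address in `defaults` except those in
    `exceptions`, collapsed to the minimal set of prefixes per address family."""
    routes = []
    for default in map(ipaddress.ip_network, defaults):
        remaining = [default]
        for ex in map(ipaddress.ip_network, exceptions):
            if ex.version != default.version:
                continue
            nxt = []
            for net in remaining:
                if ex.subnet_of(net):
                    nxt.extend(net.address_exclude(ex))   # split net around ex
                elif not net.subnet_of(ex):
                    nxt.append(net)                        # untouched; dropped if ex swallows net
            remaining = nxt
        routes.extend(ipaddress.collapse_addresses(remaining))
    return routes


def covers(routes, address) -> bool:
    """True if the address would be sent into the tunnel."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in routes)


def allowed_ips_line(routes) -> str:
    """The same list in WireGuard syntax. Its length is the price of inverse
    split tunnelling on WireGuard: each exception adds up to one entry per prefix bit."""
    return "AllowedIPs = " + ", ".join(str(n) for n in routes)


if __name__ == "__main__":
    r = tunnel_routes(EXCEPTIONS)
    print(len(r), "prefixes")
    print(allowed_ips_line(r))
```

The check to run after generating the list is the one `covers()` does: an address inside an exception must resolve to "not in tunnel", an address just outside it (198.51.100.200 here, beyond the /25) must still be tunnelled, and the total covered address count must equal the full space minus the exceptions. Regenerate the list whenever the provider's endpoint list changes; a stale list silently routes new cloud prefixes through the gateway.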
Kill switch
A kill switch blocks all network traffic when the VPN connection drops unexpectedly. Without a kill switch, the client sends unencrypted traffic to the internet for the duration of reconnection, which poses a security risk in untrusted networks (public Wi-Fi).
Most VPN clients support a kill switch. Ensure it is activated, especially for employees who regularly work in public networks.
Least-privilege access
Not every VPN user needs access to all resources. Define per user group in accordance with your authorisation concept which network segments and services the VPN access is authorised for:
- IT administration: access to management VLAN and server zone
- Accounting: access to the ERP system and file server
- Sales: access to CRM and email
- External contractors: access only to the specific system they need to maintain
Logging and monitoring
Log all VPN connections and authentication failures: who connected when, from which IP address, for how long and with how much traffic, and which logins were rejected (a burst of failures against many usernames is credential stuffing). In ISMS Lite, you can document your VPN policy as a control and traceably record the access rules per user group. Monitor unusual patterns: connections outside business hours, connections from unusual countries, unusually high data volumes.
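The three patterns named above are simple enough to check with a few lines of code once the gateway's logs are normalised. As an added example (not from the article, not tied to any gateway's real log format), the Python below parses a constructed connection log and raises an alert for off-hours connections, a country the user has not been seen from before, and sessions over a volume threshold. The log format, the business-hours window (07:00 to 19:59 UTC on weekdays), the 5 GB threshold and the per-user country baseline are all assumptions; in production the baseline comes from the previous weeks of the same log.

```python
"""Scan VPN connection records for off-hours logins, new countries and large
transfers. Added example; the log format and every line are constructed."""
import re
from datetime import datetime, timezone

LOG = """\
2024-03-11T08:02:11Z connect user=alice src=198.51.100.23 country=DE bytes=52000000
2024-03-11T09:15:40Z connect user=bob src=198.51.100.77 country=DE bytes=8100000
2024-03-11T18:47:02Z connect user=alice src=198.51.100.23 country=DE bytes=61000000
2024-03-12T03:41:05Z connect user=alice src=203.0.113.9 country=RO bytes=12000000
2024-03-12T10:30:00Z connect user=bob src=198.51.100.77 country=DE bytes=9100000000
"""

LINE = re.compile(r"(?P<ts>\S+) connect user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"country=(?P<country>\S+) bytes=(?P<bytes>\d+)")
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 UTC, assumed
VOLUME_LIMIT = 5 * 10**9                       # 5 GB per session, assumed threshold
BASELINE = {"alice": {"DE"}, "bob": {"DE"}}    # countries seen recently per user (constructed)


def parse_log(text):
    """Yield one dict per well-formed record; malformed lines are skipped here,
    a production parser should count them so a format change is noticed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["bytes"] = int(rec["bytes"])
        yield rec


def detect(text, baseline=BASELINE):
    """Return (rule, user, timestamp) triples for every record that trips a rule.
    A user missing from the baseline trips new-country on every record, which is
    the right default for an account nobody expected to see on the VPN."""
    alerts = []
    for r in parse_log(text):
        ts = r["ts"].isoformat()
        if r["ts"].hour not in BUSINESS_HOURS or r["ts"].weekday() >= 5:
            alerts.append(("off-hours", r["user"], ts))
        if r["country"] not in baseline.get(r["user"], set()):
            alerts.append(("new-country", r["user"], ts))
        if r["bytes"] > VOLUME_LIMIT:
            alerts.append(("high-volume", r["user"], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

Two alerts on one record (the 03:41 connection from a new country) is the case worth paging on; a single off-hours login by itself is usually an employee with a deadline. Feed the triples into whatever ticketing or SIEM you already have rather than building a second console around this script.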
Further reading
- Firewall configuration for SMEs: rules, zones and best practices
- Secure remote working: protecting home office and mobile working
- Implementing MFA: multi-factor authentication in the enterprise
- Wi-Fi security in the enterprise: WPA3, 802.1X and guest networks
- Zero trust for mid-market companies: principles and practical implementation
The choice of VPN protocol is a technical decision, but the security of VPN access is an organisational one. The best protocol is useless if access is not protected by MFA, if access rights are too broad, or if nobody monitors the connection logs. Protocol, configuration and operations must work together.
