Last Updated: May 1, 2025
VPN Types Comparison
| Feature | WireGuard | OpenVPN | IPsec (IKEv2) |
|---|---|---|---|
| Performance | Fastest (kernel) | Moderate (userspace) | Fast (kernel) |
| Codebase | ~4,000 lines | ~70,000+ lines | Large + complex |
| Config simplicity | Very simple (few options) | Moderate | Complex |
| Port | 51820 (UDP default) | 1194 (UDP), 443 (TCP) | 500/4500 (UDP) |
| Roaming | Seamless (stateless) | Needs reconnect | Mobility & Multihoming (MOBIKE) |
| Crypto agility | Single suite (opinionated) | Pluggable (many options) | Negotiable (many suites) |
Split Tunneling
| Item | Description |
|---|---|
| Full tunnel | ALL traffic routes through VPN (secure but slower) |
| Split tunnel | Only corporate traffic through VPN; internet goes direct |
| Split-include | Route specific subnets (10.0.0.0/8) through VPN tunnel |
| Split-exclude | Route everything through VPN EXCEPT specific IPs (streaming) |
| DNS split | Corporate DNS queries through VPN; public DNS uses local resolver |
| Benefit | Reduces VPN bandwidth costs; keeps personal traffic private from employer |
WireGuard Quick Config
| Item | Description |
|---|---|
| `[Interface]` | Define local endpoint: PrivateKey, Address, ListenPort |
| `[Peer]` | Define remote peer: PublicKey, AllowedIPs, Endpoint |
| `wg genkey \| tee privatekey \| wg pubkey > publickey` | Generate WireGuard keypair |
| `wg-quick up wg0` | Bring up WireGuard interface |
| `wg-quick down wg0` | Bring down WireGuard interface |
| `wg show` | Show WireGuard interface status and peers |
| `AllowedIPs = 0.0.0.0/0` | Route all traffic through this peer (full tunnel) |
| `AllowedIPs = 10.0.0.0/8, 192.168.1.0/24` | Split tunnel — only these subnets |
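Added example (not part of the original cheat sheet, and not WireGuard's own code): a small parser for the `[Peer]` sections above plus a model of WireGuard's cryptokey routing, showing why `AllowedIPs` decides split tunnel vs full tunnel and how a more specific prefix on a second peer wins. The config text and the key strings are constructed placeholders.

```python
import ipaddress

# Constructed sample client config (placeholder keys, not real ones):
# one corporate peer (split-include) plus a lab peer with a more specific prefix.
SPLIT_CONF = """
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER
Address = 10.8.0.2/24

[Peer]
PublicKey = CORP-GATEWAY-KEY-PLACEHOLDER
AllowedIPs = 10.0.0.0/8, 192.168.1.0/24   # split tunnel: only these subnets
Endpoint = vpn.example.com:51820

[Peer]
PublicKey = LAB-GATEWAY-KEY-PLACEHOLDER
AllowedIPs = 10.20.0.0/16                  # more specific than 10.0.0.0/8
Endpoint = lab.example.com:51820
"""
# Same peers, but the corporate peer now carries the full-tunnel catch-all.
FULL_CONF = SPLIT_CONF.replace("10.0.0.0/8, 192.168.1.0/24", "0.0.0.0/0")

def parse_peers(conf_text):
    """Return [{PublicKey, AllowedIPs: [ip_network, ...]}] for each [Peer] section."""
    peers, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # wg(8) treats '#' as a comment
        if line.lower() == "[peer]":
            cur = {"PublicKey": None, "AllowedIPs": []}
            peers.append(cur)
        elif line.lower() == "[interface]":
            cur = None                            # interface keys are not peer keys
        elif cur is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))  # base64 keys end in '='
            if key == "PublicKey":
                cur["PublicKey"] = value
            elif key == "AllowedIPs":
                cur["AllowedIPs"] += [ipaddress.ip_network(c.strip(), strict=False)
                                      for c in value.split(",") if c.strip()]
    return peers

def peer_for(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs holds the longest prefix
    containing dst gets the packet; None means it is not sent into the tunnel."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = peer["PublicKey"], net.prefixlen
    return best
```

With the split config, 8.8.8.8 returns `None` (goes direct); with the full-tunnel config it maps to the corporate peer, while 10.20.1.1 still goes to the lab peer because /16 beats both /8 and /0.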
VPN Deployment Patterns
| Item | Description |
|---|---|
| Client VPN | Individual devices connect to corporate network remotely |
| Site-to-site | Two office networks connected as one (always on) |
| Hub-and-spoke | HQ connects to all branch offices (central management) |
| Mesh | Every site connects to every other site (full connectivity) |
| Zero Trust VPN | VPN + identity context: only access specific apps, not full network |
Pro Tip: WireGuard is the go-to for most new VPN deployments — kernel-level speed, simple config (under 100 lines), and built into Linux kernel 5.6+. Use it unless you need IPsec compatibility.