I currently have a setup where my Synology NAS acts as my VPN server, using OpenVPN. It works but as with all things to do with technology and home labs - I want to improve it in any way I can. I’m looking at building a big dedicated Proxmox server and will run two DNS Pi-hole-like servers (one for redundancy) and would like two VPN servers as I’d like to keep my Synology NAS purely for files and only accessible on my local network. I’d like for all my mobile devices to have a constant connection to either VPN/DNS pair for privacy and ads.
Which brings me to the question, which is better in terms of security and speed? Tailscale, Wireguard or OpenVPN?
I know there is no definitive answer, just want people’s opinions and what you use currently?
Tailscale is WireGuard with extra steps. I personally use plain WireGuard, it’s already pretty easy to set up with config files, but now there are even graphical front-ends for it which generate the config for you, including a QR code that you just have to scan on your phone, so really simple. I don’t think you can set up OpenVPN by just scanning a QR code.
WireGuard is an absolute breath of fresh air. I have WireGuard enabled on my main router bridged to the cable modem. My phone is connected to the VPN on my router 24/7.
Sometimes when I’m working with clients and they are in restricted environments which would force me to jump through all kinds of VPN routes, jump hosts, and Remote Desktop gateways just to get to a system or desktop that I can’t actually place the tools I need on, I can jump through those hoops to the host and then just WireGuard out to my network, and then that server looks like another host on my network that I can access directly, i.e. 10.0.0.5.
So, now I can just bring up a link, and then VS Code over SSH directly to the server, automate Docker tasks, apply configuration as code, or anything else that was going to be impossible to do from a locked down corporate VDI desktop.
Naturally, that exposes the host to other threats that could potentially originate from my network, which is why I’d like to move this capability to a separate isolated pfSense device or hardened VM that can only be accessed via physical console.
I’d still keep my phone connected at the edge for all of the advantages that presents. Namely, overall network performance is seemingly improved by having all traffic on a low bandwidth high latency network route through a 1.5Gbps upstream connection. Not to mention, I have direct access to every other service or IPMI interface I might need to get a finger on.
Using WireGuard with a front-end like PiVPN is as easy as running the command pivpn -a to set up a new profile for a new device while displaying a QR code for it.
One problem with raw WireGuard is no support for TCP 443. Many times when traveling, especially internationally, you may connect to shady hotspots which block everything except web browsing.
OpenVPN can be run on port 443 and Tailscale will use DERP for proxy and still work in those situations. WireGuard, being UDP, will not.
I have not used Tailscale so cannot comment on it.
In the traditional hub-and-spoke model, I think OpenVPN makes sense for you if you really want redundant VPN servers. With OpenVPN you can set multiple remotes (server A and server B) and the client will automatically fail over if one goes down. WireGuard is stateless, does not care about the peer being down and does not have a built-in failover mechanism so you would have to build your own failover routing on top. There are examples of that if you google it. Otherwise you could go full mesh networking and just not have to worry about VPN servers. There are tools to make that easier, like Tailscale.
FYI there is also an open source self-hosted implementation of Tailscale control plane (server), it’s called Headscale and it can be used in combination with Tailscale clients, very cool project.
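The failover point above (OpenVPN clients can list several `remote` servers and fail over by themselves; WireGuard is stateless and needs something built on top) is the kind of thing that is easier to see in code. The following is an added example, not code from the thread or from the WireGuard project: a small POSIX shell watchdog for a WireGuard client that has two servers to choose from. It reads `wg show <iface> latest-handshakes`, and when the last handshake with the server is older than a threshold it points the peer at the other endpoint with `wg set`. The interface name `wg0`, the peer key placeholder and the two endpoints are assumptions to be replaced with your own values; the handshake-age threshold is a constructed default.

```shell
#!/bin/sh
# Added example (not from the thread): minimal failover watchdog for a WireGuard
# client with two servers. WireGuard has no built-in failover, so we poll the
# time of the last handshake and switch the peer's endpoint when it goes stale.
#
# Assumptions (hypothetical, replace for your setup):
#   WG_IFACE     local WireGuard interface
#   PEER_PUBKEY  public key of the server peer (both servers share one key here,
#                i.e. the same server config replicated; use two peers otherwise)
#   EP_A / EP_B  the two server endpoints to alternate between
WG_IFACE="wg0"
PEER_PUBKEY="REPLACE_WITH_SERVER_PUBLIC_KEY"
EP_A="vpn-a.example.net:51820"
EP_B="vpn-b.example.net:51820"
# WireGuard re-handshakes roughly every 2 minutes while traffic flows, so a
# handshake older than 5 minutes means the tunnel is dead. Set
# PersistentKeepalive on the client so there is always some traffic.
STALE_AFTER=300

# handshake_stale OUTPUT NOW LIMIT
#   OUTPUT is the text of `wg show <iface> latest-handshakes`
#   (one line per peer: "<pubkey><TAB><epoch seconds>", 0 = never).
#   Prints 1 if the peer never completed a handshake or its last handshake
#   is more than LIMIT seconds before NOW, otherwise 0.
handshake_stale() {
    output="$1"; now="$2"; limit="$3"
    printf '%s\n' "$output" | awk -v now="$now" -v limit="$limit" '
        { last = $2 }
        END {
            if (last + 0 == 0 || now - last > limit) print 1; else print 0
        }'
}

# other_endpoint CURRENT: returns whichever of EP_A / EP_B is not CURRENT.
other_endpoint() {
    if [ "$1" = "$EP_A" ]; then echo "$EP_B"; else echo "$EP_A"; fi
}

# Poll loop. Needs root and wg(8); re-pointing the endpoint makes WireGuard
# initiate a fresh handshake with the new server on the next packet.
watchdog() {
    current="$EP_A"
    while :; do
        hs="$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null)"
        if [ "$(handshake_stale "$hs" "$(date +%s)" "$STALE_AFTER")" = 1 ]; then
            current="$(other_endpoint "$current")"
            logger -t wg-failover "handshake stale, switching $WG_IFACE to $current"
            wg set "$WG_IFACE" peer "$PEER_PUBKEY" endpoint "$current"
        fi
        sleep 30
    done
}

# Only start the loop when invoked as `./wg-failover.sh run`, so the
# functions can also be sourced for testing.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Run it as a root service (`./wg-failover.sh run`, e.g. from a systemd unit) alongside the normal `wg-quick` interface. Note that this only flips between endpoints; if both servers are genuinely down it will keep alternating every 30 seconds, which is harmless but worth logging. OpenVPN gets the same behaviour from two `remote` lines in the client profile without any extra script, which is the asymmetry the comment above describes.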
OpenVPN is a slow, finicky, deprecated mess. The only reason to use it is because it is already widespread and lots of documentation exists. Wireguard is the new version of it and outperforms it in every way. Tailscale is a proprietary mesh building wrapper for wireguard. Usually with wireguard two peers have to communicate through the server. With tailscale they all connect directly to each other.
I see most people here are recommending Wireguard, but I don’t think the answer is that straightforward. If OpenVPN works fine for you, I’d stick to it and maybe enable MFA if you haven’t done it to increase security (something which is not possible with wireguard from what I remember when I was testing it).
I personally use OpenVPN, because it offers superior authentication options and logging.
WireGuard offers better speed, but depending on your use case and home internet connection speed, there is a question you need to ask yourself: “will you actually benefit from it?” For example, I have 40 Mbps upload speed and I am generally maxing it out on OpenVPN, so the increased speed that WireGuard offers wouldn’t be any benefit.
I’ve basically given up on OpenVPN. So many better options out there now.
You should check out Twingate as well if you’re testing stuff out. They have a free tier. I personally find Twingate’s model to be the most sensible and to strike the right balance of speed & security. You can be very specific about what routes you want to expose, who can get access to it, etc.
Network Chuck did a video on them a few weeks ago.