Hacker News
by g45y45 2748 days ago
I say this on every VPN thread and it's still the best advice: Just use algo (IPSEC VPN): https://github.com/trailofbits/algo

Wireguard is great, but is not supported on many devices, and does not auto provision configuration files for all your devices. Please look into algo, it really is the best solution for 99% of people.

2 comments

IPSEC and OpenVPN are far more dangerous than Wireguard is, so while it might be simpler for some kinds of users to boot up an OpenVPN connection, that doesn't necessarily make it the "best solution".
What's wrong with OpenVPN?
OpenVPN depends on TLS and basically all the code in openssl (many lines of code, not possible to audit by one person).

In a version I used, after TLS handshake it used a custom bulk data protocol and defaulted to blowfish for the crypto (these defaults might have changed since).

It runs in userspace so the speed is not good.

IPSec has better performance because it runs in the kernel, but the protocol is bad and the amount of code in the kernel is enormous, as much as all of openssl, and this cannot be audited by a single person.

Wireguard has good performance, has only ~4000 lines of code that need to be audited (designed to be audited by a single person) and uses very modern crypto.

Can you explain why? At least one other person in this thread said that Algo supports wireguard.
Algo supports Wireguard these days so you can algo your way to both.
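The thread's two recurring points are that algo's value is auto-provisioning configs for every device, and that WireGuard is small enough to review. As an added example (not code from the thread, from algo, or from the WireGuard project), here is a minimal provisioning script in that spirit: it generates one server config and one per-device client config, pinning each client to a single /32 on the server side. Key generation uses a pure-Python X25519 (RFC 7748) so the script runs offline; the endpoint `vpn.example.test:51820`, the subnet and the device names are constructed placeholders, and `wg genkey`/`wg pubkey` produce keys in the same base64 form.

```python
"""Provision WireGuard configs for several devices from one script.

Added example (not from the HN thread and not algo's own code). It assumes
a server reachable at a constructed endpoint and device names supplied by
the caller. Keys are made with a pure-Python X25519 (RFC 7748) so the
script runs offline; `wg genkey` / `wg pubkey` produce identical keys.
"""
import base64
import ipaddress
import os

P = 2**255 - 19  # the Curve25519 field prime


def clamp(secret: bytes) -> int:
    """Clamp a 32-byte secret into a Curve25519 scalar (RFC 7748, section 5)."""
    a = bytearray(secret)
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder on Curve25519 (RFC 7748, section 5).

    The conditional swap branches on secret bits, so this is not a
    constant-time implementation: acceptable for an offline provisioning
    script, not for an online protocol endpoint.
    """
    k = clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # drop the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P  # a24 = (486662 - 2) / 4
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")  # x2 / z2


def public_key(private: bytes) -> bytes:
    """WireGuard public key: X25519(private, 9)."""
    return x25519(private, (9).to_bytes(32, "little"))


def keypair(rng=os.urandom) -> tuple[str, str]:
    """Return (private, public) as the base64 strings wg(8) expects."""
    priv = rng(32)
    return (base64.b64encode(priv).decode(),
            base64.b64encode(public_key(priv)).decode())


def peer_public_of(client_conf: str) -> str:
    """Derive the public key a server should list for a given client config."""
    line = next(l for l in client_conf.splitlines() if l.startswith("PrivateKey = "))
    priv = base64.b64decode(line.split(" = ", 1)[1])
    return base64.b64encode(public_key(priv)).decode()


def provision(endpoint: str, subnet: str, devices: list[str], rng=os.urandom) -> dict[str, str]:
    """Build one server config plus one client config per device.

    Each client is pinned to a single /32 in the server's peer list, so a
    device cannot claim another device's tunnel address; the client side
    routes everything (0.0.0.0/0, ::/0) through the server (full tunnel).
    """
    net = ipaddress.ip_network(subnet)
    hosts = net.hosts()
    server_addr = next(hosts)
    s_priv, s_pub = keypair(rng)
    server = [f"[Interface]\nPrivateKey = {s_priv}\n"
              f"Address = {server_addr}/{net.prefixlen}\nListenPort = 51820\n"]
    configs = {}
    for name in devices:
        c_priv, c_pub = keypair(rng)
        addr = next(hosts)
        server.append(f"\n[Peer]\n# {name}\nPublicKey = {c_pub}\nAllowedIPs = {addr}/32\n")
        configs[name] = (f"[Interface]\nPrivateKey = {c_priv}\nAddress = {addr}/32\n\n"
                         f"[Peer]\nPublicKey = {s_pub}\nEndpoint = {endpoint}\n"
                         "AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n")
    configs["server"] = "".join(server)
    return configs


if __name__ == "__main__":
    # Constructed placeholders: endpoint, subnet and device names.
    out = provision("vpn.example.test:51820", "10.10.0.0/24", ["laptop", "phone"])
    for name, conf in out.items():
        print(f"# --- {name}.conf ---\n{conf}")
```

The server's `AllowedIPs` is the security-relevant line: on the server it is an allow-list of source addresses per peer, so giving a client `0.0.0.0/0` there would let it spoof any tunnel address. Writing each file with mode 0600 and never re-using a private key across devices are the two handling rules an algo-style tool enforces for you.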