VPN Protocol Reference

// wireguard · openvpn · ipsec · l2tp · ports · configs
WireGuard
  Default port: UDP 51820
  Performance: Excellent — ~10Gbps on modern hardware
  Setup Complexity: Very simple — minimal config
  Security: Modern crypto — ChaCha20/Poly1305

OpenVPN
  Default port: UDP 1194 / TCP 443
  Performance: Good — userspace overhead
  Setup Complexity: Moderate — PKI + certs required
  Security: Strong — TLS + OpenSSL

IPSec/IKEv2
  Default port: UDP 500 + 4500
  Performance: Very good — hardware accel support
  Setup Complexity: Complex — lots of parameters
  Security: Very strong when configured correctly

L2TP/IPSec
  Default port: UDP 1701 + 500 + 4500
  Performance: Moderate — double encapsulation
  Setup Complexity: Moderate — native OS support helps
  Security: Adequate — depends on IPSec layer
Protocol     | Default Port          | Speed     | NAT Traversal | Firewall Bypass                  | Mobile Support            | Best For
WireGuard    | UDP 51820             | Excellent | Yes (UDP)     | Port change needed               | Excellent                 | Site-to-site, remote access, modern deployments
OpenVPN      | UDP 1194 / TCP 443    | Good      | Yes           | TCP 443 bypasses most firewalls  | Good                      | Remote access, restrictive networks, legacy support
IPSec/IKEv2  | UDP 500, 4500         | Very Good | Yes (NAT-T)   | Often blocked                    | Good (native iOS/Android) | Enterprise site-to-site, native OS clients
L2TP/IPSec   | UDP 1701, 500, 4500   | Moderate  | Limited       | Frequently blocked               | Good (built-in clients)   | Legacy environments, Windows built-in client
PPTP         | TCP 1723              | Fast      | Poor          | Moderate                         | Wide                      | ⚠ AVOID — broken encryption, obsolete

Minimal WireGuard server config (/etc/wireguard/wg0.conf):

    [Interface]
    PrivateKey = YOUR_SERVER_PRIVATE_KEY
    Address = 10.0.0.1/24
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = PEER_PUBLIC_KEY
    AllowedIPs = 10.0.0.2/32
    # PersistentKeepalive = 25   # add if peer is behind NAT

Minimal WireGuard client config:

    [Interface]
    PrivateKey = YOUR_CLIENT_PRIVATE_KEY
    Address = 10.0.0.2/24
    DNS = 1.1.1.1

    [Peer]
    PublicKey = SERVER_PUBLIC_KEY
    Endpoint = your.server.ip:51820
    AllowedIPs = 0.0.0.0/0   # route all traffic through VPN
    PersistentKeepalive = 25

Generate key pair:

    wg genkey | tee privatekey | wg pubkey > publickey
    cat privatekey   # your private key — keep secret
    cat publickey    # share this with peer
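The server-side config above is also a per-peer access list: a peer's AllowedIPs is the only set of source addresses wg will accept from it, and an address listed under two peers is silently kept by the last one. As an added example (not code from the page or the WireGuard project), this small Python linter parses a wg0.conf in the format shown above and flags placeholder keys, over-wide peer entries and overlapping AllowedIPs. The sample config and the key value in it are constructed for the example.

```python
import base64
import ipaddress
# Constructed sample: a server wg0.conf in the shape shown above; the second peer over-claims.
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key
SAMPLE_SERVER_CONF = f"""\
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.2/32  # one host, as the server config above uses
[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 0.0.0.0/0
"""
def parse_wg_conf(text):
    # Hand-rolled INI: wg allows repeated [Peer] sections, which configparser rejects.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def valid_key(value):
    # A WireGuard key is 44 base64 chars that decode to exactly 32 bytes.
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_server_conf(text):
    # Findings for a server-side wg0.conf; an empty list means nothing was flagged.
    findings, claimed = [], []
    for name, kv in parse_wg_conf(text):
        key_field = "PrivateKey" if name == "Interface" else "PublicKey"
        if not valid_key(kv.get(key_field, "")):
            findings.append(f"{name}: {key_field} is a placeholder or malformed")
        nets = [ipaddress.ip_network(i.strip(), strict=False)
                for i in kv.get("AllowedIPs", "").split(",") if i.strip()]
        for net in nets:
            # Server-side AllowedIPs doubles as a source ACL: wider than one host lets the peer spoof
            if net.prefixlen < net.max_prefixlen:
                findings.append(f"Peer: AllowedIPs {net} is wider than one host")
            if any(net.overlaps(other) for other in claimed):  # wg keeps only the last claim
                findings.append(f"Peer: AllowedIPs {net} overlaps another peer's")
            claimed.append(net)
    return findings
```

Run `lint_server_conf(open("/etc/wireguard/wg0.conf").read())` before `wg-quick up`; a client config is not a target for this check because its single peer legitimately carries 0.0.0.0/0.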

Key directives for /etc/openvpn/server.conf:

    port 1194
    # use "proto tcp" for firewall bypass
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 1.1.1.1"
    keepalive 10 120
    cipher AES-256-GCM
    # HMAC firewall: drops packets without a valid HMAC before the TLS handshake
    tls-auth ta.key 0
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3

Which protocol to pick:

    New deployment, performance matters?        → WireGuard
    Restrictive network / port 443 needed?      → OpenVPN over TCP 443
    Enterprise site-to-site between routers?    → IPSec/IKEv2
    Need native Windows/iOS/Android client?     → IKEv2 or L2TP/IPSec
    Legacy environment, no new software?        → L2TP/IPSec
    PPTP?                                       → Never. It's broken.