VPN Technologies: IPSec vs SSL VPN vs WireGuard

February 26, 2026 Editorial Team 6 min read

Virtual Private Networks remain a cornerstone of secure remote access and site-to-site connectivity. But not all VPNs are created equal: IPSec, SSL/TLS VPN and WireGuard each take fundamentally different approaches to tunnelling traffic. This guide compares the three technologies, explains their strengths and trade-offs, and helps you choose the right one for your organisation.

What Does a VPN Actually Do?

A VPN creates an encrypted tunnel between two endpoints, ensuring that data traversing an untrusted network (typically the internet) cannot be read or tampered with by third parties. VPNs serve two primary use cases:

  • Site-to-site VPN: permanently connects two or more office networks over the internet, replacing expensive private WAN links like MPLS. Traffic flows between sites as if they were on the same LAN.
  • Remote-access VPN: allows individual users — working from home, a hotel, or a coffee shop — to securely connect back to the corporate network and access internal resources.

IPSec VPN

IPSec (Internet Protocol Security) is a suite of protocols that operates at Layer 3 of the OSI model. It has been the industry standard for site-to-site VPNs for over two decades and is built into virtually every enterprise firewall and router. Keys and algorithms are negotiated by the Internet Key Exchange (IKE) protocol (IKEv2 today; IKEv1 is legacy and should be retired where possible), after which traffic is protected by ESP in one of two modes: tunnel mode wraps the entire original IP packet, header included, inside a new IP header and is what site-to-site and remote-access gateways use; transport mode protects only the payload and keeps the original header, and is used for host-to-host communication.

IPSec's greatest strength is its robust, well-audited security. It supports a wide range of encryption algorithms (AES-256-CBC, AES-GCM), integrity algorithms (HMAC-SHA-256, HMAC-SHA-384; not needed with an AEAD cipher such as AES-GCM, which authenticates on its own), Diffie-Hellman groups, and authentication methods (pre-shared keys, X.509 certificates, and EAP for remote-access users with IKEv2). However, its complexity is legendary: configuring proposals for both negotiation stages (Phase 1 and Phase 2 in IKEv1 terms; the IKE_SA and the CHILD_SA in IKEv2), managing transform sets, and troubleshooting IKE negotiation failures requires deep expertise. Two checks matter more than any other: the proposal lists on both sides must contain only current algorithms (no 3DES, MD5, SHA-1 or 1024-bit DH groups left over from old templates, because the negotiated result is only as strong as the weakest proposal both sides accept), and pre-shared keys, if used at all, must be long and random, with certificates preferred for anything beyond a lab. NAT traversal (NAT-T), which encapsulates ESP in UDP port 4500 when one side sits behind a NAT device, adds another layer of complication.
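As an added example (not code from the original article, and not part of strongSwan or any other IKE implementation), the following Python checks IKE and ESP proposal strings written in strongSwan's notation against a minimum-strength policy, so a weak leftover proposal can be caught before it is negotiated. The notation (`aes256gcm16-prfsha384-ecp384`, `aes128-sha1-modp1024`) is strongSwan's; the thresholds, the sample proposals and the function names are this example's own assumptions.

```python
import re

# Token classes in strongSwan proposal notation. The lists cover the algorithms
# discussed on this page plus the common legacy ones; anything else is reported
# as unknown rather than silently accepted.
AEAD_RE  = re.compile(r"^(?:aes(?:128|192|256)(?:gcm|ccm)(?:8|12|16)|chacha20poly1305)$")
ENCR_RE  = re.compile(r"^(?:aes(?:128|192|256)|camellia(?:128|192|256)|3des|des|null)$")
INTEG_RE = re.compile(r"^(?:md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)$")
PRF_RE   = re.compile(r"^prf(?:md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)$")
DH_RE    = re.compile(r"^(?:modp(\d+)|ecp(\d+)(?:bp)?|x25519|x448|curve25519|curve448)$")

# Assumed policy for this example (not a published standard).
WEAK_ENCR = {"des", "3des", "null"}
WEAK_HASH = {"md5", "sha1"}           # as integrity algorithm or as PRF
MIN_MODP_BITS = 2048
MIN_ECP_BITS = 256


def classify(token):
    """Map one proposal token to its class, or None if unrecognised."""
    for cls, rx in (("aead", AEAD_RE), ("encr", ENCR_RE), ("integ", INTEG_RE),
                    ("prf", PRF_RE), ("dh", DH_RE)):
        if rx.match(token):
            return cls
    return None


def lint_proposal(proposal, kind):
    """Return findings for one IKE ('ike') or ESP ('esp') proposal; [] means it passes."""
    if kind not in ("ike", "esp"):
        raise ValueError("kind must be 'ike' or 'esp'")
    findings = []
    seen = {"aead": 0, "encr": 0, "integ": 0, "prf": 0, "dh": 0}
    for tok in proposal.lower().split("-"):
        cls = classify(tok)
        if cls is None:
            findings.append(f"unknown token '{tok}'")
            continue
        seen[cls] += 1
        if cls == "encr" and tok in WEAK_ENCR:
            findings.append(f"weak or missing encryption: {tok}")
        elif cls == "integ" and tok in WEAK_HASH:
            findings.append(f"weak integrity algorithm: {tok}")
        elif cls == "prf" and tok[3:] in WEAK_HASH:
            findings.append(f"weak PRF: {tok}")
        elif cls == "dh":
            modp_bits, ecp_bits = DH_RE.match(tok).groups()
            if modp_bits and int(modp_bits) < MIN_MODP_BITS:
                findings.append(f"weak DH group: {tok} (policy minimum modp{MIN_MODP_BITS})")
            elif ecp_bits and int(ecp_bits) < MIN_ECP_BITS:
                findings.append(f"weak DH group: {tok} (policy minimum ecp{MIN_ECP_BITS})")
    # Structural checks: what each stage needs beyond individual algorithm strength.
    if not (seen["aead"] or seen["encr"]):
        findings.append("no encryption algorithm")
    if seen["encr"] and not seen["integ"]:
        findings.append("classic cipher without an integrity algorithm")
    if kind == "ike":
        if not seen["dh"]:
            findings.append("IKE proposal has no DH group")
        if seen["aead"] and not seen["prf"]:
            findings.append("AEAD IKE proposal needs an explicit PRF (e.g. prfsha384)")
    else:
        if seen["aead"] and seen["integ"]:
            findings.append("integrity algorithm is redundant with an AEAD cipher")
        if not seen["dh"]:
            findings.append("no DH group in ESP proposal: CHILD_SA rekeying without PFS")
    return findings


# Constructed samples: a legacy-style pair next to a hardened pair.
SAMPLE_PROPOSALS = {
    "legacy ike":   ("aes128-sha1-modp1024", "ike"),
    "legacy esp":   ("3des-md5", "esp"),
    "hardened ike": ("aes256gcm16-prfsha384-ecp384", "ike"),
    "hardened esp": ("aes256gcm16-ecp384", "esp"),
}


def audit(proposals=SAMPLE_PROPOSALS):
    """Lint every proposal and return {name: findings}."""
    return {name: lint_proposal(p, kind) for name, (p, kind) in proposals.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the proposal strings pulled from both sides of a tunnel; the hardened pair passes cleanly, while the legacy pair reports SHA-1, MD5, 3DES, the 1024-bit group and the missing PFS group in one pass.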

SSL/TLS VPN

SSL/TLS VPNs operate at Layers 4–7: the tunnel is carried inside a TLS session, the same protocol that protects HTTPS websites. This approach has two significant advantages. First, it can be run on TCP port 443, so it passes through nearly any firewall that allows web browsing (OpenVPN defaults to UDP 1194, but TCP 443 is a common fallback configuration). Second, commercial gateways can provide clientless access via a web browser portal that proxies internal web applications, which suits contractors or BYOD users who cannot install software.

For full-tunnel remote access, OpenVPN is the most widely deployed open-source SSL VPN solution. It creates a TUN or TAP virtual interface on the client and routes traffic through an encrypted TLS tunnel. OpenVPN supports both UDP and TCP transport and certificate-based authentication, integrates with LDAP and RADIUS through its plugin interface, and gains SAML through OpenVPN Access Server or a third-party front end. Commercial SSL VPN gateways from Cisco (AnyConnect, now Cisco Secure Client), Fortinet (FortiClient) and Palo Alto (GlobalProtect) offer similar functionality with polished management consoles and endpoint compliance checks. Because these gateways are reachable from the whole internet and terminate authentication for every remote user, they are among the most heavily attacked devices on a perimeter: enforce MFA on them and treat vendor patches as urgent.

The main drawback of SSL VPNs is performance. OpenVPN's data path runs in user space, so every packet is copied between the kernel's TUN/TAP device and the OpenVPN process and back, on top of the TLS framing overhead. OpenVPN in particular can struggle to saturate high-bandwidth links because of its single-threaded architecture, although the OpenVPN Data Channel Offload (DCO) kernel module introduced with OpenVPN 2.6 moves the data channel into the kernel and largely removes this limitation.

WireGuard

WireGuard is a modern VPN protocol that has been part of the Linux kernel since version 5.6 (March 2020). It was designed with a radically different philosophy: simplicity above all else. The entire WireGuard codebase is roughly 4,000 lines of code — compared to over 100,000 for OpenVPN or IPSec/IKEv2 implementations. Fewer lines of code means a smaller attack surface and easier auditing.

WireGuard uses a fixed set of modern cryptographic primitives: ChaCha20-Poly1305 as the AEAD for packet encryption and authentication, Curve25519 for key agreement, BLAKE2s for hashing and keyed hashing (with HKDF for key derivation), all tied together by a Noise-based handshake. There is no cipher negotiation: if a weakness is found in one of these primitives, a new protocol version is issued and every peer upgrades. This eliminates the configuration complexity and downgrade attacks that plague IPSec and TLS. An optional per-peer pre-shared key can additionally be mixed into the handshake as a hedge against a future break of Curve25519.

Performance is where WireGuard truly shines. Because it runs inside the Linux kernel (on Windows as the WireGuardNT kernel driver; the macOS, iOS and Android apps use the user-space wireguard-go implementation instead), it achieves throughput and latency figures that rival or exceed IPSec and comfortably outperform OpenVPN. WireGuard also presents no connection state for an administrator to manage: sessions are established and rekeyed silently in the background. Its Cryptokey Routing model identifies each peer by its public key and associates it with a list of allowed IP addresses, and that list does two jobs at once. Outbound, the destination address selects which peer a packet is encrypted for; inbound, a decrypted packet is accepted only if its source address belongs to the peer whose key authenticated it, so a peer cannot inject traffic for addresses it was not assigned. Configuration is remarkably simple, often just a few lines in a config file or a QR code scanned by the mobile app.

VPN Technology Comparison

Feature                  | IPSec (IKEv2)                                              | SSL/TLS VPN (OpenVPN)                                 | WireGuard
-------------------------|------------------------------------------------------------|-------------------------------------------------------|------------------------------
OSI layer                | Layer 3                                                    | Layers 4–7 (tunnel carried inside TLS)                | Layer 3
Encryption               | AES-256-CBC, AES-GCM (negotiated)                          | AES-256-GCM, ChaCha20-Poly1305 (negotiated)           | ChaCha20-Poly1305 (fixed)
Performance              | High (kernel data path)                                    | Moderate (user space; DCO moves the data path to kernel) | Very high (kernel data path)
Configuration complexity | High                                                       | Moderate                                              | Low
Firewall traversal       | Can be blocked (ESP, IP protocol 50; IKE on UDP 500, NAT-T on UDP 4500) | Excellent (can run on TCP 443)           | Good (UDP, one configurable port)
Clientless access        | No                                                         | Yes (browser portal on commercial gateways, not OpenVPN itself) | No
Site-to-site             | Excellent                                                  | Possible but less common                              | Good
Remote access            | Good (IKEv2 with MOBIKE)                                   | Excellent                                             | Excellent
Maturity                 | 25+ years                                                  | 20+ years                                             | ~6 years in the mainline kernel
Codebase size            | ~100,000+ lines                                            | ~100,000+ lines                                       | ~4,000 lines

Split Tunnelling and Always-On VPN

Split tunnelling is a configuration where only traffic destined for corporate resources is sent through the VPN tunnel, while general internet traffic (web browsing, streaming) goes directly to the internet from the user's local connection. This reduces VPN bandwidth consumption and improves the user experience for non-corporate traffic. The security objection is twofold: the user's internet traffic bypasses the corporate firewall and any inspection behind it, and the device is reachable from an untrusted local network and the corporate network at the same time, which makes it a convenient pivot if it is compromised.

Full-tunnel VPN routes all traffic through the VPN, ensuring that every packet is subject to corporate security policies. Always-on VPN is a related but separate control: the client keeps the tunnel up whenever the device has network access and, with a kill switch, blocks traffic while it is down, so the user cannot simply disconnect. The two are usually combined in organisations with strict compliance requirements. IKEv2 (through the MOBIKE extension, RFC 4555) and WireGuard (whose peers simply update a counterpart's endpoint when an authenticated packet arrives from a new address) both survive network changes such as switching from Wi-Fi to mobile data, making always-on VPN practical for mobile users.
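As an added example (not code from the original article, nor from the WireGuard project), the following Python models the two jobs the AllowedIPs list does in Cryptokey Routing, as described in the WireGuard section above, and shows that on a road-warrior client the split-versus-full-tunnel choice is nothing more than that same AllowedIPs line. The config texts, peer names, placeholder public keys and the host vpn.example.com are constructed for the example; the matching rule (longest prefix outbound, source address must map back to the sending peer inbound) is the one WireGuard documents.

```python
import ipaddress

# Constructed hub (server-side) config for a small deployment. Public keys are
# placeholders, not real WireGuard keys (real ones are 44-character base64).
HUB_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <redacted>

[Peer]
# Alice's laptop: a single tunnel address
PublicKey = ALICE_LAPTOP_PUBKEY
AllowedIPs = 10.8.0.2/32

[Peer]
# Branch router: its tunnel address plus the LAN behind it
PublicKey = BRANCH_ROUTER_PUBKEY
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
"""

# Constructed road-warrior configs for the same hub. The only difference between
# split and full tunnel is the AllowedIPs line; vpn.example.com is a placeholder.
CLIENT_SPLIT = """\
[Interface]
Address = 10.8.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = HUB_PUBKEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
"""
CLIENT_FULL = CLIENT_SPLIT.replace("AllowedIPs = 10.8.0.0/24, 192.168.50.0/24",
                                   "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_peers(conf):
    """Return {public_key: [ip_network, ...]} for every [Peer] section of a wg config."""
    peers, section = {}, None

    def flush():
        if section and section["_kind"] == "peer":
            raw = section.get("allowedips", "")
            peers[section["publickey"]] = [
                ipaddress.ip_network(n.strip()) for n in raw.split(",") if n.strip()]

    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # wg(8) configs use '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            section = {"_kind": line[1:-1].lower()}
        elif section is not None:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "allowedips" and key in section:   # repeated lines accumulate
                value = section[key] + ", " + value
            section[key] = value
    flush()
    return peers


def select_peer(peers, dst):
    """Outbound: longest-prefix match of the destination over every peer's AllowedIPs.

    Returns the peer's public key, or None when no peer claims the address
    (WireGuard then drops the packet rather than sending it anywhere)."""
    addr, best = ipaddress.ip_address(dst), None
    for pubkey, nets in peers.items():
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (pubkey, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, from_pubkey, src):
    """Inbound: a decrypted packet is kept only if its source address maps back to
    the peer whose key authenticated it; otherwise WireGuard drops it."""
    return select_peer(peers, src) == from_pubkey


def tunnel_mode(client_conf):
    """'full' if any peer claims a default route (0.0.0.0/0 or ::/0), else 'split'."""
    nets = [n for ns in parse_peers(client_conf).values() for n in ns]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


if __name__ == "__main__":
    hub = parse_peers(HUB_CONF)
    print("192.168.50.9 ->", select_peer(hub, "192.168.50.9"))   # BRANCH_ROUTER_PUBKEY
    print("8.8.8.8      ->", select_peer(hub, "8.8.8.8"))        # None: not routed
    print("alice spoofing 192.168.50.7 accepted?",
          accept_inbound(hub, "ALICE_LAPTOP_PUBKEY", "192.168.50.7"))   # False
    print("split:", tunnel_mode(CLIENT_SPLIT), "| full:", tunnel_mode(CLIENT_FULL))
```

The inbound check is the part worth internalising: on the hub, Alice's key can only ever introduce packets from 10.8.0.2, so even a fully compromised laptop cannot impersonate the branch LAN. On the client side the same mechanism is why a full-tunnel profile needs a default route in AllowedIPs and nothing else.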

Choosing the Right VPN for Your Use Case

There is no single "best" VPN technology — the right choice depends on your requirements:

  • Site-to-site between firewalls: IPSec remains the standard. Every enterprise firewall speaks IPSec, and interoperability between vendors (while sometimes painful) is well documented.
  • Remote access for employees with managed devices: WireGuard or IKEv2 offer the best performance and seamless reconnection. WireGuard's simplicity makes it particularly attractive for smaller IT teams.
  • Remote access for contractors or BYOD: SSL VPN with clientless browser access is hard to beat. No software installation means no endpoint compatibility issues.
  • High-security environments: IPSec with certificate-based authentication and IKEv2 provides the most granular control over cipher suites and the clearest path to compliance with standards like FIPS 140-2/140-3, where the VPN must be restricted to validated algorithm implementations.

Pros

  • WireGuard offers exceptional performance with minimal configuration overhead
  • IPSec provides the broadest vendor interoperability for site-to-site tunnels
  • SSL VPN enables clientless browser-based access without software installation
  • IKEv2 supports seamless roaming between Wi-Fi and mobile networks
  • All three technologies support strong, modern encryption standards

Cons

  • IPSec configuration is complex and troubleshooting requires deep protocol knowledge
  • OpenVPN performance lags behind kernel-level protocols on high-throughput links
  • WireGuard lacks built-in user authentication — it relies on key pairs, not usernames
  • SSL VPN clientless mode is limited to web-based applications only
  • WireGuard does not support cipher negotiation at all, and its fixed ChaCha20-Poly1305 is not a FIPS-approved algorithm, so it cannot be used where FIPS 140 validation is mandated and may concern compliance teams elsewhere

Many organisations use more than one VPN technology. For example, IPSec for site-to-site links between offices, WireGuard for employee remote access, and SSL VPN for third-party contractor access. There is no rule that says you must standardise on a single protocol.

WireGuard is stable and has been included in the Linux kernel since 2020. It is used in production by organisations of all sizes. The main enterprise consideration is that WireGuard uses static key pairs rather than username/password or SAML authentication. Commercial solutions like Tailscale and Netmaker add identity management, ACLs and SSO integration on top of WireGuard to address this gap.

Yes. Most modern firewalls support multiple VPN technologies simultaneously. You can run IPSec site-to-site tunnels alongside WireGuard remote-access connections without conflict, as they use different protocols and ports.

SSL VPN over TCP port 443 is the most firewall-friendly option because it rides on the port every network has to leave open for HTTPS. It is not truly indistinguishable from web traffic, though: OpenVPN wraps its TLS handshake in its own packet framing, and deep packet inspection can fingerprint it unless it is hidden behind an obfuscation layer. WireGuard uses UDP on a configurable port and is blocked wherever outbound UDP is filtered or DPI flags it. IPSec uses the ESP protocol (IP protocol 50) together with IKE on UDP 500, and although NAT-T moves ESP into UDP 4500, one or both are often blocked on guest and public Wi-Fi networks.
