The Core Architectural Difference
When you build a remote-access VPN, every connecting client needs an IP address inside the tunnel — an address on the corporate virtual network that other internal resources can route to. How a VPN protocol assigns and tracks those tunnel IPs is not an implementation detail; it is a fundamental architectural decision that affects scalability, security policy, and day-to-day IT management.
OpenVPN treats IP assignment as a DHCP problem. WireGuard treats it as a cryptographic identity problem. Both approaches work, but each creates distinct operational tradeoffs that become important when you are managing hundreds or thousands of remote employees.
WireGuard AllowedIPs vs OpenVPN topology routes
WireGuard’s cryptokey routing table explicitly lists which remote tunnel IPs may source traffic; omitting a peer subnet silently drops packets. OpenVPN’s iroute pushes routes to clients through control-channel config, often combined with server directives and NAT rules on the gateway. Migration testing should include split-tunnel vs full-tunnel policies and overlapping RFC 1918 space on both sides.
How OpenVPN Allocates IPs
OpenVPN operates a virtual TUN (layer 3) or TAP (layer 2) network adapter on the server. When a client authenticates and connects, the OpenVPN server assigns it an IP address from a configured pool, typically a /24 or /22 subnet defined in server.conf. The assignment uses an internal DHCP-like mechanism, and the mapping of client certificate to IP is written to an ipp.txt file for persistence across server restarts.
When the client disconnects, the IP returns to the pool. If 200 employees connect simultaneously, 200 IPs are consumed. If only 50 are online, only 50 IPs are in use. This dynamic pooling model is efficient and familiar to any network engineer who has managed DHCP.
OpenVPN relies on the TLS handshake for authentication, using either certificate-based mutual TLS or username/password with optional certificates. The IP assignment happens after TLS negotiation completes. This means the IP a user receives is not inherently tied to their cryptographic identity — the same user could receive different IPs on successive connections unless ifconfig-push directives are used in per-client config files to force a static assignment.
How WireGuard Allocates IPs: Cryptokey Routing
WireGuard's approach is fundamentally different. Every peer (client or server) has a Curve25519 public/private keypair. The server's wg0.conf configuration lists every permitted peer by public key, and each peer entry includes an AllowedIPs directive that specifies which IP addresses are valid for that peer.
There is no pool. There is no dynamic assignment. If Bob's public key is paired with AllowedIPs = 10.0.0.5/32, then Bob always has IP 10.0.0.5 inside the tunnel. Every time Bob connects from any device, from any location, that is his address. If someone tries to send packets claiming to be from 10.0.0.5 using a different keypair, WireGuard drops them silently. The IP and the cryptographic identity are bound together.
This is called cryptokey routing: the routing table is derived from the public key—to-AllowedIPs mapping rather than from dynamic state. It is stateless from an allocation perspective — there is no session, no connection table, no DHCP lease. WireGuard simply forwards packets if the source IP matches the registered AllowedIPs for the keypair that signed the encrypted packet.
Architectural Comparison
| Feature | OpenVPN | WireGuard |
|---|---|---|
| IP assignment model | Dynamic pool (DHCP-like) | Static per-peer (cryptokey routing) |
| Authentication | TLS certificates or username/password | Curve25519 public/private key only |
| IP bound to identity? | No (unless manually forced) | Yes, inherently |
| Protocol | TLS over TCP or UDP | UDP only (custom WireGuard protocol) |
| Kernel integration | Userspace daemon | Kernel module (Linux 5.6+) or userspace |
| Handshake latency | TLS: multiple round trips | 1.5 round trips (1-RTT) |
| Code size | ~100,000+ lines | ~4,000 lines (kernel implementation) |
| Adding a new user | Issue cert, user gets pool IP on connect | Generate keypair, manually assign AllowedIPs, distribute configs |
| Scalability challenge | Pool exhaustion at very large scale | Manual config management at large scale |
| MFA / LDAP integration | Native via plugins (e.g., openvpn-auth-ldap) | Requires external orchestration layer |
Real-World Use Cases
10,000-Employee Enterprise (OpenVPN): A global bank with 10,000 remote workers chooses OpenVPN because it integrates directly with Active Directory via LDAP authentication plugins. When an employee is offboarded, their AD account is disabled and the VPN immediately rejects their connection. No keypair revocation process is needed. The dynamic IP pool means IP management is automatic.
50-Person Engineering Team (WireGuard): A startup with 50 engineers prefers WireGuard for its performance. Each engineer has a fixed internal IP tied to their keypair. The IT admin can write firewall rules like ACCEPT src 10.0.0.5 dst 10.0.1.0/24 and know with certainty that this rule applies only to the engineer whose keypair maps to .0.5, not to whoever happens to draw that IP from a pool.
IoT Device Fleet: WireGuard's static IP model is ideal for IoT or embedded devices that need a persistent tunnel identity. Each device has a keypair baked in at manufacturing. The AllowedIPs assignment means the server always knows which physical device corresponds to which IP, making monitoring and policy enforcement straightforward.
High-Churn Contractor Network (OpenVPN): A company that onboards and offboards hundreds of contractors monthly benefits from OpenVPN's certificate-based workflow. Issuing and revoking X.509 certificates from an existing PKI integrates well with IT ticketing systems and requires no manual IP management.
Common Misconceptions
Misconception 1: WireGuard Is Always Faster Than OpenVPN
WireGuard's kernel implementation gives it a meaningful throughput advantage on high-bandwidth tunnels, particularly because it avoids the context-switching overhead of OpenVPN's userspace daemon. However, raw throughput difference is negligible for typical remote workers doing email and video calls. The latency improvement from WireGuard's 1-RTT handshake is more practically significant than throughput for interactive traffic.
Misconception 2: Dynamic IP Assignment in OpenVPN Is Less Secure
Dynamic IP assignment does not weaken security by itself. OpenVPN's security rests on certificate authentication, not on which IP a client is assigned. The TLS mutual authentication ensures only holders of valid certificates can connect. The IP is just a routing label inside the tunnel, not a trust boundary.
Misconception 3: WireGuard's Static IPs Make User Management Easier
The opposite is often true at scale. With OpenVPN, offboarding a user means revoking their certificate and the IP pool reclaims the address automatically. With WireGuard, you must remove the [Peer] block from the server config, reload the interface, and manage the freed AllowedIPs entry manually — or build tooling to automate this. At 10,000 users, that tooling is a non-trivial engineering project.
Misconception 4: WireGuard Cannot Assign IPs Dynamically
WireGuard's core protocol does not include dynamic IP assignment, but projects like Tailscale and Headscale build a coordination layer on top of WireGuard that handles keypair distribution, IP assignment, and access control policies. These platforms give you WireGuard's performance with OpenVPN-like operational simplicity, at the cost of adding a dependency on the coordination server.
Pro Tips
- Force static IPs in OpenVPN using per-client config files: Create files under the
ccd/directory named after each client's Common Name (CN). Addifconfig-push 10.0.0.50 10.0.0.51to give a specific client a fixed IP. This lets you write deterministic firewall rules in OpenVPN without switching to WireGuard. - Use WireGuard's AllowedIPs to implement split tunneling: Set
AllowedIPs = 10.0.0.0/8, 192.168.100.0/24on the client to route only corporate subnets through the tunnel. Using0.0.0.0/0forces all traffic through — useful for compliance but adds latency for non-corporate destinations. - Monitor WireGuard peers with
wg show: The output shows each peer's last handshake time and transferred bytes. A peer whose last handshake is more than 3 minutes old is effectively disconnected. Script this to feed into your monitoring system since WireGuard has no explicit connection state. - Use OpenVPN's management interface for live connection visibility: Telnet to
127.0.0.1:1194(or your configured management port) and issuestatusto see all currently connected clients, their assigned IPs, and bytes transferred. This is invaluable for troubleshooting without restarting the service. - Pre-share WireGuard configs via a secrets manager: Never distribute WireGuard private keys over email or chat. Use a secrets manager (HashiCorp Vault, AWS Secrets Manager) to generate and deliver keypairs to devices during provisioning. The private key should be written to the device and never leave it.
- Run OpenVPN over UDP when possible: OpenVPN defaults to TCP on port 1194 in many configs, but TCP-over-TCP (tunneling TCP inside a TCP VPN connection) causes severe performance degradation under packet loss. Use UDP transport with
proto udpin both server and client configs whenever your firewall environment permits.
Choosing between OpenVPN and WireGuard is not a simple performance question — it is an operational architecture decision. Match the protocol's IP allocation model to your user management workflow, and you will avoid rebuilding your VPN infrastructure two years later. Check your current IP and VPN configuration here.