VPNs on OpenWrt: WireGuard vs. IKEv2/IPSec vs. OpenVPN TAP mode

1. Goals

My goal is to be able to connect to my home network from anywhere in the world and access everything on it the same way as I would be in my local WiFi.

2. Why three different VPN protocols?

3. When do you need a Layer 2 network?

Most VPNs work on Layer 3, but Layer 2 can be useful if:

The only protocol I've found that supports Layer 2 bridging is OpenVPN in TAP mode. However, Android doesn't support connecting to it.

On a local network, your DHCP server could propagate a default NTP server to use to all clients.

WireGuard doesn't offer a way to set an NTP server just for one network, neither does NetworkManager.

So you lose some functionality with WireGuard and IKEv2/IPSec, compared to being directly connected to your home network.

I think for most people in most cases, you do not need Layer 2. If all you need is access to your home servers, NAS, SSH, or web interfaces, a Layer 3 VPN such as WireGuard is usually sufficient.

But be aware that a VPN connection might lack features you would have if you were connected to your WiFi directly.

4. Feature matrix

What VPN is missing, compared to a local connection:

Feature WireGuard IKEv2/IPSec OpenVPN TAP
Dynamic IP addresses via DHCP No, only fixed IPs No, only fixed IPs Yes
Same subnet No, own subnet No, own subnet Yes
DNS propagation No Only via manual config Yes, via DHCP
NTP propagation No Supported on protocol level, not via swanctl Yes, via DHCP
Ethernet broadcasts No(?) No(?) Yes
avahi No No Yes
Wake-on-LAN (WOL) No No Yes

5. Issues of OpenVPN in TAP mode

If you look at the matrix above, you could think: Well, I just go with OpenVPN TAP then.

However, OpenVPN TAP has its own problems:

Since WireGuard is much more convenient, I will only use OpenVPN TAP as a fallback solution when I need one of the Layer 2 features listed above.

For daily use cases WireGuard is usually sufficient for me.

6. Blocked connections

Some networks or providers block VPN connections.

All of these protocols can be identified and blocked by sufficiently restrictive networks.

OpenVPN has a TLS mode, which should be indistinguishable from HTTPS traffic, especially if your server operates on port 443, but it still can be detected, because the packet structure, sizes and timings differ from a browser HTTPS connection.

For full firewall penetration, stunnel and v2ray look promising. But I haven't tested them.

7. Verdict

I found it very complicated to set up all of the protocols.

I found no easy, simple way to really connect to your home like a local WiFi connection would.

I will use WireGuard as my main protocol, and occasionally use OpenVPN in TAP mode when I want to use my WiFi's DHCP, DNS, NTP or when I want to send broadcasts on Layer 2, for example for avahi.