WireGuard vs OpenVPN: what goes in a client config file

A VPN client config is a small text file, but every line controls how and where your traffic is tunneled. WireGuard and OpenVPN, the two dominant protocols, take very different approaches, and the config reflects that.

The core difference

WireGuard is deliberately minimal: a few thousand lines of code, modern cryptography with no algorithm choices to misconfigure, and a config that fits on a postcard. It runs over UDP and is fast to connect. OpenVPN is older, far more configurable, can run over TCP or UDP, and is more flexible at traversing restrictive networks, at the cost of a heavier, more complex setup.

For most new deployments WireGuard is the simpler, faster default; OpenVPN earns its place where you need its flexibility or are stuck on a hostile network.

Reading a WireGuard config

[Interface]
PrivateKey = <your private key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0

• [Interface] describes your end: your private key, the address you take on inside the tunnel, and the DNS server to use while connected.
• [Peer] describes the server: its public key and Endpoint.
• AllowedIPs is the one to understand. 0.0.0.0/0 routes all your traffic through the tunnel; a narrower range tunnels only specific networks (split tunneling).

The key pair

Both protocols rest on a key pair per client. The private key stays on the device and never leaves it; only the public key is shared with the server. Treat a config file containing a private key like a password.

The VPN Config Generator builds a valid client configuration for you, generating keys in your browser so the private key is never transmitted. If your interest is the other side of VPNs, how networks detect them, see how VPN and proxy detection works.