I assume this is because, in addition to the missing ciphers as referenced in the linked article, OpenVPN, even though it uses TLS, it initially uses a very identifiable handshake before initiating TLS, which is not hard to block. I have personally had problems specifically with OpenVPN being targeted/blocked in this way.
this post was submitted on 18 Aug 2025
178 points (98.9% liked)
Privacy
41960 readers
532 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
Wireguard is not difficult to block either, it's not designed to be hidden. China, Russia, etc have learned long ago how to detect and block it. The only semi-reliable way to bypass sophisticated VPN blocking techniques is to use protocols that mask as regular https traffic (and self-host it since well know public VPNs will of course be dealt with by simply blocking packets to their ip addresses).
But why disable it for the people who can use it? Unless there's a security implication to the handshake?
And I specifically had luck with OpenVPN TCP on port 443 on network which DPI-blocked Wireguard.
Yeah OpenVPN is often used for business reasons (e.g. by remote workers), so it's usually not blocked wholesale, only throttled (and known public VPNs providers and blocked via blacklisting their endpoints' ip addresses). Wireguard meanwhile is used much more rarely so there is less fallout from blocking it completely.
Yea every network may do things differently... in my case tcp/443 openvpn is blocked at several places that I frequent.
Wireguard is not Sensorship and DPI resilient at all, it relies solely on UDP. They state it on their official website that it's not their priority at all
First port-forward and now this I mean I get it but being versatile is more important in a VPN for me so no more Mullvad for me. I'll be moving to either windscribe or AirVPN
I switched to Air, its the slowest VPN I've ever used and I'm considering switching back once my subscription is up
Can second AirVPN being slow as shit
Good to hear I'm not alone
Is that so. I also think that windscribe is better
Hide.me is decent. Last i read Azire is solid too.
windscribe goes on sale a few time in the year. You can get it for 29$ a year which is a great price and for 20$ more you have static IP and permanent port-forwarding. It's a great deal for a trustworthy and feature rich VPN in my opinion
I find when using Mullvad a lot of sites are blocked vs other VPNs. Are all their IPs on a blacklist somewhere?
I find frequently switching works well. It's a bit of effort, but I have a small list of countries that work best with certain websites.
Yes, that was the technique used by interpol to get mullvad to comply with a csam investigation. The terms were ”give us user information or drop port forwarding unless you wanna remain on a global blacklist” and mullvad chose to drop port forwarding.
And remained on a blacklist anyway.
Not in the slightest. Web accessibility using mullvad before and since has tracked the ongoing trend of websites blocking vpn services and almost all their endpoint ips have rolled over since then.
In my own experience, sites that weren’t blocking mullvad before and were blocking during the csam investigation aren’t blocking now. That’s because the blocking was mostly happening at the cdn level.
They didn’t remain on the blocklist but the web is becoming hostile to vpn ips. One way around this is by using a web proxy defined in your browsers settings.
Well that's annoying. When using it with Gluetun, I'm not sure I can even use Wireguard there.
I used Mullvad wire gluetun for about a year without issues. I'm pretty sure it's just a simple config difference
Maybe, but I'm using Gluetun's API too (which is very badly documented), and it seems to me some of the endpoints only work for OpenVPN. But I'll have to look into it properly.
Ah, no idea about that then
Why this change?
Mullvad has stated years ago that "WireGuard is the future" because it supports different cryptographic primitives that they prefer to what OpenVPN supports, it uses less lines of code which makes implementations less prone to errors, and it has a different architecture that reduces the risk from certain kinds of cryptographic attacks.
At least, that's what they claimed back in 2017. It seems they still believe that WireGuard is better than OpenVPN now, but I don't know if they have any more reasoning beyond what they wrote about in 2017 as to why.
Can you run multiple wire guard connections simultaneously? The reason I stick with OpenVPN is because my work uses wire guard and I can run two connections at the same time.
Yes.
It would depend on whatever the client-side software you use to manage it supports.
You could theoretically have an implementation that sends packets across 1 VPN connection, 5 connections, or 1,000,000, just like how you can make a program that just sends a ping request to one web server, or make one that sends ping requests to 1,000. But if the VPN software your work uses doesn't support it, then you'd be out of luck.
It's probably more likely that any legacy software would support multiple connections with OpenVPN, but not necessarily WireGuard, since OpenVPN's just been around longer, but since WireGuard's codebase is much simpler, it could be something they've put a little time into implementing.
Though since I have no clue what your work uses, there's no way for me to know if it'd support multiple or not without you testing it yourself.
My work uses tailscale to get to work things. and I just want a VPN to get into my network at home. Maybe every once in a while connect to something like Mulvad. All 3 distinct programs that have virtually no idea about each other.
With OpenVPN just add as many taps as you need. With wire guard it doesnt way to play nicely with any other Wireguard VPNs running.
Thank you for the reply!
did you read the article?
AirVPN also really good. Plus they have static port forwarding. And very easy flipping of OpenVPN to wireguard
Only downside is it's based in Italy, the government of which has been somewhat hostile to privacy as of late. Still, AirVPN itself has been a longtime supporter of privacy and projects like Tor.
anyone know alternative VPNs that also include http or socks proxies?