IPsec and OpenVPN still have specific "superpowers" that might make them better for your technical infrastructure.
Here is the breakdown of how they compare for your OPNsense/Proxmox lab:
1. WireGuard: The "Modern Speedster"
WireGuard is a lean, high-performance protocol that runs inside the Linux/BSD kernel.
Pros: Extremely fast (lowest latency and highest throughput), connects almost instantly, and uses very little CPU. It’s perfect for mobile devices because it doesn't drain the battery.
Cons: It uses UDP only, which can be blocked by restrictive firewalls (like at a hotel or office). It also lacks "dynamic" IP assignment features found in older protocols.
Best For: Remote Access (Phone/Laptop to Home) and Site-to-Site tunnels between two OPNsense boxes.
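A minimal WireGuard site-to-site pair for the two-OPNsense case above, as an added example (not from the original page, nor from the WireGuard or OPNsense projects). It assumes site A's LAN is 10.0.1.0/24, site B's LAN is 10.0.2.0/24, a 10.255.0.0/30 tunnel network, and placeholder keys and endpoints; on OPNsense the same fields map onto the WireGuard instance and peer settings rather than a hand-written file.

```ini
# ===== Site A (OPNsense box A): hypothetical LAN 10.0.1.0/24 =====
[Interface]
# Placeholder; generate with `wg genkey` and never reuse across sites
PrivateKey = <SITE_A_PRIVATE_KEY>
Address = 10.255.0.1/30
# WireGuard is UDP only: this port must be allowed inbound on the WAN rules
ListenPort = 51820

[Peer]
# Site B's public key (from `wg pubkey`) and optional extra symmetric secret (`wg genpsk`)
PublicKey = <SITE_B_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
# Placeholder hostname; only needed on the side that initiates
Endpoint = site-b.example.net:51820
# AllowedIPs is both the route table and the source ACL (cryptokey routing):
# packets from this peer whose source is outside these ranges are dropped,
# and only these destinations are sent into the tunnel. List B's tunnel
# address and B's LAN only; never 0.0.0.0/0 on a site-to-site link.
AllowedIPs = 10.255.0.2/32, 10.0.2.0/24
# Keeps NAT/firewall state alive when one side sits behind NAT
PersistentKeepalive = 25

# ===== Site B (OPNsense box B): hypothetical LAN 10.0.2.0/24 =====
[Interface]
PrivateKey = <SITE_B_PRIVATE_KEY>
Address = 10.255.0.2/30
ListenPort = 51820

[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
Endpoint = site-a.example.net:51820
# Mirror image of site A: A's tunnel address and A's LAN
AllowedIPs = 10.255.0.1/32, 10.0.1.0/24
PersistentKeepalive = 25
```

The tunnel only carries what AllowedIPs permits, but OPNsense still needs firewall rules on the WireGuard interface saying which LAN-to-LAN traffic may cross it; without them the link is up but policy is whatever the interface's default rules allow.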
2. IPsec: The "Corporate Standard"
IPsec is the veteran of the group, designed for high-security, hardware-accelerated environments.
Pros: Built-in support on almost every device (iPhone, Android, Windows, Mac) without needing an extra app. If your hardware supports AES-NI acceleration (which your HPE Gen10 Plus servers do), IPsec is incredibly efficient.
Cons: Very complex to configure. If one "Phase 1" or "Phase 2" setting is off by a single digit, the whole thing fails silently.
Best For: Connecting to a corporate office or creating a permanent, high-speed bridge between two data centers.
3. OpenVPN: The "Swiss Army Knife"
OpenVPN is the most flexible and can "climb" through almost any network restriction.
Pros: Can run on TCP port 443, making it look like standard HTTPS traffic. This allows it to pass through almost any firewall. It is highly mature and supports complex multi-factor authentication (MFA) natively.
Cons: The slowest of the three. Because it runs in "User Space" (not the kernel), it has high overhead and can struggle to hit Gigabit speeds.
Best For: Bypassing censorship or connecting from highly restricted networks where UDP is blocked.
Comparison Table
| Feature | WireGuard | IPsec | OpenVPN |
|---|---|---|---|
| Performance | Excellent (Fastest) | Great (w/ hardware accel) | Moderate (Slowest) |
| Setup Difficulty | Very Easy | High | Moderate |
| Security | Modern Cryptography | Verified / Standard | Highly Customizable |
| Bypass Power | Low (UDP only) | Low | High (TCP/443 support) |
| Code Base | ~4,000 lines (Audit-friendly) | Hundreds of thousands | Hundreds of thousands |