Choosing VPN Protocol

My home router, a TP-Link Archer AX55, can be configured as a VPN server using any of these protocols:

  1. OpenVPN
  2. L2TP/IPSec
  3. WireGuard

I intend to use it with iOS and macOS at domestic and international locations where I’m not confident of the integrity of public WiFi, e.g., airports, coffee shops, etc.

What are the advantages/disadvantages of each protocol? How should I decide which one to set up?

To start things off, here are some articles that I’ve read on the subject:

https://vpnoverview.com/vpn-information/vpn-protocols-compared/

Thank you.
1 Like

OpenVPN is a very popular open source VPN solution. They have a community version which is open source. A former employer used the community version to set up remote access to a company lab-network. It worked very well for us.

Here’s a link to the OpenVPN client installers. I’ve used the Windows version. Setting it up can be a pain in the neck, but you only need to do it once. Once you get a configuration file that works for your LAN, you can distribute that with the software to anyone else who needs to connect.

L2TP and IPSec are two IETF-standard protocols for creating network tunnels between networks. L2TP is for layer-2 (e.g. virtual Ethernet links) and doesn’t provide security on its own, but it may be layered with other encryption protocols, including IPSec. I assume that when your router says “L2TP/IPSec” they are describing this configuration - an L2TP tunnel encrypted using IPSec.

You won’t find an official app for these, because they are Internet standards, not software products. But I’m sure there are open source clients available from multiple sources. No clue about specific packages for macOS or how friendly it would be to use one of them.

I’ve never heard of WireGuard before now, but here’s the Wikipedia page for it and the product home page. It’s an open source protocol and software suite. The macOS client is available in the App Store (linked from the official installation page).

I personally think that any one of the three should (in theory) be sufficient for whatever you need. Assuming that your router’s implementation is sufficiently secure (which might not be a reasonable assumption), then I’d pick one of the three protocols/products based on the features and ease-of-use of the client applications.

If you can find some kind of review/analysis of TP-Link’s implementations, and you find that one is significantly more secure than the others, use that.

Or forget using what’s built-in to your router and consider setting it up yourself on a computer on your LAN. It doesn’t have to be your main system. Any inexpensive computer (maybe even a Raspberry Pi) may be OK for this. It will probably be more difficult to set it up, but you’ll be 100% in control and you won’t have to rely on TP-Link to provide security updates.

1 Like

Well, a complete answer is probably book-length.

I used OpenVPN for a number of years. It’s solid and reliable, but the code base is large and complex and configuration parameters are many and sometimes seem poorly understood even by the enthusiast community.

WireGuard is the relative newcomer, being only ten years old. It recently (five years ago?) became officially a part of the Linux kernel, so well-reviewed and tested implementations abound. It is quite streamlined. The code base is small and lightweight. I have found it much easier to configure to do what I need – though I don’t use VPNs in the way most consumers do. It has been a much more approachable, reliable, and solid protocol for me than OpenVPN, and I have completely transitioned to it.

WireGuard is the underlying technology used by Tailscale which a lot of TidBITS Talkers seem to like.

What the others said, plus…

Ordinarily I’d pick WireGuard, but macOS in Ventura and Sonoma only has built-in support for L2TP/IPSec. So if you want OpenVPN or WireGuard, you need to install a third-party client.

If it were me I’d stick to what’s built-in, unless I already had an OpenVPN or WireGuard client for some other purpose.

I suggest double-checking your AX55’s hardware version. I saw a discussion in another forum that some of the earlier AX55 models (v1.6, v2.6) are at end-of-life and no longer receive security updates. It looks like at least some of the newer hardware versions (v4.6) are good until 2028.

2 Likes

Sorry if this is opening up a can of worms, but another consideration is whether to even use a TP-Link networking product in the first place. For they’ve been in the news at the end of last year for multiple security issues and risks. I haven’t tried to keep abreast of the latest on this, so maybe the risks were overblown.

As for choice of VPN protocol, I’d favor WireGuard heavily. The IPSec implementations are, if I remember correctly, not considered to be as strong as the others. And OpenVPN, while very seasoned and secure, is so complex that it’s quite easy for the developer of a package to unknowingly get something wrong and thereby undermine the security of the implementation. WireGuard, however, is much smaller and simpler, making it much easier to implement correctly. It’s also thought to be faster in many applications.

As Bruce Schneier and other security experts have said non-stop, complexity is the enemy of security.

1 Like
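To make the “small and simple to configure” point from the two WireGuard posts above concrete, here is what a complete router-as-server setup for the scenario in the question looks like. This is an added illustration, not TP-Link’s configuration format or anything from this thread; the keys, addresses, hostname and DNS server are placeholders, and whether the AX55 exposes these exact fields in its UI is an assumption.

```ini
# --- Router / server side (e.g. wg0.conf) --- constructed example
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>    ; placeholder: output of `wg genkey`, never leaves the router

; One [Peer] block per device. The router only ever stores the device's public key,
; so a lost laptop is revoked by deleting its block, not by rotating the server key.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>      ; placeholder: `wg pubkey` of the laptop's private key
AllowedIPs = 10.8.0.2/32             ; router accepts and routes traffic for this peer only from this tunnel address

# --- Laptop / phone side (imported into the WireGuard app) --- constructed example
[Interface]
PrivateKey = <LAPTOP_PRIVATE_KEY>    ; placeholder
Address = 10.8.0.2/32
DNS = 10.8.0.1                       ; placeholder: resolve names at home, not via the hotspot's DNS

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>      ; placeholder
Endpoint = home.example.net:51820    ; placeholder: router's public address (a DDNS name works)
AllowedIPs = 0.0.0.0/0, ::/0         ; full tunnel: every packet goes home, which is the point on untrusted WiFi
PersistentKeepalive = 25             ; keeps the NAT mapping open on airport/hotel networks
```

Two design points worth noticing: `AllowedIPs` is both a routing rule and an access-control rule (the client will only send to, and only accept from, the home peer for those prefixes, and the router does the same per peer), so a split-tunnel variant is simply `AllowedIPs = 10.8.0.0/24` on the client; and there are no cipher, handshake or certificate options to choose, which is the property the posts above credit for WireGuard being hard to misconfigure.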

Citation needed. IPsec with AES-256 encryption is considered extremely secure, and is used by governments, military, financial institutions…

1 Like

I assumed he’s referring to TP-Link’s implementation of IPSec. But as you wrote, it will depend entirely on what cipher is used and how good that cipher’s implementation may be.

The firmware updates are listed here:

The AX55 I have is hardware version 1.0 and the latest firmware build date is 2024-12-11, slightly more recent than the latest available for hardware version 4.6.

I decided to sidestep hosting my own VPN by using Tailscale to route IP traffic through my home internet connection.

There are some threads on the TP-Link support site that suggest that hardware versions 1.0 and 1.6 are identical, though it’s not clear to me why they have different numbers. I do notice that the respective firmware updates for 1.0 and 1.6 are identical, as verified by checksum.

The v1.6 hardware is listed as “End of Life” in the “Home Networking” section of the TP-Link EOL list for the US as of July 2025, when the 2024-12-11 firmware build was published. I presume that the 2024-12-11 update is the final update for both v1.0 and v1.6.

If you are not located in the US, it’s possible your router may have a different EOL date.

1 Like

Thank you for the work you’ve done apparently indicating that v1 and 1.6 firmware updates are identical, as well as passing along information that TP-Link AX-55’s status is end-of-life (EOL).

Yes, I’m located in the US.

I find the status of TP-Link AX-55 v 1.0 very confusing. I found its alternative product name, Archer AX3000 V1, listed on TP-Link’s Home Networking EOL status webpage. However, I called TP-Link support and was assured that it is still supported and not EOL. 🤷

Now today, I see that TP-Link recently released a firmware patch:

Interesting. My guess is that the 12/2024 patch degraded performance badly enough that TP-Link had to come out with a fix, even if the device may (or may not) have been EOL.

I tend to trust published documents more than tech support personnel, but who knows? With some luck, maybe your router actually is still supported, despite the confusion. Good luck!