WireGuard handles cellular roaming, MTU fragmentation and encryption correctly. L2TP/IPsec does not. Speedroute uses WireGuard throughout for this reason.
Protocol comparison
| Property | WireGuard | L2TP/IPsec | OpenVPN |
|---|---|---|---|
| Year introduced | 2018 (kernel 2020) | 1999 | 2001 |
| Native encryption | Yes — ChaCha20/Poly1305 | No — requires IPsec | Yes — OpenSSL |
| Handles IP change during roaming? | Yes — by design | No — tunnel drops | No |
| MTU overhead | ~60 bytes | ~80–120 bytes | ~100+ bytes |
| Teltonika RutOS support | Native | Native (with caveats) | Via package |
| Silent to port scanners? | Yes | No | No |
Why L2TP fails on 4G
MTU fragmentation: L2TP/IPsec adds 80–120 bytes overhead per packet. On cellular this causes fragmentation and throughput collapse on CCTV streams and SCADA traffic. WireGuard overhead is ~60 bytes and handles MTU discovery correctly.
IP changes during roaming: When an eUICC SIM switches carrier, the device IP changes. L2TP tunnels drop and must reconnect. WireGuard detects the new IP and re-establishes within seconds automatically.
Security: L2TP alone has zero encryption. WireGuard uses Curve25519, ChaCha20, Poly1305, BLAKE2s — formally audited and modern.
Request your free IPv4 Guide and we will follow up with the right solution for your installs.