WireGuard VPN - Stable, Quick, and Widely Available
A Fairly New VPN Protocol Offering a Great Blend of Speed and Security
Jan 21,2023 January 21,2023
Pros of WireGuard
- Very fast
- Stable connections
- Secure code base
- Wide platform support
- Best cryptography available
Cons of WireGuard
- Does not assign dynamic IPs
- No obfuscation
- Only supports the UDP transmission protocol
VPNs are nowadays pretty much ubiquitous, becoming a mainstay of cyber defense for regular users all around the globe. According to the latest data, 41% of adult internet users utilize a VPN in 2021 (in 2020, it was 49%, but usage fell due to workers staying home). Next to reliable antivirus software, pretty much everyone is advised to use a VPN to protect their privacy and security online.
VPN service providers rely on VPN protocols to route and encrypt your data flows. One of the youngest protocols out there is WireGuard. Launched in 2018, it brought many improvements compared to older protocols, especially in terms of simplicity, speed, and security.
However, the WireGuard VPN protocol also has a few weaknesses, including some in the security department. Both new and experienced VPN users might be at an impasse, unable to decide which protocol to go with. Let’s take a peek under the hood and see whether getting a VPN with WireGuard is the best choice to make.
What is a VPN Protocol?
Before we get into the nitty-gritty of it all, let’s take a step back and examine what VPN protocols are in the first place. In short, VPN protocols are a set of rules and processes that determine how data will be routed from your device to the VPN server set up by the provider. These protocols are essential for ensuring a stable and secure connection for VPN users.
VPN protocols can differ greatly in what they bring to the table. Their main two components are transmission protocols, which are in charge of transmitting data between you and the VPN server, and encryption techniques that serve to hide your internet activity from prying eyes.
Each protocol defines several key parameters that determine the nature of the connection: packet size, authentication techniques, encryption, error connection types, and address format, among others.
Each protocol, with its defined parameters, comes with certain advantages and disadvantages. Based on a protocol’s parameters, VPN protocols vary in speed and anonymity they provide, their capability to circumvent geo-blocking, ability to bypass firewalls, security, and so forth.
For example, when streaming Netflix, you might look for two things: the ability to unblock the Netflix US library and good connection speed to allow for an enjoyable streaming experience. Alternatively, if you want to torrent safely, without your ISP catching wind of it, you want a protocol that masks your connection - such as TCP or UDP protocols.
Besides WireGuard, which we’ll speak about extensively later in the article, these are the most commonly used VPN protocols out there:
- PPTP (Point-to-Point Tunneling Protocol) - created in 1996 by Microsoft, PPTP is the first public VPN protocol. While useful for accessing geo-restricted content, it’s very lax on security by today’s standards.
- IPSec - a very secure network protocol that encrypts data routed through the network. One of its main advantages is its ability to encrypt your connection without the end-point application being aware of it. On the flip side, IPSec is somewhat difficult to configure and set up.
- L2TP/IPSec - a more secure but slower version of PPTP that utilizes double encapsulation.
- IKEv2/IPSec - IKEv2 (Internet key exchange version two) is combined with IPSec to form a VPN protocol known as IKEv2/IPSec. Unlike IPSec proper, IKEv2/IPSec is faster, more stable, and has no known vulnerabilities.
- OpenVPN - probably the most commonly used VPN protocol, OpenVPN is the one you’ll most often see being compared to WireGuard. OpenVPN has several things going for it: platform availability, stability, and it can easily circumvent VPN blocks. It can operate on both UDP and TCP protocols.
How Does WireGuard Work?
WireGuard was launched in 2018, although some snippets of its code base were available as early as 2016. The WireGuard tunnel protocol was developed by Jason A. Donenfeld, a vulnerability researcher that found existing tunneling protocols to be too vulnerable to attack from third parties. Many of WireGuard’s early adopters - Mullvad, IVPN, AzireVPN - also contributed to the protocol’s development.
Seeing how other VPN protocols might be easily-compromisable security, and being a vulnerability researcher himself, Donenfeld set out to make the VPN WireGuard protocol that will be both secure and easy to implement.
When WireGuard became public, the first noticeable difference was how smaller and simpler its code was compared to its predecessors. While OpenVPN runs on 400,000 lines of code and IPSec on 600,000, WireGuard has only 4,000.
This means that the WireGuard setup and implementation process is pretty much painless, and the protocol works as it should. The same cannot be said for OpenVPN and IPSec, which are all-too-prone to crashes.
Another benefit of having a significantly smaller code is that it results in a smaller attack surface. The term “attack surface” refers to the sum of all potential access points an attacker could use to breach security and extract data. In the context of VPNs, that means that malicious third parties, ISPs, or government agencies could potentially gain access to your browsing history or your actual location and IP.
This protocol has been open-source since its early code was made public in 2016. This allows for independent security audits, enabling the protocol’s developers to learn of any vulnerabilities quickly.
Besides a much simpler code, WireGuard also features a more straightforward and secure approach to encryption and cryptography. Most other protocols adhere to the principle of cryptographic agility, which allows users to use an alternative to the original cryptographic method and configure encryption, key exchange, and hashing algorithms.
As you might assume, this can severely weaken the overall security of a protocol.
The developer behind the WireGuard protocol has done away with cryptographic agility in favor of a much tighter cryptographic approach. The protocol has practically zero potential for custom user configuration, much smaller cryptographic keys, and relies only on the newest, most secure cryptographic primitives. Let’s break this down.
As we mentioned, WireGuard avoids creating security vulnerabilities by taking away tinkering ability, preventing users from wrongly configuring or mismanaging cryptographic options. Instead, the protocol utilizes modern cryptographic primitives that you can’t change or customize when using a WireGuard client.
According to WireGuard’s cryptography page, these are:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539's AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
If these words mean nothing to you, and chances are they don’t, just rest assured that this translates into cutting-edge encryption. In addition to solely using these cryptographic primitives, the cryptographic keys produced by WireGuard are significantly smaller than OpenVPN’s, for example.
WireGuard produces 256-bit encryption keys, as opposed to OpenVPN’s whopping 4,096-bit ones. Conventional wisdom and the “bigger is better” approach would make you believe that OpenVPN’s encryption is significantly stronger.
While it’s true that a brute-force attack on a 4,096-bit key would take longer to succeed, the time needed to brute-force an AES 256-bit is around 2,117.8 trillion years. This is 1,800 times longer than the universe’s entire existence, meaning we’re pretty much safe with 256-bit keys for the foreseeable (and conceivable) future.
Most attacks on VPN cryptography don’t even rely on brute-force tactics for this very reason. In a WireGuard VPN vs. OpenVPN matchup, WireGuard clearly takes the win when it comes to cryptography.
All the technobabble about encryption, cryptography, keys, and brute-force attacks possibly won’t interest regular users. Of course, people want to know that the VPN protocol they use will maintain their privacy and anonymity, but one aspect of VPN connections is of interest to pretty much anyone - speed.
WireGuard operates exclusively in the kernel space. On the other hand, OpenVPN works in the userspace, utilizing a virtual network interface driver to switch in and out of the kernel when needed. As a result, WireGuard is significantly speedier than OpenVPN or other older protocols.
According to benchmark tests showcased on WireGuard’s site, the younger protocol is up to 4 times faster than OpenVPN.
Of course, this WireGuard performance test was done in very specific circumstances and measured the maximum throughput on extremely fast internet speeds. Still, even in other tests performed on slower network hardware, WireGuard outperforms OpenVPN by 15-20% on average.
The protocol was initially developed for the Linux kernel. Consequently, the substantial performance advantages it has over other protocols mainly apply when WireGuard is used in Linux. When used in other operating systems, WireGuard doesn’t run exclusively in kernel space but acts similarly to other protocols. However, it still manages to outperform them.
The first stable version of the protocol, 1.0.0, came out in 2020 when WireGuard was also implemented directly into the Linux kernel. The WireGuard Windows client is currently at its 0.5.2 version, and developers keep boosting the Windows version’s performance and stability.
In August 2021, WireGuard released a native port to Windows kernel, meaning it can operate wholly in-kernel and perform faster, just like in the Linux WireGuard version. Developers also added implementation for Android 12’s Linux Kernel 5.4 tree.
Users on Mac or BSD unfortunately still have to stick to using userspace implementation versions, which rely on the Go language to operate. All WireGuard versions are available for download on the protocol’s main website but can also be obtained through the App/Play store or corresponding storefront.
WireGuard VPN Setup
There are two main ways you can use WireGuard. One is through one of the many VPN providers that include it in their offering. Alternatively, you can download the WireGuard client yourself and install it directly. The second option is usually favored by businesses, where IT administrators take care of the company’s network and VPN connections.
As we mentioned, you can download the installer straight from WireGuard’s website. You’ll also find installation instructions there, which usually encompasses copying over commands or connection details. If you’re using a mobile app, there’s also the option to scan a QR code that automates the whole process.
As you have seen so far, WireGuard comes with many advantages compared to other widely used protocols. Let’s quickly list them:
- Simpler code results in a smaller attack surface
- Great connection speeds
- Usage of the latest cryptographic primitives
- Operates in-kernel in WireGuard for Windows and WireGuard Linux kernel versions
- Stable connections
Drawbacks of WireGuard
Of course, WireGuard isn’t without its weaknesses. We touched upon some of them already - the somewhat weaker performance on non-Windows or Linux systems, as well as the fact that it usually needs additional software to work on some operating systems.
WireGuard also has disadvantages in the area of security. The most significant one is the protocol’s inability to assign dynamic IP addresses.
That means that every time you connect with WireGuard VPN to a server, you’ll be assigned the same IP address. While this isn’t your actual IP address, being assigned the same IP address in every session can put your privacy at risk, as your online activity can be tracked more easily.
On top of that, WireGuard won’t delete the IP address you were assigned after your session ends. Instead, it keeps it in memory, practically making WireGuard impossible to use inside a “no logging” VPN without some fiddling by the providers themselves.
Additionally, WireGuard doesn’t really focus on obfuscation - using stealth technology to hide the fact that you’re using a VPN when connecting somewhere. This is a big deal for accessing sites that implement anti-VPN measures, blocking your connection if they detect you’re using a VPN.
Most sites or firewalls (like the Great Firewall of China) want to prevent VPN connections using deep packet inspection to do so. Unfortunately, WireGuard has no countermeasures against this, but stealth can potentially be tacked on through various plugins.
While WireGuard excels in cryptography, it has some significant drawbacks in security and privacy departments. Still, the answer to the question “is WireGuard secure?” largely depends on what you plan on using the VPN for.
We should also add that several VPN providers that use the WireGuard protocol offer their own add-ons and solutions that tackle all or at least some of the protocol’s issues.
Top 3 VPNs with WireGuard Protocol
If you’re looking to use WireGuard, and don’t want to deal with the hassle of setting it up through its installer yourself, you should check out some VPN providers that allow you to use this protocol.
There’s plenty of them around, but we singled out the three best WireGuard VPN providers we tested out. We recommend checking them out and seeing which one suits your needs the most.
Numbering over 3,200 servers in 65 countries, Surfshark is consistently included among the top VPN providers in the market. While expensive, this VPN solution supports the WireGuard, OpenVPN, and IKEv2 protocols and boasts advanced security features like split-tunneling and multi-hop. This no-logs VPN does not have a free plan, but its otherwise pricy monthly sub can be reduced significantly by subscribing for longer periods of time.
If you might recall, Mullvad is one of the earliest supporters and adopters of WireGuard. This privacy-focused VPN might not be ideal for streaming and gaming, but you can rest assured that your anonymity will be preserved. Besides WireGuard, Mullvad offers the OpenVPN protocol, and its services can be used safely in China. As for additional features, you’ll find the always-useful internet kill switch and multi-hopping capabilities here too.
NordVPN is potentially the most popular VPN provider out there, rocking a 5,000-strong server network. The provider offers its proprietary NordLynx protocol, built around WireGuard, retaining its performance benefits while improving its privacy. NordVPN can handle pretty much everything - from streaming and gaming to safe browsing and Tor browser connections.
This up-and-coming VPN protocol has a lot of advantages over its older siblings. It’s quicker, more stable, with air-tight cryptography and simple-yet-effective encryption. As such, it’s pretty much ideal for regular, everyday users. However, it does come with some potentially serious security issues and isn’t really good at hiding the user’s VPN connection.
Still, most of its drawbacks can be remedied by picking the right VPN provider that patches up these holes with its own plugins and addons.
Yes, thanks to a much smaller code base and its rejection of cryptographic agility, WireGuard is a very safe protocol. However, it does have weaknesses, too. The protocol does not provide you with a different IP whenever you connect, nor does it come with VPN stealth features.
Yes, mainly in the domains of speed, stability, and security. It has a significantly smaller attack surface, is less prone to crashes, operates entirely in-kernel, and uses the best cryptography techniques available.
WireGuard can be great for all bandwidth-intensive activities due to its incredible speeds. It excels at things like streaming, torrent, and gaming.
Yes, due to its 15-20% performance advantage over protocols like OpenVPN, WireGuard offers a smooth streaming experience.
Your email address will not be published.*