WireGuard is a VPN protocol that has the potential to bring major change to the VPN industry. In comparison to existing VPN protocols, such as OpenVPN and IPSec, WireGuard may offer faster speeds and better reliability with new and improved encryption standards.
While it does offer some promising features in terms of simplicity, speed, and cryptography, WireGuard also has some noteworthy drawbacks, which we will discuss at length below.
In this WireGuard VPN guide we will cover:
- What is WireGuard
- WireGuard Pros
- WireGuard Cons (why it is not yet recommended)
- The future of WireGuard
What is WireGuard?
WireGuard is a new, experimental VPN protocol that aims to offer an updated, simpler, faster, and more secure solution for VPN tunneling than existing protocols. WireGuard differs substantially from OpenVPN and IPSec in several respects, such as its code size (under 4,000 lines), its speed, and its encryption standards.
The developer behind WireGuard is Jason Donenfeld, the founder of Edge Security. (The term “WireGuard” is also a registered trademark of Donenfeld.)
Why is there so much buzz surrounding WireGuard?
The answer is simple: it offers many advantages over existing VPN protocols, as we’ll show you below. It has even caught the attention of Linus Torvalds, the developer behind Linux, who had this to say in the Linux Kernel Mailing List:
Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
Let’s first examine the advantages of WireGuard.
Here are some of the ‘pros’ that WireGuard offers:
As explained in various interviews, Jason Donenfeld wanted to improve on what he considered to be the “outdated” protocols OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
A simple and minimal code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit; auditing OpenVPN would take a large team many days.
- Easier to audit means vulnerabilities are easier to find and fix, which helps keep WireGuard secure.
- Better performance, which we’ll discuss in detail below.
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the way of:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be particularly beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from Wi-Fi to mobile/cell data, the connection remains up as long as the VPN client continues to send authenticated data to the VPN server.
Cross-platform ease of use
Although not yet ready for prime time, WireGuard should work very well across different platforms. WireGuard supports Mac OS, Android, iOS, and Linux, with Windows support still in development.
Another interesting feature of WireGuard is that it uses public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for using WireGuard in a VPN client, however, such as key generation and key management.
While WireGuard offers many exciting advantages, it currently comes with some noteworthy drawbacks.
The developers state on the project site that WireGuard is still under “heavy” development, not ready for use, and not audited. Despite the fact that WireGuard remains under “heavy development” and is not yet ready for general use, many people are looking to use it right away as their primary VPN protocol. You can find lots of WireGuard promotion on Reddit and various forums; in other words, people chasing the latest VPN trend.
It must be pointed out that WireGuard is not complete, it has not passed a security audit, and the developers explicitly warn about trusting the current code:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come.
Privacy concerns and logs
The concern here is whether WireGuard can be run without logs, and how this affects user privacy. Because WireGuard has no dynamic address management, client addresses are fixed. That means a VPN provider would need to make tweaks around the protocol to register every active device of each customer and assign it a static IP address on each of the VPN servers. In addition, the provider would have to store the last login timestamp for each device in order to reclaim unused IP addresses. Users who had not connected for a few weeks would then find they could no longer connect their devices, because their addresses would have been reassigned.
- Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic;
- The Wireguard client does not verify the server identity (a feature so essential that it will surely be implemented once Wireguard is no longer experimental software); the impact on security caused by this flaw is very high;
- TCP support is missing (third-party or otherwise additional code is required to use TCP as the tunneling protocol, as you suggest, and that’s a horrible regression when compared to OpenVPN);
- there is no support for connecting Wireguard to a VPN server over a proxy with a variety of authentication methods.
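To make the fixed-address and timestamp problem concrete, here is an added example (not code from the WireGuard project or from the original article) that parses the tab-separated output of `wg show <iface> dump` to recover the per-key static tunnel address and the last-handshake time each peer exposes, then lists the peers a provider would have to track in order to reclaim addresses. The dump text and all key strings below are constructed placeholders.

```python
# Constructed sample of `wg show wg0 dump` output (tab-separated).
# Line 1 describes the interface: private-key, public-key, listen-port, fwmark.
# Each later line is one peer: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (unix seconds, 0 = never), transfer-rx, transfer-tx,
# persistent-keepalive. All keys here are placeholders, not real keys.
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff",
    "PEER_KEY_A\t(none)\t203.0.113.10:41641\t10.0.0.2/32\t1700000000\t1024\t2048\toff",
    "PEER_KEY_B\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff",
    "PEER_KEY_C\t(none)\t198.51.100.7:5000\t10.0.0.4/32\t1697000000\t500\t600\t25",
])


def parse_dump(dump: str) -> dict:
    """Map each peer public key to its fixed tunnel address and last handshake.

    This is exactly the per-device state the article says a provider would be
    forced to keep: the key-to-address binding is in the interface config, and
    the kernel exposes the last handshake time for every peer.
    """
    peers = {}
    for line in dump.splitlines()[1:]:          # skip the interface line
        fields = line.split("\t")
        pubkey, allowed_ips, handshake = fields[0], fields[3], int(fields[4])
        peers[pubkey] = {"address": allowed_ips, "last_handshake": handshake}
    return peers


def stale_peers(peers: dict, now: int, max_idle_seconds: int) -> list:
    """Public keys whose static address is a reclaim candidate.

    A peer is stale if it has never completed a handshake (timestamp 0) or has
    been idle longer than max_idle_seconds. Reclaiming such addresses is what
    breaks connectivity for users who return after the idle window.
    """
    return sorted(
        key for key, p in peers.items()
        if p["last_handshake"] == 0 or now - p["last_handshake"] > max_idle_seconds
    )


if __name__ == "__main__":
    table = parse_dump(SAMPLE_DUMP)
    # Pretend "now" is one day after peer A's last handshake; 14-day idle window.
    for key in stale_peers(table, 1700086400, 14 * 86400):
        print(key, table[key]["address"], "could be reclaimed")
```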
New and untested
Sure, OpenVPN has its issues, but it also has a long track record and is a proven VPN protocol with extensive auditing. While Donenfeld may refer to OpenVPN as “outdated” in various interviews, others may see it as proven and trustworthy – qualities that WireGuard currently lacks.
Initially released in 2001, OpenVPN has a very long history. OpenVPN also benefits from a large user base and active development with regular updates. In May 2017 it underwent a major audit by OSTIF, the Open Source Technology Improvement Fund.
At this point, WireGuard appears to be more of a niche project – but one with big potential for the industry. It is very new and is not yet out of the “heavy development” phase, although it has undergone a formal verification. Even after WireGuard is officially released, however, users would be wise to proceed with caution.
Considering the current state of WireGuard, the privacy implications, and the fact that it has not been audited, WireGuard is not recommended for regular use. This may likely change in the future when WireGuard progresses more, but for now, it would be wise to stay with OpenVPN.
The future of WireGuard VPN
So what does the future hold for WireGuard VPN?
Once WireGuard is fully released, gets audited, and is cleared for regular use, it will likely continue to gain popularity – assuming that it is well-received by the VPN user base. With increasing popularity and demand, you can be sure that more VPN services will incorporate WireGuard into their infrastructure – even if that comes with some growing pains.
WireGuard may very well become the go-to VPN protocol in the years ahead, especially for mobile users who are sick of connection problems and speed bottlenecks with existing protocols.
If you would like to try this new VPN protocol, you can install it and experiment with the settings. Be sure to consider the privacy and security implications given the current state of the project. Until WireGuard is fully released and audited, however, it would be best to stick with OpenVPN for regular use.