WireGuard Guide

If you haven’t heard about WireGuard, don’t worry. This is a VPN protocol that has been recently introduced in the industry. It is already getting a lot of attention due to the innovation and impressive features that it offers. WireGuard is faster and more reliable than other protocols including OpenVPN, and it uses advanced encryption standards. Although WireGuard has the potential to become the favorite protocol for many people due to its simplicity, speed and strong security, there are some downsides that should be noted. In this guide, we will go through the main aspects of WireGuard.

What is WireGuard

WireGuard was created by Edge Security’s founder, Jason Donenfeld. This new VPN protocol is designed to offer a solution that is faster, more secure and easier to use than other options that are currently available. In terms of speed and encryption standards, it is significantly different from IPSec and OpenVPN, which are the current main names in the industry, and its popularity is increasing due to the advantages that it offers over them.

Advantages of WireGuard

WireGuard stands out thanks to its updated encryption. When Jason Donenfeld developed it, his focus was to improve on protocols like OpenVPN and IPSec. WireGuard uses ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction. Curve25519 is used for ECDH, and BLAKE2s, described in RFC7693, is used for hashing and keyed hashing. For hashtable keys, WireGuard uses SipHash24. For key derivation, HKDF is used. The complete information about WireGuard’s cryptography is available on the official website: https://www.wireguard.com/

WireGuard also stands out thanks to its simplified code base of under 4,000 lines, which is significantly less than what OpenVPN, OpenSSL and IPSec have. The benefit of a smaller code base is that it is easier to audit. A team of experts could audit WireGuard in a few hours, meaning that it is possible to find weaknesses faster. Since the code is smaller, the attack surface decreases and the protocol can offer better performance. Although the smaller code base provides multiple advantages, it also comes with some limitations.

Improving performance

The strong encryption that VPNs offer has an impact on speed. WireGuard is set to bring better, faster performance. The combination of extremely high-speed cryptographic primitives and running inside the Linux kernel allows WireGuard to support high speeds in secure networking. In theory, WireGuard can offer faster speeds, improved battery life on phones and tablets, improved roaming support and increased reliability. It is capable of establishing connections and reconnections via a faster handshake. It could be a really good option for those who want to use a VPN on their mobile devices. WireGuard will ensure that if your mobile device switches network interfaces (for instance if it moves from WiFi to mobile data), the connection will be maintained, unless the VPN client stops sending authenticated data to the VPN server.

While WireGuard needs some polishing before it can really be considered a strong competitor for OpenVPN, it is meant to be compatible with a variety of platforms including Linux, macOS, iOS, Android and, in the near future, Windows. It is also worth mentioning that WireGuard uses public keys for identification and encryption, unlike OpenVPN, which uses certificates. The drawback is that generating and managing keys can cause some issues when WireGuard is used in a VPN client.
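To make the cryptography list and the public-key identity model above concrete, the following added example (not code from WireGuard or from this guide) derives a Curve25519 public key from a base64 private key, the same mapping `wg pubkey` performs, and feeds one ECDH result through HKDF built on HMAC-BLAKE2s. The names `public_key`, `kdf` and `session_keys` and the salt value are assumptions for illustration, and the single ECDH step is a simplification, not WireGuard's full handshake.

```python
import base64
import hashlib
import hmac
import os

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # curve constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")

def x25519(secret: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: for study only."""
    k = bytearray(secret)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64    # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private_b64: str) -> str:
    """A peer's identity: base64 private key -> base64 public key."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()

def kdf(chaining_key: bytes, material: bytes, n: int = 2) -> list:
    """HKDF over HMAC-BLAKE2s: extract once, then expand n 32-byte keys."""
    prk = hmac.new(chaining_key, material, hashlib.blake2s).digest()
    out, t = [], b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + bytes([i]), hashlib.blake2s).digest()
        out.append(t)
    return out

def session_keys(my_private_b64: str, peer_public_b64: str, salt: bytes) -> list:
    """Simplified: one ECDH result through the KDF (salt is an assumption)."""
    shared = x25519(base64.b64decode(my_private_b64), base64.b64decode(peer_public_b64))
    return kdf(salt, shared)

if __name__ == "__main__":
    print(public_key(base64.b64encode(os.urandom(32)).decode()))
```

Because the identity is only a 32-byte key with no issuer or expiry, distributing and rotating these keys is left to whoever runs the service.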

Downsides of WireGuard

The main reason why WireGuard is not fully recommended at this point is that it is still being developed. It has not been audited yet and it is not fully ready, although some people are already using it in spite of the developers’ warnings that the protocol hasn’t been completed and tested for security and stability. There are VPN services that support this protocol at the moment, but for now it is only recommended that you test WireGuard, not that you use it as your primary protocol.

Some VPN providers and privacy experts have questioned WireGuard’s credentials when it comes to privacy. It is unclear if the protocol can be used without keeping logs. Due to the way in which the protocol was designed (by default, it has endpoint and it allows IP visibility in the server interface), there were concerns about its compatibility with VPN providers’ privacy commitments. Although the developer has addressed this issue through some updates, VPN providers like Perfect Privacy and AzireVPN have expressed their reasons to doubt WireGuard’s ability to support their no logs policies. Some have decided to avoid supporting this protocol, at least until it is confirmed that it can be used without logs and that it meets all the security standards. Although some providers are open to the idea of testing WireGuard and some have even implemented it already, others refuse to take the risk.

Since WireGuard is a new solution that is not complete and that hasn’t been thoroughly tested and subjected to audits, it doesn’t have the level of reliability that OpenVPN has. OpenVPN is still considered by many as the most secure protocol currently available. It is a well-established option that is widely used and regularly updated. It has also been audited by security experts, unlike WireGuard, which is still a new option that is under heavy development. While WireGuard has been formally verified, it hasn’t been officially released and there are still some doubts about it. It hasn’t been widely adopted due to its limited compatibility, the fact that it uses key management and distribution instead of certificates, and more. WireGuard requires its own infrastructure and since many providers have based their service on OpenVPN, it is unlikely that they will move to WireGuard, at least in the near future. For many providers, it will take time to adapt their features to this protocol, which is why at the moment, many have simply decided to avoid WireGuard.

In spite of the enthusiasm that WireGuard has ignited and its promising features, the fact is that it cannot be recommended, at least at this time. It is not complete, it hasn’t been audited and there are privacy concerns regarding it. Once WireGuard leaves the heavy development stage and evolves, it is likely that its popularity will soar and it will become an option worth considering, but in the meantime, the best thing is to stick to known solutions like OpenVPN and IPSec.

VPNs that support WireGuard

At the moment, there are a few VPN services that support WireGuard or that are testing it before offering it as part of their plans. Here are some of them:

AzireVPN

AzireVPN expressed some initial concerns about WireGuard, but the developer made some adjustments to suit the provider’s infrastructure. AzireVPN is based in Sweden and it has a strong commitment to security and privacy. It was one of the first providers to offer support for WireGuard. Users can connect to WireGuard servers and while currently WireGuard doesn’t have official support, AzireVPN offers TunSafe, a third party solution. However, WireGuard recommends that customers not use third party solutions.

Mullvad

Mullvad is a provider based in Sweden that is ideal for experienced customers and it has a strong commitment to privacy. Although its interface can be a bit complicated for VPN beginners, it comes with the necessary features to protect your information. At the moment, Mullvad offers support for Linux, Android, macOS and some routers. You can connect to nearly 50 WireGuard servers. Mullvad is also known for the flexibility of its subscription plans.

IVPN

Based in Gibraltar, IVPN is another VPN provider that currently supports WireGuard. It has implemented this new protocol into its VPN apps so you can run WireGuard on iOS, Android and macOS. It is also possible to connect using Linux distros, but since at the moment there is no official Windows support from WireGuard, IVPN doesn’t offer this option. There are over 10 WireGuard servers available at this time.

VPN.ac

Romanian VPN provider VPN.ac is a solid solution to protect your data and it has started testing WireGuard, although it is not offering it to its customers yet. VPN.ac plans to support it in beta at first, but WireGuard’s design is not compatible with VPN.ac’s infrastructure at the moment. It eventually plans to implement it on its clients, but to ensure that everything runs smoothly and securely, VPN.ac is paying a lot of attention to the testing phase.

Other providers that have expressed interest in WireGuard are Private Internet Access and NordVPN, although they haven’t taken steps towards its implementation. While PIA has made its support for WireGuard public, it is not offering it to its customers yet, due to the fact that the protocol has not been audited yet. Since WireGuard is still under development, PIA wants to wait until the protocol is ready and safe to be used. NordVPN has started testing it, but it hasn’t announced plans to offer it as part of its service yet.

What is next for WireGuard

We are yet to see what the future holds for WireGuard, but it is likely that once it is ready, audited and released for general use, it will become a popular option adopted by many providers. This may take some time since providers have to prepare their infrastructure to support WireGuard. Some VPNs have already jumped on the WireGuard wagon, taking advantage of the interest that this protocol has generated. It is worth mentioning again that WireGuard is not a reliable solution at the moment and it is important to be careful. If you decide to give it a try, it may be better not to use it for handling sensitive data. WireGuard may become a highly secure, fast and reliable option once it passes all the necessary tests. In the meantime, if you are looking to keep your information protected, we advise you to stick to OpenVPN.