Innovations are often met with great hype by cybersecurity stakeholders. And for a good reason too. Archaic solutions often cause as many problems as they fix. So with the launch of newer and better solutions, the industry revels.
If you’ve ever done just a little research on VPNs over the past few years, it’s almost inevitable that you have seen the term “WireGuard”. Chances are, you have already seen it excessively promoted as a feature.
So, what is WireGuard? And why so much attention? Perhaps best we take a deeper look into this ever more popular communication protocol.
What Is WireGuard?
WireGuard is a comparatively young VPN protocol. First released in 2016 and merged into the Linux kernel in 2020 (version 5.6), it is lighter, faster, and easier to set up than the protocols that came before it, without sacrificing security: it uses a fixed set of modern, well-studied cryptographic primitives.
Designed originally for Linux, WireGuard is now deployable on most popular operating systems.
Some background details may be necessary here.
A virtual private network, or VPN, is a tool that helps protect your privacy and internet connection. It does this by creating a secure, encrypted tunnel between your device and the internet via a remote server.
What makes the tunnel secure?
Tunneling protocols, that’s what. VPN protocols are instructions and rules that determine how your data gets routed from your device to the server and then to the internet. In essence, they are primarily responsible for your VPN connection’s security, stability, and speed.
Most VPN services let you choose between several protocols, each striking its own balance between speed and security.
The common ones are PPTP, IPsec/IKEv2, L2TP/IPsec, SSTP, and OpenVPN. OpenVPN has been regarded as the gold standard for years. PPTP, at the other end, is obsolete: its encryption and authentication have been broken for a long time and it should not be used.
In 2016, security researcher Jason A. Donenfeld, unimpressed by the complexity of protocols like IPsec, set out to build something significantly simpler that would also be faster and at least as secure.
The result – WireGuard!
How Does WireGuard Work?
Donenfeld designed WireGuard to be as lean as possible. It is silent by default: apart from optional persistent keepalives, it sends nothing until there is data to carry, and it never answers packets it cannot authenticate. Client and server exchange far less chatter than with other protocols, which gives an observer less to work with and leaves nothing for a port scanner to find.
WireGuard offers no choice of cipher, key exchange, or hash algorithm. There is nothing to negotiate, so there is no downgrade attack and no way to misconfigure a weak suite. Instead it is built on the Noise protocol framework with one fixed set of well-studied primitives:
- ChaCha20 for symmetric encryption, combined with
- Poly1305 for message authentication (together the ChaCha20-Poly1305 AEAD of RFC 8439)
- Curve25519 for elliptic-curve Diffie-Hellman (ECDH) key agreement
- SipHash24 for hashtable keys
- BLAKE2s for hashing and keyed hashing (MACs); it is faster than SHA-3 in software
- HKDF for key derivation, as described in RFC 5869
As with other VPN protocols, a handshake establishes the symmetric keys used for data transfer. WireGuard's handshake (the Noise IK pattern) completes in a single round trip: the initiator sends one message, the responder replies with one, and both sides then hold fresh session keys.
But here is where WireGuard gets interesting.
The handshake is repeated every two minutes (or sooner after a very large number of packets), and session keys are discarded after three minutes, so keys rotate continuously and a key recovered by an attacker exposes at most a few minutes of traffic. This is forward secrecy by construction, and rekeying is driven by timers rather than by the content of earlier packets.
As a result the keys in use are always fresh. While a new handshake is in flight, outgoing packets are queued per peer and sent once the new keys are in place, which minimizes packet loss during rekeying.
What does this mean for you?
Selecting the WireGuard protocol in your VPN usually means:
- A shorter server connection time
- A stable VPN connection
- A significantly faster connection
Now let’s look at why WireGuard is such a highly regarded protocol.
The most obvious advantage of WireGuard over other protocols is speed.
Any VPN costs some throughput: every packet is encrypted and takes an extra hop through the server. With WireGuard that cost is often small enough that you will not notice it.
In addition to the WireGuard team's own benchmarks, other parties have measured the protocol against IPsec and OpenVPN.
These tests consistently show WireGuard ahead on both throughput and response time; in some benchmarks it has run up to four times faster than the older protocols.
Donenfeld designed WireGuard for Linux first, where it runs inside the kernel rather than as a userspace daemon, avoiding a context switch for every packet. That, together with its fast cryptographic primitives and low CPU requirements, makes it an excellent choice for bandwidth-hungry tasks, so you can expect good streaming and gaming results.
Blazing fast speeds are great. But security is a more pressing concern for most users.
Regarding security, WireGuard's design has been verified at the cryptographic, protocol, and implementation levels; its handshake in particular has been formally analysed.
The protocol uses modern cryptography with secure defaults. Because the primitives are fixed rather than negotiated, a break in one of them is handled by publishing a new protocol version that all peers upgrade to, not by switching ciphers at runtime. WireGuard is also stealthy: it does not respond to packets it cannot authenticate. Every handshake message carries a MAC (mac1) keyed with a hash of the recipient's public key, so a sender that does not already know that key cannot produce a packet the recipient will even acknowledge, and to a port scanner the endpoint looks like nothing is listening.
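Here is what that silence looks like in code. The block below is an added example written for this article, not WireGuard's own source: it re-implements only the mac1 check from the WireGuard protocol specification, using Python's hashlib BLAKE2s, on constructed messages. The 32-byte responder key and the 116-byte handshake body are placeholders (a real initiator fills the body from the Noise handshake); everything else follows the specification's constants and message layout.

```python
"""Added example (not WireGuard's source): the mac1 check that lets a
WireGuard responder ignore handshake packets from anyone who does not
already know its public key.  Keys and message bodies are constructed."""
import hashlib
import secrets

LABEL_MAC1 = b"mac1----"            # constant from the WireGuard specification
INITIATION_LEN = 148                # a handshake initiation is always 148 bytes
MSG_INITIATION = 1                  # message type byte
MAC1_OFFSET = INITIATION_LEN - 32   # type/reserved/sender/ephemeral/static/timestamp | mac1 | mac2


def wg_hash(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def mac1_key(responder_public_key: bytes) -> bytes:
    """The MAC key is derived from the responder's *public* key, so only a
    sender that already has that key can produce a valid mac1."""
    return wg_hash(LABEL_MAC1 + responder_public_key)


def build_initiation(responder_public_key: bytes, body: bytes) -> bytes:
    """Append mac1 (and an all-zero mac2, used only under load) to a 116-byte body."""
    if len(body) != MAC1_OFFSET or body[0] != MSG_INITIATION:
        raise ValueError("body must be the 116 bytes preceding mac1")
    mac1 = wg_mac(mac1_key(responder_public_key), body)
    return body + mac1 + bytes(16)


def responder_accepts(responder_public_key: bytes, packet: bytes) -> bool:
    """Return True only for a correctly sized initiation whose mac1 verifies.
    Everything else is dropped without any reply, which is why a port scan
    of a WireGuard endpoint sees nothing."""
    if len(packet) != INITIATION_LEN or packet[0] != MSG_INITIATION:
        return False
    expected = wg_mac(mac1_key(responder_public_key), packet[:MAC1_OFFSET])
    received = packet[MAC1_OFFSET:MAC1_OFFSET + 16]
    return secrets.compare_digest(expected, received)


def demo() -> tuple:
    """Three senders against one responder: a legitimate peer, a scanner that
    guesses the key, and a sender of junk of the right size and type."""
    responder_pub = bytes(range(32))                          # constructed, not a real key
    body = bytes([MSG_INITIATION, 0, 0, 0]) + b"\x42" * 112   # constructed handshake fields
    legit = build_initiation(responder_pub, body)
    scanner = build_initiation(bytes(32), body)               # wrong key -> wrong mac1
    junk = bytes([MSG_INITIATION]) + b"\xff" * (INITIATION_LEN - 1)
    return (
        responder_accepts(responder_pub, legit),
        responder_accepts(responder_pub, scanner),
        responder_accepts(responder_pub, junk),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Only the first sender gets any reaction at all; the other two packets are dropped before the responder spends any CPU on Diffie-Hellman, which is also what protects it from cheap denial-of-service probes.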
Where older protocols bolt access control on top of the tunnel, WireGuard builds it in with a feature called Cryptokey Routing. Each peer's public key is bound to a list of tunnel IP addresses (AllowedIPs): outbound packets are encrypted to whichever peer owns their destination address, and an inbound packet is accepted only if its source address belongs to the peer whose key decrypted it, so address spoofing inside the tunnel is simply not possible.
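Cryptokey Routing is simple enough to show end to end. The block below is an added example written for this article, not WireGuard's code: it parses the [Peer] sections of a constructed wg-quick style configuration (the PublicKey values are labels standing in for base64 Curve25519 keys) and applies the two rules WireGuard applies to every packet: outbound, the destination address selects the peer by longest AllowedIPs prefix; inbound, a packet decrypted under a peer's key is accepted only if its source address routes back to that same peer.

```python
"""Added example (not WireGuard's code): Cryptokey Routing over a
constructed configuration.  Peer keys below are placeholder labels."""
import ipaddress

CONFIG = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# PrivateKey omitted: routing needs only the peers' public keys

[Peer]
PublicKey = laptop-key
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = branch-router-key
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
"""


def parse_allowed_ips(config: str) -> list:
    """Return the cryptokey table: a list of (network, peer_public_key)."""
    table, section, pubkey, nets = [], None, None, []

    def flush():
        if section == "peer" and pubkey:
            table.extend((net, pubkey) for net in nets)

    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            flush()
            section, pubkey, nets = line.strip("[]").lower(), None, []
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "peer" and key == "PublicKey":
            pubkey = value
        elif section == "peer" and key == "AllowedIPs":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    flush()
    return table


def outbound_peer(table: list, dst: str):
    """Which peer's key encrypts a packet to dst (longest prefix wins).
    None means no peer owns that address and the packet is dropped."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, key) for net, key in table
               if net.version == ip.version and ip in net]
    return max(matches)[1] if matches else None


def inbound_allowed(table: list, peer_key: str, src: str) -> bool:
    """A decrypted packet is accepted only if its source address routes back to
    the very peer whose key decrypted it; otherwise WireGuard drops it.  This
    is what makes source-address spoofing inside the tunnel impossible."""
    return outbound_peer(table, src) == peer_key


if __name__ == "__main__":
    table = parse_allowed_ips(CONFIG)
    print(outbound_peer(table, "192.168.50.7"))                   # branch-router-key
    print(inbound_allowed(table, "laptop-key", "192.168.50.7"))   # False: spoof attempt
```

The inbound rule is deliberately expressed as "route the source address and compare the result", not "is the source inside any of this peer's networks": with overlapping prefixes (a peer holding 0.0.0.0/0 and another holding a /32 inside it) only the routing form gives the right answer, and that is the form WireGuard uses.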
I will compare WireGuard vs. OpenVPN shortly, but here’s one benefit WireGuard has over all other protocols – its codebase size.
OpenVPN alone is roughly 70,000 lines of code, and around 600,000 once OpenSSL is counted. IPsec weighs in at around 400,000 lines.
In stark contrast, WireGuard's original Linux implementation is under 4,000 lines.
In a codebase that small, vulnerabilities are much harder to miss, and a complete audit is within reach of a single reviewer. Fewer lines also means fewer bugs in the first place and a smaller attack surface. For devices with little computing power, such as a home router, WireGuard is the natural pick.
Like OpenVPN, WireGuard is an open-source project. As such, just about anyone with the technical know-how can check its code for vulnerabilities.
And they have.
WireGuard has undergone security audits, with experts combing through its code for loopholes and its protocol for weaknesses. So far, nothing serious has turned up.
While initially designed for Linux, WireGuard is now compatible with all major platforms. There are WireGuard apps for Windows, macOS, iOS, Android, and BSD operating systems.
Considering these pros, you can see why WireGuard is rated so highly. However, it is not perfect.
A Privacy Concern
Even though WireGuard is solid security-wise, it has a privacy wrinkle. The protocol has no built-in way to hand out tunnel addresses dynamically. Each client is identified by a static public key, and the server configuration binds that key to a fixed tunnel IP address. While the peer remains configured, the server also remembers the client's last real source address (its endpoint) and the time of its last handshake.
How can this affect you?
In a naive deployment WireGuard gives you the same tunnel address every time you connect, and the server keeps a record tying your key to that address and to your last endpoint even after you disconnect.
That record makes it easier for anyone with access to the server to correlate your sessions over time, and any block a website places on an address you are tied to follows you across sessions.
Fortunately, VPN providers can engineer around this for their customers, for instance by issuing fresh keys per session, expiring idle peers, or putting clients behind NAT.
Ineffective for Obfuscation
WireGuard's own documentation states that obfuscation is not one of its goals, and it makes no attempt to defeat deep packet inspection. WireGuard traffic is easy to fingerprint: it is UDP only, every packet begins with a message-type byte, and handshake messages have fixed sizes (148 bytes for the initiation, 92 for the response).
So if you travel to a country with strict internet censorship such as China, you will need a VPN that can fall back to an obfuscated transport, for example OpenVPN over TCP port 443 or a dedicated obfuscation layer.
That said, a provider can wrap WireGuard in an obfuscation layer on its own servers, so a WireGuard-based service is not automatically ruled out.
WireGuard vs. OpenVPN
You now know what WireGuard is, but what about the other VPN protocol that held sway before it was released? Who wins in a WireGuard vs. OpenVPN showdown?
In the two decades since its release, OpenVPN became the most popular and highly-rated VPN protocol available. This is primarily due to its privacy and security capabilities, flexibility, and reliability.
Let’s look at how they stand in a side-by-side comparison.
OpenVPN may be the established king of protocols, but it does not hold a candle to WireGuard regarding speed.
WireGuard thoroughly beats OpenVPN on throughput, the amount of data the tunnel can carry per unit of time, usually quoted in megabits per second.
WireGuard has run up to four times faster than OpenVPN in such tests, and it does so with far less CPU: OpenVPN runs in userspace and pays for a context switch on every packet, so it is often CPU-bound before the link is saturated.
And that’s not all.
WireGuard also sprints past OpenVPN on latency. Test results consistently show a noticeably lower ping time over a WireGuard tunnel than over an OpenVPN one.
This does not mean OpenVPN is a slow VPN protocol. Its strengths, though, lie in other areas.
Verdict: WireGuard wins here
OpenVPN is cryptographically agile, meaning it can switch between cipher suites. When built against OpenSSL it offers many options for encryption, authentication, hashing, key derivation, and key agreement.
That makes OpenVPN very flexible, and together with OpenSSL it is secure when configured well. It supports AES with keys up to 256 bits for the data channel and RSA certificates of 4096 bits or more for the TLS control channel.
WireGuard, on the other hand, is not crypto agile, and that is deliberate. It uses a single fixed suite: ChaCha20 for encryption, Poly1305 for authentication, BLAKE2s and SipHash24 for hashing and hashtable keys respectively, and Curve25519 for ECDH key agreement.
ChaCha20-Poly1305 is a standardized AEAD (RFC 8439) that is newer than AES and, unlike AES, runs fast in pure software on devices without hardware acceleration. That is nothing to scoff at.
Fewer options also mean fewer ways to misconfigure the protocol into an insecure state, which is where many real-world VPN weaknesses come from.
Verdict: A draw between both protocols.
Sometimes they are used interchangeably, but privacy and security are not quite the same concepts, as you’ll shortly understand.
VPN protocols are security-focused solutions, but WireGuard has a privacy issue to consider.
WireGuard by default maps each peer's public key to its tunnel IP addresses and remembers the peer's last external endpoint, so that state lives on the VPN server for as long as the peer is configured. A provider with a genuine no-logs design has to engineer around this, and the serious ones do.
For example, NordVPN has a feature called NordLynx, a double NAT system built around the protocol. The client's address is hidden behind two layers of NAT, so the service can establish a secure WireGuard connection without holding identifying addresses for its users.
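One concrete way a provider can keep that server-side state short-lived is to expire idle peers. The block below is an added example for this article, not code from WireGuard or from any provider: it parses the tab-separated output of `wg show <iface> dump` (a constructed sample is embedded; its keys and addresses are placeholders) and produces the `wg set <iface> peer <key> remove` commands for peers whose last handshake is older than a threshold. Removing the peer discards the key-to-address mapping together with the remembered endpoint. The commands are returned as strings, not executed.

```python
"""Added example (not WireGuard's or any provider's code): expire idle peers
so the server stops holding a client's key, tunnel address and last endpoint.
Parses the `wg show <iface> dump` format; the sample output is constructed."""

# Constructed `wg show wg0 dump` output.  Line 1 is the interface
# (private-key, public-key, listen-port, fwmark); each further line is a peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix
# seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
NOW = 1_700_000_000  # constructed "current time" so the example is deterministic
SAMPLE_DUMP = "\n".join([
    "\t".join(["srv-private-key", "srv-public-key", "51820", "off"]),
    "\t".join(["peer-active-key", "(none)", "203.0.113.10:41641", "10.8.0.2/32",
               str(NOW - 30), "120000", "98000", "off"]),
    "\t".join(["peer-idle-key", "(none)", "198.51.100.7:52000", "10.8.0.3/32",
               str(NOW - 2 * 3600), "5000", "4200", "off"]),
    "\t".join(["peer-never-key", "(none)", "(none)", "10.8.0.4/32",
               "0", "0", "0", "off"]),
])


def parse_dump(dump: str) -> list:
    """Turn the dump text into a list of peer dicts (interface line skipped)."""
    peers = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) < 8:
            continue  # not a peer line
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],   # client's real IP:port
            "allowed_ips": f[3],                               # its static tunnel address
            "latest_handshake": int(f[4]),
        })
    return peers


def stale_peers(peers: list, now: int, max_idle: int) -> list:
    """Peers that completed a handshake but have been silent longer than max_idle.
    Peers that never handshaked hold no endpoint yet and are left alone here."""
    return [p for p in peers
            if p["latest_handshake"] and now - p["latest_handshake"] > max_idle]


def removal_commands(iface: str, peers: list) -> list:
    """Commands that drop the peer and with it the stored key/address/endpoint."""
    return [f"wg set {iface} peer {p['public_key']} remove" for p in peers]


if __name__ == "__main__":
    idle = stale_peers(parse_dump(SAMPLE_DUMP), NOW, max_idle=15 * 60)
    for cmd in removal_commands("wg0", idle):
        print(cmd)   # wg set wg0 peer peer-idle-key remove
```

Run on a schedule, this bounds how long the server keeps a departed client's endpoint to the chosen idle window; pair it with fresh per-session keys on the client side and the static key-to-address binding stops being a long-term identifier.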
What about OpenVPN?
Well, there is no such issue. An OpenVPN server hands out tunnel addresses dynamically from a pool for the duration of a session and does not need a persistent per-user mapping. Combined with a provider that has a no-logs policy, nothing tied to you remains after you disconnect.
Verdict: It’s an easy win for OpenVPN
OpenVPN is open source, so it is available for audit by any security expert with the ability and the willingness.
Willingness is the operative word: with hundreds of thousands of lines of code (more once OpenSSL is included), auditing OpenVPN is far from an easy task.
Because OpenVPN is now about two decades old, however, it has been audited several times by teams of cryptographers and security experts.
WireGuard's codebase, by contrast, is a tiny fraction of OpenVPN's. Being far less complex, it is far easier to audit completely.
WireGuard is also much younger, so it has had fewer years of scrutiny, although its small size means each audit covers the whole protocol rather than a slice of it.
Verdict: WireGuard is comfortably ahead here.
Since its development a few years ago, WireGuard has taken the industry by storm. This article has you covered if you ever wondered what WireGuard is, how it works, and the pros and cons associated with this tunneling protocol.
WireGuard does better than others in terms of performance. Security-wise, this lightweight protocol is no slouch either.
Yes, WireGuard is secure. The protocol uses state-of-the-art cryptographic ciphers and algorithms for your VPN connection. In addition, it comes with a lean codebase (less than 4000 lines) making it easier for security audits while offering a smaller attack surface than other protocols.
WireGuard ships with many modern security measures, but privacy was not a design goal. Unlike OpenVPN, it does not hand out a fresh tunnel address on each connection, so without provider-side countermeasures you keep the same tunnel address and the server retains a record tying your key to it.
WireGuard is an open-source VPN protocol that implements secure encrypted tunnels for internet traffic on VPNs.