WireGuard is an open-source VPN that uses state-of-the-art cryptography, while at the same time being easy to configure, fast, and secure.
During the last 10 years, OpenVPN has been the de-facto standard in the VPN industry. Now, a new VPN protocol is on everyone’s lips: WireGuard. Let’s take a look at its features and let’s find out how to get started with it.
This article explains what WireGuard is, how it works, and how to get it on your devices, and lists several VPN services that allow WireGuard connections.
WireGuard – The new VPN on the block
It was a sunny day in Castlevania, when a wandering bat arrived at the TomBat’s cave. In a matter of minutes, he improvised a stage and started to sing. He was good, really, really good. All bats but one (can you guess who?) were overjoyed to dance and sing along with the newcomer.
WireBat and TomBat immediately felt a special connection and WireBat was invited to stay with their pack for a while. WireBat gladly accepted.
In a corner, not far away, AnonymousBat (the bat that was not able to enjoy the concert) had a dilemma: should he accept NVOTB (the New VPN On The Block) or not?
On the positive side, he could learn new tricks, he could better help TomBat to securely deliver messages, and learn how to fly faster.
But, what if WireBat would prove himself untrustworthy and betrayed them to the Megabats? A tough dilemma indeed.
After some deep thinking, AnonymousBat decided to give WireBat a chance but to keep an eye on him for a while.
This is exactly what we should all do regarding WireGuard: give it a try, but be vigilant and keep in mind that the new VPN protocol still needs to pass the test of time.
Now, it’s time to talk tech!
What is WireGuard?
The creator of WireGuard, Jason Donenfeld, managed to write it in fewer than 4,000 lines of code, keeping the project easily auditable and enjoyable to read.
WireGuard aims to provide a general-purpose VPN technology that is more secure, simpler, and faster, and can be deployed easily on anything from high-end servers to low-end devices (such as the Raspberry Pi).
WireGuard was officially released on March 30th, 2020, when it was included in version 5.6 of the Linux kernel.
Although WireGuard was originally developed for Linux, it is now available for macOS, Windows, BSD, Android and iOS.
How does WireGuard work?
A VPN (Virtual Private Network) works as an intermediary between your device(s) and the Internet. The data transfer is encrypted and carried from the device to a VPN server and from there to the destination network. The way your data is routed between your computer or device and the VPN server is determined by the VPN protocol.
WireGuard is a VPN protocol that has some interesting functioning principles.
It was designed to be as “stealth” as possible. WireGuard does not send any packets that do not contain data, reducing the “chatter” between the server and the VPN client, and cutting down the information available for packet sniffers or eavesdroppers.
At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys with a list of VPN tunnel IP addresses that are allowed to use the tunnel.
Additionally, a unique private key and a list of peers are associated with each network interface. Every peer (VPN client) can send packets to the network interface, provided the source IP address matches that peer's list of allowed IP addresses. When the network interface wants to transmit a packet to a peer, it looks at the destination IP address of the data packet and compares it to each peer’s list of allowed IP addresses to determine which peer to send it to.
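The two lookups described above can be modelled in a few lines of Python. This is an added illustration, not WireGuard's own code: the peer names and addresses are constructed placeholders, and the assumption (labelled in the code) is that the most specific matching prefix wins when several peers cover the same address.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str                       # placeholder label, not a real key
    allowed_ips: list = field(default_factory=list)

    def __post_init__(self):
        self.allowed_ips = [ipaddress.ip_network(n) for n in self.allowed_ips]


class Interface:
    """Toy model of the cryptokey routing table of one interface."""

    def __init__(self, peers):
        self.peers = list(peers)

    def route_outgoing(self, dst_ip):
        """Return the key of the peer whose allowed IPs cover dst_ip.

        Assumption: the longest (most specific) matching prefix wins.
        """
        dst = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst.version == net.version and dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best.public_key if best else None   # None: no peer, packet is dropped

    def accept_incoming(self, sender_key, inner_src_ip):
        """A decrypted packet is kept only if its source IP belongs to its sender."""
        owner = self.route_outgoing(inner_src_ip)
        return owner is not None and owner == sender_key


# Constructed example table: two clients and one catch-all gateway peer.
demo = Interface([
    Peer("PEER_A_PUBKEY", ["10.0.0.2/32"]),
    Peer("PEER_B_PUBKEY", ["10.0.0.3/32", "192.168.50.0/24"]),
    Peer("GATEWAY_PUBKEY", ["0.0.0.0/0"]),
])
```

A packet that decrypts correctly under peer A's key but carries peer B's address as its source is rejected by `accept_incoming`, which is what keeps one authenticated peer from spoofing another inside the tunnel.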
Why do you need WireGuard?
You probably already know the advantages of using a VPN. They include enhanced online security and anonymity, access to blocked Internet resources, safe file sharing, and secure remote access.
All these are true with WireGuard. Furthermore, WireGuard is (at least it looks to be at this point in time) more secure, faster, and easier to configure than other VPN protocols. Thus, it should be the logical choice for those looking to improve their experience with VPNs.
Advantages and disadvantages of WireGuard
Before setting up a WireGuard VPN you should be aware of the pros and cons of this VPN protocol.
Advantages of using WireGuard
WireGuard offers a number of important advantages.
WireGuard uses the latest and strongest encryption algorithms. According to the WireGuard website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction;
- Curve25519 for ECDH;
- BLAKE2s for hashing and keyed hashing, described in RFC7693;
- SipHash24 for hashtable keys;
- HKDF for key derivation, as described in RFC5869.
Simple and minimal code base
WireGuard really stands out in that its codebase currently only contains about 4,000 lines. This is in stark contrast to other solutions which typically consist of between 400,000 and 600,000 lines.
Although the smaller code base is a massive advantage, it does however also introduce some limitations, as discussed below.
VPNs often suffer speed limitations for various reasons. WireGuard has been designed to offer significant improvements in VPN speed.
As WireGuard was primarily designed for Linux and it uses a combination of high-speed cryptographic primitives, it ensures that secure networking can be done at very high speeds. It is suitable for fully loaded backbone routers and small embedded devices like smartphones.
Ease of use across platforms
WireGuard works extremely well across various platforms. It currently supports Android, macOS, Linux, and iOS, while Windows support is still under development.
WireGuard has another interesting feature in that it uses public keys for identification and encryption, as opposed to OpenVPN which uses certificates. This does, however, create some challenges for utilizing WireGuard in a VPN client, including key generation and management.
Disadvantages of using WireGuard
Although WireGuard includes many exciting advantages, it does currently have some noteworthy drawbacks.
Still under development
WireGuard has released public versions for Linux and Android, but it is still under heavy development for Windows, macOS, and iOS. However, many users are already looking at using it right away as their primary VPN protocol.
It should, however, be noted that WireGuard is not complete, and has not passed any security audits. Despite this, there are a handful of VPNs already offering, or getting ready to offer, WireGuard support.
Although WireGuard offers advantages in terms of security and performance, its design still raises some questions regarding privacy.
A number of VPN providers have expressed concerns about the ability of WireGuard to be used without logs, and the effect this may have on user privacy.
Several VPN services are already rolling out full WireGuard support despite these concerns. Other VPNs are monitoring the project and are planning on implementing WireGuard once it has been thoroughly improved and audited.
New and untested
Although OpenVPN has issues, it does have a long track record and has been proven as a VPN protocol with extensive auditing. Although Jason Donenfeld, the author of WireGuard, may refer to OpenVPN as “outdated”, others view it as trustworthy and proven, and WireGuard currently lacks these qualities.
Although WireGuard has undergone formal verification, it is still brand new and is still in the development phase. Even once WireGuard has officially been released, users would do well to proceed with caution.
What is the development status of WireGuard?
Many security experts and WireGuard’s own team consider it stable. This was already the case before March 2020, when it was initially implemented into the Linux 5.6 kernel.
It is generally believed that WireGuard’s security as a protocol, as well as its implementation in the Linux kernel, are superior to other alternatives. Project age and code audits serve as signals for decision makers, but as you delve deeper, there are other, often stronger signals.
The cryptographic primitives used, the fact that it can be implemented without dynamic memory allocation and the simplicity of the protocol state machine are all arguably equally or even more useful.
How to set up WireGuard
The first step in establishing a WireGuard connection is to get access to a VPN server that runs WireGuard.
The simplest way is to use a VPN client from a VPN provider that offers access to WireGuard.
Alternatively, you can use the WireGuard VPN client applications or the command line.
In this case, you need to know the server address (name or IP address), the public key of the server, the communication port, and the authentication credentials (the private key). Or, you may use a WireGuard configuration file.
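Before importing a configuration file, it is worth checking that it really contains the items listed above. The following Python check is an added example, not part of the WireGuard tools; it assumes a client-side file in the usual `[Interface]` / `[Peer]` layout, and the sample keys are constructed byte patterns, not real key material.

```python
import base64
import ipaddress

def is_key(value):
    """WireGuard keys are 32 bytes, written as 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def parse_config(text):
    """Return [(section, {key: value})]; a file may hold several [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)   # keys end in "=", so split once
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def check_config(text):
    """Return a list of problems; an empty list means the file looks usable."""
    sections = parse_config(text)
    ifaces = [kv for name, kv in sections if name == "interface"]
    peers = [kv for name, kv in sections if name == "peer"]
    problems = []
    if len(ifaces) != 1 or not is_key(ifaces[0].get("privatekey", "")):
        problems.append("need one [Interface] with a valid PrivateKey")
    if not peers:
        problems.append("no [Peer] section")
    for i, peer in enumerate(peers, 1):
        if not is_key(peer.get("publickey", "")):
            problems.append(f"peer {i}: PublicKey missing or malformed")
        host, _, port = peer.get("endpoint", "").rpartition(":")
        if not host or not port.isdecimal() or not 0 < int(port) < 65536:
            problems.append(f"peer {i}: Endpoint must be host:port")
        try:
            for net in peer.get("allowedips", "").split(","):
                ipaddress.ip_network(net.strip(), strict=False)
        except ValueError:
            problems.append(f"peer {i}: AllowedIPs missing or invalid")
    return problems

# Constructed sample; the keys are byte patterns, not real key material.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE = (f"[Interface]\nPrivateKey = {KEY_A}\nAddress = 10.0.0.2/32\n[Peer]\n"
          f"PublicKey = {KEY_B}\nEndpoint = vpn.example.com:51820\nAllowedIPs = 0.0.0.0/0, ::/0\n")
```

Because the file holds the private key in clear text, keep it readable only by its owner.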
Use VPN client apps
For non-techies, the simplest approach is to subscribe to a VPN service that offers WireGuard from its applications. There are several VPN providers that already offer access to the WireGuard protocol like NordVPN, CyberGhost VPN, Private Internet Access, VPN.ac, Mullvad, AzireVPN.
The advantage is that you don’t need to know anything about how WireGuard works, you may just benefit from its security and speed.
Most of the time WireGuard is not the default protocol, thus you need to change the app settings and activate WireGuard.
Use the WireGuard VPN clients
The WireGuard project also provides easy-to-use VPN clients for several platforms: Linux, Windows, macOS, iOS, Android, OpenWRT.
Thus, if you have access to a WireGuard config file or you know the server connection details, you may set up a WireGuard connection in a matter of minutes:
- Download the WireGuard client app.
- Install the app.
- Import the config file or add a new tunnel.
- Initiate the VPN connection by clicking the Activate button.
Use WireGuard from the command line
If you like to have a little more control, you may use the command line to configure a WireGuard VPN connection. Here is a tutorial that explains how to install a WireGuard server, how to generate the public and private keys, how to connect to the server, how to enable IP forwarding, how to configure the firewall and DNS.
Test your WireGuard VPN connection
Of course, after you connect, you need to test the VPN connection! The simplest test is to load an IP locator website and check your public IP address. It should show the IP and location of the WireGuard server.
The best VPN services with WireGuard
We have tested several services that offer access to the WireGuard servers. As WireGuard is still on its way to widespread adoption there are various approaches to the WireGuard implementation.
Some VPN providers offer access to WireGuard config generators, others have included WireGuard in their applications. Others, like NordVPN, have further developed WireGuard into their own protocols.
NordVPN is one of our favorite VPN providers due to its nice-looking apps, speed, number of servers, security options, and reliability.
NordLynx is the name chosen by NordVPN for its WireGuard implementation. Thus, you should look for NordLynx in the NordVPN applications in order to activate WireGuard. NordLynx is available for Windows, Linux, macOS, Android, and iOS.
There is not much to say about NordLynx. It works smoothly and the speed is fantastic!
Private Internet Access
PrivateInternetAccess is another great VPN provider that offers WireGuard on its large server network (more than 3,000 servers in 60+ countries).
Private Internet Access has supplemented the WireGuard standard implementation with supplementary protections to ensure that the server-client connection remains private and no IP addresses are leaked.
WireGuard is available on the Windows, Linux, macOS, Android, and iOS PIA apps.
Mullvad is a privacy-oriented VPN provider and WireGuard could not be absent from the list of available protocols.
The nice thing about Mullvad regarding WireGuard is that you may either use the Mullvad apps or the WireGuard configuration file generator. Moreover, some advanced settings are available: IPv4/IPv6 selection, multihop, kill switch (only for Linux), custom port selection.
If you decide to use the WireGuard config files, you will need to install the WireGuard client apps and import the configurations.
Tips to get the most from WireGuard
Most probably, if you try WireGuard you will not go back to other VPN protocols. But how can you make sure you get access to all the benefits offered by WireGuard? Here are several tips:
- If you are already subscribed to a VPN service that offers WireGuard make sure you read the details regarding the way they implement WireGuard.
- If the VPN provider exposes a config generator, give the WireGuard VPN clients a try. They are slim, easy to use, and they may be exactly what you need in order to get the maximum VPN speed and security.
- If your VPN provider does not offer WireGuard, my advice is to create a one-month account for one of the VPN services recommended above. Use WireGuard for a while and see how you feel about it.
Is WireGuard faster than OpenVPN?
As WireGuard is now part of the Linux kernel, it is able to initiate connections faster than OpenVPN. This also means faster re-connections.
Regarding the throughput, WireGuard provides great speed, but, at this time, there are no compelling comparison studies to show it is faster than OpenVPN.
Is WireGuard TCP or UDP?
Unlike OpenVPN, WireGuard only supports UDP. It is a choice made to keep the size of the code to a minimum and to provide the best possible performance.
What is NordLynx?
NordLynx is NordVPN’s WireGuard implementation. It combines the WireGuard basic features with a custom double NAT (Network Address Translation) system that increases users’ privacy.
Additionally, user authentication is done from an external database, while dynamic local IP addresses are assigned only for the time interval while the session remains active.
Although WireGuard is not yet at the stage that it is ready for mainstream implementation and adoption, this open-source VPN holds plenty of promise for becoming the de-facto standard for security and privacy in the future.
Several VPN providers already adopted WireGuard and some, like NordVPN, have further developed it. All this is for the benefit of the VPN users as WireGuard is fast and secure.
We believe that WireGuard is part of the VPN future and we are glad to cover it on our tech blog.