WireGuard is an open-source VPN that uses state of the art cryptography while at the same time being easy to configure, fast, and secure.
During the last 10 years, OpenVPN has been the de-facto standard in the VPN industry. Now, a new VPN protocol is on everyone’s lips: WireGuard. Let’s take a look at its features, and let’s find out how to get started with it.
This article explains what WireGuard is, how it works, how to get it on your devices, and lists several VPN services that allow WireGuard connections.
WireGuard – The new VPN on the block
It was a sunny day in Castlevania, when a wandering bat arrived at the TomBat‘s cave. In a matter of minutes, he improvised a stage and started to sing. He was good, really, really good. All bats but one (can you guess who?) were overjoyed to dance and sing along with the newcomer.
WireBat and TomBat immediately felt a special connection, and WireBat was invited to stay with their pack for a while. WireBat gladly accepted.
In a corner, not far away, AnonymousBat (the bat that was not able to enjoy the concert) had a dilemma: should he accept NVOTB (the New VPN On The Block) or not?
On the positive side, he could learn new tricks, he could better help TomBat to deliver messages securely, and learn how to fly faster.
But, what if WireBat would prove himself untrustworthy and betrayed them to the Megabats? A tough dilemma indeed.
After some deep thinking, AnonymousBat decided to give WireBat a chance, but to keep an eye on him for a while.
This is exactly what we should all do regarding WireGuard: give it a try, but be vigilant and keep in mind that the new VPN protocol still needs to pass the test of time.
Now, it’s time to talk tech!
What is WireGuard?
The creator of WireGuard, Jason Donenfeld, succeeded in writing less than 4,000 lines of code, keeping the project easily auditable and enjoyable to read.
WireGuard aims to provide a general-purpose VPN technology that is more secure, simpler, and faster. It can be deployed easily on anything from high-end servers to low-end devices (such as Raspberry PI).
WireGuard was officially released publicly on March 30th, 2020, being included in version 5.6 of the Linux kernel.
How does WireGuard work?
A VPN (Virtual Private Network) works as an intermediate between your device(s) and the Internet. The data transfer is encrypted and carried from the device to a VPN server and from there to the destination network. The way your data routes between your computer or device and the VPN server is determined by the VPN protocol.
WireGuard is a VPN protocol that has some interesting functioning principles.
It was designed to be as “stealth” as possible. WireGuard does not send any packets that do not contain data, reducing the “chatter” between the server and the VPN client and cutting down the information available for packet sniffers or eavesdroppers.
The WireGuard encryption is based on Cryptokey Routing, and it works by associating public keys with a list of VPN tunnel IPs that are accepted to use the tunnel.
Additionally, a unique private key and a list of peers is associated with each network interface. Every VPN client can send packets to the network interface having a source IP address matching its corresponding list of allowed IP addresses. When the network interface wants to transmit a packet to a peer (VPN client), it looks at the destination IP address of the data packet and compares it to each peer’s list of allowed IP addresses to determine which peer to send it to.
Why do you need WireGuard?
You probably already know what the advantages of using a VPN are. They include enhanced security and anonymity, access to blocked Internet resources, safe file sharing, secure remote access, hiding your IP address.
All these are true with WireGuard. Furthermore, WireGuard is (at least it looks to be at this point) more secure, faster, and easier to configure than other VPN protocols. Thus, it should be the logical choice for those looking to improve their experience with VPNs.
Advantages and disadvantages of WireGuard
Before setting up a WireGuard VPN, you should be aware of the pros and cons of this VPN protocol.
Advantages of using WireGuard
WireGuard offers a number of important advantages.
WireGuard uses the latest and most robust encryption algorithms. According to the WireGuard website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction;
- Curve25519 for ECDH;
- BLAKE2s for hashing and keyed hashing, described in RFC7693;
- SipHash24 for hashtable keys;
- HKDF for key derivation, as described in RFC5869.
Simple and minimal code base
WireGuard really stands out in that its codebase currently only contains about 4,000 lines. This is in stark contrast to other solutions, which typically consist of between 400,000 and 600,000 lines.
Although the smaller codebase is a massive advantage (as the attack surface is very small), it also introduces some limitations, as discussed below.
VPNs often suffer speed limitations for various reasons. WireGuard has been designed to offer significant improvements in VPN speed.
As WireGuard was primarily designed for Linux and uses a combination of high-speed cryptographic primitives, it ensures that secure tunneling can be done at very high speeds. It is suitable for fully loaded backbone routers and small embedded devices like smartphones. It uses low CPU resources compared to other VPN protocols (e.g., OpenVPN).
WireGuard offers great roaming support, and it accommodates hassle-free switch from Wi-Fi to mobile data.
Ease of use across platforms
Although WireGuard works extremely well across various platforms. WireGuard currently supports Android, macOS, Linux, and iOS, while Windows support is still under development.
WireGuard has another interesting feature in that it uses public keys for identification and encryption, as opposed to OpenVPN, which uses certificates. However, this does create some challenges for utilizing WireGuard within a VPN client, including key generation and management.
Disadvantages of using WireGuard
Although WireGuard includes many exciting advantages, it does currently have some noteworthy drawbacks.
Still under development
WireGuard has released public versions for Linux and Android, but it is still under substantial development for Windows, macOS, iOS. However, many users are already looking at using it right away as their primary VPN protocol.
However, it should be noted that WireGuard is not complete and has not passed any security audits. Despite this, there are a handful of VPNs already offering, or getting ready to offer, WireGuard support.
Although WireGuard offers advantages in terms of security and performance, its design still raises some privacy questions.
Several VPN providers have expressed concerns about the ability of WireGuard to be used without logs and the effect this may have on user privacy.
Other VPN services are already rolling out full WireGuard support despite these concerns. And a few VPNs monitor the project and plan to implement WireGuard once it has been thoroughly improved and audited.
New and untested
Although OpenVPN has issues, it does have a long track record and has been proven as a VPN protocol with extensive auditing. Although Jason Donenfeld, the author of WireGuard, may refer to OpenVPN as “outdated,” others view it as trustworthy and proven, and WireGuard currently lacks these qualities.
Although WireGuard has undergone a formal verification, it is still brand new and is still in the development phases. Even once WireGuard has officially been released, users would do well to proceed with caution.
What is the developement status of WireGuard?
Many security experts and WireGuard’s own team consider it stable. This was already the case before March 2020, when it was initially implemented into the Linux 5.6 kernel.
It is generally believed that WireGuard’s security as a protocol and its implementation in the Linux kernel is superior to other alternatives. Project age and code audits serve as signals for decision-makers, but there are other, often stronger signals as you delve deeper.
The cryptographic primitives used, the fact that it can be implemented without dynamic memory allocation, and the protocol state machine’s simplicity are all arguably equally or even more useful.
How to set up WireGuard
The first step in establishing a WireGuard connection is to get access to a VPN server that runs WireGuard.
The simplest way is to use a VPN client from a VPN provider that offers access to WireGuard.
Alternatively, you use the WireGuard VPN client applications or the command line.
In this care, you need to know the server address (name or IP address), the public key of the server, the communication port, and the authentication credentials (the private key). Or, you may use a WireGuard configuration file.
Use VPN client apps
For non-techies, the simplest approach is to subscribe to a VPN service that offers WireGuard from its applications. Several VPN providers already offer access to the WireGuard protocol like NordVPN, SurfShark, CyberGhost VPN, Private Internet Access, VPN.ac, Mullvad, AzireVPN.
The advantage is that you don’t need to know anything about how WireGuard works, you may just benefit from its security and speed.
Most of the time WireGuard is not the default protocol, thus you need to change the app settings and activate WireGuard.
Use the WireGuard VPN clients
The WireGuard project also consists of easy-to-use VPN clients for several platforms: Linux, Windows, macOS, iOS (here is how to set up WireGuard on iOS), Android (check our tutorial on how to use WireGuard on Android), OpenWRT.
Thus, if you have access to a WireGuard config file or you know the server connection details you may set a WireGuard connection in a matter of minutes:
- Download the WireGuard client app.
- Install the app.
- Import the config file or add a new tunnel.
- Initiate the VPN connection by clicking the Activate button.
Use WireGuard from the command line
If you like to have a little more control, you may use the command line to configure a WireGuard VPN connection. Here is a tutorial that explains how to install a WireGuard server, how to generate the public and private keys, how to connect to the server, how to enable IP forwarding, how to configure the firewall and DNS.
Test your WireGuard VPN connection
Of course, after you connect, you need to test the VPN connection! The simplest test is to load an IP locator website and check your public IP address. It should show the IP and location of the WireGuard server.
The best VPN services with WireGuard
We have tested several services that offer access to the WireGuard servers. As WireGuard is still on its way to widespread adoption there are various approaches to the WireGuard implementation.
Some VPN providers offer access to WireGuard config generators, others have included WireGuard in their applications. Others, like NordVPN, have further developed WireGuard into their own protocols.
We consider the following VPN services the best that offer access to the new VPN protocol, but there are other WireGuard VPN providers as well.
NordLynx is the name chosen by NordVPN for its WireGuard implementation. Thus, you should look for NordLynx in the NordVPN applications in order to activate WireGuard. NordLynx is available for Windows, Linux, macOS, Android, and iOS.
There is not much to say about NordLynx. It works smoothly and the speed is fantastic!
Private Internet Access
PrivateInternetAccess is another great VPN provider that offers WireGuard on its large server network (more than 3,000 servers in 60+ countries).
Private Internet Access has supplemented the WireGuard standard implementation with supplementary protections to ensure that the server-client connection remains private and no IP addresses are leaked.
WireGuard is available on the Windows, Linux, macOS, Android, and iOS PIA apps.
Mullvad is a privacy-oriented VPN provider and WireGuard could not be absent from the list of available protocols.
The nice thing about Mullvad regarding WireGuard is that you may either use the Mullvad apps or the WireGuard configuration file generator. Moreover, some advanced settings are available: IPv4/IPv6 selection, multihop, kill switch (only for Linux), custom port selection.
If you decide you use the WireGuard config files you will need to install the WireGuard client apps and import the configurations.
Tips to get the most from WireGuard
Most probably, if you try WireGuard you will not get back to other VPN protocols. But, how to make sure you get access to all benefits exposed by WireGuard? Here are several tips:
- If you are already subscribed to a VPN service that offers WireGuard make sure you read the details regarding the way they implement WireGuard.
- If the VPN provider exposes a config generator, give the WireGuard VPN clients a try. They are slim, easy to use, and they may be exactly what you need to get the maximum VPN speed and security.
- If your VPN provider does not offer WireGuard, my advice is to create a one month account for one of the VPN services recommended above. Use WireGuard for a while and see how you feel about it.
Is WireGuard faster than OpenVPN?
As WireGuard is now part of the Linux kernel, it can initiate connections faster than OpenVPN. This also means faster re-connections.
It provides great speed regarding the throughput, and, according to our tests, WireGuard is faster than OpenVPN.
Is WireGuard TCP or UDP?
Unlike OpenVPN, Wireguard only supports UDP. It is a choice made to keep the side of the code to a minimum and to provide the best possible performance.
What is NordLynx?
NordLynx is NordVPN’s WireGuard implementation. It combines the WireGuard basic features with a custom double NAT (Network Address Translation) system that increases users’ privacy.
Additionally, user authentication is done from an external database, while dynamic local IP addresses are assigned only for the time interval while the session remains active.
Can I set up a WireGuard connection manually?
Yes, you may, but only on Linux, from the command line. Other operating systems (Windows, macOS) do not have built-in support for WireGuard.
Although WireGuard is not yet at the stage that it is ready for mainstream implementation and adaptation, this open-source VPN holds plenty of promise for becoming the de-facto standard for security and privacy in the future.
Several VPN providers already adopted WireGuard, and some, like NordVPN, have further developed it. All this is for the benefit of the VPN users as WireGuard is fast and secure.
We believe that WireGuard is part of the VPN future, and we are glad to cover it on our tech blog.
Finally, please subscribe to our newsletter (below) and we promise to keep you updated with news and tutorials on how to use WireGuard. Plus, you will make a Transylvanian baby-bat very happy. 😃