Wireguard VPN Protocol: Everything you need to know

Wireguard is the newest VPN protocol to gain widespread adoption, and it’s becoming increasingly popular with consumer VPN services.

But what is WireGuard, how does it work, how safe is it, and how does it compare to legacy protocols like OpenVPN?

This guide will teach you everything you need to know about the Wireguard protocol.

What is WireGuard?

WireGuard is an open-source VPN protocol that combines elliptic-curve key exchange with symmetric-key cryptography. It is designed to be more performant (faster) than legacy protocols while remaining highly secure and attack-resistant.

Perhaps the most notable feature of Wireguard is how lightweight it is. The entire codebase weighs in around 4,000 lines of code. That’s puny compared to OpenVPN which has grown to over 100,000 lines of code at last count.

WireGuard is able to stay lean because it is less flexible than other protocols: it uses one fixed combination of ciphers and cannot be customized by the end user to support other encryption schemes such as AES-256.

Pros & Cons of WireGuard

Wireguard has some key advantages compared to older protocols, but there are tradeoffs as well. These are the most significant things to be aware of:

  • Performance – In most scenarios, WireGuard outperforms both OpenVPN and IPSec when tested on the same hardware. The advantage is even greater on low-spec CPUs like those found in wireless routers and older smartphones.
  • Security – WireGuard has never had a published CVE security vulnerability, even though its codebase is open source and has been audited by dozens of cryptographers. OpenVPN, by comparison, has multiple CVEs.
  • Easy to Deploy – Because WireGuard has fewer configuration options than OpenVPN, it is easier to deploy securely, with less risk of a serious configuration error.
  • Fast Adoption – WireGuard has been embraced by the consumer VPN industry (though not enterprise yet). The WireGuard protocol is available on most (if not all) of the 10 most popular VPN services. It is even supported on modern routers running DD-WRT, OpenWRT and ASUSWRT.
  • Hot-Swapping – WireGuard can renegotiate IP addresses with the client without ever disconnecting. This means some VPNs can support on-the-fly server switching with no disconnect/reconnect.
  • Flexibility – WireGuard uses a fixed set of ciphers and does not support industry-standard algorithms like SHA-2 and AES-256.
  • Longevity – WireGuard is relatively new and has not stood the test of time like OpenVPN, which has survived more than a decade as a (near) bulletproof protocol.
  • Obfuscation – Because WireGuard uses UDP transport, it is not as useful for stealth applications where you need to disguise traffic as non-VPN data.

Cryptography & Encryption

WireGuard includes all the security features necessary to create a secure VPN tunnel; it just implements them differently than less performant protocols.

From the WireGuard white paper, here are the ciphers WireGuard uses compared to the ciphers most commonly used with OpenVPN.

                           WireGuard       OpenVPN
Tunnel Encryption          ChaCha20        AES-256
Data Authentication        Poly1305        SHA-2
Key Exchange / Handshake   Curve25519      TLS
Forward Secrecy            Yes             Yes

As you can see, WireGuard's implementation is completely different from what you get with OpenVPN, but it still offers strong 256-bit encryption and perfect forward secrecy for added security.

How secure is WireGuard?

WireGuard is extremely secure. The lean codebase has been audited by reputable cryptographers and there are no known security vulnerabilities in the core code base. There have, however, been several CVEs in vendor-specific implementations (all patched).

Wireguard was deemed secure enough by Linus Torvalds that it is now part of the Linux kernel and the default VPN protocol.

There is one thing WireGuard is missing, though: NIST certification. But WireGuard is new, and governments are notoriously slow, especially when it comes to technological adoption. Things are changing, however: NIST adoption was endorsed by U.S. senator Ron Wyden, who sits on the Select Committee on Intelligence.

Best Uses for WireGuard

Wireguard is acceptable for most VPN uses, but it is best suited to use-cases that prioritize speed and performance over security.

Example uses for WireGuard VPN:

  • Streaming – WireGuard is perfect for streaming video over VPN, especially on far-away servers when unblocking geo-restricted sites like Voot or Netflix. It is especially impressive on low-spec mobile devices that might do poorly with OpenVPN.
  • Torrenting – Fast speeds and on-the-fly server switching make WireGuard perfect for torrenting. It is kill-switch compatible and works on all major OSes.
  • General Security – Protect your data and privacy on open Wi-Fi networks in hotels, planes, cafes and so on.

Where Wireguard falls short:

  • Obfuscation & Firewall bypass – Because WireGuard has a specific encryption signature and does not use the OpenSSL library, it cannot easily be obfuscated or disguised as non-VPN traffic. This makes it inferior to OpenVPN for bypassing restrictive firewalls or for use in countries where VPNs are illegal.

How WireGuard compares to other VPN protocols

In head-to-head tests, the WireGuard VPN protocol outperforms other mainstream protocols for both performance and stability in most scenarios. This, combined with its ease of deployment, is why WireGuard has gained quick adoption among consumer VPN brands like NordVPN.

WireGuard vs. OpenVPN

OpenVPN is the industry standard and enjoys near-universal support among top Virtual Private Network brands. Like WireGuard, OpenVPN is open source. However, unlike WireGuard, OpenVPN is highly configurable and has a large codebase.

OpenVPN prioritizes security and flexibility over raw performance.

Is WireGuard faster than OpenVPN?

An independent test on 114 different servers found that, on average, WireGuard is 14.6% faster than OpenVPN.

This performance advantage varies greatly with client hardware and multi-threading capabilities, and WireGuard was not universally the fastest: it was the fastest protocol in 58.8% of tests.

WireGuard's own website also has benchmarking data that shows a much larger speed advantage for WireGuard, though the footnotes admit the test is outdated and was not conducted to scientific standards.

Wireguard vs IKEv2 / IPSec

The closest protocol to WireGuard's performance is IKEv2/IPSec, which sits between OpenVPN and WireGuard on the speed vs. security matrix.

IPSec has made significant performance strides recently and actually outperforms WireGuard in certain situations (though less than 50% of the time).

However, IPSec is not as widely available as OpenVPN and is often found only in desktop clients and on iOS. It is less often (though sometimes) available for Android or router firmware.

Which VPNs Support WireGuard?

NordVPN was the first mainstream VPN to adopt WireGuard, with its NordLynx protocol. After this proof of concept, there was a surge of adoption as other top brands added WireGuard in order to remain competitive.

Speed is an important deciding factor when choosing a VPN service, and WireGuard's significant performance advantages remain a big selling point.

Currently, there are more than a dozen VPN brands that offer WireGuard connections.

  • NordVPN – The first to release WireGuard in their official app. NordVPN offers a customized version of WireGuard known as NordLynx.
  • Private Internet Access – PIA released WireGuard from beta in 2020 and now offers it on Windows, Mac, Linux, iOS and Android.
  • Surfshark – One of the first VPNs to offer WireGuard for manual connections (like your router). It is also available in-app on Windows, Mac & Android.
  • Cyberghost – WireGuard is offered on all OSes except iOS. It is a perfect combo for Cyberghost's dedicated streaming servers, which support 10+ Netflix regions.
  • IPVanish – They were a bit late to the WireGuard party, but now offer it on most apps alongside IPSec and OpenVPN.

Notable Exceptions

ExpressVPN is the most prominent VPN service to defer WireGuard adoption. Instead, they developed their own Lightway protocol from the ground up as a more performant alternative to OpenVPN. However, maintaining and securing a custom protocol is a challenge most VPN brands would never attempt when good alternatives like WireGuard exist.

What Operating Systems work with WireGuard?

WireGuard is platform agnostic, though the only OS with built-in WireGuard integration is Linux (along with router brands like ASUS).

However, WireGuard can be used on nearly any platform or OS through either the official WireGuard client or a third-party VPN app.

Currently WireGuard is supported by most top VPN brands on:

  • Android
  • iOS
  • Windows
  • MacOS
  • FireTV/FireOS
  • Some router models (running specific firmware versions)

Conclusion: Should you use Wireguard?

Yes. If your VPN offers the WireGuard protocol, you should choose it for most use cases (as long as you notice performance benefits).

WireGuard is superior to OpenVPN for both streaming and torrenting, though it is less useful if you need to traverse a firewall or avoid detection altogether.

But for everyday use, WireGuard is the best protocol available right now, with IPSec/IKEv2 a good backup option if you are prioritizing performance.

Sources

  • http://cr.yp.to/ecdh.html
  • https://wireguard.com
  • https://vladtalks.tech/vpn/is-wireguard-faster-than-openvpn
  • https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/
