- What Is a VPN?
- WireGuard explained
- VPNs that support WireGuard
- WireGuard pros and cons
Every Linux user was thrilled when WireGuard was finally merged into Linux kernel 5.6 last March. Although it was originally developed for the Linux kernel, you can now deploy WireGuard on any major operating system, including Android, macOS, Windows, iOS, and BSD.
WireGuard is a virtual private network (VPN) tunnel that focuses on security and has earned a reputation for its simplicity, functionality, and efficiency. It differs from the better-known VPN protocols, like OpenVPN and IPsec. Jason Donenfeld, a security researcher and kernel developer, started developing WireGuard in late 2016.
The Linux version of the software is in stable production and has reached version 1.0.0. The Windows version is still in beta but is very usable. WireGuard is also available on both Google Play and the App Store, while macOS and BSD can run the Go implementation.
So what makes WireGuard so special? How does it work? And how is it different from other VPN technologies?
What Is a VPN?
Before we dive into the world of WireGuard and Linux, let us first explain what a virtual private network is and how it works. VPNs are cybersecurity tools that protect your online privacy and security by concealing your IP address and encrypting your data and traffic. They reroute your traffic through one of their private servers, then give you another IP address from another region, making you appear to be elsewhere.
And when you use a VPN, your traffic will travel through an encrypted tunnel that prevents third parties from monitoring your online activities. That includes your Internet service provider, government agencies, and hackers. And to ensure total privacy, reputable VPN services will delete sensitive data like your IP address and browsing history from their servers.
Moreover, VPNs are vital tools in the workplace, as they allow remote company branches to connect to the main corporate network. They also enable off-premise employees who work from home, for example, to use company applications.
And that’s not all. You can use a virtual private network whenever you go online. They allow you to:
- Bypass regional restrictions: By connecting to foreign VPN servers, you’ll be able to unblock geo-restricted content, like streaming platforms.
- Avoid censorship: A lot of countries have strict Internet regulations and ban several websites and apps. But you’ll have more online freedom when you connect to a VPN server from a different region.
- Encrypt your data: Top VPNs use AES with 256-bit keys, a military-grade encryption that’s basically impossible to break.
WireGuard – What Is It, How Does It Work?
The majority of VPN services use the popular VPN protocols IPsec and OpenVPN, both developed long ago. They may be the norm in the VPN industry, but they come with their share of issues: IPsec can be slow and difficult to configure, for example, while OpenVPN doesn’t always perform well.
When Jason Donenfeld was looking for a tunneling technology to encapsulate his traffic, he wasn’t too happy with the above protocols. So he began developing an easy-to-use, simple, and fast protocol that you can deploy on any device. Furthermore, WireGuard’s code base is significantly smaller than OpenVPN’s, making it easier to audit and debug.
According to a 2018 Ars Technica review, WireGuard’s code comprises around 4,000 lines. That’s much less than OpenVPN + OpenSSL’s total of 600,000 lines, or IPsec’s 400,000 total lines. It also means that WireGuard has a smaller attack surface, making it less susceptible to threats.
“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.” – Linus Torvalds, Linux creator
Because most VPNs use the OpenVPN and IPsec protocols, they rely on cryptographic agility: the protocol offers several choices, allowing you to change ciphers, key exchange, and hashing algorithms. Having more options is a benefit, but it also results in slower speeds and less security, because there are many more negotiable elements between client and server.
Instead, WireGuard uses cryptographic versioning: a reduced, fixed set of state-of-the-art primitives that users cannot change. If an attack or vulnerability is found in one of these primitives, WireGuard releases a new protocol version, which keeps communication between peers simple.
Take a look at the latest crypto primitives that WireGuard uses:
- ChaCha20 for symmetric encryption, with Poly1305 authentication, using RFC7539’s AEAD construction.
- SipHash24 for hashtable keys.
- Curve25519 for ECDH.
- HKDF for key derivation, as described in RFC5869.
- BLAKE2s for hashing and keyed hashing, described in RFC7693.
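To make the key-derivation entry in that list concrete, here is an added example (my code, not code from the article or from the WireGuard project) that implements RFC 5869 HKDF as extract-then-expand over HMAC, with BLAKE2s as the default hash, which is the pairing WireGuard uses. The hash is a parameter so the same code can be checked against the SHA-256 test vectors published in RFC 5869. The `kdf_n` helper, which splits HKDF output into 32-byte labels, is my reading of the Kdf_n shape used in the WireGuard paper and is an assumption of this example, not something the article states; its inputs are constructed values.

```python
"""RFC 5869 HKDF (extract-then-expand) over HMAC, parameterised by hash.
Default hash: BLAKE2s (RFC 7693), as WireGuard uses. Added example."""
import hashlib
import hmac


def _resolve(hash_fn):
    """Accept either a hashlib constructor or its name ("sha256", "blake2s")."""
    return getattr(hashlib, hash_fn) if isinstance(hash_fn, str) else hash_fn


def hkdf_extract(salt, ikm, hash_fn=hashlib.blake2s):
    """PRK = HMAC-Hash(salt, IKM). An empty salt is replaced by HashLen zero
    bytes, as RFC 5869 section 2.2 requires."""
    hash_fn = _resolve(hash_fn)
    hash_len = hash_fn().digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk, info, length, hash_fn=hashlib.blake2s):
    """OKM = T(1) | T(2) | ... where T(i) = HMAC-Hash(PRK, T(i-1) | info | i),
    truncated to `length` bytes. The counter is one byte, hence the cap."""
    hash_fn = _resolve(hash_fn)
    hash_len = hash_fn().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output is capped at 255 * HashLen bytes")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_fn).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length, hash_fn=hashlib.blake2s):
    """Full HKDF: extract a PRK from (salt, IKM), then expand it with `info`."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_fn), info, length, hash_fn)


def kdf_n(chaining_key, input_material, n):
    """Split HKDF-BLAKE2s output (empty info string) into n 32-byte labels.
    ASSUMPTION: this mirrors the Kdf_n shape of the WireGuard paper as I read
    it; the article above does not describe this detail."""
    okm = hkdf(chaining_key, input_material, b"", 32 * n)
    return [okm[i * 32:(i + 1) * 32] for i in range(n)]


if __name__ == "__main__":
    # Constructed inputs, not real handshake values.
    chaining_key = b"\x00" * 32
    new_chaining_key, transport_key = kdf_n(chaining_key, b"constructed-dh-output", 2)
    print("next chaining key:", new_chaining_key.hex())
    print("derived key:      ", transport_key.hex())
```

Passing `"sha256"` as the hash reproduces RFC 5869 test case 1 exactly, which is the quickest way to convince yourself the extract and expand steps are wired correctly before trusting the BLAKE2s instantiation.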
Furthermore, WireGuard uses short public keys so that peers can identify each other, much as OpenSSH does. Public keys are also the basis of cryptokey routing, a new concept that determines which IP addresses inside the tunnel belong to each peer.
The WireGuard protocol is always in stealth mode: it ignores any packet it does not recognize, so network scans won’t reveal that WireGuard is running on a device. And when peers aren’t exchanging data, the connection goes silent.
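The cryptokey routing idea mentioned above is easiest to see in code. The following is an added example written for this article, not code from the page or from WireGuard: it parses the `[Peer]` sections of a WireGuard-style configuration and builds a routing table that binds each public key to its `AllowedIPs`. Outbound, the destination IP picks the peer (and therefore the key) to encrypt for, with the most specific prefix winning; inbound, a decrypted packet is delivered only if its inner source IP routes back to the peer whose key authenticated it. The configuration text is constructed for the example and the key strings are placeholders, not real keys.

```python
"""Cryptokey routing, illustrated: public key <-> AllowedIPs binding used in
both directions (outbound key selection, inbound source-IP check). Added
example; the config and keys below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

SAMPLE_CONFIG = """\
[Interface]
PrivateKey = INTERFACE_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24

[Peer]
PublicKey = PEER_KEY_LAPTOP_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = PEER_KEY_PHONE_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24

[Peer]
# a "default route" peer: catches anything no more specific prefix claims
PublicKey = PEER_KEY_GATEWAY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""


@dataclass
class Peer:
    public_key: str
    allowed_ips: list  # list of ipaddress.ip_network objects


def parse_peers(config_text):
    """Minimal parser for the [Peer] sections of a WireGuard-style config.
    Splits each line on the first '=' only, so base64 key padding survives."""
    peers, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line[1:-1].strip().lower() == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue  # [Interface] keys are not needed for routing
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    result = []
    for entry in peers:
        cidrs = [c.strip() for c in entry.get("AllowedIPs", "").split(",") if c.strip()]
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        result.append(Peer(entry["PublicKey"], nets))
    return result


class CryptokeyRouter:
    def __init__(self, peers):
        # (network, peer) pairs; a given prefix belongs to exactly one peer,
        # so a later definition of the same prefix replaces the earlier one.
        self._routes = []
        for peer in peers:
            for net in peer.allowed_ips:
                self._routes = [(n, p) for (n, p) in self._routes if n != net]
                self._routes.append((net, peer))

    def lookup(self, ip):
        """Longest-prefix match: the most specific AllowedIPs entry wins.
        Used outbound to choose which peer's key a packet is encrypted for."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, peer, inner_src_ip):
        """A packet decrypted under `peer`'s key is delivered only if its inner
        source IP routes back to that same peer; otherwise it is a spoof."""
        return self.lookup(inner_src_ip) is peer


def build_router(config_text=SAMPLE_CONFIG):
    return CryptokeyRouter(parse_peers(config_text))


if __name__ == "__main__":
    router = build_router()
    laptop = router.lookup("10.0.0.2")
    gateway = router.lookup("8.8.8.8")
    print("10.0.0.2 ->", laptop.public_key)
    print("8.8.8.8  ->", gateway.public_key)
    print("gateway claiming 10.0.0.2 accepted?", router.accept_inbound(gateway, "10.0.0.2"))
```

The last line of the demo is the security property worth remembering: even though the gateway peer's `0.0.0.0/0` covers `10.0.0.2`, the laptop's `/32` is more specific, so a packet arriving under the gateway's key with that source address is dropped rather than delivered as if it came from the laptop.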
Which VPNs Support WireGuard?
WireGuard has been dubbed as the “future industry standard” by several VPN providers and field experts. After all, it brings far better speed and performance than OpenVPN, IPsec, and the other standard VPN protocols, especially if you’re using the Linux operating system.
Therefore, a lot of VPN services moved quickly to adopt WireGuard so that users can make use of all its benefits. These VPNs include:
- NordVPN: The Panama-based provider offers a new technology called NordLynx, which pretty much revolves around WireGuard. According to the company’s speed tests, NordLynx registered better scores than the other VPN protocols.
- Private Internet Access: PIA recently started supporting WireGuard in its systems, in March. Israeli company Kape Technologies owns the US-based VPN, as well as CyberGhost, another VPN service.
- Mullvad: A Swedish VPN and one of the first providers to adopt WireGuard, which is the default protocol on its iOS and Android apps.
- OVPN: Another VPN based in Sweden, OVPN recently started supporting the WireGuard protocol. However, you’ll need to download the WireGuard client and import the configuration files.
- AzireVPN: It seems Swedish VPN services are really into WireGuard. AzireVPN joined the WireGuard bandwagon early in 2017. But just like with OVPN, you’ll have to download the client on your OS, then import the configuration files.
- IVPN: This VPN service managed to integrate WireGuard into its clients and apps successfully.
- TorGuard: Just like PIA, this VPN is headquartered in the US, inside privacy-intrusive Five-Eyes jurisdiction. It supports WireGuard, albeit via the VPN protocol’s clients.
- VPN.ac: A lot of users recommend VPN.ac for bypassing geo-blocks and avoiding censorship. The Romanian provider supports WireGuard through clients.
- StrongVPN: The VPN offers WireGuard in the beta version, but users can still benefit from its perks. Keep in mind that StrongVPN headquarters are in the United States.
Is There a Downside to WireGuard?
As I mentioned earlier, WireGuard is touted to be the future of the VPN industry. Those who use WireGuard on Linux OS will benefit from better performance and connection speeds up to four times higher than with OpenVPN. The protocol is also faster than IPsec. Furthermore, WireGuard will enhance your security.
However, the VPN protocol hasn’t reached stable production on other operating systems. On Android, iOS, Windows, Mac, and BSD, WireGuard runs as the Go implementation rather than inside the kernel. Therefore, if your device runs anything other than Linux, you won’t get the same performance, speed, and security. Still, WireGuard can mostly match OpenVPN and IPsec.
But WireGuard’s main drawback is in the privacy department. By design, it collects some identifiable data like your IP address. Therefore, a lot of commercial VPN providers voiced their concern over the VPN protocol. After all, several of them have a zero-logging policy, and keeping records such as IP addresses goes against it.
Another privacy issue is how WireGuard assigns IP addresses. Most VPN protocols follow a dynamic approach, while WireGuard keeps a static IP for each device. That means that if there’s a WebRTC leak, the static IP address can leak to third parties, like your Internet service provider, for instance.
Despite WireGuard’s privacy disadvantages, several providers who adopted this VPN protocol introduced solutions so that users can benefit from WireGuard’s perks, all while preserving their online anonymity.
NordVPN, for example, uses a double NAT system with NordLynx, which comprises two interfaces. The first one dedicates a local IP address to each user, instead of giving everyone the same IP as in the original WireGuard protocol. The second interface provides each tunnel with a unique IP address after the VPN tunnel is created so that Internet packets don’t mix up while traveling.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active. – NordVPN
Other VPN brands, like Mullvad and OVPN, simply erase IP address logs after each session. Both VPNs also found ways to avoid WebRTC leaks by allowing you to regenerate keys and rotate IP addresses. You can also do yourself a favor by choosing a privacy-friendly web browser that limits data exposure.
WireGuard Pros and Cons
As you can see, even the future standard of the VPN industry has its highs and lows. Although WireGuard delivers faster speeds, better performance, and higher security, it has a few privacy flaws that make it a bit risky. However, some of the commercial VPN services that support this protocol created solutions to ensure users get the best possible experience when using a VPN.
Pros:
- Easy to set up.
- Open source.
- Compatible with several operating systems.
- Short code base.
- Uses the latest cryptography algorithms.
Cons:
- Some form of data logging.
- Static IP address assignment.
Keep in mind, though, that WireGuard is still in development and a work in progress. But from what we’ve seen so far, it certainly can match, and sometimes outperform, other popular VPN protocols. What do you think?