WireGuard VPN Protocol: What you should know about it

WireGuard is an interesting new VPN protocol that can fundamentally change the VPN industry. Compared to existing VPN protocols such as OpenVPN and IPSec, WireGuard can boast faster speeds and higher reliability with new and improved encryption standards.

Is WireGuard VPN the new Standard?

Although WireGuard® offers some promising features in terms of simplicity, speed and cryptography, it also has some notable drawbacks, which are discussed in detail below. Undoubtedly, however, Wireguard will very soon turn the entire VPN industry on its head, and it will also be supported on many devices that previously could not be used with a VPN.

Compared to other VPN protocols (such as OpenVPN, IKEv2, PPTP, etc.), Wireguard is actually an encrypted transmission method that behaves similarly to an SSL proxy connection. In this respect, the lack of local IP address assignment in Wireguard is one of the most criticized drawbacks so far, and it has to be supplemented by individual adjustments.

 

What is a VPN-protocol?

A VPN protocol consists of a set of rules used to negotiate a connection between the VPN client and the VPN server. At the moment, the VPN protocols most commonly used by VPN providers are PPTP, SSTP, L2TP/IPSec, IKEv2 and OpenVPN. It is, so to speak, the common, regulated language of an encrypted connection between two devices (the VPN client and the VPN server).

What is WireGuard?

WireGuard VPN Logo

WireGuard is a new, experimental VPN protocol that aims to provide a simpler, faster, and more secure solution for VPN tunnelling than existing VPN protocols. WireGuard has some key differences compared to OpenVPN and IPSec, such as code size (under 4,000 lines of code!).

It simplifies the application on devices, offers better speed and uses the latest encryption standards.

Jason A. Donenfeld (Image by LWN.net)

Jason A. Donenfeld – the developer

The developer behind WireGuard is Jason A. Donenfeld, founder of Edge Security. (The term “WireGuard” is also a registered trademark of Donenfeld.) In an interview I watched, Donenfeld said that the idea for WireGuard came when he was living abroad and needed a VPN for Netflix. Donenfeld has already realized several other projects that became well known in the scene.

Info: Wireguard project page

 

Why is WireGuard already that popular?

Well, it offers some potential advantages over existing VPN protocols, as we will discuss below. It has even attracted the attention of Linus Torvalds, the developer of Linux, who had the following to say on the Linux kernel mailing list:

Can I once again express my love for [WireGuard] and hope it merges soon? Maybe the code is not perfect, but I skimmed it and compared to the horrors that are OpenVPN and IPSec, it is a work of art.

The rapid spread poses new dangers.

Many see the fact that Wireguard developed into a new standard so quickly as a problem. Missing parts were supplemented by individual, provider-specific solutions, which in turn leads to fragmented versioning and thus again to possible security problems. However, there are still many advantages over the previously used protocols, which is why many other developers and services will also dedicate themselves to this protocol in the long term.

Pros

  • Faster speeds
  • Fast connection establishment
  • Better battery life with cell phones / tablets
  • Better roaming support (mobile devices)
  • More reliability through the publicly visible code base
  • Usable on devices with limited hardware/resources
  • Faster connection / reconnection (faster handshake)
  • WireGuard requires few resources and little power, so battery runtimes are longer
  • Secure site networking becomes much simpler and more cost-effective to implement

Cons

  • No dynamic IP address assignment for clients included
  • No check of connection quality or corruption
  • Commercial VPN services often have to make adjustments, and this breaks compatibility with standard clients
  • Still quite new protocol, therefore little experience in operation or about security vulnerabilities
  • Rapid dissemination also prevented further development, as standards became established too quickly in the scene
  • Many variations have been customized and therefore may also contain renewed security vulnerabilities in use.

Which VPNs support WireGuard?

Here are the VPNs that currently already support WireGuard. There are also some others that are currently implementing this new protocol.

Wireguard VPN Services:

Many VPNs rely on the new standard

Of course, we will look at other VPNs that use WireGuard in the future. The risks posed by an implementation due to the untested standard have already been eliminated by now through massive use worldwide (estimated more than 300 million Wireguard applications in use).

OVPN – fastest Wireguard VPN 

 

Wireguard client limitations with some VPNs

Not every VPN service uses Wireguard in its standard form, so not every service is compatible with the published Wireguard clients. This is a disadvantage in practice, for example if you want to use a standard Wireguard client in a router or on other devices.

  • OVPN uses a modified login procedure with Wireguard and therefore runs the protocol under its own name “Nordlynx”. This is not usable with standard Wireguard clients.
  • VyprVPN also uses Wireguard and names it as such, but because of a self-customized login procedure it has the same restriction that only its own Wireguard clients can be used with it. It is therefore also not usable with standard Wireguard clients.

Therefore, look out for “native Wireguard VPN providers” that follow the developer’s standards and can therefore also connect to the official Wireguard clients.

VPN provider with “native Wireguard support”

The following VPN services support Wireguard clients natively, i.e. by default. This means that they are compatible with all available Wireguard clients, for example, also on corresponding VPN routers.

VPNs with Wireguard “standard”

Provider | Download | Upload | Price | Simultaneous connections
OVPN | 879900 kbps | 898222 kbps | from 4.22 EUR per month | 7
Mullvad VPN | 178455 kbps | 112977 kbps | from 5 EUR per month | 5
Private Internet Access | 160100 kbps | 157632 kbps | from 1.79 EUR per month | 10

Let’s first examine the advantages of WireGuard.

WireGuard advantages

Here are some of the benefits WireGuard offers:

1. Updated encryption

As explained in various interviews, Jason Donenfeld wanted to update what he considered “outdated” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and basic elements as described on its website:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305, using the AEAD construction of RFC7539
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing, described in RFC7693
  • SipHash24 for hashtable keys
  • HKDF for key derivation, as described in RFC5869

For more information about WireGuard’s advanced cryptography, see the official website or the technical whitepaper.

2. Simple and minimalistic code base

WireGuard is characterized by a code base of currently around 3,800 lines.

  • This is in stark contrast to OpenVPN and OpenSSL, which together have around 600,000 lines of code.
  • IPSec, with XFRM and StrongSwan, is also relatively extensive at around 400,000 lines of code in total.

What are the advantages of a smaller code base?

It is much easier to check!

OpenVPN would take many days for a large team to review. However, a single person can read through WireGuard’s codebase in a few hours.

  • Easier testing = easier search for vulnerabilities, keeping WireGuard more secure.
  • Much smaller attack surface compared to OpenVPN and IPSec
  • Better performance

The smaller code base is indeed an advantage, but also reflects some limitations, as we will discuss below.

3. Performance improvements

Speeds can be a limiting factor in VPNs – for many different reasons. WireGuard is designed to provide significant performance improvements:

A combination of extremely fast cryptographic applications and the fact that WireGuard resides in the Linux kernel means that a secure network can be very fast. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.

4. Cross-platform usability

Although WireGuard is not yet ready for prime time, it should work very well on a variety of platforms. WireGuard supports Mac OS, Android, iOS and Linux. Windows support is still under development.

Another interesting feature is that public keys are used for identification and encryption, while OpenVPN uses certificates. However, this causes problems when using WireGuard in a VPN client, e.g. key generation and management.
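To make concrete what the cryptography list above (Curve25519 for ECDH) and the key-based identification just described mean in practice, here is an added example; it is not code from the original article or from the WireGuard project. It implements X25519 from RFC 7748 in pure Python to derive a WireGuard-style public key from a private key, and then builds a server config in which every peer public key is pinned to one fixed tunnel address, which is the static key-to-address binding that the privacy discussion later in this article turns on. The server_config/peer_address helpers and the 10.0.0.0/24 pool are assumptions of the example, and the ladder is deliberately simple rather than constant-time.

```python
import base64
import os
from typing import List, Optional

# Curve25519 field prime and (A - 2) / 4 from RFC 7748; WireGuard uses this curve for ECDH.
P = 2**255 - 19
A24 = 121665
BASEPOINT_U = (9).to_bytes(32, "little")  # the standard X25519 base point

def _clamp(secret: bytes) -> int:
    """Clamp a 32-byte secret as X25519 (and `wg genkey`) does before using it as a scalar."""
    b = bytearray(secret)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def x25519(secret: bytes, u: bytes) -> bytes:
    """Scalar multiplication via the RFC 7748 Montgomery ladder.
    Educational version: the conditional swaps are not constant-time, unlike real libraries."""
    k = _clamp(secret)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # drop the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_keypair(secret: Optional[bytes] = None) -> tuple:
    """Return (private, public) as base64 strings, the format WireGuard config files use."""
    secret = _clamp(secret or os.urandom(32)).to_bytes(32, "little")
    public = x25519(secret, BASEPOINT_U)
    return base64.b64encode(secret).decode(), base64.b64encode(public).decode()

def server_config(server_private: str, listen_port: int, peer_publics: List[str],
                  subnet: str = "10.0.0") -> str:
    """Assumed helper: build a server config where every peer key is pinned to one /32.
    This static key-to-address binding is what the privacy discussion in the article is about."""
    lines = ["[Interface]", f"Address = {subnet}.1/24", f"ListenPort = {listen_port}",
             f"PrivateKey = {server_private}", ""]
    for idx, pub in enumerate(peer_publics, start=2):  # .1 belongs to the server itself
        lines += ["[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {subnet}.{idx}/32", ""]
    return "\n".join(lines)

def peer_address(config: str, public_key: str) -> Optional[str]:
    """Assumed helper: find the fixed tunnel address bound to a given peer public key."""
    for block in config.split("[Peer]")[1:]:
        if f"PublicKey = {public_key}" in block.splitlines():
            for line in block.splitlines():
                if line.startswith("AllowedIPs = "):
                    return line.split(" = ", 1)[1]
    return None
```

The x25519 function reproduces the RFC 7748 test vectors, so the generated public keys match what `wg pubkey` would print for the same private key.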


WireGuard offers the following advantages over previous VPN protocols

  1. Faster speeds
  2. Fast connection establishment
  3. Better battery life with cell phones/tablets
  4. Better roaming support (mobile devices)
  5. More reliability
  6. Usable on devices with limited hardware/resources
  7. Faster connection / reconnection (faster handshake)
  8. WireGuard should be beneficial for mobile VPN users. 
  9. Secure site networking becomes much simpler and more cost-effective to implement

WireGuard disadvantages

While WireGuard offers many exciting benefits, it currently has some notable drawbacks.

1. Still in “extensive” development, not finished, not accepted. (Update)

Wireguard has not yet been approved by security experts or sufficiently tested?

For a long time after the introduction of Wireguard in 2017, there were concerns that the protocol had not been “approved” by anyone and could therefore also contain sources of error in its implementation. This reasoning, that new procedures can only be judged in practice, is understandable, but Wireguard has now been sufficiently tested, with more than 300 million active connections worldwide at the beginning of 2021. It can therefore be said that the standard offers the security it promises and that connections with Wireguard are not inferior to other known protocols like OpenVPN.

2. WireGuard Privacy Concerns and Protocols (Update)

While WireGuard offers performance and security benefits, by design it is not good for privacy?

A number of VPN providers expressed concerns about whether it can be used without logs and about the potential impact on user privacy. This issue is due to the fact that Wireguard connections must use a static client address on the servers that is associated with a single user.

What VPN providers are currently saying about Wireguard:

AzireVPN, one of the first VPNs to implement WireGuard, had this to say last year:

“At AzireVPN we take care of our no-logging policy. For this reason, all of our servers run on diskless hardware and all log files are forwarded to /dev/null.

However, when it comes to WireGuard, by default the endpoint and allowed IP address is displayed in the server interface, which is not really compatible with our privacy policy. We should not know your source IP and cannot accept that it is displayed on our servers.”

AzireVPN has attempted to work around these issues by tasking Jason Donenfeld to write “a rootkit-like module that would allow an ordinary system administrator to not query endpoint or IP admission information to WireGuard peers and disable the execution of tcpdump.”

Perfect Privacy argued, in an interesting blog post, that WireGuard is “not usable without logs”:

“WireGuard has no dynamic address management, the client addresses are fixed. This means we would have to register each of our clients’ active devices and assign the static IP addresses on each of our VPN servers. We would also need to store the last login timestamp for each device to recover unused IP addresses. Our users would then not be able to connect their devices after a few weeks, as the addresses would have been reassigned.

It is particularly important to us that we do not create or store any connection logs at all. For this reason, we cannot store the above registration and login data that is currently required for WireGuard to operate.”

Also, VPN.ac expressed similar concerns about WireGuard’s security vulnerabilities:

“Privacy considerations: WireGuard is not suitable for unrestricted logging policies due to its design. In particular, the user’s last public IP address is stored on the server to which the connection was made, and cannot be removed within a day according to our current privacy policy. At a later date, we will likely make some changes to the source code to clean up or remove the last public IP used.”

ExpressVPN is another VPN service that has raised concerns about WireGuard’s design in terms of its privacy implications:

“One of the challenges for WireGuard is to ensure the anonymity of VPNs. No individual user should be statically assigned a single IP address, either in a public or virtual network. A user’s internal IP address may be discovered by an attacker (e.g., via WebRTC), who may then be able to match it with records acquired from a VPN provider (through theft, sale, or legal seizure). A good VPN does not need to be able to assign such an identifier to a single user. Currently, this setup is not easy to implement with WireGuard.

ExpressVPN will support efforts to review and test the WireGuard code, as we have done in the past with OpenVPN. We will contribute code and report bugs whenever we can, and discuss security and privacy concerns directly with the development team.”

AirVPN has also made the case for WireGuard’s impact on anonymity, as explained in their forum:

“Wireguard in its current state is not only dangerous because it lacks basic features and is experimental software, but it also dangerously weakens the anonymity layer. Our service aims to provide a certain level of anonymity, so we cannot consider something that weakens it so much.

We will happily consider Wireguard if it achieves a stable release AND offers at least the most basic options OpenVPN has been able to offer for 15 years. The infrastructure can be adapted, our mission cannot.”

In their forums AirVPN goes on to explain why WireGuard simply does not meet their requirements:

    • Wireguard does not have dynamic IP address management.
      The client must be assigned a predefined VPN IP address in advance, which is uniquely associated with its key on each VPN server. The effects on the anonymity level are catastrophic.
    • The Wireguard client does not check server identity (a feature so important that it will surely be implemented when Wireguard is no longer experimental software). The security impact caused by this bug is very high.
    • TCP support is missing (using TCP as a tunnelling protocol requires, you guessed it, some additional third-party code, and that’s a terrible regression compared to OpenVPN).
    • There is no support for connecting Wireguard to a VPN server via a proxy with a variety of authentication methods.

Despite these concerns, many VPN services are already implementing full WireGuard support. Other VPNs are following the project and are interested in implementing WireGuard after it has been thoroughly tested and improved.

Meanwhile, AirVPN for example stated in their forum:

“We will not use our customers as testers.”

3. New and untested

Sure, OpenVPN has its issues, but it also has a long track record and is a proven VPN protocol with extensive audits. While Donenfeld refers to OpenVPN as “outdated” in various interviews, others may consider it proven and trustworthy – qualities that WireGuard does not currently offer.

OpenVPN was originally released in 2001 and has a very long history. OpenVPN also benefits from a large user base and active development with regular updates. In May 2017, it underwent a comprehensive review by OSTIF, the Open Source Technology Improvement Fund.

At this point, WireGuard seems to be more of a niche project – but one with potential for the industry. It is very new and not yet in the “heavy development” phase, although it has undergone a formal review. However, even after the official release users should proceed with caution.

4. Restricted adoption (for now)

As we described above, there are some major hurdles to industry-wide adoption of WireGuard:

  • The problem of key management and distribution (rather than using certificates).
  • WireGuard requires its own infrastructure, separate from existing OpenVPN servers.
  • Compatibility with existing operations: features that vendors have built on top of OpenVPN may not be available soon.
Perfect Privacy also stated that WireGuard is not compatible with existing server-side features such as multi-hop VPN cascades, TrackStop and NeuroRouting. Nevertheless, I reached out to Perfect Privacy and they confirmed that they can support WireGuard as a standalone option at a later date.

Similarly, AirVPN also stated that the VPN protocol with its infrastructure was “completely unusable”:

“Currently, it is completely unusable in our infrastructure because there is no TCP support, there is no dynamic VPN IP assignment, and (at least in the build we saw) there is no strictly required security feature (verification of the CA certificate provided by the server). The client cannot be sure that a hostile entity is not impersonating a VPN server.”

Surfshark Wireguard Integration

Surfshark Wireguard

Conclusion: Most of the concerns have now been resolved!

The reasons that many gave against Wireguard were absolutely justified at that time. In the meantime, however, Wireguard has become one of the leading VPN protocols in use and has long since proven that it is also capable of being used in highly critical environments.

Thanks to the adaptations that are possible, the problems with user administration have already been addressed. However, this always comes at the expense of compatibility. But providers that stick to the standard have also found solutions to issue certificates dynamically, and the concerns about a possible lack of privacy could thereby be dispelled: the servers issue the certificates for one-time use only.
There are still “pros and cons” to this protocol. But it is clear that, in a broad range of environments and application scenarios, the protocol is a perfect fit.

Wireguard will therefore certainly continue to be used by an increasing number of users, providers and companies. The advantages clearly outweigh the disadvantages in most cases, even if by no means all conceivable applications can be easily realized with it.

The future of WireGuard

Many of the problems that currently still exist with the protocol can probably be eliminated. However, the development has also shown that the simplicity of the programming code is not necessarily compatible with the diversity of applications.

Since the protocol was actually only intended to connect a single PC via a VPN server, it turns out in practice that the requirements of VPN services do not match it. These services try not to obtain any data about their users, but this was basically never taken into account during development. The providers’ own in-house developments will not appear, however, for various reasons: the administration and control of proprietary VPN protocols is an enormous challenge, and there are currently enough usable alternatives.

It therefore remains to be seen whether the protocol will nevertheless make a breakthrough and find general application in VPN services beyond the test phase.

(Source: We have taken this article from the page “Restoreprivacy” and adapted and supplemented it for German-speaking readers.)


Wireguard Router

Since Wireguard is also ideal for use on simple operating systems and requires hardly any significant resources there, the standard is also constantly being integrated into various devices. VPN routers with integrated Wireguard client and server applications are of interest to users here, for example.

Locations can be networked quickly and securely via a Wireguard router. 

Gl-iNet Router with OpenWRT

While many router manufacturers are already working on the integration of Wireguard servers and clients, OpenWRT routers such as those from Gl-iNet have already integrated this technology and even go so far as to make cloud services available to users based on it in order to make accessibility and key exchange between routers as simple as possible. Using Gl-iNet’s Goodcloud.xyz, site networking can be solved very transparently and securely. The advantage that the protocol uses few resources on the device leads to speeds between the devices that were previously reserved for professional solutions costing many thousands of euros. 

OpenWRT router with Wireguard

Fritzbox with Wireguard expected soon

Also the popular manufacturer AVM is already working on a Wireguard integration on the Fritzbox routers. We were able to test the first version of it but came to the conclusion that there is still a lot to do, especially in the area of speed.

VPN Router Reviews with Wireguard

We are constantly testing and evaluating new VPN routers. The share of Wireguard routers has increased continuously. Meanwhile, the share is already almost 50% and will continue to grow in the future.


FAQ regarding Wireguard

What is Wireguard?

Wireguard is a VPN protocol that was developed in 2017 as a reaction to complicated VPN protocols to make the use of secure connections easier, faster and more resource-efficient. Wireguard contains less than 4000 lines of code, setting it apart from other protocols such as OpenVPN (more than 400,000 lines of code) in terms of simplicity and comprehensibility, also in terms of “security”.

How much does Wireguard cost?

Wireguard is free of charge for everyone. However, the brand name of Wireguard should not be used commercially without permission.

Is Wireguard safe?

The protocol uses modern encryption methods that are considered secure and are also considered safe in the industry.

Which VPN providers use Wireguard?

More and more commercial VPN providers also use Wireguard. Currently these are:

  • OVPN (fastest VPN in our tests)
  • AzireVPN
  • VPN.ac
  • TorGuard
  • Mullvad VPN
  • NordVPN
  • Private Internet Access

Are there routers with Wireguard?

Wireguard providers (list)

Currently, there are already a large number of VPN providers that use Wireguard.

  • OVPN (fastest VPN in our tests)
  • NordVPN (Nordlynx)
  • AzireVPN
  • VPN.ac
  • TorGuard
  • Mullvad VPN
  • Private Internet Access (still being tested)

Wireguard is also supported by OpenWRT and other router operating systems. Other devices like SmartTV will follow soon.


Created on: 11 July 2022
