When it comes to VPN security and performance, there's a new sheriff in town: WireGuard. The open-source protocol promises to surpass the current industry standards (OpenVPN and IPSec) in terms of speed and data encryption. Since it also claims to be easier to configure, many have started referring to it as the new gold standard among VPN protocols.
This opens the door to a variety of different potential applications for the protocol, such as allowing employees to remotely and quickly connect to their company's intranet. With WireGuard, backbone routers can also be configured to establish connections anywhere, without the need for special infrastructure or certificates.
This guide provides a detailed look into how WireGuard operates and highlights what you should pay attention to when installing and configuring it for use. Additionally, we'll sum up the open-source protocol's most important advantages and disadvantages.
What Is WireGuard?
WireGuard is based on a technology developed by Jason A. Donenfeld for establishing secure VPN networks and offers an alternative to well-known solutions like IPSec, SSTP, or OpenVPN. It's best imagined as a mix between a VPN protocol and VPN software, which is not only easy to configure but also capable of establishing fast connections and stable VPN tunnels (even on mobile clients).
WireGuard performs well on Layer 3 (network) of the open systems interconnection (OSI) model, supporting IPv4 and IPv6. Although the software is based on peer-to-peer architecture, it can also simulate client-server architecture. It establishes VPN connections similarly to the secure shell protocol (SSH) by exchanging publicly-available keys.
Although originally developed for Linux, WireGuard is available on Windows, Android, Mac, and iOS.
Which Features Does WireGuard Offer?
WireGuard fulfills the system role of a network adapter, adding one or more network interfaces that can be configured analog to wlan0 or eth0 (i.e. with ipconfig or route). To keep it as simple as possible, the application is limited to providing only the most necessary features. This can be seen in the program's code, which contains a mere 4,000 lines and is both easy to read and understand.
To compare: IPSec or OpenVPN entail several hundred thousand lines of code.
As a result, WireGuard offers fewer configuration possibilities, but can also be checked more easily, an important feature for security-critical applications.
WireGuard's VPN solution uses three basic cipher functions to encrypt connections:
Curve25519 with the Elliptic Curve Diffie-Hellman (ECDHE) protocol for handshake encryption (key exchange)
BLAKE2s for universal hashing (for example, to generate HMAC codes or key derivations with HKDF)
ChaCha20 and Poly1305 for symmetric encryption and data exchange
The underlying principle is both simple and effective: Each participant receives a public VPN key that uniquely identifies them. Ed25519 is used as the protocol for public key authentication.
WireGuard's high security and encryption standards are rooted in modern crypto algorithms. Thanks to "cryptokey routing", servers and clients each receive static IP addresses which are stored in the server's configuration data. When establishing a connection, this is compared to the public key, and the process only continues if they match.
More information about WireGuard, including details about its protocols and encryption mechanisms, can be found in this white paper.
An Overview of WireGuard's Pros and Cons
WireGuard's main advantage is how straightforward it is to use. Apart from that, it also offers a number of other benefits:
High-performing and stable VPN tunneling
Solid security owing to integration of current cryptographic processes
Manageable code with few weaknesses
Well thought-out concept
If you are planning to use WireGuard, you should be aware that it's still a work in progress, particularly in terms of functionality. Alongside its numerous advantages, WireGuard also has some significant disadvantages:
Software is still experimental
Does not support dynamic IP address management (client needs to be coupled with a previously-defined VPN address)
No server verification
Not possible to connect or authenticate via proxy
Does not support TCP (at the moment)
VPN Providers That Support WireGuard
Most VPN providers continue to debate whether or not to integrate WireGuard into their clients. However, some services do offer the new protocol, including:
