VPN with WireGuard – Integrating the Cutting Edge in Open-Source Technology

WireGuard, an open-source VPN tool, is enjoying a great deal of hype at present. According to its developer, the idea behind the software is to make connecting to virtual private networks (VPNs) as simple as possible. This means that it will not only be faster and more useful than IPSec and others, but also easier to configure.

This opens the door to a variety of different applications for the program. For example, WireGuard can allow employees to remotely and quickly connect to their company's intranet. Backbone Router also allows for connections to be established anywhere, without special infrastructure or certificates.

This article provides a detailed look into how WireGuard operates, and highlights what you should pay attention to when installing and configuring it for use. Additionally, we also summarize the most important advantages and disadvantages of the open-source software.

What is WireGuard?

WireGuard is based on a relatively new technology developed by Jason A. Donenfeld that enables the establishment of secure VPN networks, and is an alternative to well-known solutions like IPSec, SSTP, or OpenVPN. This can be seen as a mix between a VPN protocol and VPN software, which is not only easy-to-configure, but also capable of establishing fast connections and stable VPN tunneling (even on mobile clients).

WireGuard performs well on the network level (Layer 3) of the open systems interconnection (OSI) model, supporting IPv4 and IPv6. Although the software is based on peer-to-peer architecture, it can also simulate client-server architecture. The VPN connection (similarly to the secure shell protocol, or SSH) is implemented by exchanging publicly-available keys.

Since it is open-source, WireGuard remains, at least in part, in a developmental stage, however, it is available for a variety of platforms (such as Linux distributions, Android, and iOS). On Linux systems, the code is executed as a module in the kernel.

Good to know:

VPN networks on OSI Layer 3 operate in kernel, rather than user space, meaning that WireGuard is not available for Windows. In the interim, a Windows client called TunSafe has appeared. This is a proprietary cloud-sourced client based on OpenVPN's TUN/TAP drivers, however, Donenfeld, WireGuard's developer, emphatically warns against its usage owing to security concerns.

Which Functions Does WireGuard Provide?

WireGuard fulfills the role of a network adapter, adding one or multiple network interfaces that can be configured analogue to wlan0 or eth0 (i.e. with ipconfig or route). The application is limited to the most necessary features, in a conscious step by the developer to keep it as simple as possible. The program's code is comprised of a mere 4,000 lines of code, making it easy to read and understand.

To compare: IPSec or OpenVPN entail several hundred thousand lines of code.

As a result, WireGuard offers fewer configuration possibilities, but can also be checked more easily, an important feature for security-critical applications.  

WireGuard's VPN solution uses three basic cipher functions to encrypt connections:

  • Curve25519 with the Elliptic Curve Diffie-Hellman (ECDHE) protocol for handshake encryption (key exchange)
  • BLAKE2s for universal hashing (for example, to generate HMAC codes or key derivations with HKDF)
  • ChaCha20 and Poly1305 for symmetric encryption and data exchange

The underlying principle is both simple and effective: Each participant receives a public VPN key, through which they can be identified. Ed25519 is used as the protocol for public key authentication.

WireGuard's high security and encryption standards are based off of modern crypto-algorithms. Using "cryptokey routing", servers and clients each receive static IP addresses which are stored in the server's configuration data. When establishing a connection, this is compared to the public key, and only when they match, does the process continue.

Hint:

More information about WireGuard, including details relating to its protocols and encryption mechanisms can be found in the following white paper.

Pros and Cons

The main advantage of WireGuard is its easy usability. Apart from that, it also offers a number of other benefits:

High-performing and stable VPN tunneling

Solid security owing to integration of the newest cryptographic standards

Manageable code that ticks all of the boxes

Well thought-out concept

If you are planning to use WireGuard, you should be aware that it is an unfinished program, and somewhat under-developed, particularly in terms of functionality. Alongside with its numerous advantages, WireGuard also has some significant disadvantages:

Software remains in the developmental phase

Does not support dynamic IP address management (client needs to be coupled with a previously-defined VPN address)

No server verification

Proxy connection and authentication are not possible

Executed using kernels

Does not support TCP (at the moment)

VPN Providers With WireGuard Support

Most VPN providers are currently experimenting with the incorporation of WireGuard into their clients. Some have already made WireGuard available to their customers, a list of which can be found below:

Filtern
Sortieren
Best Value for Money
NordVPN
(318,174)
5000+ servers worldwide
60 countries
No logs
6 devices simultaneously
Inexpensive 2-year package
NordVPN combines speed, user-friendliness and functionality into a coherent overall package that is also fairly affordable.
Devices
6
Datenvolumen
unlimited
Protocols
5
Contract Period
1 - 24 months
+3 months
Black Friday Deal
NordVPN 2-year plan
$3.71
monthly price
Visit Website
Review Score
4.7 / 5
excellent
Surfshark VPN
(25,851)
1700+ servers in 63+ countries
Unlimited number of devices
Many apps (Linux, FireTV, ...)
Saves no logs
Very cheap on the 24-month plan
Surfshark is one of the cheapest providers on the market, but besides the price also impresses with strong protection, many features and a great support with 24/7 live chat.
Devices
unlimited
Datenvolumen
unlimited
Protocols
3
Contract Period
1 - 24 months
+3 months
Black Friday Deal
Surfshark 24 months
$2.49
monthly price
Visit Website
Review Score
4.6 / 5
excellent
hide.me VPN
(14,884)
1500+ servers
55+ locations in 34+ countries
Saves no logs
14-day money-back guarantee
with free plan
Devices
1 - 5
Datenvolumen
10 - ∞
Protocols
7
Contract Period
0 - 24 months
hide.me Free
$0.00
monthly price
Visit Website
Review Score
4.6 / 5
excellent
VyprVPN
(50,881)
700+ servers in 70 countries
Saves no logs (Audited)
Company location in Switzerland
Premium: own VPN protocol
Devices
5
Datenvolumen
unlimited
Protocols
6
Contract Period
12 months
33%
Black Friday Special
VyprVPN 24-month plan
$2.50
monthly price
Visit Website
Review Score
4.3 / 5
good
Windscribe VPN
(29,596)
500+ servers in 60 locations
Good free plan
Connect unlimited devices
Headquarters in Canada
Devices
unlimited
Datenvolumen
unlimited
Protocols
3
Contract Period
1 - 12 months
Windscribe Yearly
$4.08
monthly price
Visit Website
Review Score
4.1 / 5
good
Mullvad VPN
(28)
500+ servers in 35 countries
Anonymous registration / no logs
New WireGuard protocol
Very simple pricing
Devices
5
Datenvolumen
unlimited
Protocols
2
Contract Period
1 month
Mullvad Flatrate
$5.85
monthly price
Visit Website
Review Score
3.9 / 5
good
Author Manuela Lenz
Manuela Lenz is a trained IT specialist and worked for 20 years as a system administrator and project manager for large companies. Since 2017, the IT specialist has been a passionate IT-author. For EXPERTE.com she writes about project management, software and IT security.
Other languages:
Deutsch Italiano