A lot has changed since we first looked at the WireGuard VPN protocol. In this updated WireGuard VPN guide, we examine the strengths and weaknesses of this protocol, as well as the best WireGuard VPN services.
WireGuard is a relatively new VPN protocol that is already bringing big changes to the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – namely faster speeds and upgraded encryption – the drawbacks of WireGuard often go ignored. So is WireGuard ready for widespread adoption – or do the lingering privacy concerns outweigh the potential benefits?
We’ll answer all these questions and more in this updated WireGuard VPN guide.
WARNING: Right now, WireGuard has some inherent problems that can undermine user privacy if not adequately addressed. Before using the WireGuard VPN protocol, be sure to examine how your VPN provider ensures user privacy with their WireGuard implementation.
Some VPNs have effectively addressed all privacy concerns. For example, NordVPN supports WireGuard directly in their VPN clients using a Double NAT system. This ensures no identifiable user data (IP addresses) are ever stored on a VPN server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we will cover in this updated WireGuard VPN guide:
- Benefits of WireGuard
- WireGuard privacy problems (and solutions)
- Best WireGuard VPN services
- The future of WireGuard
- WireGuard VPN comparison table
OpenVPN vs WireGuard – OpenVPN is considered the gold standard of VPN protocols by many — but things are changing. To compare these two protocols, we put together a WireGuard vs OpenVPN guide, which examines speeds, security, encryption, privacy, and the background of each VPN protocol. We found WireGuard to be about 58% faster than OpenVPN on average, and even faster with nearby servers (450 Mbps).
Now let’s begin with the benefits of the WireGuard VPN protocol.
Benefits of WireGuard VPN
Here are some of the ‘pros’ that WireGuard offers:
1. Updated encryption
As explained in various interviews, Jason Donenfeld wanted to upgrade what he considered to be “outdated” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
You can learn more about WireGuard’s modern cryptography on the official website or in the technical white paper [PDF].
2. Simple and minimal code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier to audit = easier to find vulnerabilities, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
3. Performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the following areas:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
Fastest VPN protocol we’ve tested
We have now tested out WireGuard extensively with NordVPN and a few other VPN services that support it. We have found NordVPN’s implementation of the WireGuard VPN protocol, which they call NordLynx, offers the fastest speeds.
Here we are using NordVPN with the WireGuard VPN protocol (NordLynx) with a server in Seattle (USA). We hit speeds of 445 Mbps on a 500 Mbps connection:
This makes WireGuard the fastest VPN protocol we have tested (when used with NordVPN on a nearby server).
4. Cross-platform ease of use
Although full implementation was somewhat delayed, WireGuard now works well across all major platforms. WireGuard supports Windows, Mac OS, Android, iOS, and Linux.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
A few VPNs have already integrated full WireGuard support into their lineup of VPN clients. See for example with NordVPN, Surfshark, and also Mullvad.
5. Now merged into Linux kernel and released from beta
On March 29, 2020, it was announced that WireGuard will be officially included in the 5.6 Linux kernel. This is big news that many privacy enthusiasts have been waiting for.
Additionally, WireGuard is now out of beta with the release of version 1.0 for Linux. You can get more info on WireGuard for different operating systems here.
With these two developments, WireGuard is now considered stable and ready for widespread use. The previous warning on the official website about WireGuard being “not yet complete” has been removed.
WireGuard privacy problems (and solutions)
While WireGuard may offer advantages in terms of performance and security, by design it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers who offer privacy services in mind.” Similarly, NordVPN also voiced concerns with the inherent privacy issues of WireGuard:
By implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.
Fortunately, the dust has settled and today there are some good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and a few VPNs have found effective solutions for deploying it while still ensuring user privacy.
To understand the tradeoff between privacy and security with WireGuard, IVPN did a good job distinguishing the two as follows:
The security of the protocol is concerned with protecting the data in a tunnel from being accessed by adversaries: either by breaking the encryption, MITM attacks, or by any other means, no matter how complicated.
Privacy is concerned with whether an adversary can learn anything about you, your communication or any party you’ve communicated with. It has more to do with the metadata rather than the actual data.
Privacy can be violated, even when security is rock solid. For example, when the fact that two parties communication can be determined. Or when a certain piece of information about a party becomes known after the communication took place. However, it should be noted that, if security is weak, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some privacy problems with WireGuard.
Problem 1: WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard was not built for anonymity and privacy, but rather security and speed.
By default, WireGuard saves connected IP addresses on the server . These user IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
So how are VPN services deploying WireGuard while still ensuring user privacy?
Solutions
Based on our research, the solution to this privacy problem varies by the VPN provider. We’ll examine a few below.
NordVPN double NAT system with WireGuard
NordVPN takes a unique approach to the privacy issues with what they call a “double NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they are referring to it as NordLynx.
You can get more info on NordLynx and NordVPN on their website here.
Mullvad and OVPN erase IP address logs after the VPN session ends
Another way VPN providers have addressed the problem with logs is to configure their servers to erase data logs when the session ends.
Two examples of this are with Mullvad and OVPN, both of which are secure VPN services based in Sweden.
OVPN explains:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past three minutes are removed, which means we have as little information as possible.
Mullvad takes a similar approach:
We added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
Now let’s look at another issue/drawback of WireGuard.
Problem 2: WireGuard does not assign dynamic IP addresses
VPN providers have also voiced concerns about how IP addresses are assigned with WireGuard.
Mullvad had this to say in a blog post:
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you’ve installed software that is malicious, it can also leak that information.
Similarly, OVPN also acknowledges these drawbacks:
At present, WireGuard requires that each key pair (which can be viewed as a device) is assigned a static internal IP address. This works without issues for smaller installations, but can quickly become complex when tens of thousands of customers need to connect. Development is underway for a model called wg-dynamic, but it is not yet finished.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Solutions
Both OVPN and Mullvad have come up with ways to securely generate keys and manage IP addresses. Each service allows you to regenerate keys and therefore rotate IP addresses, which helps to neutralize this problem. You can get specific details on each of the respective VPN websites.
Block or disable WebRTC – WireGuard relies on statically assigned IP addresses, and as we have covered before, a WebRTC leak can expose your internal and/or external IP address. This is not an issue with your VPN service, but rather a problem with your web browser. Here are some helpful guides to solve these issues:
- Disable or block WebRTC – Our guide has step-by-step information for all major browsers.
- Use the Firefox browser with WebRTC disabled. Firefox, unlike Chromium browsers, can simply disable WebRTC. See our Firefox privacy guide for instructions.
- Use a secure and private browser that limits data exposure.
Now that we’ve covered some different problems and solutions, let’s look at the best WireGuard VPN providers.
WireGuard VPN services
Ok, so you want to try out WireGuard and are wondering what are the best VPN services to do this. The list of VPN services supporting WireGuard continues to grow and we do our best to keep up with the latest developments and update this guide accordingly.
Here are the best VPNs for WireGuard:
1. NordVPN – Best all-around WireGuard VPN
| VPN | NordVPN |
| Based in | Panama |
| Logs | No logs (audited) |
| Price | $3.30/mo. |
| Support | 24/7 Live chat |
| Refund | 30 days |
| Website | NordVPN.com |
NordVPN is one of our favorite VPNs and it has now released full WireGuard support via NordLynx with a double NAT system for privacy. In our tests, NordVPN was blazing fast with speeds up to 445 Mbps on a 500 Mbps connection. While NordVPN also offers very fast OpenVPN speeds (consistently over 200 Mbps), we found the WireGuard protocol was still faster.
NordVPN is a Panama-based VPN service that excels in the areas of privacy and security. It had undergone two independent audits confirming it to be a no-logs VPN service. In cooperation with Versprite, NordVPN has also completed a full security audit and penetration testing. In 2020, NordVPN announced that all servers in the network are running in RAM-disk mode, which makes it impossible to store any data on the VPN server (no hard drives). Lastly, they are now deploying self-owned (co-located) servers throughout their network, which puts all hardware completely under their control.
To use WireGuard with NordVPN, all you need to do is select the NordLynx protocol in the app, and then connect to a VPN server. Secure key generation and IP address management are all handled in the background by the app to ensure user privacy.
Full WireGuard support in the VPN apps is a seamless and easy option. This is available with the NordVPN apps for Windows, Mac OS, iOS, Android, and Linux.
In addition to WireGuard support, NordVPN also offers many other privacy and security features:
- Double-VPN servers – Encrypt traffic across two different VPN servers for an added layer of security and encryption.
- Tor-over-VPN servers – These are VPN servers that exit onto the Tor network for additional anonymity.
- CyberSec – This feature blocks ads, trackers, and malware domains.
- Obfuscated servers – These servers will help you to get around VPN blocks, such as when using a VPN in China, at school, or with work networks.
NordVPN Cyber Deal is Now Live:
Get 72% off your NordVPN subscription (reduces the price to $3.30 per month) plus 3 months FREE.
(Coupon is applied automatically.)
Our NordVPN review has more information and test results.
2. Surfshark – A low-cost VPN with full WireGuard support
| VPN | Surfshark |
| Based in | British Virgin Islands |
| Logs | No logs |
| Price | $2.49/mo. |
| Support | 24/7 Live chat |
| Refund | 30 days |
| Website | Surfshark.com |
Surfshark is another privacy-focused VPN service that announced full support for WireGuard in late 2020. It is incorporated in the British Virgin Islands (an excellent privacy-friendly jurisdiction) and keeps no data logs.
You can easily enable the WireGuard protocol in the Surfshark VPN clients, without having to deal with any keys or certificates. Surfshark currently supports WireGuard with: Windows, Mac OS, Android, and iOS apps (Linux support is still in development). Simply enable WireGuard in the Settings area and you will be off and running:
Surfshark has followed NordVPN’s lead in solving the privacy issues with WireGuard by implementing a double NAT system. This ensures user IP addresses are never stored on a VPN server.
In our tests for the Surfshark review, we found WireGuard to offer huge speed improvements. On a 500 Mbps connection, we were able to hit speeds of 397 Mbps, which is excellent:
In our comparison tests for the Surfshark vs ExpressVPN report, we can see that WireGuard gives Surfshark a major speed advantage over VPN services that are not incorporating this protocol.
We’ve already covered how Surfshark utilized the WireGuard VPN protocol. Now let’s examine some of the other privacy and security features offers by Surfshark:
- Double VPN servers to encrypt traffic over two locations
- NoBorders feature to get around VPN blocks
- Camouflage mode to conceal VPN traffic as regular HTTPS encryption
- CleanWeb feature to block ads and trackers
Surfshark has also made a name for itself in the streaming realm, offering access to a huge variety of streaming services. It is one of the best VPNs for Netflix with support for over 10 different regional libraries.
Check out Surfshark at their website below, or check out our Surfshark review for more test results and analysis.
https://surfshark.com
3. Mullvad – Swedish VPN with full WireGuard support
| VPN | Mullvad |
| Based in | Sweden |
| Logs | No logs |
| Price | $5.50/mo. |
| Support | |
| Refund | 30 days |
| Website | Mullvad.net |
Mullvad is a secure VPN in Sweden that was an early adopter of WireGuard. Like NordVPN, Mullvad offers full WireGuard support with all of their VPN apps. It is a no-logs VPN service focused on privacy.
Unlike NordVPN, however, Mullvad keeps temporary logs of user IP addresses, but as they explained above, these logs are automatically erased when the VPN session ends. Mullvad also replaces WireGuard keys once a week automatically in the VPN apps. You also have the option to manually regenerate WireGuard keys in the user settings area.
You can easily use WireGuard within the Mullvad apps by selecting WireGuard from the available VPN protocols. WireGuard is now the default protocol on iOS and Android. Key management is also available directly in the Mullvad VPN clients.
https://mullvad.net/
4. OVPN with WireGuard
| VPN | OVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | $4.99/mo. |
| Support | Email and chat |
| Refund | 10 days |
| Website | OVPN.com |
OVPN is a secure, no-logs VPN service based in Sweden. In late 2020, OVPN incorporated WireGuard support into their VPN server network. While OVPN officially supports WireGuard, they have not yet incorporated the WireGuard VPN protocol into all of the VPN clients. To use WireGuard with OVPN, you’ll need to download the official WireGuard client, and then download and import the configuration files.
Right now, the only VPN app that uses WireGuard automatically is the OVPN Android app. However, the goal is to have full WireGuard support in all apps later in 2021.
https://www.ovpn.com/
See our OVPN review for more info.
6. AzireVPN with WireGuard
| VPN | AzireVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | €3.25/mo. |
| Support | |
| Refund | 7 days |
| Website | AzireVPN.com |
Similar to Mullvad and OVPN, AzireVPN is another no-logs Swedish VPN service with a strong focus on privacy. It was one of the earliest adopters of the WireGuard VPN protocol, offering support all the way back in 2017. The AzireVPN server network is much smaller than other VPN services, but they also have very strict standards for server selection, with all locations running on premium hardware with high-capacity bandwidth channels.
Similar to OVPN above, AzireVPN supports WireGuard through the official WireGuard clients. Simply install the WireGuard client on your operating system, then download and import the configuration files.
https://www.azirevpn.com
Other VPN services that support WireGuard
This list is not exhaustive, but here are some other VPNs that support WireGuard. We have not tested these services yet with their WireGuard implementation, but they all offer a refund window allowing you to test it out risk-free.
- VPN.ac – Based in Romania, VPN.ac offers a secure VPN with full WireGuard support through the WireGuard clients.
- Trust.Zone – Trust.Zone is a privacy-focused VPN based in Seychelles. They offer basic VPN apps, but they do not directly support WireGuard. Instead, you can use WireGuard with third-party clients.
- TorGuard – TorGuard is a US VPN service (Five Eyes warning) that offers full support for the WireGuard protocol. You can use WireGuard with TorGuard through the WireGuard clients.
- IVPN – IVPN is a well-regarded VPN service in Gibraltar. Like NordVPN and Mullvad, IVPN has successfully integrated WireGuard into their own VPN clients. It is one of the most expensive WireGuard VPNs, but does well in the privacy category.
- Private Internet Access – PIA is a US VPN service that has rolled out support for WireGuard in their desktop and mobile clients. (PIA is owned by Kape Technologies, a company with a history of producing malware. Kape also owns CyberGhost VPN and Zenmate.) In our speed tests for the PIA vs NordVPN comparison, we found PIA’s implementation of WireGuard to be quite slow.
- VyprVPN – In late 2020, VyprVPN also announced that they had successfully integrated WireGuard into their service. We tested everything out for the updated VyprVPN review and got speeds of 300+ Mbps.
- CyberGhost – CyberGhost VPN has also now implimented WireGuard. Unfortunately, we found it to still be slow, especially compared to other WireGuard VPN services. You can see this in the Surfshark vs CyberGhost comparison.
The future of WireGuard
WireGuard’s future is looking bright.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been released under version 1.0 and incorporated into the Linux kernel, it is safe to say this VPN protocol is ready for mainstream use.
Last updated on June 11, 2021 with new information.
A few points. The “storing of ip addresses” by wireshark is configurable, and there are a number of ways to tell it to write that data only to RAM and never to nonvolitile media. So your first point is entirely moot, and nordvpn’s double-NAT solution is vast overkill for the situation. And there remains the hard fact that in VPN land, there must be some part of the system that knows where I’m connecting from, so that it knows where to send the packets meant for me. Even the lofty NordVPN can’t change physics there. They do what everyone else does, store that data in RAM instead of hard drives/ssds, so that shutting down a physical machine remotely has the implicit effect of permanently deleting every byte that was in RAM at the time. Thats how that works.
Secondly, your bandwidth tests seem strange. From my own testing, Nord and PIA were absolutely identical speed and latency wise, partially, I believe, because they were both terminating in (lol) the same colo in a city. They might even be in racks next to each other. And that speed is on average about 10% less bandwidth than on my raw fibre connection, and usually less than 5ms in latency.
Lastly, “mixed traffic” isn’t a problem. Just the opposite actually. It absolutely doesn’t matter how many other peoples’ traffic is coming along the same route through the same interfaces as me, if we’re all keyed users than my packets contain an encrypted header which explicitly, logically ties them all together as destined for the same place. If you want to know where that place is, you decrypt the header. If you want to decrypt that header, you need my private key. If you want my private key, you can go fuck yourself. All public/private key encryption works this way, and thus NAT isn’t necessary if you’re not writing IP addresses to nonvolitile media.
Which is to say… if you ARE using NAT this way, like NordVPN, it may be implied that you’re doing so because you ARE writing IP addresses to nonvolitile media, somewhere along the line.
If Wireguard was set up on a private personal network with a Raspberry Pi then the two privacy cons that you have listed wouldn’t be an issue anymore correct?
Sure, but you will have new problems because your traffic is not getting mixed with other users in this setup, which means all activity is still traceable back to you.
Good point, would it only be traceable if someone was able to break past the wire guards vpn security?
For context, I came across your article trying to decide between OpenVPN and Wireguard for my Raspberry Pi running PiHole. I’m looking for a secure, fast and private way for myself and my family to browse without ads and trackers.
I should have prefaced my comment before with “it all depends on your threat model and who you are trying to secure your data from.”
So with the setup you describe, traffic will be encrypted between your device and the Raspberry Pi, so everything downstream of the Raspberry Pi, will be on the regular unencrypted internet. So your ISP will see everything you are doing and every site you visit will have the unique IP address (and location) of your Raspberry Pi.
When connecting to a commercial VPN service, with a server in let’s say Germany, your ISP will not be able to see anything you are doing because all traffic will be encrypted between your device and the VPN server in Germany. Additionally, your traffic will be getting mixed with all the other people on that same server, sharing the same IP address, which is a further benefit to blending in with the crowd. And if it is a verified no logs VPN provider, you can be further assured your activities are not being monitored and tracked. But again, it all depends on your threat model and who you are securing your data from.
I can’t wrap my head around why another VPN needed, ie, Nord, Mullvad? Isn’t Wireguard already a VPN?
Hi Chris, no, WireGuard is a VPN protocol, like OpenVPN. And different VPN providers, such as NordVPN, Mullvad, and others, offer you (the user) the ability to use these different protocols with their VPN service. See our VPN protocols guide for more of a discussion.
Dengan hormat
Maaf tanya, Apabila saya berlangganan, apakah ada panduan untuk seting / konfigurasinya?. Sebab saya masih awam masalah vpn.
Terimakasih
Yes, each of our recommended VPNs has a setup guide, and they will also give you support if you need assistance.
Hi, I found that Fastssh.com and VPNHack.com both offer .conf files for WireGuard.
Is it safe to use either of them?
Or, is it best to go back to the brand names such as NordVPN, Surfshark and Mullvad?
Definitely go with brand names from reputable businesses.