A lot has changed since we looked at WireGuard last year. In this updated WireGuard VPN guide we examine the strengths and weaknesses of this protocol, as well as the best WireGuard VPN services.
WireGuard is a relatively new VPN protocol that is already bringing big changes to the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – namely faster speeds and upgraded encryption – the drawbacks of WireGuard often go ignored. So is WireGuard ready for widespread adoption – or do the lingering privacy concerns outweigh the potential benefits?
We’ll answer all these questions and more in this updated WireGuard VPN guide.
WARNING: Right now, WireGuard has some inherent problems that can undermine user privacy if not adequately addressed. Before using the WireGuard VPN protocol, be sure to examine how your VPN provider ensures user privacy with their WireGuard implementation.
Some VPNs have effectively addressed all privacy concerns. For example, NordVPN supports WireGuard directly in their VPN clients using a Double NAT system. This ensures no identifiable user data (IP addresses) are ever stored on a VPN server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we will cover in this updated WireGuard VPN guide:
- Benefits of WireGuard
- WireGuard privacy problems (and solutions)
- Best WireGuard VPN services
- The future of WireGuard
- WireGuard VPN comparison table
OpenVPN vs WireGuard – OpenVPN is considered the gold standard of VPN protocols by many — but things are changing. To compare these two protocols, we put together a WireGuard vs OpenVPN guide, which examines speeds, security, encryption, privacy, and the background of each VPN protocol. We found WireGuard to be about 58% faster than OpenVPN on average, and even faster with nearby servers (450 Mbps).
Now let’s begin with the benefits of the WireGuard VPN protocol.
Benefits of WireGuard VPN
Here are some of the ‘pros’ that WireGuard offers:
1. Updated encryption
As explained in various interviews, Jason Donenfeld wanted to upgrade what he considered to be “outdated” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
You can learn more about WireGuard’s modern cryptography on the official website or in the technical white paper [PDF].
2. Simple and minimal code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier to audit = easier to find vulnerabilities, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
3. Performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the following areas:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
Fastest VPN protocol we’ve tested
We have now tested out WireGuard extensively with NordVPN and a few other VPN services that support it. We have found NordVPN’s implementation of the WireGuard VPN protocol, which they call NordLynx, offers the fastest speeds.
Here we are using NordVPN with the WireGuard VPN protocol (NordLynx) with a server in Seattle (USA). We hit speeds of 445 Mbps on a 500 Mbps connection:
This makes WireGuard the fastest VPN protocol we have tested (when used with NordVPN on a nearby server).
4. Cross-platform ease of use
Although full implementation was somewhat delayed, WireGuard now works well across all major platforms. WireGuard supports Windows, Mac OS, Android, iOS, and Linux.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
A few VPNs have already integrated full WireGuard support into their lineup of VPN clients. See for example with NordVPN, Surfshark, and also Mullvad.
5. Now merged into Linux kernel and released from beta
On March 29, 2020, it was announced that WireGuard will be officially included in the 5.6 Linux kernel. This is big news that many privacy enthusiasts have been waiting for.
Additionally, WireGuard is now out of beta with the release of version 1.0 for Linux. You can get more info on WireGuard for different operating systems here.
With these two developments, WireGuard is now considered stable and ready for widespread use. The previous warning on the official website about WireGuard being “not yet complete” has been removed.
WireGuard privacy problems (and solutions)
While WireGuard may offer advantages in terms of performance and security, by design it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers who offer privacy services in mind.” Similarly, NordVPN also voiced concerns with the inherent privacy issues of WireGuard:
By implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.
Fortunately, the dust has settled and today there are some good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and a few VPNs have found effective solutions for deploying it while still ensuring user privacy.
To understand the tradeoff between privacy and security with WireGuard, IVPN did a good job distinguishing the two as follows:
The security of the protocol is concerned with protecting the data in a tunnel from being accessed by adversaries: either by breaking the encryption, MITM attacks, or by any other means, no matter how complicated.
Privacy is concerned with whether an adversary can learn anything about you, your communication or any party you’ve communicated with. It has more to do with the metadata rather than the actual data.
Privacy can be violated, even when security is rock solid. For example, when the fact that two parties communication can be determined. Or when a certain piece of information about a party becomes known after the communication took place. However, it should be noted that, if security is weak, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some privacy problems with WireGuard.
Problem 1: WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard was not built for anonymity and privacy, but rather security and speed.
By default, WireGuard saves connected IP addresses on the server . These user IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
So how are VPN services deploying WireGuard while still ensuring user privacy?
Solutions
Based on our research, the solution to this privacy problem varies by the VPN provider. We’ll examine a few below.
NordVPN double NAT system with WireGuard
NordVPN takes a unique approach to the privacy issues with what they call a “double NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they are referring to it as NordLynx.
You can get more info on NordLynx and NordVPN on their website here.
Mullvad and OVPN erase IP address logs after the VPN session ends
Another way VPN providers have addressed the problem with logs is to configure their servers to erase data logs when the session ends.
Two examples of this are with Mullvad and OVPN, both of which are secure VPN services based in Sweden.
OVPN explains:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past three minutes are removed, which means we have as little information as possible.
Mullvad takes a similar approach:
We added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
Now let’s look at another issue/drawback of WireGuard.
Problem 2: WireGuard does not assign dynamic IP addresses
VPN providers have also voiced concerns about how IP addresses are assigned with WireGuard.
Mullvad had this to say in a blog post:
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you’ve installed software that is malicious, it can also leak that information.
Similarly, OVPN also acknowledges these drawbacks:
At present, WireGuard requires that each key pair (which can be viewed as a device) is assigned a static internal IP address. This works without issues for smaller installations, but can quickly become complex when tens of thousands of customers need to connect. Development is underway for a model called wg-dynamic, but it is not yet finished.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Solutions
Both OVPN and Mullvad have come up with ways to securely generate keys and manage IP addresses. Each service allows you to regenerate keys and therefore rotate IP addresses, which helps to neutralize this problem. You can get specific details on each of the respective VPN websites.
Block or disable WebRTC – WireGuard relies on statically assigned IP addresses, and as we have covered before, a WebRTC leak can expose your internal and/or external IP address. This is not an issue with your VPN service, but rather a problem with your web browser. Here are some helpful guides to solve these issues:
- Disable or block WebRTC – Our guide has step-by-step information for all major browsers.
- Use the Firefox browser with WebRTC disabled. Firefox, unlike Chromium browsers, can simply disable WebRTC. See our Firefox privacy guide for instructions.
- Use a secure and private browser that limits data exposure.
Now that we’ve covered some different problems and solutions, let’s look at the best WireGuard VPN providers.
WireGuard VPN services
Ok, so you want to try out WireGuard and are wondering what are the best VPN services to do this. The list of VPN services supporting WireGuard continues to grow and we do our best to keep up with the latest developments and update this guide accordingly.
Here are the best VPNs for WireGuard:
1. NordVPN – Best all-around WireGuard VPN
| VPN | NordVPN |
| Based in | Panama |
| Logs | No logs (audited) |
| Price | $3.71/mo. |
| Support | 24/7 Live chat |
| Refund | 30 days |
| Website | NordVPN.com |
NordVPN is one of our favorite VPNs and it has now released full WireGuard support via NordLynx with a double NAT system for privacy. In our tests, NordVPN was blazing fast with speeds up to 445 Mbps on a 500 Mbps connection. While NordVPN also offers very fast OpenVPN speeds (consistently over 200 Mbps), we found the WireGuard protocol was still faster.
NordVPN is a Panama-based VPN service that excels in the areas of privacy and security. It had undergone two independent audits confirming it to be a no-logs VPN service. In cooperation with Versprite, NordVPN has also completed a full security audit and penetration testing. In 2020, NordVPN announced that all servers in the network are running in RAM-disk mode, which makes it impossible to store any data on the VPN server (no hard drives). Lastly, they are now deploying self-owned (co-located) servers throughout their network, which puts all hardware completely under their control.
To use WireGuard with NordVPN, all you need to do is select the NordLynx protocol in the app, and then connect to a VPN server. Secure key generation and IP address management are all handled in the background by the app to ensure user privacy.
Full WireGuard support in the VPN apps is a seamless and easy option. This is available with the NordVPN apps for Windows, Mac OS, iOS, Android, and Linux.
In addition to WireGuard support, NordVPN also offers many other privacy and security features:
- Double-VPN servers – Encrypt traffic across two different VPN servers for an added layer of security and encryption.
- Tor-over-VPN servers – These are VPN servers that exit onto the Tor network for additional anonymity.
- CyberSec – This feature blocks ads, trackers, and malware domains and is activated directly in the VPN app.
- Obfuscated servers – These servers will help you to get around VPN blocks, such as when using a VPN in China, at school, or with work networks.
NordVPN Cyber Deal is Now LIVE:
Get 68% off NordVPN (drops the price down to $3.71 per month).
Get the 68% Off NordVPN Coupon >>
(Discount is applied automatically)
Our NordVPN review has more information and test results.
2. Surfshark – A low-cost VPN with full WireGuard support
| VPN | Surfshark |
| Based in | British Virgin Islands |
| Logs | No logs |
| Price | $2.49/mo. |
| Support | 24/7 Live chat |
| Refund | 30 days |
| Website | Surfshark.com |
Surfshark is another privacy-focused VPN service that announced full support for WireGuard in late 2020. It is incorporated in the British Virgin Islands (an excellent privacy-friendly jurisdiction) and keeps no data logs.
You can easily enable the WireGuard protocol in the Surfshark VPN clients, without having to deal with any keys or certificates. Surfshark currently supports WireGuard with: Windows, Mac OS, Android, and iOS apps (Linux support is still in development). Simply enable WireGuard in the Settings area and you will be off and running:
Surfshark has followed NordVPN’s lead in solving the privacy issues with WireGuard by implementing a double NAT system. This ensures user IP addresses are never stored on a VPN server.
In our tests for the Surfshark review, we found WireGuard to offer huge speed improvements. On a 500 Mbps connection, we were able to hit speeds of 397 Mbps, which is excellent:
In our comparison tests for the Surfshark vs ExpressVPN report, we can see that WireGuard gives Surfshark a major speed advantage over VPN services that are not incorporating this protocol.
We’ve already covered how Surfshark utilized the WireGuard VPN protocol. Now let’s examine some of the other privacy and security features offers by Surfshark:
- Double VPN servers to encrypt traffic over two locations
- NoBorders feature to get around VPN blocks
- Camouflage mode to conceal VPN traffic as regular HTTPS encryption
- CleanWeb feature to block ads and trackers
Surfshark has also made a name for itself in the streaming realm, offering access to a huge variety of streaming services. It is one of the best VPNs for Netflix with support for over 10 different regional libraries.
Check out Surfshark at their website below, or check out our Surfshark review for more test results and analysis.
https://surfshark.com
3. Mullvad – Swedish VPN with full WireGuard support
| VPN | Mullvad |
| Based in | Sweden |
| Logs | No logs |
| Price | $5.50/mo. |
| Support | |
| Refund | 30 days |
| Website | Mullvad.net |
Mullvad is a secure VPN in Sweden that was an early adopter of WireGuard. Like NordVPN, Mullvad offers full WireGuard support with all of their VPN apps. It is a no-logs VPN service focused on privacy.
Unlike NordVPN, however, Mullvad keeps temporary logs of user IP addresses, but as they explained above, these logs are automatically erased when the VPN session ends. Mullvad also replaces WireGuard keys once a week automatically in the VPN apps. You also have the option to manually regenerate WireGuard keys in the user settings area.
You can easily use WireGuard within the Mullvad apps by selecting WireGuard from the available VPN protocols. With iOS and Android devices, WireGuard is enabled by default, rather than OpenVPN. Key management is also available directly in the Mullvad VPN clients.
https://mullvad.net/
3. OVPN with WireGuard
| VPN | OVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | $4.99/mo. |
| Support | Email and chat |
| Refund | 10 days |
| Website | OVPN.com |
OVPN is a secure, no-logs VPN service based in Sweden. In late 2020, OVPN incorporated WireGuard support into their VPN server network. While OVPN officially supports WireGuard, they have not yet incorporated the WireGuard VPN protocol into all of the VPN clients. To use WireGuard with OVPN, you’ll need to download the official WireGuard client, and then download and import the configuration files.
Right now, the only VPN app that uses WireGuard automatically is the OVPN Android app. However, the goal is to have full WireGuard support in all apps later in 2021.
https://www.ovpn.com/
See our OVPN review for more info.
4. AzireVPN with WireGuard
| VPN | AzireVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | €3.25/mo. |
| Support | |
| Refund | 7 days |
| Website | AzireVPN.com |
Similar to Mullvad and OVPN, AzireVPN is another no-logs Swedish VPN service with a strong focus on privacy. It was one of the earliest adopters of the WireGuard VPN protocol, offering support all the way back in 2017. The AzireVPN server network is much smaller than other VPN services, but they also have very strict standards for server selection, with all locations running on premium hardware with high-capacity bandwidth channels.
Similar to OVPN above, AzireVPN supports WireGuard through the official WireGuard clients. Simply install the WireGuard client on your operating system, then download and import the configuration files.
https://www.azirevpn.com
Other VPN services that support WireGuard
This list is not exhaustive, but here are some other VPNs that support WireGuard. We have not tested these services yet with their WireGuard implementation, but they all offer a refund window allowing you to test it out risk-free.
- VPN.ac – Based in Romania, VPN.ac offers a secure VPN with full WireGuard support through the WireGuard clients.
- TorGuard – TorGuard is a US VPN service (Five Eyes warning) that offers full support for the WireGuard protocol. You can use WireGuard with TorGuard through the WireGuard clients.
- IVPN – IVPN is a well-regarded VPN service in Gibraltar. Like NordVPN and Mullvad, IVPN has successfully integrated WireGuard into their own VPN clients. It is one of the most expensive WireGuard VPNs, but does well in the privacy category.
- Private Internet Access – PIA is a US VPN service that has rolled out support for WireGuard in their desktop and mobile clients. (Note that PIA is owned by Kape Technologies, an Israeli firm with a history of producing malware that now also owns CyberGhost VPN and Zenmate.)
- VyprVPN – In late 2020, VyprVPN also announced that they had successfully integrated WireGuard into their service. We tested everything out for the updated VyprVPN review and got speeds of 300+ Mbps.
The future of WireGuard
WireGuard’s future is looking bright.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been released under version 1.0 and incorporated into the Linux kernel, it is safe to say this VPN protocol is ready for mainstream use.
WireGuard VPN Comparison Table
$3.71
[68% discount]
(30 day refund)
Based in
Panama
$2.49
[81% discount]
(30 day refund)
Review
(Surfshark)
$5.50
(30 day refund)
Based in
Sweden
$4.99
(10 day refund)
Based in
Sweden
$3.57
(7 day refund)
Based in
Sweden
Last updated on November 23, 2020.
I’d like to point out tailscale [https://tailscale.com/].
They are special in that their VPN offering is exclusively built on top of WireGuard without any legacy VPN tech support that other more established VPN providers have to deal with.
Ps – I am not affiliated in any way to Tailscale. I was aware of Tailscale first and only when I tried to look at the larger segment of VPN providers that support Wireguard, I found this article.
Another VPN provider provide free wireguard protocol on port 443 is windscribe VPN. Members get free 10gb/month when they have confirmed their email on sign up. I just used this wireguard on windscribe and the speed is amazing although the server I another continent. The good thing using wireguard on smartphone and we use smartphone for hotspot tethering is the speed between smartphone and computer is very stable I use it now. I download using IDM on computer it takes more than 99% bandwith speed on my phone but still this wireguard protocol still response very stable to open website on phone browser and some other app (non streaming usage).
I’ll have to disagree with this, the Wireguard protocol is only available if you are a paid user of Windscribe. I’m not sure if this person has found a way around that but to get the configuration file the website says you have to have purchased pro… for anyone who thought this was too good to be true lol.
proof: https://windscribe.com/getconfig/wireguard
It isnt avail for manual download and setup using wireguard client. however if you use the windscribe android app or windows beta, you could actually select wireguard. Only a custom manual configuration using your own client requires PRO
@ finoderi
says on MAY 8, 2020
I think Wireguard is primarily made for enthusiasts, not for companies. Now almost anybody can use their own little server to easily create VPN tunnel. Or you can use virtual server instance on AWS or DigitalOcean. And you don’t have to worry about logging or storing private keys. Just set your firewall right and enjoy stupendously fast VPN connection.
It is exactly opposite, the WireGuard is designed to create a private connection from point A (You) to point B (Your Company) and not for internet surfing.
You are right, it is a peer to peer tunneling protocol. In the design there is no host or client, just peers. It is amazing for guaranteeing private communication between two servers in an otherwise unknown network. A wireguard host is basically a peer that has routing rules to the Internet.
The privacy concerns are legitimate but some of the core functionality of wireguard would not have been possible otherwise.
VyprVPN have implemented WireGuard but they have not mentioned how they handle this situation anywhere on their website which is unfortunately a poor management since they proudly advertise themselves as “Audited NoLog VPN”
It would be intresting to know how VyprVPN are handling this protocol and aftermath.
Could you reach out to them Sven Taylor to pull their users out of the dark?
P.S Love the website and all the informative articles. Thank You.
Good question. I asked them about this last week and I have not received any reply.
https://support.vyprvpn.com/hc/en-us/articles/360044677511-How-does-VyprVPN-prevent-my-IP-address-from-being-stored-while-using-WireGuard-
VyprVPN will add support to WireGuard soon (currently on Beta). Maybe you could ask them how they’ve implemented it and then update the article?
Yep, will do.
I think Wireguard is primarily made for enthusiasts, not for companies. Now almost anybody can use their own little server to easily create VPN tunnel. Or you can use virtual server instance on AWS or DigitalOcean. And you don’t have to worry about logging or storing private keys. Just set your firewall right and enjoy stupendously fast VPN connection.
WireGuard is CHINA! Don’t be fooled – Don’t be SHEEPLE! See for yourself. Oh, and nice choice on the Dragon!
Huh?
Now that Wireguard has been audited,
https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/
will you be updating this post or writing another article?
It is available in many Linux distros, Debian stable has it in backports for example.
Yep, I’ll be updating this article soon.
Hello, do you know if there is a way to implement wireguard VPN in the omental system ADM NAS ASUSTOR
thanks
regards
From what I understand, Wireguard only uses UDP. However, many ISPs/nation-states either throttle or block UDP. Without being able to send traffic through port TCP 443, how will Wireguard be able to circumvent censorship like OpenVPN?
Yes, this is another drawback.
but this means also a verify of an server identity isnt possible with wireguard or ?
After many years of OPenVPN use and the mass hype of “industry standard with 400000 lines of code in trying to do everything, , ITS GAME OVER FOR ME. I am using Wireguard and IKE2 for a serious serious reason. OpenVPN HAS A HUGE UNKNOWN Hole to many.
All the claims about the so called anonymity benefits are thin air after just one broken security chain. We are not talking about just spying on traffic, but taking over your entire PC , including the passwords and private keys to access vpn services. If you have my private key without my knowledge, you can decrypt all my traffic.
Unfortunately, I will not renew with airvpn at the moment, have already switched to NORD and looking for more descent wireguard implementations.
SERIOUS PRIVACY PEOPLE AND SECURITY PARANOIDS > DO NOT USE OPENVPN protocol, switch to IKE2 or Wireguard. Its not the protocol or encryption strength but the vulnerabilities of implementation the weak point that lead to remote code execution in case of advanced attacks.
For most people openvpn is ok (e.g download torrents). However, just to let you know : don’t expect to hide from NSA e.t.c eyes if you are targeted . It impossible to hide in such an easy and cheap way, even if you use dual vpn like “core” or DUAL from some providers. They are able to do rapid traffic correlated analysis, secretly co-operate with some of them , even fund them, so they can find your stream at the exit node ip of the vpn server.
There are ways to circumvent this or make it way harder for them, but those are advanced methods for average user. I can testify personally that many versions of open VPN have this issue and it makes it dangerous as hell. OPN sense firewall , based on hardened BSD has been hacked, PF sense as well, windows 10 , linux mint and opensuse.
THe most secure configurations and systems have little protection as stand alone solutions if you run dodgy software. (Verification of OPENVPN engine hacking and reverse shell, malware and spyware implanted from state sponsored hackers and hacking man-in-the middle servers has been done with various methods including VM honneypots , ping and trace-route DNS verification and comparison from external services, wire-shark packet capture etc. )
Do not trust any company 100% and just think of them as INCOMPETENT if not snake-oil, even if they are the best around.
Set up secure dns with randomized request id (slower) and different dns requests to any secure dns provider so no one will have the full report of requests ( dnscrypt for windows and linux comes to rescue, also acts as local dns cache). Do not use your VPN DNS, but send cryptoDNS requests to different servers through VPN channel. This way even a compromised or worse vpn provider will not be able to monitor or report). Use VPN providers just as an extra tool to your privacy procedures with a non 100% trust attitude. Even better treat them as potential threats.Do not buy the mass hype, they are not an easy solution for full privacy.
Claims about audits of providers have no real value and are over-hyped,. A different version might run on the server after audit. Its just a marketing aid. e.g( Look to the surf-shark new vpn provider with a deal too good to be true.) Audits would have real value in case permanent, unrestricted audit at random times with binaries and configurations crypto-signed or as a minimum hashed from audit company with tools like tripwire or aide by comparing future repeated random audits with a previous initial database of the auditor. Hence audit for trust is not a one shot process.
A follow up: Every serious reader knows about the shortcomings of tor network and the DE-anonymizing abilities of state actors, the funding of developers etc. After researching especially the wireguard offerings, I ended up with the best company for building your custom TOR like network. Its the Swedish company Mullvad, a trully anonymous case by design, able to withstand many of the attacks with custom multi-hops ( https://mullvad.net/en/help/wireguard-and-mullvad-vpn/ ).
By registering for an account, I was impressed by the anonymity measures and payment options. They don’t even ask for email, they give you just an account number and you load it with time for a flat rate of 5 euros for up to 5 connections.
In their advanced configurations , (not yet fully implemented or tested by me) , one can build his own TOR like network. Unfortunately, there is not a dead easy way yet for average user through an app and few clicks and selections from drop down boxes.
They support 105 wire-guard advanced servers around the globe and more locations than NordVPN , which is restricted to 5 eyes – 14 eyes and without multi-hop ability.
Sweedish company is way more advanced (wireguard – wise) than the rest at the moment, as their configuration allows you not to only enter vpn and chose the exit from another server anyware around the globe, but to run an extra proxy multihop configuration through socks5 on your browser , adding another layer of encryption and hop redirection. I haven’t yet tested by implementing it , but info is here and needs serious consideration:
https://mullvad.net/en/help/wireguard-and-mullvad-vpn/
Those guys have built a trully mini private internet over internet, as all their servers are interconnected between with wireguard. This makes correlation attacks way more difficult and with proper fake traffic in the mix , can give a hard time to many advanced hacker operators. Directed individual traffic with or without socks, while intentionally leaving some traffic from another browser without proxy, plus system network calls (eg. network time, updates e.tc) from a different exit, is almost mission impossible for the big curious eye. As an example, it is possible to enter all the vpn traffic from my room to France and choose US as my first exit hop and some of my traffic will indeed get out there but my super hidden traffic will use extra hops through socks5 proxy from browser and exit in Canada or any combination of all countries. I am not aware of any other provider offering this kind of protection and customization. I disclose that I don’t hold any interest in association with this specific provider and I was not aware about this hop customizing when wrote my first message. My only one interest is a genuine call for more support and customers to them for their advanced effort. More customers mean a bigger network and future sustainability and more traffic at their exit nodes, a win – win for anyone for anonymity.
As a simpler and less secure alternative, a current or a secondary trustworthy provider can be chosen , with support of socks5 proxy and an addon on browser (eg. tunnel bear or other with a PAID option one (Avoid all unrestricted free). Also a service pay as you go on simple proxys at luminati.io to be used after the exit of your single vpn is helpfull (eg . you can choose a couple of proxys for a low price with no minimum commitment and use an add on like “smart proxy” on your browser , so your traffic exits the single exit ip of your provider and then hops through another proxy (which can be changed easily after a while) before reach the final destination of webpage. Another good solution , both free and paid is kproxy from Spain. They have an addon also, so it adds another layer of anonymity as it first goes through a vpn channel. Combine those with protections from browser fingerprinting and dnscrypt and you have split the traces to different participants, improving anonymity in comparison to a single vpn node where limited exit ip(s) are well known and OBSERVED..
Thanks for this very informative comment.
I’ve been with AirVPN for more than 3 years. Despite the said issues, I will likely continue with it when the current subscription expires next January. That’s because my usage of VPN is mostly to stay out of trouble with my internet provider. Things like torrent sessions via Pirate Bay, specifically to avoid certain parties from lodging complaints with my internet provider, and resulting in the latter issuing a warning to me. Or worse. Then in not having websites I visit and sometimes comment at know my real IP address.
But have to say that I’ve also become interested in trying out WireGuard. Especially after receiving an email from Firefox on the Mozilla VPN which runs on servers powered by Mullvad using the WireGuard protocol. I’ll make the decision towards the end of the year.
Hi Sven,
One thing I noticed you did not include was that wireguard is built without Perfect Forward Secrecy in the initial packet flow. This means that an attacker, who captures the flows to/from the endpoint can later, if they coerce the long-term secret keys out of the server, can then decrypt the initial messages of each flow, revealing the identity of the client keys. That means that between traffic analysis and public key records, the attacker can associate particular users with particular traffic flows. This can reveal the users, associate them with their flows and be extremely dangerous.
It was deliberately designed this way to ‘simplify’ things, but this is extremely dangerous and people need to know about it.
I really enjoyed the article and thought it was well written. Understanding that it is not meant for a technical audience this is not a big problem, but I think it is worth mentioning that framing it as WireGuard vs OpenVPN and allowing too much say to VPN service providers just makes it too much PR, too little facts for my taste.
The scope of WireGuard is not to be a VPN client or a protocol. It is just a way of making encrypted connections easy and at a much lower level, therefore gaining in performance and simplicity. I assume one could use WireGuard as a starting point for replacing OpenVPN, but the latter going beyond my understanding will not state anything being certain. It would make sense to build a VPN client using WireGuard, but I’ve certainly seen no projects doing that.
I like Mullvad because they have no idea who I am. They don’t have my email, my name, my credit card number. Nothing.
They issue you an account number, and you can send them cash. Simple.
I am very happy with Mullvad.
Um, if you connect from your ISP to a Mullavad VPN server, they technically know who you are.
Hey Sven! Do you have any information or experience about NordLynx? According to NordVPN they’ve managed to make WireGuard safe to use. Would you recommend using that?
https://nordvpn.com/blog/nordlynx-protocol-wireguard/
Cool, I’ll check that out, thanks.
Each product has its pro and cons; doesnt necessarily make it a poor product; but when the article is keen to promote a single different provider/product (like OpenVPN) and leaving away any other options, then you should really wonder by yourself what the true story is.
Even the creators of WireGuard aren’t recommending it right now…
Comments seem to me as if VPN’s only use is connecting privately to a public VPN provider to hide my traffic.
What about all the interconnections between companies, sites, home-offices, employee’s mobile devices and so on?
Privacy as it concerns logs and anonymity is of NO interest in all those cases, there’s simply no need for such amongst already well-known participants!
So why all the whining at missing “features” essential mainly for users acting near darknet? WireGuard it not too bad using it for company interconnections!
If you need anonymity, go and get OpenVPN – and stop spoiling WireGuard for something it isn’t (yet) designed for!
Most people use VPNs – at least partly – for the privacy and anonymity benefits, so I wouldn’t consider these valid criticisms to be “whining”.
Agreed…
WireGuard is not ‘by design’ ready for near-Darknet usage and I guess it will never be
That’s the point.
All thoses companies wishing to be the first one to provide ‘WireGuard-based’ services will have it for the money.
They will have to develop around, but the design of WireGuard is not for it.
There will be pain for them, and frustration, as for the writter of this article …
Sometimes I feel like I’m the only person in the whole world who uses VPN to provide me with a virtual private network, rather than just as an anonymizer or geo-spoofer. I use VPN to connect my systems and for that, WireGuard is a godsend. If I really wanted to be anonymous on the internet, I don’t think I would register with a service provider.
Theories on WireGuard:
(Honestly WireGuard could be a clandesine move against VPNs since many VPNs will spend money to implement it).
(or it was intentionally realeased incomplete: the code is shorter and simpler but it has all the flaws mentioned in this post). It could turn out to have good security but the privacy risks arent worth it. The NSA probably developed it for business infastructure, etc. since the notion that people nor companies need individual privacy. That the logging is security. And the erosion of privacy using psychological tactics to sway the public to believe that security is more important than privacy and therefore isnt needed.
I feel it was intentionally released with its flaws.
I feel this is an effort to destroy privacy by controlling the newest encryption methods developed and released to the market.
Also the govt using wireguard with stronger encryption is entirely plausible. To the govt, the fact that each agent is assigned an uniquely indentifiable IP is a measure of security.
Just like to them Tor is mainly a tool and security technology, so could this be.
Who is mainly developing Wireguard? What is their track record? Do they have ties to the govt?
I feel there is a possibility that WireGuard is a serious threat to our privacy and that until its put in its full state and audited to be secure, VPN providers should not adopt it.
It could be threatening our privacy more than ever before.
Hi Tony,
Your certainly entitled to your opinions.
But, I would urge you to revisit the article again and read a few of the possibilities with WireGuard left in comments. Most of those questions you’ve raised/left – I see can have answered above.
Privacy is not really about anonymity though surfing anonymously surely helps. Securing is not about privacy but in doing so privacy is a side benefit… Note all the breaches of the 2000 teens where security has failed because mostly of the human factor.
–
Government/NSA developing WireGuard in the first place would not release it to the masses (come on) – so that’s a groundless innuendo about WireGuard without merit of facts.
VPN’s adoption is optional but, those that will work WireGuard into their platforms see it as offering more stealth and improved encryption, maybe even less bandwidth needed to be supplied.
Then the bad actors have yet another way for surreptitious interactions.
All things are good it’s people that use things for bad purposes.
– The current protocols mentioned in this article are trying to be addressed by WireGuard advancements, which is new and needs proper vetting to rid it of any flaws. More people messing with WireGuard means more eye’s and brains that have hands on.
– Be sceptical that’s healthy for your own security in this digital age where technologies advancement of it’s increased rapid pace things can get overlooked or found all to late.
I like people that think and want to learn Greetings : )
Thank you for a critical look at Wireguard (WG). I personally have an interest in the project’s success as I am starting (yet another VPN service provider). I am certain that WG will be a game changer when stable releases are available. WG does have built-in authentication with optional shared-keys. It is a very likely candidate for inclusion in the Linux kernel (sooner rather than later according to Linus Torvalds).
One fact that everyone is overlooking is that WG is very disposable. I can delete a VPS running WG and create another one in a matter of minutes, leaving any person tracking me to wonder, “was it all just a dream or was this guy a ghost?” This is the functionality I wish to implement as the newest VPN provider.
Hi Keith,
Please keep us updated on your progress.
It would be interesting to see what path you’ve taken and end up offering.
Could you see it’s cryptography methods used elsewhere in different areas as well?
Dont forget BlackHoleCloud.com has been using wireguard for over two years. Its a tiny hardware firewall with wireguard and you get your own private server(s). Cool.
One thing I feel is this post assumes the only way to test Wireguard is through a provider for the case of hiding traffic.
One use case that I’m playing around with is to connect to a Digital Ocean droplet VPS (virtual private server). Normally I would need to login to DO to open an ssh port and ssh via authentication key (no password). With Wireguard, I can set a higher UDP port that isn’t scannable (my only incoming rule). The other peer is my mobile with the Wireguard app and Termux. Even if wireguard could be crackable, I’m still going through an ssh tunnel via an auth key.
So another way that people can test Wireguard is to set up on a VPS or another off-site machine that you control. Even within your own network! Just some ideas to play around with.
Great point, thanks for the information.
Inspired by some articles in TechCrunch, I set up on a Digital Ocean droplet and made my own server with Algo VPN and the Wireguard protocol. I use the Wireguard app on my android phone.
WireGuard’s Blind Operator mode: http://archive.is/ixN9A
“Do not use this code unless you fully understand what it is not designed to do; this is the first sentence of the README for a good reason. In fact, just don’t use it. It’s mostly snake-oil. There are a million ways to subvert this. It’s a fun little toy, but it’s not really much beyond a toy…”
“However, if you simply want to be able to claim to people, “we don’t have the ability to view internal or external IP addresses of any peers,” and you really do lack the know-how to subvert this, then I suppose it might be somewhat useful. It’s a strange property: this module only has utility in contexts where you don’t know how to subvert it. This means that as you become smarter, this module will need to grow. This implies that either the guy writing it should be more knowledgeable than you are at the moment, or you yourself should be the author, exhausting all the current methods of subversion you can currently think of.”
BUGS
“Probably there are a lot of them, by design. This module makes no attempt at plugging all holes and leaks, and the current methods used are prone to be buggy at best. Also, this won’t work with paravirtualization, since it works primarily by twiddling with cr0; hence this code is also x86/amd64 only. On old kernels, this disables SELinux/AppArmor and does voodoo magic that might murder kittens to discover non-exported symbols…”
Thank you. I did not see that link before. That really changes my opinion about the module author 🙂 Azire VPN must have pestered him until he caved in and gave them what they wanted. That page is hilarious taken in the context of how cheerful it is linked to here: https://www.azirevpn.com/blog/2017-11-15/wireguard-privacy-enhancements
The Wireguard author accepts payment to place a root-kit into the kernel module, giving some nefarious futile reasons? Blocking the pcap API within the wg module cannot prevent any operator from matching up tunneled and endpoint addresses.
So this is just more complex bloat in the kernel, providing no useful feature while obscuring potential backdoor activity from the operator. I am not impressed. Why is Wireguard getting pushed so aggressively, I wonder.
Hello Nobby Nobbs,
“Why is Wireguard getting pushed so aggressively, I wonder.”
Or is it-
Why is there so much buzz surrounding WireGuard?
(From above)
The answer is simple, it the new kid on the block and offers many advantages over the (OpenVPN and IPSec) existing VPN protocols, even caught the attention of Linus Torvalds, the developer behind Linux.
In terms of WireGuard’s code base being relatively small to about 3,800 lines. (That should bring it’s adoption and progress faster across all the industries sectors of these early experimenters who have the experience to contribute to it).
–
There are advantages of a smaller code base – as for one a smaller attack surface but, with some limitations for utilizing WireGuard in a VPN client.
WireGuard is under “heavy development” and not for general use today, has not passed a security audit, the developer explicitly warns about trusting it’s current code.
(When the Con’s diminish and the limitations get worked out by people advancing the cause we all benefit).
–
So with Wireguard’s promotion today having a big potential for the VPN industry, and as more people get involved to contribute, improve, test and audits of it towards the completion of the protocol adoption working across different platforms – the news must get out.
It brings us all closer to when WireGuard is officially released and is proven to be trustworthy from all facets of the VPN industry.
That would be impressive especially if this happens sometime in 2019.
These are my feelings with the facts known thus far.
Thanks.
Hi Sven,
Great information as you’ve pulled in probable everything on the net, more so than I have found as far, and into one informative topic. Cheers’
It’s very understandable from your perspective and breakdowns.
But I have thoughts and questions I can’t draw a conclusion too.
If Wireguard’s basic feature is speed by updated encryption protocols and primitives helping aid the handling of connection problems and speed bottlenecks of existing protocols – what would Wireguard being coupled with 5G bring to the VPN industry…
1) With Wireguard’s use of public keys for identification is that somewhat similar to (PGP)/OpenPGP keypair standards used in encrypted email?
So as in the Thunderbird’s client with Enigmail, WireGuard in a VPN client would need to use a similar means – at it’s present release?
2) In what scenario’s could you speculate for your readers to safely testing out Wireguard – if their VPN service is an early adopter?
Thank you, Sir
1) See the WireGuard technical white paper.
2) I just meant any situation where privacy and security is not critical. You could test inside a virtual machine, for example.
Hello Sven,
Wireguard’s technical whitepaper possibly has the info for my #1 but it’s to techy for me.
I did find the Abstract: and Additional Documents: Slides Video, by Jason A. Donenfeld helpful to understanding #1.
https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/wireguard-next-generation-kernel-network-tunnel/
The ‘Slides’ download gave more helpful info and the video link was just a video of the still’s of the slides taken.
Conclusion – NOT similar to (PGP)/OpenPGP keypair standards.