A lot has changed since we first looked at the WireGuard VPN protocol. In this new and updated WireGuard VPN guide, we examine the strengths and weaknesses of this protocol, as well as the best VPNs that support WireGuard.
WireGuard is a relatively new VPN protocol that is already bringing big changes to the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – namely faster speeds and upgraded encryption – the drawbacks of WireGuard often go ignored. So is WireGuard ready for widespread adoption – or do the lingering privacy concerns outweigh the potential benefits?
We’ll answer all these questions and more in this updated WireGuard VPN guide.
WARNING: Right now, WireGuard has some inherent problems that can undermine user privacy if not adequately addressed. Before using the WireGuard VPN protocol, be sure to examine how your VPN provider ensures user privacy with their WireGuard implementation.
Some VPNs have effectively addressed all privacy concerns. For example, NordVPN supports WireGuard directly in their VPN apps using a Double NAT system. This ensures no identifiable user data (IP addresses) are ever stored on a VPN server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we will cover in this updated WireGuard VPN guide:
- Benefits of WireGuard
- WireGuard privacy problems (and solutions)
- Best WireGuard VPN services
- The future of WireGuard
- WireGuard VPN comparison table
OpenVPN vs WireGuard – OpenVPN is considered the gold standard of VPN protocols by many — but things are changing. To compare these two protocols, we put together a WireGuard vs OpenVPN guide, which examines speeds, security, encryption, privacy, and the background of each VPN protocol. We found WireGuard to be about 58% faster than OpenVPN on average, and even faster with nearby servers (450 Mbps).
Now let’s begin with the benefits of the WireGuard VPN protocol.
Benefits of WireGuard VPN
Here are some of the ‘pros’ that WireGuard offers:
Updated encryption
As explained in various interviews, Jason Donenfeld wanted to upgrade what he considered to be “outdated” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
You can learn more about WireGuard’s modern cryptography on the official website or in the technical white paper [PDF].
Minimal WireGuard code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier to audit = easier to find vulnerabilities, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
Big performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the following areas:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
Fastest VPN protocol we’ve tested in 2022
We have now tested out WireGuard extensively with NordVPN and a few other VPN services that support it. We have found NordVPN’s implementation of the WireGuard VPN protocol, which they call NordLynx, offers the fastest speeds.
Here we are using NordVPN with the WireGuard VPN protocol (NordLynx) with a server in Seattle (USA). We hit speeds of 445 Mbps on a 500 Mbps connection:
This makes WireGuard the fastest VPN protocol we have tested (when used it with NordVPN on a nearby server).
Cross-platform ease of use
Although full implementation was somewhat delayed, WireGuard now works well across all major platforms. WireGuard supports Windows, Mac OS, Android, iOS, and Linux.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
A few VPNs have already integrated full WireGuard support into their lineup of VPN clients. See for example with NordVPN, Surfshark, and also Mullvad.
Merged into Linux and Windows kernels; fully released from beta
On March 29, 2020, it was announced that WireGuard will be officially included in the 5.6 Linux kernel. This is big news that many privacy enthusiasts have been waiting for. In August 2021, WireGuard made it into the Windows kernel.
Additionally, WireGuard is now out of beta with the release of version 1.0+ for nearly every major operating system. You can get more info on WireGuard for different operating systems here.
With these two developments, WireGuard is now considered stable and ready for widespread use. The old warning on the official website about WireGuard being “not yet complete” has been removed.
WireGuard privacy problems (and solutions)
While WireGuard may offer advantages in terms of performance and security, by design it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers who offer privacy services in mind.” Similarly, NordVPN also voiced concerns with the inherent privacy issues of WireGuard:
By implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.
Fortunately, the dust has settled and today there are some good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and a few VPNs have found effective solutions for deploying it while still ensuring user privacy.
To understand the tradeoff between privacy and security with WireGuard, IVPN did a good job distinguishing the two as follows:
The security of the protocol is concerned with protecting the data in a tunnel from being accessed by adversaries: either by breaking the encryption, MITM attacks, or by any other means, no matter how complicated.
Privacy is concerned with whether an adversary can learn anything about you, your communication or any party you’ve communicated with. It has more to do with the metadata rather than the actual data.
Privacy can be violated, even when security is rock solid. For example, when the fact that two parties communication can be determined. Or when a certain piece of information about a party becomes known after the communication took place. However, it should be noted that, if security is weak, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some privacy problems with WireGuard.
By default, WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard was not built for anonymity and privacy, but rather security and speed.
By default, WireGuard saves connected IP addresses on the server . These user IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
So how are VPN services deploying WireGuard while still ensuring user privacy?
Solutions
Based on our research, the solution to this privacy problem varies by the VPN provider. We’ll examine a few below.
NordVPN double NAT system with WireGuard
NordVPN takes a unique approach to the privacy issues with what they call a “double NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they are referring to it as NordLynx.
You can get more info on NordLynx and NordVPN on their website here.
Mullvad and OVPN erase IP address logs after the VPN session ends
Another way VPN providers have addressed the problem with logs is to configure their servers to erase data logs when the session ends.
Two examples of this are with Mullvad and OVPN, both of which are secure VPN services based in Sweden.
OVPN explains:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past three minutes are removed, which means we have as little information as possible.
Mullvad takes a similar approach:
We added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
Now let’s look at another issue/drawback of WireGuard.
WireGuard does not assign dynamic IP addresses
VPN providers have also voiced concerns about how IP addresses are assigned with WireGuard.
Mullvad had this to say in a blog post:
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you’ve installed software that is malicious, it can also leak that information.
Similarly, OVPN also acknowledges these drawbacks:
At present, WireGuard requires that each key pair (which can be viewed as a device) is assigned a static internal IP address. This works without issues for smaller installations, but can quickly become complex when tens of thousands of customers need to connect. Development is underway for a model called wg-dynamic, but it is not yet finished.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Solutions
Both OVPN and Mullvad have come up with ways to securely generate keys and manage IP addresses. Each service allows you to regenerate keys and therefore rotate IP addresses, which helps to neutralize this problem. You can get specific details on each of the respective VPN websites.
Block or disable WebRTC – WireGuard relies on statically assigned IP addresses, and as we have covered before, a WebRTC leak can expose your internal and/or external IP address. This is not an issue with your VPN service, but rather a problem with your web browser. Here are some helpful guides to solve these issues:
- Disable or block WebRTC – Our guide has step-by-step information for all major browsers.
- Use the Firefox browser with WebRTC disabled. Firefox, unlike Chromium browsers, can simply disable WebRTC. See our Firefox privacy guide for instructions.
- Use a secure and private browser that limits data exposure.
Now that we’ve covered some different problems and solutions, let’s look at the best WireGuard VPN providers.
WireGuard VPN services
Ok, so you want to try out WireGuard and are wondering what are the best VPN services to do this. The list of VPN services supporting WireGuard continues to grow and we do our best to keep up with the latest developments and update this guide accordingly.
Here are the best VPNs for WireGuard:
NordVPN – Best all-around WireGuard VPN in 2022
| VPN | NordVPN |
| Based in | Panama |
| Logs | No logs (audited) |
| Price | $3.29/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | NordVPN.com |
NordVPN is one of our favorite VPNs and it has now released full WireGuard support via NordLynx with a double NAT system for privacy. In our tests, NordVPN was blazing fast with speeds up to 445 Mbps on a 500 Mbps connection. While NordVPN also offers very fast OpenVPN speeds (consistently over 200 Mbps), we found the WireGuard protocol was still faster. Here’s one example of that:
Note: I have seen recent videos in 2022 of other people getting over 800 Mbps with NordVPN using the WireGuard protocol.
NordVPN is a Panama-based VPN service that excels in the areas of privacy and security. It had undergone two independent audits confirming it to be a no-logs VPN service. In cooperation with Versprite, NordVPN has also completed a full security audit and penetration testing. In 2020, NordVPN announced that all servers in the network are running in RAM-disk mode, which makes it impossible to store any data on the VPN server (no hard drives). Lastly, they are now deploying self-owned (co-located) servers throughout their network, which puts all hardware completely under their control.
To use WireGuard with NordVPN, all you need to do is select the NordLynx protocol in the app, and then connect to a VPN server. Secure key generation and IP address management are all handled in the background by the app to ensure user privacy.
Full WireGuard support in the VPN apps is a seamless and easy option. This is available with the NordVPN apps for Windows, Mac OS, iOS, Android, and Linux.
In addition to WireGuard support, NordVPN also offers many other privacy and security features:
- Double-VPN servers – Encrypt traffic across two different VPN servers for an added layer of security and encryption.
- Tor-over-VPN servers – These are VPN servers that exit onto the Tor network for additional anonymity.
- CyberSec – This feature blocks ads, trackers, and malware domains.
- Obfuscated servers – These servers will help you to get around VPN blocks, such as when using a VPN in China, at school, or with work networks.
NordVPN Coupon
Get 68% Off NordVPN plus FREE anti-malware protection for all your devices:
(Coupon is applied automatically.)
Our NordVPN review has more information and test results.
Surfshark – A low-cost VPN with WireGuard
| VPN | Surfshark |
| Based in | The Netherlands |
| Logs | No logs |
| Price | $2.30/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | Surfshark.com |
Surfshark is another privacy-focused VPN service that announced support for WireGuard in late 2020. It is incorporated in the British Virgin Islands (an excellent privacy-friendly jurisdiction) and keeps no data logs.
You can easily enable the WireGuard protocol in the Surfshark VPN clients, without having to deal with any keys or certificates. Surfshark currently supports WireGuard with: Windows, Mac OS, Android, and iOS apps (Linux support is still in development). Simply enable WireGuard in the Settings area and you will be off and running:
Surfshark has followed NordVPN’s lead in solving the privacy issues with WireGuard by implementing a double NAT system. This ensures user IP addresses are never stored on a VPN server.
In our tests for the Surfshark review, we found WireGuard to offer huge speed improvements. On a 500 Mbps connection, we were able to hit speeds of 397 Mbps, which is excellent:
In our comparison tests for the Surfshark vs ExpressVPN report, we can see that WireGuard gives Surfshark a major speed advantage over VPN services that are not incorporating this protocol.
We’ve already covered how Surfshark utilized the WireGuard VPN protocol. Now let’s examine some of the other privacy and security features offers by Surfshark:
- Double VPN servers to encrypt traffic over two locations
- NoBorders feature to get around VPN blocks
- Camouflage mode to conceal VPN traffic as regular HTTPS encryption
- CleanWeb feature to block ads and trackers
Surfshark has also made a name for itself in the streaming realm, offering access to a huge variety of streaming services. It is one of the best VPNs for Netflix with support for over 10 different regional libraries.
Check out Surfshark at their website below or read our Surfshark review for more test results and analysis.
VyprVPN – Fast WireGuard VPN speeds, based in Switzerland
| VPN | VyprVPN |
| Based in | Switzerland |
| Logs | No logs (audited) |
| Price | $8.33/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | VyprVPN.com |
Next up on our list of VPN services that support WireGuard is VyprVPN. This VPN is based in Switzerland and is an audited no-logs VPN provider. They have officially supported WireGuard in all of their VPN apps since 2020 and tests for our VyprVPN review were impressive. Not only does everything work seamlessly, the speeds are also blazing fast at over 300 Mbps in some cases, as you can see below.
Another unique aspect of VyprVPN is that they own every server in their network, without relying on any third-party rental servers. This gives VyprVPN 100% control over all hardware in their network. A few years back, VyprVPN also underwent a third-party audit from Leviathan Security that confirmed their no-logs policy.
VyprVPN currently supports WireGuard in the Windows, Mac OS, iOS, and Android apps. Unfortunately, like with Surfshark VPN, there is no WireGuard support for Linux at this time. However, enabling WireGuard on other operating systems is quick and easy.
Like the other top WireGuard VPNs, VyprVPN also explains how they modified the default version of WireGuard to make it compatible with its no-logs policy. VyprVPN stated the following on their website,
The VyprVPN implementation provisions a WireGuard configuration on-demand for every connection and nothing is left behind on the server after you disconnect. There is simply no static configuration left behind.
Lastly, for those who enjoy streaming, VyprVPN is also a good option. They support a handful of different Netflix regions and also other streaming services like Disney Plus, Hulu, Amazon Prime, and more.
Note: VyprVPN has (unexpectedly) decided to massively increase prices for 2022. It is now $8.33 per month with the cheapest plan.
See our VyprVPN review for more details and test results.
OVPN with WireGuard
| VPN | OVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | $4.99/mo. |
| Support | Email & Chat |
| Refund | 10 days |
| Website | OVPN.com |
OVPN is a secure, no-logs VPN service based in Sweden. In late 2020, OVPN incorporated WireGuard support into their VPN server network. While OVPN officially supports WireGuard, they have not yet incorporated the WireGuard VPN protocol into all of the VPN clients. To use WireGuard with OVPN, you’ll need to download the official WireGuard client, and then download and import the configuration files.
Right now, the only VPN apps that uses WireGuard automatically are the OVPN Android and iOS apps. However, the goal is to have full WireGuard support in all apps in the coming months.
Website: https://www.ovpn.com/
See our OVPN review for more info.
Mullvad – Swedish VPN with full WireGuard support
| VPN | Mullvad |
| Based in | Sweden |
| Logs | No logs |
| Price | $5.50/mo. |
| Support | |
| Refund | 30 days |
| Website | Mullvad.net |
Mullvad is a secure VPN in Sweden that was an early adopter of WireGuard. Like NordVPN, Mullvad offers full WireGuard support with all of their VPN apps. It is a no-logs VPN service focused on privacy.
Unlike NordVPN, however, Mullvad keeps temporary logs of user IP addresses, but as they explained above, these logs are automatically erased when the VPN session ends. Mullvad also replaces WireGuard keys once a week automatically in the VPN apps. You also have the option to manually regenerate WireGuard keys in the user settings area.
You can easily use WireGuard within the Mullvad apps by selecting WireGuard from the available VPN protocols. WireGuard is now the default protocol on iOS and Android. Key management is also available directly in the Mullvad VPN clients.
Website: https://mullvad.net/
AzireVPN with WireGuard
| VPN | AzireVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | €3.25/mo. |
| Support | |
| Refund | 7 days |
| Website | AzireVPN.com |
Similar to Mullvad and OVPN, AzireVPN is another no-logs Swedish VPN service with a strong focus on privacy. It was one of the earliest adopters of the WireGuard VPN protocol, offering support all the way back in 2017. The AzireVPN server network is much smaller than other VPN services, but they also have very strict standards for server selection, with all locations running on premium hardware with high-capacity bandwidth channels.
Similar to OVPN above, AzireVPN supports WireGuard through the official WireGuard clients. Simply install the WireGuard client on your operating system, then download and import the configuration files.
Website: https://www.azirevpn.com
Other VPN services that support WireGuard
This list is not exhaustive, but here are some other VPNs that support WireGuard. We have not tested these services yet with their WireGuard implementation, but they all offer a refund window allowing you to test it out risk-free.
- VPN.ac – Based in Romania, VPN.ac offers a secure VPN with full WireGuard support through the WireGuard clients.
- Trust.Zone – Trust.Zone is a privacy-focused VPN based in Seychelles. They offer basic VPN apps, but they do not directly support WireGuard. Instead, you can use WireGuard with third-party clients.
- TorGuard – TorGuard is a US VPN service (Five Eyes warning) that offers full support for the WireGuard protocol. You can use WireGuard with TorGuard through the WireGuard clients.
- IVPN – IVPN is a well-regarded VPN service in Gibraltar. Like NordVPN and Mullvad, IVPN has successfully integrated WireGuard into their own VPN clients. It is one of the most expensive WireGuard VPNs, but does well in the privacy category.
- Private Internet Access – PIA is a US VPN service that has rolled out support for WireGuard in their desktop and mobile clients. In our speed tests for the PIA vs NordVPN comparison, we found PIA’s implementation of WireGuard to be quite slow.
- CyberGhost – CyberGhost VPN has also now implemented WireGuard. Unfortunately, we found it to still be slow, especially compared to other WireGuard VPN services. You can see this in the Surfshark vs CyberGhost comparison.
- IPVanish – IPVanish now supports WireGuard. But let us not forget about the IPVanish logging scandal, where they logged users for the FBI. This VPN comes with both pros and cons.
- ProtonVPN – ProtonVPN is another new addition that has added WireGuard support. While we like and recommend this VPN service, it does come with drawbacks. These include an above-average price and limited features. It also had some performance issues, as you can see in the ProtonVPN vs NordVPN report.
One major VPN provider that you will not see, however, is ExpressVPN. As we pointed out in our ExpressVPN review, this provider has resisted implementing WireGuard and has instead opted for a self-developed protocol called Lightway. In terms of speed and security, Lightway has a lot in common with WireGuard. However, unlike WireGuard, there are very few other VPNs using Lightway. And in case you are wondering, we found Lightway to be slower than WireGuard in our NordVPN vs ExpressVPN comparison.
Looking at the future of WireGuard VPN
WireGuard’s future is looking bright. Even though it has some drawbacks, the improved speeds and upgraded security make WireGuard an appealing VPN protocol to consider. And with ransomware and cybersecurity incidents in the news every week, using a secure and updated VPN protocol has its benefits.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been fully released and incorporated into the Linux and Windows kernels, it is safe to say this VPN protocol is ready for mainstream use and the future is looking good.
This WireGuard VPN guide was last updated on June 14, 2022 with new information.
I’ve been using Mullvad for my VPN provider because it allows me to use a wireguard client running on an OpenBSD machine (and which is in fact built in to the OpenBSD kernel). I’d like to try out other providers, but (not surprisingly) none of them provide clients for OpenBSD, and I haven’t found any indication on their web-sites whether it’s possible to use a third-party wireguard client. Are there any other providers whose solutions for mitigating wireguard’s security issues don’t require that their own specialized clients be used?
By way of a partial answer to my question, I’ve just received responses from NordVPN and ProtonVPN: both say that they are working on manual connection methods, but that at present it’s necessary to use their client applications.
I use OVPN with Wireguard, they now have wireguard app for IOS, Windows and Linux (with full GUI on Linux!) , and I guess MacOS too. Although in beta2 for Linux and Windows, but they work nicely. In Linux especially, very stable. Now we are only waiting for Wireguard in their Vilfo router too.
I get around 475Mbit out of my 500Mbit cable with their VPN. I am satisfied with the way OVPN secures Wireguard (as explained on their site)
So looking at mullvad/ovpn, they force your connection to reconnect automatically to their server after 3 minutes to recycle ip address log? I’m bit confused about how that works. How would it work if setup on a VPN router? Thanks friend.
Sven, could you look into ProtonVPN and how they are implementing WireGuard? If you are not familiar, ProtonVPN offers tiered subscription model, including the best free option I have found anywhere. You do need a Protonmail email account last I checked, but they are also the most secure free email provider I have found. I’ve been happy with both so far, but they are pushing WireGuard hard and I’m wondering if it is really private anymore.
Also, what do you think about the comments that WireGuard does not work with firewalls?
Yep, we’ll be checking it out with a new ProtonVPN update in the coming months, and then updating content accordingly.
Can you check ig wireguard use wireguard the right way ? Does they log the real ip adress ?
https://protonvpn.com/blog/openvpn-vs-wireguard/
No, Proton email is NOT needed to use Proton VPN.
Sven, could you give us some inside into tailscale and compare it with NordVPN?
Hi Victor we have not looked into tailscale.
Have you checked out Tailscale? [www.tailscale.com]
your article is misleading… surfshark does not offer ‘full wireguard support’
no linux… + app only
wasted an hour yesterday signing up and cancelling based on an article similar to yours…
definitely not ‘fulll support’
It says right in the article under the Surfshark section:
“Linux support is still in development”
I guess I’ll make that section bold to help avoid further confusion.
A few points. The “storing of ip addresses” by wireshark is configurable, and there are a number of ways to tell it to write that data only to RAM and never to nonvolitile media. So your first point is entirely moot, and nordvpn’s double-NAT solution is vast overkill for the situation. And there remains the hard fact that in VPN land, there must be some part of the system that knows where I’m connecting from, so that it knows where to send the packets meant for me. Even the lofty NordVPN can’t change physics there. They do what everyone else does, store that data in RAM instead of hard drives/ssds, so that shutting down a physical machine remotely has the implicit effect of permanently deleting every byte that was in RAM at the time. Thats how that works.
Secondly, your bandwidth tests seem strange. From my own testing, Nord and PIA were absolutely identical speed and latency wise, partially, I believe, because they were both terminating in (lol) the same colo in a city. They might even be in racks next to each other. And that speed is on average about 10% less bandwidth than on my raw fibre connection, and usually less than 5ms in latency.
Lastly, “mixed traffic” isn’t a problem. Just the opposite actually. It absolutely doesn’t matter how many other peoples’ traffic is coming along the same route through the same interfaces as me, if we’re all keyed users than my packets contain an encrypted header which explicitly, logically ties them all together as destined for the same place. If you want to know where that place is, you decrypt the header. If you want to decrypt that header, you need my private key. If you want my private key, you can go fuck yourself. All public/private key encryption works this way, and thus NAT isn’t necessary if you’re not writing IP addresses to nonvolitile media.
Which is to say… if you ARE using NAT this way, like NordVPN, it may be implied that you’re doing so because you ARE writing IP addresses to nonvolitile media, somewhere along the line.
If Wireguard was set up on a private personal network with a Raspberry Pi then the two privacy cons that you have listed wouldn’t be an issue anymore correct?
Sure, but you will have new problems because your traffic is not getting mixed with other users in this setup, which means all activity is still traceable back to you.
Good point, would it only be traceable if someone was able to break past the wire guards vpn security?
For context, I came across your article trying to decide between OpenVPN and Wireguard for my Raspberry Pi running PiHole. I’m looking for a secure, fast and private way for myself and my family to browse without ads and trackers.
I should have prefaced my comment before with “it all depends on your threat model and who you are trying to secure your data from.”
So with the setup you describe, traffic will be encrypted between your device and the Raspberry Pi, so everything downstream of the Raspberry Pi, will be on the regular unencrypted internet. So your ISP will see everything you are doing and every site you visit will have the unique IP address (and location) of your Raspberry Pi.
When connecting to a commercial VPN service, with a server in let’s say Germany, your ISP will not be able to see anything you are doing because all traffic will be encrypted between your device and the VPN server in Germany. Additionally, your traffic will be getting mixed with all the other people on that same server, sharing the same IP address, which is a further benefit to blending in with the crowd. And if it is a verified no logs VPN provider, you can be further assured your activities are not being monitored and tracked. But again, it all depends on your threat model and who you are securing your data from.
I can’t wrap my head around why another VPN needed, ie, Nord, Mullvad? Isn’t Wireguard already a VPN?
Hi Chris, no, WireGuard is a VPN protocol, like OpenVPN. And different VPN providers, such as NordVPN, Mullvad, and others, offer you (the user) the ability to use these different protocols with their VPN service. See our VPN protocols guide for more of a discussion.
Dengan hormat
Maaf tanya, Apabila saya berlangganan, apakah ada panduan untuk seting / konfigurasinya?. Sebab saya masih awam masalah vpn.
Terimakasih
Yes, each of our recommended VPNs has a setup guide, and they will also give you support if you need assistance.
Hi, I found that Fastssh.com and VPNHack.com both offer .conf files for WireGuard.
Is it safe to use either of them?
Or, is it best to go back to the brand names such as NordVPN, Surfshark and Mullvad?
Definitely go with brand names from reputable businesses.
You are aware that NordVPN moved to the US now right?
[https://www.techradar.com/news/nordvpn-teams-quietly-relocated-to-the-us]
For a site all about privacy, one would hope you would have up to date info.
You are aware that there is a difference between NordVPN Teams, which is a business solution, and NordVPN, which is a consumer solution, right? This article is obviously discussing NordVPN, not NordVPN Teams.
This site has never reviewed NordVPN Teams, or any business-focused VPN for that matter. Our focus remains on consumer privacy. NordVPN is still based in Panama, as always, and nothing has changed.
Just a quick heads up on a service that was one of the first to implement WireGuard and some of my experirnces from a totally internet ‘user’ viewpoint. The service/client is Malwarebytes Privacy. It’s very expensive (and hawked as an addition to their very good anti-malware application, which now makes me seriously question this fact), very slow and I belive there are 7-8 user-changeable settings total, none of which address anything super useful for privacy or security. Seriously, the one setting that would seem to address these topics – to do with being visible to all network based clients, ie: printers, nas, switches, etc. – would appear to do with lowering these two qualities. Also, and this wasn’t my reason for purchasing it, privacy was, it will not allow any connections to any streaming services, or simple internet https connections to many webpages, in different countries. The warning/reprimand messages that would be displayed when disallowance of connection would occur were, um, fairly indicative that your connection was anything but private! If I wanted to connect to my bank, EDD account, even my LastPass extension in my browser, I would have to either 1.) Disconnect from the VPN service and then login without my connection encrypted, or 2.) And this 2nd option was useful only with the 3rd party services/website that offered such, and this was to enable TFA or a gimmicky poser of TFA where in either case was the only option available and that was to have a txt message send you a 6-digit authentication ‘code’ (term use lightly) on your cell phone in plain english that you would then enter into your respective service (if offered) while maintaining the VPN connection to the respective service. One has to assume that the alternative verification method wasn’t sent through any secure services unless one had some other client texting app on their cell phone besides googles ‘mass data-collection’ enabled apps, and even then it’s questionable if these aren’t undone by Google’s on-phone proprietary we-could-care-less-about-your-privacy and hostage taking of your phone forcibly-accepted-or-don’t-use-your-phone practices as is my very strong suspicion. Oh, and if any of this is attempted over Wi-Fi the most basic of security apps erupts and screams bloody murder and terrifies you into contemplating what use is any of this security/privacy two-step that so many security/privacy software companies are becoming millionaires with and is sure to become the future of philosophy majors worldwide soon after the total collapse of western society! It’s these very things, the outright and blatant lies, of which you question them directly about and they hand you some malignant narcissistic gaslighted abortion of truth that make your very soul have to admit to yourself that affirms we are all already there! Where is ‘there’, you ask? I am fairly confidant it is Orwellian Central Administration. Just look out your window at the insurrectionist body count. Citizens, and other Non-Combatants = 100,000’s / Former and Present Leaders, Politicians and Government Officials & Authorities = 3. It’s no different than the slow trickle of available computer hardware that has plauged the HW industry and charged premiums for a 33Mhz CPU upgrade every three months since the inception of the clone IBM-PC. It’s already been instituted long ago which is evidenced ala ‘Snowden’ and others past and the fact that ‘THEY’ don’t even bother to hide it anymore (Yes, I’m fairly old and have watched the entire thing over the past four decades! Late 70’s to Present) They maintain the barest status quo (Read: Illusions) only to reap the profits and laugh whole-heartedly all the way to the Banksyia! I’m reminded of old bumper stickers I used to see quite often very long ago: ‘Kill your TV’ & ‘Question Authority’ & ‘Beam Me Up, Scotty. There’s No Signs Of Intelligent Life!’
Hello
I bought a GL-750M router with the specific reason that I wanted to install a VPN on it and then connect my MAG TV box to it because my ISP is blocking me from using my MAG box. The most highly recommended VPN to choose is NordVPN, so I bought it and installed it. Unfortunately the download speed that I get with NordVPN from the router is around 7Mbps compared to around 33Mbps when the VPN is switched off. My MAG box needs a minimum of 12Mbps to work and ideally around 25Mbps. I have tried both the UDP and TCP protocols and it doesn’t make much difference. I have been in touch with NordVPN and they suggested changing the DNS server which I did but it made little difference to the speed.
It seems that the best solution for me is to cancel my NordVPN account and get a WireGuard account.
Any comments?
Kevin, these GLI routers do NOT have the processing power necessary for fast VPN speeds, regardless of which VPN provider and which VPN protocol you are using. When they quote speeds on their website, such as “330 Mbps” in bold lettering at the top of their page for this model, this are NOT encrypted OpenVPN speeds, but rather unencrypted traffic, which will always be faster. However, buried further down on the bottom of that router model’s page we find, “With up to 15Mbps OpenVPN Speed.” So there you have it, this router is under-powered for fast OpenVPN speeds. We discuss the issues of speeds and processing power in our in-depth overview of VPN routers here.
NordVPN supports WireGuard. This is the NordLynx protocol. So there is no need to cancel. And it’s not NordVPN that is the problem, it is the GL-750M router that does not have adequate processing power.
I would strongly recommending checking out our Vilfo router review. This router is about as good as it gets with a fast, powerful processor, great features, and support for all major VPN services. It works with the OpenVPN protocol. I have tested many VPN services with the Vilfo router that I own, and the fastest VPN on this router has been NordVPN, where I hit 268 Mbps. You can see the screenshots in the Vilfo review linked above.
NordVPN also discusses various aspects of their service that give users a speed advantage. Aside from WireGuard support and fast OpenVPN speeds, they are also now rolling out self-owned (colocated) servers with 10 Gbps bandwidth channels. See the details here.
My problem with wireguard:
firewalls just do not work !
A program call xyz.exe that try to connect (let’s say openVPN ) will be shown by firewall as xyz.exe trying to connect.
A program call xyz.exe that try to connect (with wireguard ) will be shown by firewall as The_VPN_i_use.exe trying to connect.
you can’t block it.
This can lead to leak.
I use PIA and they offer wireguard now. Unfortunately my download speed is slower with wireguard which strange
Yes I also found PIA’s WireGuard implementation to be unusually slow in comparison to other WireGuard VPNs, as was noted in the PIA vs NordVPN comparison.
Torguard also has wireguard.
Any comments on how they handle the protocol please ?
Last we checked, TorGuard with WireGuard was buggy and did not work well. See our TorGuard review for the screenshots and error messages.
How Does the WireGuard Protocol Work?
https://www.wireguard.com/#conceptual-overview
I’d like to point out tailscale [https://tailscale.com/].
They are special in that their VPN offering is exclusively built on top of WireGuard without any legacy VPN tech support that other more established VPN providers have to deal with.
Ps – I am not affiliated in any way to Tailscale. I was aware of Tailscale first and only when I tried to look at the larger segment of VPN providers that support Wireguard, I found this article.
Another VPN provider provide free wireguard protocol on port 443 is windscribe VPN. Members get free 10gb/month when they have confirmed their email on sign up. I just used this wireguard on windscribe and the speed is amazing although the server I another continent. The good thing using wireguard on smartphone and we use smartphone for hotspot tethering is the speed between smartphone and computer is very stable I use it now. I download using IDM on computer it takes more than 99% bandwith speed on my phone but still this wireguard protocol still response very stable to open website on phone browser and some other app (non streaming usage).
I’ll have to disagree with this, the Wireguard protocol is only available if you are a paid user of Windscribe. I’m not sure if this person has found a way around that but to get the configuration file the website says you have to have purchased pro… for anyone who thought this was too good to be true lol.
proof: https://windscribe.com/getconfig/wireguard
It isnt avail for manual download and setup using wireguard client. however if you use the windscribe android app or windows beta, you could actually select wireguard. Only a custom manual configuration using your own client requires PRO
Thanks for this very informative comment.
I’ve been with AirVPN for more than 3 years. Despite the said issues, I will likely continue with it when the current subscription expires next January. That’s because my usage of VPN is mostly to stay out of trouble with my internet provider. Things like torrent sessions via Pirate Bay, specifically to avoid certain parties from lodging complaints with my internet provider, and resulting in the latter issuing a warning to me. Or worse. Then in not having websites I visit and sometimes comment at know my real IP address.
But have to say that I’ve also become interested in trying out WireGuard. Especially after receiving an email from Firefox on the Mozilla VPN which runs on servers powered by Mullvad using the WireGuard protocol. I’ll make the decision towards the end of the year.
@ finoderi
says on MAY 8, 2020
I think Wireguard is primarily made for enthusiasts, not for companies. Now almost anybody can use their own little server to easily create VPN tunnel. Or you can use virtual server instance on AWS or DigitalOcean. And you don’t have to worry about logging or storing private keys. Just set your firewall right and enjoy stupendously fast VPN connection.
It is exactly opposite, the WireGuard is designed to create a private connection from point A (You) to point B (Your Company) and not for internet surfing.
You are right, it is a peer to peer tunneling protocol. In the design there is no host or client, just peers. It is amazing for guaranteeing private communication between two servers in an otherwise unknown network. A wireguard host is basically a peer that has routing rules to the Internet.
The privacy concerns are legitimate but some of the core functionality of wireguard would not have been possible otherwise.
VyprVPN have implemented WireGuard but they have not mentioned how they handle this situation anywhere on their website which is unfortunately a poor management since they proudly advertise themselves as “Audited NoLog VPN”
It would be intresting to know how VyprVPN are handling this protocol and aftermath.
Could you reach out to them Sven Taylor to pull their users out of the dark?
P.S Love the website and all the informative articles. Thank You.
Good question. I asked them about this last week and I have not received any reply.
https://support.vyprvpn.com/hc/en-us/articles/360044677511-How-does-VyprVPN-prevent-my-IP-address-from-being-stored-while-using-WireGuard-
VyprVPN will add support to WireGuard soon (currently on Beta). Maybe you could ask them how they’ve implemented it and then update the article?
Yep, will do.
Yes, this is another drawback.
but this means also a verify of an server identity isnt possible with wireguard or ?
I think Wireguard is primarily made for enthusiasts, not for companies. Now almost anybody can use their own little server to easily create VPN tunnel. Or you can use virtual server instance on AWS or DigitalOcean. And you don’t have to worry about logging or storing private keys. Just set your firewall right and enjoy stupendously fast VPN connection.
Hello, do you know if there is a way to implement wireguard VPN in the omental system ADM NAS ASUSTOR
thanks
regards
Agreed…
WireGuard is not ‘by design’ ready for near-Darknet usage and I guess it will never be
That’s the point.
All thoses companies wishing to be the first one to provide ‘WireGuard-based’ services will have it for the money.
They will have to develop around, but the design of WireGuard is not for it.
There will be pain for them, and frustration, as for the writter of this article …