A lot has changed since we first looked at the WireGuard VPN protocol. In this new and updated WireGuard VPN guide, we examine the strengths and weaknesses of this protocol, as well as the best VPNs that support WireGuard.
WireGuard is a relatively new VPN protocol that is already bringing big changes to the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – namely faster speeds and upgraded encryption – the drawbacks of WireGuard often go ignored. So is WireGuard ready for widespread adoption – or do the lingering privacy concerns outweigh the potential benefits?
We’ll answer all these questions and more in this updated WireGuard VPN guide.
WARNING: Right now, WireGuard has some inherent problems that can undermine user privacy if not adequately addressed. Before using the WireGuard VPN protocol, be sure to examine how your VPN provider ensures user privacy with their WireGuard implementation.
Some VPNs have effectively addressed all privacy concerns. For example, NordVPN supports WireGuard directly in their VPN apps using a Double NAT system. This ensures no identifiable user data (IP addresses) are ever stored on a VPN server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we will cover in this updated WireGuard VPN guide:
- Benefits of WireGuard
- WireGuard privacy problems (and solutions)
- Best WireGuard VPN services
- The future of WireGuard
- WireGuard VPN comparison table
OpenVPN vs WireGuard – OpenVPN is considered the gold standard of VPN protocols by many — but things are changing. To compare these two protocols, we put together a WireGuard vs OpenVPN guide, which examines speeds, security, encryption, privacy, and the background of each VPN protocol. We found WireGuard to be about 58% faster than OpenVPN on average, and even faster with nearby servers (450 Mbps).
Now let’s begin with the benefits of the WireGuard VPN protocol.
Benefits of WireGuard VPN
Here are some of the ‘pros’ that WireGuard offers:
Updated encryption
As explained in various interviews, Jason Donenfeld wanted to upgrade what he considered to be “outdated” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
You can learn more about WireGuard’s modern cryptography on the official website or in the technical white paper [PDF].
Minimal WireGuard code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier to audit = easier to find vulnerabilities, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
Big performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the following areas:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
Fastest VPN protocol we’ve tested in 2022
We have now tested out WireGuard extensively with NordVPN and a few other VPN services that support it. We have found NordVPN’s implementation of the WireGuard VPN protocol, which they call NordLynx, offers the fastest speeds.
Here we are using NordVPN with the WireGuard VPN protocol (NordLynx) with a server in Seattle (USA). We hit speeds of 445 Mbps on a 500 Mbps connection:
This makes WireGuard the fastest VPN protocol we have tested (when used it with NordVPN on a nearby server).
Cross-platform ease of use
Although full implementation was somewhat delayed, WireGuard now works well across all major platforms. WireGuard supports Windows, Mac OS, Android, iOS, and Linux.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
A few VPNs have already integrated full WireGuard support into their lineup of VPN clients. See for example with NordVPN, Surfshark, and also Mullvad.
Merged into Linux and Windows kernels; fully released from beta
On March 29, 2020, it was announced that WireGuard will be officially included in the 5.6 Linux kernel. This is big news that many privacy enthusiasts have been waiting for. In August 2021, WireGuard made it into the Windows kernel.
Additionally, WireGuard is now out of beta with the release of version 1.0+ for nearly every major operating system. You can get more info on WireGuard for different operating systems here.
With these two developments, WireGuard is now considered stable and ready for widespread use. The old warning on the official website about WireGuard being “not yet complete” has been removed.
WireGuard privacy problems (and solutions)
While WireGuard may offer advantages in terms of performance and security, by design it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers who offer privacy services in mind.” Similarly, NordVPN also voiced concerns with the inherent privacy issues of WireGuard:
By implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.
Fortunately, the dust has settled and today there are some good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and a few VPNs have found effective solutions for deploying it while still ensuring user privacy.
To understand the tradeoff between privacy and security with WireGuard, IVPN did a good job distinguishing the two as follows:
The security of the protocol is concerned with protecting the data in a tunnel from being accessed by adversaries: either by breaking the encryption, MITM attacks, or by any other means, no matter how complicated.
Privacy is concerned with whether an adversary can learn anything about you, your communication or any party you’ve communicated with. It has more to do with the metadata rather than the actual data.
Privacy can be violated, even when security is rock solid. For example, when the fact that two parties communication can be determined. Or when a certain piece of information about a party becomes known after the communication took place. However, it should be noted that, if security is weak, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some privacy problems with WireGuard.
By default, WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard was not built for anonymity and privacy, but rather security and speed.
By default, WireGuard saves connected IP addresses on the server . These user IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
So how are VPN services deploying WireGuard while still ensuring user privacy?
Solutions
Based on our research, the solution to this privacy problem varies by the VPN provider. We’ll examine a few below.
NordVPN double NAT system with WireGuard
NordVPN takes a unique approach to the privacy issues with what they call a “double NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they are referring to it as NordLynx.
You can get more info on NordLynx and NordVPN on their website here.
Mullvad and OVPN erase IP address logs after the VPN session ends
Another way VPN providers have addressed the problem with logs is to configure their servers to erase data logs when the session ends.
Two examples of this are with Mullvad and OVPN, both of which are secure VPN services based in Sweden.
OVPN explains:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past three minutes are removed, which means we have as little information as possible.
Mullvad takes a similar approach:
We added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
Now let’s look at another issue/drawback of WireGuard.
WireGuard does not assign dynamic IP addresses
VPN providers have also voiced concerns about how IP addresses are assigned with WireGuard.
Mullvad had this to say in a blog post:
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you’ve installed software that is malicious, it can also leak that information.
Similarly, OVPN also acknowledges these drawbacks:
At present, WireGuard requires that each key pair (which can be viewed as a device) is assigned a static internal IP address. This works without issues for smaller installations, but can quickly become complex when tens of thousands of customers need to connect. Development is underway for a model called wg-dynamic, but it is not yet finished.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Solutions
Both OVPN and Mullvad have come up with ways to securely generate keys and manage IP addresses. Each service allows you to regenerate keys and therefore rotate IP addresses, which helps to neutralize this problem. You can get specific details on each of the respective VPN websites.
Block or disable WebRTC – WireGuard relies on statically assigned IP addresses, and as we have covered before, a WebRTC leak can expose your internal and/or external IP address. This is not an issue with your VPN service, but rather a problem with your web browser. Here are some helpful guides to solve these issues:
- Disable or block WebRTC – Our guide has step-by-step information for all major browsers.
- Use the Firefox browser with WebRTC disabled. Firefox, unlike Chromium browsers, can simply disable WebRTC. See our Firefox privacy guide for instructions.
- Use a secure and private browser that limits data exposure.
Now that we’ve covered some different problems and solutions, let’s look at the best WireGuard VPN providers.
WireGuard VPN services
Ok, so you want to try out WireGuard and are wondering what are the best VPN services to do this. The list of VPN services supporting WireGuard continues to grow and we do our best to keep up with the latest developments and update this guide accordingly.
Here are the best VPNs for WireGuard:
NordVPN – Best all-around WireGuard VPN in 2022
| VPN | NordVPN |
| Based in | Panama |
| Logs | No logs (audited) |
| Price | $3.09/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | NordVPN.com |
NordVPN is one of our favorite VPNs and it has now released full WireGuard support via NordLynx with a double NAT system for privacy. In our tests, NordVPN was blazing fast with speeds up to 445 Mbps on a 500 Mbps connection. While NordVPN also offers very fast OpenVPN speeds (consistently over 200 Mbps), we found the WireGuard protocol was still faster. Here’s one example of that:
Note: I have seen recent videos in 2022 of other people getting over 800 Mbps with NordVPN using the WireGuard protocol.
NordVPN is a Panama-based VPN service that excels in the areas of privacy and security. It had undergone two independent audits confirming it to be a no-logs VPN service. In cooperation with Versprite, NordVPN has also completed a full security audit and penetration testing. In 2020, NordVPN announced that all servers in the network are running in RAM-disk mode, which makes it impossible to store any data on the VPN server (no hard drives). Lastly, they are now deploying self-owned (co-located) servers throughout their network, which puts all hardware completely under their control.
To use WireGuard with NordVPN, all you need to do is select the NordLynx protocol in the app, and then connect to a VPN server. Secure key generation and IP address management are all handled in the background by the app to ensure user privacy.
Full WireGuard support in the VPN apps is a seamless and easy option. This is available with the NordVPN apps for Windows, Mac OS, iOS, Android, and Linux.
In addition to WireGuard support, NordVPN also offers many other privacy and security features:
- Double-VPN servers – Encrypt traffic across two different VPN servers for an added layer of security and encryption.
- Tor-over-VPN servers – These are VPN servers that exit onto the Tor network for additional anonymity.
- CyberSec – This feature blocks ads, trackers, and malware domains.
- Obfuscated servers – These servers will help you to get around VPN blocks, such as when using a VPN in China, at school, or with work networks.
NordVPN Cyber Deal is Live:
Get 68% Off NordVPN (drops the price to $3.09 per month) plus 3 months FREE:
(Coupon is applied automatically.)
Our NordVPN review has more information and test results.
Surfshark – A low-cost VPN with WireGuard
| VPN | Surfshark |
| Based in | The Netherlands |
| Logs | No logs |
| Price | $2.30/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | Surfshark.com |
Surfshark is another privacy-focused VPN service that announced support for WireGuard in late 2020. It is incorporated in the British Virgin Islands (an excellent privacy-friendly jurisdiction) and keeps no data logs.
You can easily enable the WireGuard protocol in the Surfshark VPN clients, without having to deal with any keys or certificates. Surfshark currently supports WireGuard with: Windows, Mac OS, Android, and iOS apps (Linux support is still in development). Simply enable WireGuard in the Settings area and you will be off and running:
Surfshark has followed NordVPN’s lead in solving the privacy issues with WireGuard by implementing a double NAT system. This ensures user IP addresses are never stored on a VPN server.
In our tests for the Surfshark review, we found WireGuard to offer huge speed improvements. On a 500 Mbps connection, we were able to hit speeds of 397 Mbps, which is excellent:
In our comparison tests for the Surfshark vs ExpressVPN report, we can see that WireGuard gives Surfshark a major speed advantage over VPN services that are not incorporating this protocol.
We’ve already covered how Surfshark utilized the WireGuard VPN protocol. Now let’s examine some of the other privacy and security features offers by Surfshark:
- Double VPN servers to encrypt traffic over two locations
- NoBorders feature to get around VPN blocks
- Camouflage mode to conceal VPN traffic as regular HTTPS encryption
- CleanWeb feature to block ads and trackers
Surfshark has also made a name for itself in the streaming realm, offering access to a huge variety of streaming services. It is one of the best VPNs for Netflix with support for over 10 different regional libraries.
Check out Surfshark at their website below or read our Surfshark review for more test results and analysis.
VyprVPN – Fast WireGuard VPN speeds, based in Switzerland
| VPN | VyprVPN |
| Based in | Switzerland |
| Logs | No logs (audited) |
| Price | $5.00/mo. |
| Support | 24/7 live chat |
| Refund | 30 days |
| Website | VyprVPN.com |
Next up on our list of VPN services that support WireGuard is VyprVPN. This VPN is based in Switzerland and is an audited no-logs VPN provider. They have officially supported WireGuard in all of their VPN apps since 2020 and tests for our VyprVPN review were impressive. Not only does everything work seamlessly, the speeds are also blazing fast at over 300 Mbps in some cases, as you can see below.
Another unique aspect of VyprVPN is that they own every server in their network, without relying on any third-party rental servers. This gives VyprVPN 100% control over all hardware in their network. A few years back, VyprVPN also underwent a third-party audit from Leviathan Security that confirmed their no-logs policy.
VyprVPN currently supports WireGuard in the Windows, Mac OS, iOS, and Android apps. Unfortunately, like with Surfshark VPN, there is no WireGuard support for Linux at this time. However, enabling WireGuard on other operating systems is quick and easy.
Like the other top WireGuard VPNs, VyprVPN also explains how they modified the default version of WireGuard to make it compatible with its no-logs policy. VyprVPN stated the following on their website,
The VyprVPN implementation provisions a WireGuard configuration on-demand for every connection and nothing is left behind on the server after you disconnect. There is simply no static configuration left behind.
Lastly, for those who enjoy streaming, VyprVPN is also a good option. They support a handful of different Netflix regions and also other streaming services like Disney Plus, Hulu, Amazon Prime, and more.
Note: VyprVPN has (unexpectedly) decided to massively increase prices for 2022. It is now $8.33 per month with the cheapest plan.
See our VyprVPN review for more details and test results.
OVPN with WireGuard
| VPN | OVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | $4.99/mo. |
| Support | Email & Chat |
| Refund | 10 days |
| Website | OVPN.com |
OVPN is a secure, no-logs VPN service based in Sweden. In late 2020, OVPN incorporated WireGuard support into their VPN server network. While OVPN officially supports WireGuard, they have not yet incorporated the WireGuard VPN protocol into all of the VPN clients. To use WireGuard with OVPN, you’ll need to download the official WireGuard client, and then download and import the configuration files.
Right now, the only VPN apps that uses WireGuard automatically are the OVPN Android and iOS apps. However, the goal is to have full WireGuard support in all apps in the coming months.
Website: https://www.ovpn.com/
See our OVPN review for more info.
Mullvad – Swedish VPN with full WireGuard support
| VPN | Mullvad |
| Based in | Sweden |
| Logs | No logs |
| Price | $5.50/mo. |
| Support | |
| Refund | 30 days |
| Website | Mullvad.net |
Mullvad is a secure VPN in Sweden that was an early adopter of WireGuard. Like NordVPN, Mullvad offers full WireGuard support with all of their VPN apps. It is a no-logs VPN service focused on privacy.
Unlike NordVPN, however, Mullvad keeps temporary logs of user IP addresses, but as they explained above, these logs are automatically erased when the VPN session ends. Mullvad also replaces WireGuard keys once a week automatically in the VPN apps. You also have the option to manually regenerate WireGuard keys in the user settings area.
You can easily use WireGuard within the Mullvad apps by selecting WireGuard from the available VPN protocols. WireGuard is now the default protocol on iOS and Android. Key management is also available directly in the Mullvad VPN clients.
Website: https://mullvad.net/
AzireVPN with WireGuard
| VPN | AzireVPN |
| Based in | Sweden |
| Logs | No logs |
| Price | €3.25/mo. |
| Support | |
| Refund | 7 days |
| Website | AzireVPN.com |
Similar to Mullvad and OVPN, AzireVPN is another no-logs Swedish VPN service with a strong focus on privacy. It was one of the earliest adopters of the WireGuard VPN protocol, offering support all the way back in 2017. The AzireVPN server network is much smaller than other VPN services, but they also have very strict standards for server selection, with all locations running on premium hardware with high-capacity bandwidth channels.
Similar to OVPN above, AzireVPN supports WireGuard through the official WireGuard clients. Simply install the WireGuard client on your operating system, then download and import the configuration files.
Website: https://www.azirevpn.com
Other VPN services that support WireGuard
This list is not exhaustive, but here are some other VPNs that support WireGuard. We have not tested these services yet with their WireGuard implementation, but they all offer a refund window allowing you to test it out risk-free.
- VPN.ac – Based in Romania, VPN.ac offers a secure VPN with full WireGuard support through the WireGuard clients.
- Trust.Zone – Trust.Zone is a privacy-focused VPN based in Seychelles. They offer basic VPN apps, but they do not directly support WireGuard. Instead, you can use WireGuard with third-party clients.
- TorGuard – TorGuard is a US VPN service (Five Eyes warning) that offers full support for the WireGuard protocol. You can use WireGuard with TorGuard through the WireGuard clients.
- IVPN – IVPN is a well-regarded VPN service in Gibraltar. Like NordVPN and Mullvad, IVPN has successfully integrated WireGuard into their own VPN clients. It is one of the most expensive WireGuard VPNs, but does well in the privacy category.
- Private Internet Access – PIA is a US VPN service that has rolled out support for WireGuard in their desktop and mobile clients. In our speed tests for the PIA vs NordVPN comparison, we found PIA’s implementation of WireGuard to be quite slow.
- CyberGhost – CyberGhost VPN has also now implemented WireGuard. Unfortunately, we found it to still be slow, especially compared to other WireGuard VPN services. You can see this in the Surfshark vs CyberGhost comparison.
- IPVanish – IPVanish now supports WireGuard. But let us not forget about the IPVanish logging scandal, where they logged users for the FBI. This VPN comes with both pros and cons.
- ProtonVPN – ProtonVPN is another new addition that has added WireGuard support. While we like and recommend this VPN service, it does come with drawbacks. These include an above-average price and limited features. It also had some performance issues, as you can see in the ProtonVPN vs NordVPN report.
One major VPN provider that you will not see, however, is ExpressVPN. As we pointed out in our ExpressVPN review, this provider has resisted implementing WireGuard and has instead opted for a self-developed protocol called Lightway. In terms of speed and security, Lightway has a lot in common with WireGuard. However, unlike WireGuard, there are very few other VPNs using Lightway. And in case you are wondering, we found Lightway to be slower than WireGuard in our NordVPN vs ExpressVPN comparison.
Looking at the future of WireGuard VPN
WireGuard’s future is looking bright. Even though it has some drawbacks, the improved speeds and upgraded security make WireGuard an appealing VPN protocol to consider. And with ransomware and cybersecurity incidents in the news every week, using a secure and updated VPN protocol has its benefits.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been fully released and incorporated into the Linux and Windows kernels, it is safe to say this VPN protocol is ready for mainstream use and the future is looking good.
This WireGuard VPN guide was last updated on June 14, 2022 with new information.
I want to know how the F^%$ Secure VPN Wireguard got onto my system. I use AVG and it did not come with it when I installed it. It does not show up in program files and I can’t delete it.
I’ve been using Mullvad for my VPN provider because it allows me to use a wireguard client running on an OpenBSD machine (and which is in fact built in to the OpenBSD kernel). I’d like to try out other providers, but (not surprisingly) none of them provide clients for OpenBSD, and I haven’t found any indication on their web-sites whether it’s possible to use a third-party wireguard client. Are there any other providers whose solutions for mitigating wireguard’s security issues don’t require that their own specialized clients be used?
By way of a partial answer to my question, I’ve just received responses from NordVPN and ProtonVPN: both say that they are working on manual connection methods, but that at present it’s necessary to use their client applications.
I’m using the built in Wireguard with Fedora 36 with ProtonVPN. I doubt I’ll continue using that VPN after what I paid runs out. Proton’s codebase is a writhing horror of incompetence. Don’t use it unless you can compile it and even then it’s icky sticky.
I can only compile their encrypted email bridge software which is using GO and other bits of cruft. GO is Google’s excretion, some privacy that is. My other concern is their knack of dumping my speed to clogged drain flow right when I need the damn thing. Openvpn client is about 60% slower than Wireguard. Doesn’t matter which you use they’ll flush the speed down the drain.
It’s overpriced, if their servers are coded like their clients it’s probably just waiting to be pwned. I think the Linux client has three ancient libraries they’re carrying on their backs and handing out like candy to little kids to compile and use. Have fun with that.
However you can get a config and as best I can tell the security and speed are awesome due to Wireguard.
Go to ProtonVPN, login and get a configuration file with keys and settings generated. Use the information in that to configure your system.
For Fedora find the website blogs gnome org and look up Thomas Haller on that page. There will be a post about getting wireguard up with NetworkManager using nmcli and the generated config. This is very trivial to do but rubiks cube level to figure out on your own. Also don’t expect the freaks at Fedora/Gnome not to leak IP. Fixing that is not easy. Wireguard is NOT privacy friendly and it is NOT the VPN provider at fault. It’s damn near impossible to stop Fedora from blindly and stupidly bringing the link back up without the VPN. I’ve finally broken down and run another daemon process to slam the damn network off if I see any connection change. It’s brutal, dirty and stupid but works.
The privacy stuff is all on Linux probably due to systemd, gnome, redhate etal. Proton’s code might compromise privacy depending on just how bad it is. I have some view of what they publicly release and can only just the rest of them base on their code.
Yea it’s a real email. It’s tied to me. Sue me.
I use OVPN with Wireguard, they now have wireguard app for IOS, Windows and Linux (with full GUI on Linux!) , and I guess MacOS too. Although in beta2 for Linux and Windows, but they work nicely. In Linux especially, very stable. Now we are only waiting for Wireguard in their Vilfo router too.
I get around 475Mbit out of my 500Mbit cable with their VPN. I am satisfied with the way OVPN secures Wireguard (as explained on their site)
So looking at mullvad/ovpn, they force your connection to reconnect automatically to their server after 3 minutes to recycle ip address log? I’m bit confused about how that works. How would it work if setup on a VPN router? Thanks friend.
Sven, could you look into ProtonVPN and how they are implementing WireGuard? If you are not familiar, ProtonVPN offers tiered subscription model, including the best free option I have found anywhere. You do need a Protonmail email account last I checked, but they are also the most secure free email provider I have found. I’ve been happy with both so far, but they are pushing WireGuard hard and I’m wondering if it is really private anymore.
Also, what do you think about the comments that WireGuard does not work with firewalls?
Yep, we’ll be checking it out with a new ProtonVPN update in the coming months, and then updating content accordingly.
Can you check ig wireguard use wireguard the right way ? Does they log the real ip adress ?
https://protonvpn.com/blog/openvpn-vs-wireguard/
No, Proton email is NOT needed to use Proton VPN.
A no log vpn IS required if you do not want your email connection information to be leaked. This is detailed on the Proton website. With both you’re protected. Without both you are not. I’m not sure of the technical details. Proton sneers are foreign requests but honors ones that go through the Swiss bureaucratic colon. I have other issues with Proton but so far the people are quite solid.
Sven, could you give us some inside into tailscale and compare it with NordVPN?
Hi Victor we have not looked into tailscale.
Have you checked out Tailscale? [www.tailscale.com]
your article is misleading… surfshark does not offer ‘full wireguard support’
no linux… + app only
wasted an hour yesterday signing up and cancelling based on an article similar to yours…
definitely not ‘fulll support’
It says right in the article under the Surfshark section:
“Linux support is still in development”
I guess I’ll make that section bold to help avoid further confusion.
A few points. The “storing of ip addresses” by wireshark is configurable, and there are a number of ways to tell it to write that data only to RAM and never to nonvolitile media. So your first point is entirely moot, and nordvpn’s double-NAT solution is vast overkill for the situation. And there remains the hard fact that in VPN land, there must be some part of the system that knows where I’m connecting from, so that it knows where to send the packets meant for me. Even the lofty NordVPN can’t change physics there. They do what everyone else does, store that data in RAM instead of hard drives/ssds, so that shutting down a physical machine remotely has the implicit effect of permanently deleting every byte that was in RAM at the time. Thats how that works.
Secondly, your bandwidth tests seem strange. From my own testing, Nord and PIA were absolutely identical speed and latency wise, partially, I believe, because they were both terminating in (lol) the same colo in a city. They might even be in racks next to each other. And that speed is on average about 10% less bandwidth than on my raw fibre connection, and usually less than 5ms in latency.
Lastly, “mixed traffic” isn’t a problem. Just the opposite actually. It absolutely doesn’t matter how many other peoples’ traffic is coming along the same route through the same interfaces as me, if we’re all keyed users than my packets contain an encrypted header which explicitly, logically ties them all together as destined for the same place. If you want to know where that place is, you decrypt the header. If you want to decrypt that header, you need my private key. If you want my private key, you can go fuck yourself. All public/private key encryption works this way, and thus NAT isn’t necessary if you’re not writing IP addresses to nonvolitile media.
Which is to say… if you ARE using NAT this way, like NordVPN, it may be implied that you’re doing so because you ARE writing IP addresses to nonvolitile media, somewhere along the line.
If Wireguard was set up on a private personal network with a Raspberry Pi then the two privacy cons that you have listed wouldn’t be an issue anymore correct?
Sure, but you will have new problems because your traffic is not getting mixed with other users in this setup, which means all activity is still traceable back to you.
Good point, would it only be traceable if someone was able to break past the wire guards vpn security?
For context, I came across your article trying to decide between OpenVPN and Wireguard for my Raspberry Pi running PiHole. I’m looking for a secure, fast and private way for myself and my family to browse without ads and trackers.
I should have prefaced my comment before with “it all depends on your threat model and who you are trying to secure your data from.”
So with the setup you describe, traffic will be encrypted between your device and the Raspberry Pi, so everything downstream of the Raspberry Pi, will be on the regular unencrypted internet. So your ISP will see everything you are doing and every site you visit will have the unique IP address (and location) of your Raspberry Pi.
When connecting to a commercial VPN service, with a server in let’s say Germany, your ISP will not be able to see anything you are doing because all traffic will be encrypted between your device and the VPN server in Germany. Additionally, your traffic will be getting mixed with all the other people on that same server, sharing the same IP address, which is a further benefit to blending in with the crowd. And if it is a verified no logs VPN provider, you can be further assured your activities are not being monitored and tracked. But again, it all depends on your threat model and who you are securing your data from.