A lot has changed since we looked at WireGuard last year. In this updated WireGuard VPN guide we examine the strengths and weaknesses of this protocol, as well as the best WireGuard VPN services.
WireGuard is a relatively new VPN protocol that is already bringing big changes to the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – namely faster speeds and upgraded encryption – the drawbacks of WireGuard often go ignored. So is WireGuard ready for widespread adoption – or do the lingering privacy concerns outweigh the potential benefits?
We’ll answer all these questions and more in this updated WireGuard VPN guide!
WARNING: Right now, WireGuard has some inherent problems that can undermine user privacy if not adequately addressed. Before using the WireGuard VPN protocol, be sure to examine how your VPN provider ensures user privacy with their WireGuard implementation.
Some VPNs have effectively addressed all privacy concerns. For example, NordVPN supports WireGuard directly in their VPN clients using a Double NAT system. This ensures no identifiable user data (IP addresses) are ever stored on the server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we will cover in this updated WireGuard VPN guide:
- Benefits of WireGuard
- WireGuard privacy problems (and solutions)
- Best WireGuard VPN services
- The future of WireGuard
- WireGuard VPN comparison table
Now let’s begin with the benefits of the WireGuard VPN protocol.
Benefits of WireGuard VPN
Here are some of the ‘pros’ that WireGuard offers:
1. Updated encryption
As explained in various interviews, Jason Donenfeld wanted to replace what he considered to be the “outdated” protocols used by OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
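To show how the primitives above fit together, here is an added example (not WireGuard's own code) implementing the Hash, Mac, Hmac and Kdf_n functions that the WireGuard whitepaper defines over BLAKE2s and HKDF, using only Python's standard library. The key material is constructed, and because no BLAKE2s vectors are published, the HKDF skeleton is checked against RFC 5869's HMAC-SHA-256 test case 1.

```python
import hashlib
import hmac

# Added example, not WireGuard's code: the Hash, Mac, Hmac and Kdf_n functions
# as the WireGuard whitepaper defines them, built from the standard library.
# All key material below is constructed for illustration.


def wg_hash(data: bytes) -> bytes:
    """Hash(input) = BLAKE2s(input, 32)."""
    return hashlib.blake2s(data, digest_size=32).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """Mac(key, input) = Keyed-BLAKE2s(key, input, 16): BLAKE2s's native keyed mode."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def wg_hmac(key: bytes, data: bytes) -> bytes:
    """Hmac(key, input): the ordinary HMAC construction (RFC 2104) over BLAKE2s."""
    return hmac.new(key, data, hashlib.blake2s).digest()


def hkdf(prf, salt: bytes, ikm: bytes, n: int, info: bytes = b"") -> list:
    """RFC 5869 HKDF with a caller-supplied PRF: Extract, then Expand to n blocks."""
    prk = prf(salt, ikm)                      # HKDF-Extract
    blocks, t = [], b""
    for i in range(1, n + 1):                 # Expand: T(i) = PRF(PRK, T(i-1) | info | i)
        t = prf(prk, t + info + bytes([i]))
        blocks.append(t)
    return blocks


def wg_kdf(key: bytes, data: bytes, n: int) -> list:
    """Kdf_n(key, input): HKDF over Hmac with empty info. WireGuard's 'key' is
    HKDF's salt and its 'input' is the IKM; the handshake uses n in {1, 2, 3}."""
    return hkdf(wg_hmac, key, data, n)


def rfc5869_selfcheck() -> bool:
    """Validate the HKDF skeleton against RFC 5869 test case 1 (HMAC-SHA-256)."""
    sha256 = lambda k, m: hmac.new(k, m, hashlib.sha256).digest()
    ikm, salt, info = bytes([0x0B] * 22), bytes(range(0x0D)), bytes(range(0xF0, 0xFA))
    okm = b"".join(hkdf(sha256, salt, ikm, 2, info))[:42]
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56"
                         "ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    k = bytes(32)                             # constructed all-zero key
    print("HKDF self-check:", rfc5869_selfcheck())
    print("Kdf_2:", [b.hex() for b in wg_kdf(k, b"example input", 2)])
```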
2. Simple and minimal code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier auditing means vulnerabilities are found (and fixed) sooner, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
3. Performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the way of:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
4. Cross-platform ease of use
Although full implementation has been somewhat delayed, WireGuard should work very well across different platforms. WireGuard supports Mac OS, Android, iOS, and Linux, with Windows support still in development.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
5. Now merged into Linux kernel and released from beta
On March 29, 2020, it was announced that WireGuard will be officially included in the 5.6 Linux kernel. This is big news that many privacy enthusiasts have been waiting for.
Additionally, WireGuard is now out of beta with the release of version 1.0 for Linux. You can get more info on WireGuard for different operating systems here.
With these two developments, WireGuard is now considered stable and ready for widespread use. The previous warning on the official website about WireGuard being “not yet complete” has been removed.
WireGuard privacy problems (and solutions)
While WireGuard may offer advantages in terms of performance and security, by design it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers who offer privacy services in mind.” Similarly, NordVPN also voiced concerns with the inherent privacy issues of WireGuard:
By implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.
Fortunately, the dust has settled and there are some good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and a few VPNs have found effective solutions for deploying it while still ensuring user privacy.
To understand the tradeoff between privacy and security with WireGuard, IVPN did a good job distinguishing the two as follows:
The security of the protocol is concerned with protecting the data in a tunnel from being accessed by adversaries: either by breaking the encryption, MITM attacks, or by any other means, no matter how complicated.
Privacy is concerned with whether an adversary can learn anything about you, your communication or any party you’ve communicated with. It has more to do with the metadata rather than the actual data.
Privacy can be violated, even when security is rock solid. For example, when the fact that two parties communicated can be determined. Or when a certain piece of information about a party becomes known after the communication took place. However, it should be noted that, if security is weak, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some privacy problems with WireGuard.
Problem 1: WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard was not built for anonymity and privacy, but rather security and speed.
By default, WireGuard saves connected IP addresses on the server. These user IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
So how are VPN services deploying WireGuard while still ensuring user privacy?
Based on our research, the solution to this privacy problem varies by the VPN provider. We’ll examine a few below.
NordVPN double NAT system with WireGuard
NordVPN takes a unique approach to the privacy issues with what they call a “double NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they are referring to this as NordLynx.
You can get more info on NordLynx and NordVPN on their website here.
Mullvad and OVPN erase IP address logs after the VPN session ends
Another way VPN providers have addressed the problem with logs is to configure their servers to erase these logs when the session ends.
Two examples of this are Mullvad and OVPN, both of which are secure VPN services based in Sweden. OVPN describes its approach as follows:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past three minutes are removed, which means we have as little information as possible.
Mullvad takes a similar approach:
We added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
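The following is an added example, not Mullvad's or OVPN's code, of the mitigation both providers describe above: peers with no handshake in the last 180 seconds are removed and re-applied so that their stored endpoint (the client's public IP) is cleared. It parses the output format of `wg show <iface> dump` (a constructed sample with placeholder keys is embedded) and emits the `wg set` commands rather than running them.

```python
import time

# Added example, not a VPN provider's code: find peers in `wg show <iface> dump`
# output whose last handshake is older than 180 s and emit the `wg set` commands
# that remove and re-add them, which clears the stored endpoint (client IP).
STALE_AFTER = 180  # seconds without a handshake, as Mullvad and OVPN describe

# Constructed sample of `wg show wg0 dump`. Line 1 is the interface
# (private-key public-key listen-port fwmark); each further line is a peer:
# public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive.
# Keys are placeholders, not real WireGuard keys.
SAMPLE_DUMP = """\
SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff
PEER_A_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:41000\t10.8.0.2/32\t1700000000\t1024\t2048\toff
PEER_B_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.7:52000\t10.8.0.3/32\t1700000170\t512\t512\toff
PEER_C_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff
"""


def parse_peers(dump: str) -> list:
    """Return [(pubkey, endpoint, allowed_ips, latest_handshake)] from dump text.
    The first line carries the interface's private key and is deliberately dropped."""
    peers = []
    for line in dump.splitlines()[1:]:
        f = line.split("\t")
        if len(f) >= 8:
            peers.append((f[0], f[2], f[3], int(f[4])))
    return peers


def stale_peers(dump: str, now: int) -> list:
    """Peers whose last handshake is older than STALE_AFTER and that still carry
    an endpoint. A peer that never handshook (timestamp 0) has no endpoint to clear."""
    return [p for p in parse_peers(dump)
            if p[1] != "(none)" and now - p[3] > STALE_AFTER]


def reapply_commands(iface: str, dump: str, now: int) -> list:
    """`wg set` commands that drop each stale peer and re-add it with its allowed-ips
    only. A preshared key, if one were set, would also have to be re-applied here."""
    cmds = []
    for pubkey, _endpoint, allowed, _hs in stale_peers(dump, now):
        cmds.append(f"wg set {iface} peer {pubkey} remove")
        cmds.append(f"wg set {iface} peer {pubkey} allowed-ips {allowed}")
    return cmds


if __name__ == "__main__":
    for cmd in reapply_commands("wg0", SAMPLE_DUMP, int(time.time())):
        print(cmd)
```

Run periodically (for example from a cron job or systemd timer) against the live dump; the interface line is skipped so the server's private key never reaches a log.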
Now let’s look at another issue/drawback of WireGuard.
Problem 2: WireGuard does not assign dynamic IP addresses
VPN providers have also voiced concerns about how IP addresses are assigned with WireGuard.
Mullvad had this to say in a blog post:
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you’ve installed software that is malicious, it can also leak that information.
Similarly, OVPN also acknowledges these drawbacks:
At present, WireGuard requires that each key pair (which can be viewed as a device) is assigned a static internal IP address. This works without issues for smaller installations, but can quickly become complex when tens of thousands of customers need to connect. Development is underway for a model called wg-dynamic, but it is not yet finished.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Both OVPN and Mullvad have come up with ways to securely generate keys and manage IP addresses. Each service allows you to regenerate keys and therefore rotate IP addresses, which helps to neutralize this problem. You can get specific details on each of the respective VPN websites.
Block or disable WebRTC – WireGuard relies on statically assigned IP addresses, and as we have covered before, a WebRTC leak can expose your internal and/or external IP address. This is not an issue with your VPN service, but rather a problem with your web browser. Here are some helpful guides to solve these issues:
- Disable or block WebRTC – Our guide has step-by-step information for all major browsers.
- Use the Firefox browser with WebRTC disabled. Firefox, unlike Chromium browsers, can simply disable WebRTC. See our Firefox privacy guide for instructions.
- Use a secure and private browser that limits data exposure.
Now that we’ve covered some different problems and solutions, let’s look at the best WireGuard VPN providers.
WireGuard VPN services
Ok, so you want to try out WireGuard and are wondering which VPN services are best for it. The list of VPN services supporting WireGuard continues to grow, and we do our best to keep up with the latest developments and update this guide accordingly.
Here are the best VPNs for WireGuard:
1. NordVPN – Best all-around WireGuard VPN
Logs: No logs (audited)
Support: 24/7 Live chat
NordVPN is one of our favorite VPNs and it has now released full WireGuard support via NordLynx with a double NAT system for privacy. This should offer faster speeds than legacy VPN protocols, such as OpenVPN and IPSec. NordVPN is a Panama-based VPN service that has undergone major security upgrades over the past year. In cooperation with Versprite, NordVPN has an ongoing security audit, while also upgrading all VPN servers to run in RAM-disk mode only (no physical hard drives). It also passed an audit by PWC that verified NordVPN as a no-logs service.
To use WireGuard with NordVPN, all you need to do is select the NordLynx protocol in the app, and then connect to a VPN server. Secure key generation and IP address management is all handled in the background by the app to ensure user privacy.
Full WireGuard support in the VPN apps is a seamless and easy option. This is available with the NordVPN apps for Windows, Mac OS, iOS, Android, and Linux.
In addition to WireGuard support, NordVPN also offers many other privacy and security features:
- Double-VPN servers – Encrypt traffic across two different VPN servers for an added layer of security and encryption.
- Tor-over-VPN servers – These are VPN servers that exit onto the Tor network.
- CyberSec – This feature blocks ads, trackers, and malware domains and is activated directly in the VPN app.
- Obfuscated servers – These servers will help you to get around VPN blocks, such as when using a VPN in China, at school, or with work networks.
Our NordVPN review has more information and test results.
2. Mullvad – Swedish VPN with full WireGuard support
Mullvad is a VPN in Sweden that was an early adopter of WireGuard. Like NordVPN, Mullvad offers full WireGuard support with their VPN apps. It is a no-logs VPN service focused on privacy.
You can easily use WireGuard within the Mullvad apps by selecting WireGuard from the available VPN protocols. With iOS and Android devices, WireGuard is the default protocol. Key management is also available right through the Mullvad clients.
3. OVPN with WireGuard
Support: Email and chat
OVPN is a secure, no-logs VPN service based in Sweden. They have recently incorporated WireGuard support into their VPN server network. While OVPN officially supports WireGuard, they have not yet incorporated the WireGuard VPN protocol into their VPN clients. To use WireGuard with OVPN, you’ll need to download the official WireGuard client (here), and then download and import the configuration files.
OVPN is currently working on implementing WireGuard into their VPN clients and we can expect this to be complete in the coming months.
4. AzireVPN with WireGuard
Similar to Mullvad and OVPN, AzireVPN is a no-logs Swedish VPN service with a strong focus on privacy. It was one of the earliest adopters of the WireGuard VPN protocol, offering support all the way back in 2017. The AzireVPN server network is much smaller than other VPN services, but they also have very strict standards for server selection, with all locations running on premium hardware with high-capacity bandwidth channels.
Similar to OVPN above, AzireVPN supports WireGuard through the official WireGuard clients. Simply install the WireGuard client on your operating system, then download and import the configuration files.
Other VPN services that support WireGuard
This list is not exhaustive, but here are some other VPNs that support WireGuard. We have not tested these services yet, but they all offer a refund window allowing you to test them out risk-free.
- VPN.ac – Based in Romania, VPN.ac offers a secure VPN with full WireGuard support through the WireGuard clients.
- TorGuard – TorGuard is a US VPN service (Five Eyes warning) that offers full support for the WireGuard protocol. You can use WireGuard with TorGuard through the WireGuard clients.
- IVPN – IVPN is a well-regarded VPN service in Gibraltar. Like NordVPN and Mullvad, IVPN has successfully integrated WireGuard into their own VPN clients. It is one of the most expensive WireGuard VPNs, but does well in the privacy category.
- Private Internet Access – PIA is a US VPN service that has rolled out support for WireGuard in their desktop and mobile clients. (Note that PIA is owned by Kape Technologies, an Israeli firm with a history of producing malware that now also owns CyberGhost VPN and Zenmate.)
The future of WireGuard
WireGuard’s future is looking bright.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been released under version 1.0 and incorporated into the Linux kernel, it is safe to say this VPN protocol is ready for mainstream use.
WireGuard VPN Comparison Table
(Comparison table not reproduced; the refund windows listed were 30 days, 30 days, 10 days and 7 days.)