WireGuard is an interesting new VPN protocol that has the potential to bring major change to the VPN industry. In comparison to existing VPN protocols, such as OpenVPN and IPSec, WireGuard may offer faster speeds and better reliability with new and improved encryption standards.
While it does offer some promising features in terms of simplicity, speed, and cryptography, WireGuard also has some noteworthy drawbacks, which we will discuss at length below.
In this five-part WireGuard VPN guide we will cover:
- What is WireGuard
- WireGuard Pros
- WireGuard Cons (why it is not yet recommended)
- Which VPN providers currently support WireGuard
- The future of WireGuard
So let’s dive in!
What is WireGuard?
WireGuard is a new, experimental VPN protocol that aims to offer a simpler, faster, and more secure solution for VPN tunneling than the existing VPN protocols. WireGuard has some major differences when compared to OpenVPN and IPSec, such as the code size (under 4,000 lines!), speed, and encryption standards.
The developer behind WireGuard is Jason Donenfeld, the founder of Edge Security. (The term “WireGuard” is also a registered trademark of Donenfeld.) In one interview I watched, Donenfeld said the idea for WireGuard came when he was living overseas and needed a VPN for Netflix.
Why is there so much buzz surrounding WireGuard?
Well, it does offer some potential advantages over existing VPN protocols, as we’ll discuss further below. It has even caught the attention of Linus Torvalds, the developer behind Linux, who had this to say in the Linux Kernel Mailing List:
Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
Let’s first examine the advantages of WireGuard.
Here are some of the ‘pros’ that WireGuard offers:
1. Updated encryption
As explained in various interviews, Jason Donenfeld wanted to move away from what he considered the “outdated” protocols used by OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
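To make the list above concrete, here is an added example (not code from the article or from the WireGuard project) that uses three of those primitives together: Curve25519 key agreement (X25519, written out in pure Python from the RFC 7748 Montgomery ladder), BLAKE2s keyed hashing from the standard library, and RFC 5869 HKDF with BLAKE2s as the HMAC hash. It is not WireGuard's Noise_IK handshake, it leaves out ChaCha20-Poly1305 (not in the Python standard library), and the key pairs, the `info` label and the message are constructed for the example; what it shows is how little code these building blocks actually need, which is the auditability argument the article makes.

```python
"""Added illustration of Curve25519 + BLAKE2s + HKDF working together.
Not WireGuard's handshake; keys and messages below are constructed."""
import hashlib
import hmac

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, the ladder constant
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, little-endian


def _clamp(scalar: bytes) -> int:
    """Clear/set the bits RFC 7748 requires before using a scalar."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder).
    The 'if swap' branch depends on secret bits, so this is NOT
    constant-time: fine for study, not for production."""
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127                     # mask the unused top bit of u
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_blake2s(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-BLAKE2s."""
    prk = hmac.new(salt, ikm, hashlib.blake2s).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.blake2s).digest()
        okm += block
        counter += 1
    return okm[:length]


def keyed_blake2s(key: bytes, data: bytes) -> bytes:
    """BLAKE2s in keyed mode, i.e. a 16-byte MAC."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def agree_and_tag(my_private: bytes, peer_public: bytes, message: bytes):
    """Derive a session key from the X25519 shared secret and tag a message.
    Both sides run exactly this and obtain the same key and tag."""
    shared = x25519(my_private, peer_public)
    session_key = hkdf_blake2s(shared, salt=b"", info=b"example session key", length=32)
    return session_key, keyed_blake2s(session_key, message)


def rfc7748_check() -> bool:
    """Cross-check the ladder against the RFC 7748 section 6.1 test vector."""
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    expected = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    alice_pub, bob_pub = x25519(alice, BASEPOINT), x25519(bob, BASEPOINT)
    return x25519(alice, bob_pub).hex() == expected and x25519(bob, alice_pub).hex() == expected


if __name__ == "__main__":
    print("RFC 7748 vector ok:", rfc7748_check())
    a_priv, b_priv = bytes(range(32)), bytes(range(32, 64))   # constructed keys
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    key_a, tag_a = agree_and_tag(a_priv, b_pub, b"hello")
    key_b, tag_b = agree_and_tag(b_priv, a_pub, b"hello")
    print("keys match:", key_a == key_b, "tags match:", tag_a == tag_b)
```

The whole curve, KDF and MAC fit in well under a hundred lines, which is the point the article is making about reviewability; the trade-off, visible in the `if swap` branch, is that a readable reference implementation is not a side-channel-safe one.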
2. Simple and minimal code base
WireGuard really stands out in terms of its code base, which is currently about 3,800 lines. This is in stark contrast to OpenVPN and OpenSSL, which combined have around 600,000 lines. IPSec is also bulky at around 400,000 total lines with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- It is much easier to audit. OpenVPN would take a large team many days to audit. One person can read through WireGuard’s codebase in a few hours.
- Easier to audit means vulnerabilities are easier to find and fix, which helps keep WireGuard secure
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
While the smaller code base is indeed an advantage, it also reflects some limitations, as we’ll discuss below.
3. Performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to offer significant improvements in the area of performance:
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Theoretically, WireGuard should offer improved performance in the way of:
- Faster speeds
- Better battery life with phones/tablets
- Better roaming support (mobile devices)
- More reliability
- Faster at establishing connections/reconnections (faster handshake)
WireGuard should be beneficial for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
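The roaming behaviour just described, as an added example that is not part of the original article or of the WireGuard code base: a server keeps, per peer, the source address of the most recent packet it could authenticate, so a client that moves from Wi-Fi to cellular simply keeps sending and the server follows it, while a packet that fails authentication (or replays an old counter) leaves the stored endpoint untouched. In this simplified model a keyed BLAKE2s tag stands in for WireGuard's ChaCha20-Poly1305 AEAD, the peer is named explicitly instead of by a receiver index, and the packet layout, addresses and session key are constructed for the example.

```python
"""Added, simplified model of WireGuard-style endpoint roaming.
Not the real protocol: keyed BLAKE2s replaces the AEAD, and the
packet format and addresses are constructed for illustration."""
import hashlib
import hmac

TAG_LEN = 16


def make_packet(session_key: bytes, counter: int, payload: bytes) -> bytes:
    """Client side: 8-byte counter, payload, then a tag over both."""
    body = counter.to_bytes(8, "little") + payload
    tag = hashlib.blake2s(body, key=session_key, digest_size=TAG_LEN).digest()
    return body + tag


class PeerState:
    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.endpoint = None       # (ip, port) of the last authentic packet
        self.last_counter = -1     # simple strictly-increasing replay check


class RoamingServer:
    def __init__(self):
        self.peers = {}            # peer name -> PeerState

    def add_peer(self, name: str, session_key: bytes) -> None:
        self.peers[name] = PeerState(session_key)

    def receive(self, name: str, src_endpoint, packet: bytes) -> bool:
        """Return True if the packet authenticates. The stored endpoint is
        moved to src_endpoint ONLY in that case, which is what lets a client
        change networks without a new handshake yet stops an unauthenticated
        sender from redirecting the session."""
        st = self.peers[name]
        if len(packet) < 8 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hashlib.blake2s(body, key=st.session_key, digest_size=TAG_LEN).digest()
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or corrupted: ignore
        counter = int.from_bytes(body[:8], "little")
        if counter <= st.last_counter:
            return False                       # replayed: ignore
        st.last_counter = counter
        st.endpoint = src_endpoint             # roam to the authentic source
        return True


def demo_roaming():
    """Constructed scenario: a phone moves from Wi-Fi to cellular, then an
    unauthenticated packet arrives from a third address."""
    key = bytes(range(32))                     # constructed session key
    srv = RoamingServer()
    srv.add_peer("phone", key)
    srv.receive("phone", ("198.51.100.10", 40000), make_packet(key, 1, b"hello over wifi"))
    srv.receive("phone", ("203.0.113.7", 51000), make_packet(key, 2, b"same session, now on cellular"))
    bogus = b"\x00" * 8 + b"not authenticated" + b"\x00" * TAG_LEN
    accepted = srv.receive("phone", ("192.0.2.99", 1234), bogus)
    return srv.peers["phone"].endpoint, accepted


if __name__ == "__main__":
    endpoint, accepted = demo_roaming()
    print("peer endpoint now:", endpoint, "| bogus packet accepted:", accepted)
```

The real implementation uses a sliding window rather than a single counter and identifies the session by an index in the packet header, but the property is the same: the endpoint follows authenticated traffic only, so address changes cost the client nothing and cost an outsider nothing they can use.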
4. Cross-platform ease of use
Although not yet ready for prime time, WireGuard should work very well across different platforms. WireGuard supports Mac OS, Android, iOS, and Linux, with Windows support still in development.
Another interesting feature with WireGuard is that it utilizes public keys for identification and encryption, whereas OpenVPN uses certificates. This does create some issues for utilizing WireGuard in a VPN client, however, such as key generation and management.
While WireGuard offers many exciting advantages, it currently comes with some noteworthy drawbacks.
1. Still under “heavy” development, not ready, not audited
Despite the fact that WireGuard remains under “heavy development” and not yet ready for general use, there are many people looking to use it right away as their primary VPN protocol. You can find lots of WireGuard promotion on reddit and various forums – i.e. chasing the latest VPN trend.
It must be pointed out that WireGuard is not complete, it has not passed a security audit, and the developers explicitly warn about trusting the current code:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come.
Nonetheless, a handful of VPNs are preparing to offer, or already offer, WireGuard support. At this point, however, you should use WireGuard for testing purposes only.
2. WireGuard privacy concerns and logs
While WireGuard may offer advantages in terms of performance and security, by design it is not good for privacy.
A number of VPN providers have expressed concerns about WireGuard’s ability to be used without logs, and how this may affect user privacy.
AzireVPN, one of the first VPNs to implement WireGuard, had this to say last year:
At AzireVPN, we care about our no-logging policy, that’s why all of our servers are running on diskless hardware and all log files are piped to /dev/null.
AzireVPN attempted to get around these issues by hiring Jason Donenfeld to “write a rootkit-like module that removes the ability of an ordinary system administrator to query endpoint or allowed-ip information about WireGuard peers and disable the ability to run tcpdump” (see here).
WireGuard has no dynamic address management, the client addresses are fixed. That means we would have to register every active device of our customers and assign the static IP addresses on each of our VPN servers. In addition, we would have to store the last login timestamp for each device in order to reclaim unused IP addresses. Our users would then not be able to connect their devices after a few weeks because the addresses would have been reassigned.
It is particularly important to us that we do not create or store any connection logs at all. Therefore, we cannot store the above registration and login data that would currently be required for WireGuard to operate.
VPN.ac raised similar concerns about WireGuard’s flaws with regard to user privacy:
ExpressVPN is another VPN service that voiced concerns over WireGuard’s design and its implications for privacy:
One of the challenges WireGuard faces is to ensure anonymity for VPNs. No single user should be statically allocated a single IP address, neither on a public nor a virtual network. A user’s internal IP address might be discovered by an adversary (through WebRTC, for example), who might then be able to match it with records acquired from a VPN provider (through theft, sale, or legal seizure). A good VPN must be unable to match such an identifier to a single user. Currently, this setup is not easily achieved with WireGuard.
ExpressVPN will be supporting efforts to review and audit the WireGuard code, as we have done in the past with OpenVPN. We will contribute code and report bugs whenever we can and raise security and privacy concerns directly with the development team.
AirVPN has also chimed in over WireGuard’s implications for anonymity, as explained in their forum:
Wireguard, in its current state, not only is dangerous because it lacks basic features and is an experimental software, but it also weakens dangerously the anonymity layer. Our service aims to provide some anonymity layer, therefore we can’t take into consideration something that weakens it so deeply.
We will gladly take Wireguard into consideration when it reaches a stable release AND offers at least the most basic options which OpenVPN has been able to offer since 15 years ago. The infrastructure can be adapted, our mission can’t.
In their forums, AirVPN further explained why WireGuard simply does not meet their requirements:
- Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic;
- Wireguard client does not verify the server identity (a feature so essential that it will be surely implemented when Wireguard will be no more an experimental software); the impact on security caused by this flaw is very high;
- TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that’s a horrible regression when compared to OpenVPN);
- there is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods.
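The static address binding that both AzireVPN and AirVPN object to is visible in the server's own configuration: every customer device is a `[Peer]` block whose `AllowedIPs` is a fixed address tied to that device's public key. The following is an added example, not code from the article or from any of the providers quoted, that parses such a file and lists the key-to-address table a provider would have to maintain, and flags an address listed under two peers. The configuration text, the addresses and the placeholder keys are constructed for the example; standard `configparser` is not used because it rejects the repeated `[Peer]` headers that WireGuard files rely on.

```python
"""Added example: list the fixed (public key -> VPN address) bindings in a
WireGuard server config. The config below is constructed; the keys are
placeholders, not real keys."""
import ipaddress

SAMPLE_WG0_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
Address = 10.8.0.1/24
ListenPort = 51820

# every customer device is a [Peer] with a pre-assigned address
[Peer]
PublicKey = PEER_A_PLACEHOLDER_KEY=
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = PEER_B_PLACEHOLDER_KEY=
AllowedIPs = 10.8.0.3/32, fd00:8::3/128

[Peer]
PublicKey = PEER_C_PLACEHOLDER_KEY=   # mistakenly given B's address
AllowedIPs = 10.8.0.3/32
"""


def parse_wg_config(text: str):
    """Return [(section_name, {key: value}), ...] in file order.
    Repeated [Peer] sections are kept separately, unlike configparser."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments (base64 has no '#')
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)     # split once: key values end in '='
            current[1][key.strip()] = value.strip()
    return sections


def peer_address_bindings(text: str):
    """Map each peer public key to the list of networks it is allowed to use.
    For a VPN provider this is exactly the per-device record the article's
    quoted providers say they would rather not hold."""
    bindings = {}
    for name, kv in parse_wg_config(text):
        if name != "Peer":
            continue
        nets = [ipaddress.ip_network(n.strip())
                for n in kv.get("AllowedIPs", "").split(",") if n.strip()]
        bindings[kv["PublicKey"]] = nets
    return bindings


def find_duplicate_addresses(bindings):
    """Networks listed under more than one peer. WireGuard's cryptokey routing
    gives each address exactly one owning key, so such a config is inconsistent
    and one of the peers will silently lose the address."""
    owners = {}
    for key, nets in bindings.items():
        for net in nets:
            owners.setdefault(net, []).append(key)
    return {net: keys for net, keys in owners.items() if len(keys) > 1}


if __name__ == "__main__":
    table = peer_address_bindings(SAMPLE_WG0_CONF)
    for key, nets in table.items():
        print(key, "->", ", ".join(str(n) for n in nets))
    for net, keys in find_duplicate_addresses(table).items():
        print("DUPLICATE", net, "claimed by", keys)
```

Run against a real `wg0.conf` (as root, since the file holds the server's private key) the table it prints is the registration data AzireVPN's quote refers to; the duplicate check is the kind of consistency test a provider would want before the address-reclaiming logic they describe reassigns anything.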
Despite these concerns, many VPN services are already rolling out full WireGuard support. Other VPNs are watching the project and are interested in implementing WireGuard after it has been thoroughly audited and improved.
In the meantime, however, as AirVPN stated in their forum:
“We will not use our customers as testers.”
3. New and untested
Sure, OpenVPN has its issues, but it also has a long track record and is a proven VPN protocol with extensive auditing. While Donenfeld may refer to OpenVPN as “outdated” in various interviews, others may see it as proven and trustworthy – qualities that WireGuard currently lacks.
Initially released in 2001, OpenVPN has a very long history. OpenVPN also benefits from a large user base and active development with regular updates. In May 2017 it underwent a major audit by OSTIF, the Open Source Technology Improvement Fund.
At this point, WireGuard appears to be more of a niche project – but one with potential for the industry. It is very new and is not yet out of the “heavy development” phase, although it has undergone a formal verification. Even after WireGuard is officially released, however, users would be wise to proceed with caution.
4. Limited adoption (for now)
As we covered above, there are some big hurdles in the way of industry-wide WireGuard adoption:
- The issue with key management and distribution (rather than using certificates).
- WireGuard needs its own infrastructure, separate from existing OpenVPN servers.
- Compatibility with existing operations. For providers that have built their service and features around OpenVPN, WireGuard may not be in the cards any time soon.
Perfect Privacy also explained that WireGuard is not compatible with their existing server-side features, such as multi-hop VPN cascades, TrackStop, and NeuroRouting. Nonetheless, I reached out to Perfect Privacy and they confirmed they may support WireGuard as a stand-alone option at a later date.
Similarly, AirVPN also stated that WireGuard is “totally unusable” with their infrastructure:
At the moment it is totally unusable in our infrastructure because it lacks TCP support, lacks dynamic VPN IP assignment, and (at least the build we have seen) lacks a strictly necessary security feature (verification of the CA certificate provided by the server, therefore the client can’t be sure that on the other side some hostile entity is not impersonating a VPN server).
Conclusion: not recommended
Considering the current state of WireGuard, the privacy implications, and the fact that it has not been audited, WireGuard is not recommended for regular use.
Furthermore, the privacy concerns that are inherent with WireGuard (by design!) are a major drawback.
This is not likely to improve and it forces VPN services to create some kind of unique out-of-the-box solution to make it work with their no-logs policies, as we saw above with AzireVPN. This drawback does not affect OpenVPN.
Nonetheless, WireGuard may be ideal for some users, depending on their threat model and specific needs. At the present time, however, it would be wise to stay with OpenVPN or perhaps IPSec for regular use.
Which VPN services support WireGuard?
Here are the VPNs that currently support WireGuard or have confirmed they are testing WireGuard with the intention of supporting the protocol when it’s ready:
- AzireVPN (servers live)
- VPN.ac (servers live)
- TorGuard (servers live)
- Mullvad (servers live)
- IVPN (servers live)
- NordVPN (still in testing)
- Private Internet Access (still in testing)
Now we’ll take a closer look at each of these WireGuard VPN services below.
1. AzireVPN – WireGuard servers live
AzireVPN is a Sweden-based VPN service that is focused on privacy and security. It was one of the earliest adopters of WireGuard and has a WireGuard section on their website:
We have developed an API for keys distribution and are looking into adding WireGuard to our client. At the moment, this protocol can be used on Windows, Linux, macOS, Android and routers running OpenWRT, but support for Windows is coming soon. Simply sign up to connect to all of our WireGuard servers, available in each of our locations.
Note: AzireVPN currently supports Windows users via the third-party TunSafe VPN client. However, there is no official WireGuard support for Windows at this time and the developer recommends not using third-party clients:
A Windows client is coming soon. In the meantime, you are strongly advised to stay away from Windows clients that are not released from this site, as they may be dangerous to use, despite marketing efforts.
2. VPN.ac – WireGuard servers live
VPN.ac announced on their blog that after having tested WireGuard internally, they have decided to support the protocol. As they explained on their website (blog):
Initially it will be available in beta. The implementation is a bit challenging, due to WireGuard’s design which doesn’t make it fit into our infrastructure out of the box.
We want the implementation to be as good and simple as possible from scratch, and entirely automated. This requires quite some work on the back-end side: APIs, servers sync-ing keys and so on. Not as easy as firing up yet another server, but definitely doable.
VPN.ac has laid out three stages for fully integrating WireGuard into their service:
- Stage 1: design and deploy the back-end APIs
- Stage 2: front-end availability of config generator for manual setup / 3rd party client software
- Stage 3: implementation into our VPN client apps
If you want to test WireGuard with VPN.ac, they offer discounted test accounts (see FAQ page), which gives you a one-week full trial subscription for $2.
3. TorGuard – WireGuard servers live
TorGuard is a US VPN service that I’ve found to offer good performance and many features, including email services, dedicated IP addresses, and streaming bundles.
The TorGuard website has various guides for setting up TorGuard on different devices.
4. Mullvad – WireGuard servers live
Like AzireVPN, Mullvad is also based in Sweden and was one of the first VPNs to implement WireGuard.
Mullvad currently supports WireGuard on Linux, Mac OS, Android, and some routers. They also have a large network of active WireGuard servers (49 total) in addition to 281 OpenVPN servers.
5. IVPN – WireGuard servers live
IVPN is a Gibraltar-based VPN service that also supports WireGuard. It appears to be the first provider to build WireGuard into its own VPN clients, which is notable given that the code is still under development. As IVPN explains on its website:
WireGuard is available on our macOS, iOS & Android clients. You can also connect using most of the Linux distros. WireGuard is not supported on Windows at this time.
IVPN currently has 10 WireGuard server locations.
Other WireGuard VPN providers
There are also a few different VPN services that have publicly stated their intentions to add WireGuard, but are not yet ready for implementation.
NordVPN
NordVPN does not currently support WireGuard, but they are actively testing it and preparing for a release when it is ready.
Private Internet Access
Private Internet Access is a big supporter of WireGuard and has also donated to the cause. Nonetheless, it is not ready to pull the trigger and offer WireGuard to its users due to the current status and lack of an audit, as they explained on reddit:
WireGuard is great, but it is under active development. This means that there are security bugs waiting to be found, and there could be serious consequences for VPN providers who are early adopters. A security or privacy breach is a risk we cannot take as an organization.
The future of WireGuard VPN
So what does the future hold for WireGuard VPN?
Once WireGuard is fully released, gets audited, and is cleared for regular use, it will likely continue to gain popularity – assuming that it is well-received by the VPN user base. With increasing popularity and demand, you can be sure that more VPN services will incorporate WireGuard into their infrastructure – even if that comes with some growing pains. While many of the top VPN services do not currently support WireGuard, that may change over time.
Due to user interest, we are already seeing early adopters and various VPN providers using their WireGuard implementation as a marketing tool, with accompanying press releases (**cough** just for testing **cough**). This trend will likely continue.
WireGuard may become a popular protocol for mobile users, where it does indeed offer some advantages.
If you would like to try this new VPN protocol, you can test drive it with one of the WireGuard VPN services above. Be sure to consider the privacy and security implications given the current state of the project. Until WireGuard is fully released and audited, however, it would be best to stick with OpenVPN or IPSec for regular use.
Last updated on June 28, 2019.