WireGuard, both the free VPN protocol and software, started getting popular in 2020. This comes as no surprise. Its target audience is the general populace that wants the benefits of a VPN but not to get into the nitty-gritty. It attracts users with newer cryptography standards and a new method of VPN tunneling, boosting security considerably. Additionally, it’s considered fast while being lightweight and effortlessly flies under the radar of network inspections. It has some drawbacks, but those can be mitigated by experienced VPN providers. With that said, let’s dive into the advantages and disadvantages of WireGuard.
Advantages of WireGuard
We prefer to look on the bright side. So, let’s start with the pros of WireGuard.
Exceptional VPN speed, ping, and throughput
WireGuard is undeniably at the top of the leaderboard in regards to speed. Unsurprisingly, it’s hard to get precise results, since they vary daily and depend on the VPN provider and which server you connect to. For example, people over at Vlad Talks Tech conducted a speed test in May 2021 and found it had a 15% higher speed compared to OpenVPN when both utilized using UDP (User Datagram Protocol). WireGuard Performance test demonstrated a 13% higher throughout than IPsec using AES-GCM encryption and a 75% boost in throughput compared to OpenVPN. Similarly, WireGuard had a 77.5% lower ping than IPsec and a 74% lower latency than OpenVPN.
Easy to use on multiple devices simultaneously
WireGuard lets you forget about downloading and changing VPN configuration files manually. Yes, even when the IP address expires or you want to switch locations. After you install a WireGuard app (or a third-party app that supports it) and sign in, you already have server endpoint data. The VPN tunnel is established when your device and the server perform the first handshake and exchange keys. From that point on, they can discover each other automatically and the VPN configuration is updated on the fly. To learn more, read about “IP Roaming” in the WireGuard breakdown we mentioned in the beginning.
Growing app support and a time-saving functionality
While reading the breakdown, refer to the “Where does WireGuard work?” section for a list of supported platforms. An added (and crucial, might we add) benefit is that connecting to the VPN server is instantaneous with WireGuard. This is in opposition to a few seconds or even up to 20 seconds on other protocols. Also, we presume you’ll connect a few times per day on multiple devices. This, alongside the fact that reconnecting after the kill switch intervenes is now immediate, unquestionably adds up over time.
Don’t let the fact this protocol doesn’t use AES or SHA fool you. The cipher used for symmetric encryption, ChaCha20, is just as powerful, and likely faster. It’s based on the Elliptic Curve Diffie-Hellman (ECDHE) protocol for key agreement and combined with Poly1305 for data exchange. Case in point, as of 2015, the best attack only cracked 8 of the 12 or 20 rounds of encryption (hence ChaCha12 and ChaCha20) the data goes through.
Free, open-source, concise code
Another crucial merit of WireGuard is its code. We covered this in the “Is WireGuard open-source?” section in the aforementioned WireGuard examination. Long story short, it only uses 4000 lines of code to deploy full functionality and cryptography. To give you an idea, if you were to join OpenVPN and OpenSSL, you’d get around 600,000 lines of code, while IPsec, combined with StrongSwan and XFRM reaches the 400,000 lines mark.
Easy audits and light on the system resources
The advantage of WireGuard above makes it quick and easy to audit for any bugs, inconsistencies, and security exploits. It also creates a smaller attack surface, reducing the chance a vulnerability can even be found. Since code is compact when implemented into software, it leads to lower battery drain, less CPU usage, and lower system requirements for the devices. It’s only going to get faster as more hardware start supporting ChaCha20 and Poly1305, as it currently relies on software instructions.
Stealthy and well-protected
While its focus isn’t on obfuscation, it only communicates with the IP addresses that are on the Allowed list. In other words, it doesn’t respond to unauthorized packets and remains hidden from them. Plus, WireGuard doesn’t reuse cryptographic nonces and uses a 64bit counter which cannot be wound backward. This makes the protocol particularly resistant against DoS (Denial of Service) and replay attacks, as well as network inspections.
Disadvantages of WireGuard
Things look quite promising, no doubt. However, there are some cons of WireGuard you should be aware of:
No obfuscation by default
Because its goal is to provide VPN tunneling most simply and efficiently possible, WireGuard leaves the doors open for obfuscation on a layer above. This allows users who want to build a VPN and VPN providers alike to set it up in a way they prefer. Unfortunately, it also means that without concealing the VPN tunnel, you’ll likely struggle to pass the DPI (Deep Packet Inspection) and thus may not bypass VPN blocks on major streaming services and in China.
Prone to data packet loss
This isn’t WireGuard’s fault but rather that of UDP (User Datagram Protocol). While considerably faster than TCP, it doesn’t check if the data packets arrived at the destination. WireGuard intended it that way; they noticed that TCP-over-TCP tunneling quells network performance. Instead, they use a sliding window that counts the greatest counter received and record the last 2000 values. They also suggest using third-party software to tunnel UDP packets into a TCP connection if need be. The VPN providers do the same unless they have a custom solution to the loss of data packets.
Certain privacy concerns
Don’t jump to conclusions. Read the “Security problems: Reason for concern?” section in the WireGuard article at the start. As you can see, these only apply to the unaltered version of the protocol. Each VPN provider has its solution – exactly what the WireGuard developer predicted. For example, NordVPN uses a double NAT system in their in-house WireGuard-based VPN protocol, NordLynx. It provides the same IP address to every user, but as soon as the tunneling is achieved, each tunnel gets a unique IP address. That way NordVPN doesn’t have to store logs, delegates IP addresses dynamically, implements TCP tunneling if necessary, and supports PFC (Perfect Forward Secrecy).