You might have heard the term WireGuard thrown around on the Internet in connection with VPNs. If you nodded, you may also be conflicted. While many praise its speed, others claim it comes with design flaws that threaten security and make it inferior to OpenVPN or IPsec. To be frank, both are true, but not the full story. Its effects also depend on what you seek to achieve from VPN use – different strokes for different folks, right? Rest assured, it comes with multiple benefits. Otherwise, it wouldn’t exist, be under the spotlight, or get developed as heavily as it is. With that out of the way, let’s answer, “what is WireGuard?”
Definition of WireGuard
WireGuard is a secure communication protocol that provides VPN tunneling and allows establishing encrypted Virtual Private Networks (VPNs). Right off the bat, you should know WireGuard only works via UDP (User Datagram Protocol). While less secure than TDP (Transmission Control Protocol), UDP is superior when it comes to speed. Furthermore, this VPN protocol supports both IPv4 and IPv6, both outside and within the tunnel. Moreover, it can encapsulate them within one another (protect IPv4 data with an IPv6 protection packet and vice versa).
One thing to note
WireGuard also refers to the eponymous free software (program or application) that utilizes the aforementioned VPN protocol, primarily on mobile devices. These are intended as lightweight, user-friendly ways to create WireGuard tunnels to a chosen server and check the status from any supported device.
Is WireGuard open-source?
Yes, WireGuard is open-source and free. What’s more, it’s extremely lightweight and optimized, going so far as to have its source code called “work of art compared to IPsec and OpenVPN” by the creator of Linux, Linus Torvalds, in 2018. The same year, an Ars Technica examination found it had 4000 lines of code, which included both kernel and cryptography. In contrast, OpenVPN had over 100,000, and that only covered the kernel. It hinges on OpenSSL for cryptography, which came up to about 400,000 lines of code combined.
How does WireGuard work?
WireGuard doesn’t dabble in different types of encryption, algorithms for hashing, and multiple ways of key exchange such as SHA or AES. Instead, it’s based on tried and tested cryptography primitives (well-established low-level algorithms) and a system of public keys exchange via pre-shared symmetric key mode. They call the procedure “Cryptokey Routing”. Each network interface gets a short private and public key and assigns users a VPN IP address based on the latter. Public keys are distributed similarly to OpenSSH public keys and used for authentication between peers (such as an application on the client-side) and the network interface.
However, network interfaces only communicate with the peers whose public IP address is on the Allowed list. Otherwise, packets are dropped. In other words, when sending data packets, the list of IP addresses represents the routing table. When receiving them, it becomes an Access Control List. Because it won’t respond to unknown packets, any inquiries and scanning of your network won’t reveal you’re using a VPN. Even better, once WireGuard detects there’s no data transfer, the connection is paused, saving data on both sides.
Evident advantages over standard cryptography
The VPN configuration between the client and server is not only pre-defined but also connectionless. This consumes fewer resources and makes the protocol user-friendly. Because it’s based on crypto primitives, users don’t need to (and can’t) tinker with the configuration and wreak havoc. Moreover, connecting and reconnecting to the VPN server is instantaneous. As a reminder, VPNs based on other protocols usually need a few or up to 30 seconds to fully establish the VPN connection.
Detailed data for advanced users
We tried to explain the way WireGuard works in layman’s terms. For those with extensive knowledge, here’s what it uses and what for:
- Curve25519 to exchange public keys
- BLAKE2s as a cryptographic hash function (CHF)
- ChaCha20 to achieve symmetric encryption
- SipHash to implement hash tables for keys
- Poly1305 to authenticate message codes (MACs or tags)
When you use WireGuard for the first time, the protocol knows the endpoint for the server. That way, you can encrypt the data you send before you get any back. However, the server has no data about the peer. Instead, it pinpoints the client endpoint manually, based on the location of the data it received and verified. The process then turns into a back-and-forth. Both client and server can discover new endpoints using the location of the latest successful decryption. Therefore, both sides can switch between types of connections (Wi-Fi, mobile data, etc.) without interruption or editing the VPN configuration.
Where does WireGuard work?
WireGuard currently works on Linux (and distributions based on its kernel/compatible with Network Manager), Android, Windows 7+, macOS, NetBSD, FreeBSD, and OpenBSD. The integration into third-party software should expand its support of devices and operating systems.
How fast is WireGuard?
This is very hard to gauge and depends on your system and network. However, a test conducted by VladTalks Tech in May 2021 found WireGuard to be 15% faster than OpenVPN when they both used UDP. The speed increase rose to 56% when OpenVPN shifted to the commonly used TCP-over-TCP mode of communication. Furthermore, Perimeter81 testing concluded that WireGuard has nearly 3.9 times higher bandwidth than OpenVPN and 3.2 times lower ping time.
Security problems: Reason for concern?
WireGuard has advantages and disadvantages, and we’ll get into them all separately. For now, let’s dive into 4 frequent complaints:
1. It can’t allocate dynamic IP addresses
This is true. You take a risk when you always get an identical VPN IP address but only for the in-house protocol. Third-party providers that utilize WireGuard configure the protocol themselves and most allocate IP addresses dynamically.
2. It logs my real IP address
By default, WireGuard doesn’t delete logged real IP addresses. While this can be a problem if external VPN services want to prevent logging, nothing stops them from deleting them. This is a standard practice in the Privacy Policies of reputable VPN providers.
3. WireGuard doesn’t change keys
Correct again – this VPN protocol supports forward secrecy. However, the keys remain static during handshakes unlike PFC (Perfect Forward Secrecy) where VPNs generate a new encryption key for every session. If someone breaks into the server and obtains it, they can decrypt your Internet traffic.
4. It lacks obfuscation
Yes, you might fail to watch restricted shows or bypass the Great Firewall of China with WireGuard by default. External VPN services solve this by enveloping WireGuard connection into a bonus layer on top.