With the potential to bring major change to the VPN industry, an interesting new VPN (Virtual Private Network) protocol called WireGuard is currently gaining traction among Linux users and application developers. So, what is WireGuard? What are its pros? What are its privacy problems? I’ll answer all these questions in this article, so let’s begin.
What is WireGuard?
Well, as already mentioned above, it’s a VPN protocol, but what’s not mentioned is that it uses state-of-the-art cryptography and is fast, easy to configure, open source and secure. It aims to be faster, simpler and leaner than IPsec and OpenVPN so that it can be easily deployed on all sorts of systems, from low-end devices like the Raspberry Pi to high-end servers.
The developer behind WireGuard is Jason Donenfeld (a security researcher and kernel developer, and the founder of Edge Security). IPsec, OpenVPN and similar solutions were developed decades ago. Jason found them slow and not easy to configure and manage properly, which compelled him to create a new open source VPN protocol and implementation that is faster, secure, and easier to deploy and manage.
He once said in an interview that the idea for WireGuard came to him when he was living overseas and needed a VPN for Netflix.
Originally developed for Linux, WireGuard is now available across a number of platforms.
- Updated encryption
As mentioned above, IPsec, OpenVPN and similar solutions were developed decades ago, and Jason wanted to replace what he considered to be “outdated” protocols. WireGuard is built on state-of-the-art cryptography: the Noise protocol framework, Curve25519 (for ECDH key agreement), ChaCha20 (for symmetric encryption) with Poly1305 (for authentication), BLAKE2 (for hashing and keyed hashing), SipHash24 (for hashtable keys), HKDF (for key derivation), and other secure, trusted constructions.
If you want to learn more about WireGuard’s modern cryptography, then you should definitely pay a visit to the official website of WireGuard.
- Simple and minimal code base
Now, you may be thinking that since it supports all this state-of-the-art cryptography, its code base must be bigger too. You’ll be surprised to learn that WireGuard has a very lean codebase of just about 4,000 lines of code. This is in stark contrast to OpenVPN and IPsec, which have over 400,000 and 600,000 lines of code, respectively.
A smaller code base provides a lot of advantages such as:
- It is much easier to audit. Auditing OpenVPN or IPsec would take a large team many days, and a smaller team even longer. One person can read through WireGuard’s codebase in a few hours.
- Being easier to audit means vulnerabilities are easier to find and fix, which helps keep WireGuard secure.
- Much smaller attack surface in comparison to OpenVPN and IPSec
- Better performance
- Performance improvements
In theory, WireGuard should offer improved performance in the form of:
- Greater speeds
- Increased battery life with phones and other mobile devices
- Better roaming support (phones and other mobile devices)
- More reliability
- Quicker at establishing connections (faster handshake)
Mobile VPN users will find WireGuard particularly beneficial. If your mobile device switches from Wi-Fi to mobile/cell data, in other words changes network interfaces, the connection will not be interrupted and will persist as long as the VPN client continues to send authenticated data to the VPN server.
- Cross-platform ease of use
Although there is still some time before it is fully implemented everywhere, WireGuard should still work very well across different platforms. It supports Mac OS, Android, iOS, Linux, and Windows.
- Now merged into Linux kernel
At the end of March this year, it was announced that WireGuard would be officially included in the 5.6 Linux kernel.
New Linux users may find this confusing. You know that you can install and configure a WireGuard VPN server on Linux, but then you also read the news that Linux kernel 5.6 is going to include WireGuard. Let me make it simpler for you.
Previously, WireGuard had to be installed on Linux as a separate kernel module. Regular applications like Audacity, GIMP, Thunderbird etc. are installed on top of the Linux kernel (in user space), not inside it.
When you install WireGuard as a kernel module, you are essentially modifying the Linux kernel yourself by adding code to it. Starting with kernel 5.6, you won’t need to add the module manually; it is included in the kernel by default.
WireGuard Privacy Problems
There is no doubt that, when it comes to performance and security, WireGuard offers a lot of advantages, but by design it is not ideal for privacy. Let’s examine some privacy issues with WireGuard.
Issue 1: WireGuard stores user IP addresses on the VPN server indefinitely
By default, WireGuard stores the IP addresses of connected clients on the server. These user IP addresses stay on the server indefinitely, or until it is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
Issue 2: WireGuard does not assign dynamic IP addresses
At present, WireGuard requires that each key pair (which can be thought of as one device) be assigned a static internal IP address. This works for smaller installations without much of an issue, but can quickly become complex when a large number of customers need to connect.
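As an added example (not from the article or the WireGuard project), the script below shows how an operator can counter Issue 1 and see Issue 2 in practice: it parses the tab-separated output of `wg show wg0 dump`, where column 4 is the static AllowedIPs bound to each key pair and column 5 is the last-handshake timestamp, and lists peers idle longer than a threshold so they can be removed with `wg set wg0 peer <key> remove`, after which the server no longer retains their endpoint address. The interface name `wg0` and the dump contents are assumptions; the keys and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: find WireGuard peers whose last handshake is older than a
# threshold, so an operator can drop them and stop retaining their endpoint.
# Assumes the `wg show <iface> dump` format (tab-separated):
#   line 1:  private-key  public-key  listen-port  fwmark
#   peers:   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# SAMPLE_DUMP is constructed sample data, not real keys or addresses.
SAMPLE_DUMP=$(printf '%s\n' \
    'PRIVKEY_REDACTED	SERVER_PUBKEY	51820	off' \
    'PEER_A_PUBKEY	(none)	198.51.100.10:41234	10.8.0.2/32	1700000000	1024	2048	25' \
    'PEER_B_PUBKEY	(none)	203.0.113.7:56789	10.8.0.3/32	1699990000	512	512	0' \
    'PEER_C_PUBKEY	(none)	(none)	10.8.0.4/32	0	0	0	0' | tr -d '\r')
# The literal tabs above may not survive copy/paste; rebuild them explicitly:
SAMPLE_DUMP=$(printf 'PRIVKEY_REDACTED\tSERVER_PUBKEY\t51820\toff\n')
SAMPLE_DUMP="$SAMPLE_DUMP
$(printf 'PEER_A_PUBKEY\t(none)\t198.51.100.10:41234\t10.8.0.2/32\t1700000000\t1024\t2048\t25\n')
$(printf 'PEER_B_PUBKEY\t(none)\t203.0.113.7:56789\t10.8.0.3/32\t1699990000\t512\t512\t0\n')
$(printf 'PEER_C_PUBKEY\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\t0\n')"

# stale_peers NOW MAX_IDLE  (reads a dump on stdin, prints one public key per line)
# A peer is stale when it never completed a handshake (timestamp 0) or when
# NOW - latest-handshake exceeds MAX_IDLE seconds.  Column 4 shows the static
# AllowedIPs each key pair is bound to (Issue 2); column 3 is the retained
# endpoint that removal clears (Issue 1).
stale_peers() {
    now=$1; max_idle=$2
    awk -F '\t' -v now="$now" -v max_idle="$max_idle" '
        NR == 1 { next }                           # skip the interface line
        $5 == 0 || now - $5 > max_idle { print $1 }
    '
}

# Against a live interface (needs root; not run here):
#   wg show wg0 dump | stale_peers "$(date +%s)" 180 | while read -r key; do
#       wg set wg0 peer "$key" remove
#   done
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | stale_peers 1700000100 180
fi
```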
WireGuard VPN Services
Finally, let’s take a look at some of the best VPN services that support WireGuard.
NordVPN
This Panama-based VPN service has now released full WireGuard support via NordLynx, with a double NAT (Network Address Translation) system for privacy.
One can easily use WireGuard with NordVPN: just open the NordVPN app (on Windows, Mac OS, iOS, Android, or Linux), select the NordLynx protocol and connect to a VPN server. Secure key generation and IP address management are handled in the background by the app to ensure user privacy.
Mullvad
This free and open-source commercial VPN service based in Sweden was one of the early adopters of the WireGuard VPN protocol. Like NordVPN, it offers full WireGuard support in its VPN apps.
To use WireGuard with Mullvad, all you need to do is select the WireGuard protocol in the app. With iOS and Android devices, WireGuard is the default protocol.
AzireVPN
AzireVPN is also one of the earliest adopters of WireGuard, offering support all the way back in 2017. While AzireVPN supports WireGuard, it has not yet incorporated the WireGuard protocol into its own VPN clients. To use WireGuard with AzireVPN, you need to install the official WireGuard client on your OS, then download and import the configuration files.
That’s all folks!