With the potential to bring major change to the VPN industry, an interesting new VPN (Virtual Private Network) protocol called WireGuard is gaining traction among Linux users and application developers. So, what is WireGuard? What are its pros? What are its privacy problems? I’ll answer all these questions in this article, so let’s begin.
What is WireGuard?
Well, as already mentioned above, it’s a VPN protocol, but what wasn’t mentioned is that it uses state-of-the-art cryptography and is fast, easy to configure, open-source, and secure. It aims to be faster, simpler, and leaner than IPsec and OpenVPN so that it can be easily deployed on all sorts of systems, from low-end devices like the Raspberry Pi to high-end servers.
The developer behind WireGuard is Jason Donenfeld (security researcher and kernel developer, and the founder of Edge Security). IPsec, OpenVPN, and other such solutions were developed decades ago. Jason realized that they were slow and not easy to configure and manage properly. This compelled him to create a new open-source VPN protocol and implementation that is faster, secure, and easier to deploy and manage.
He once said in an interview that the idea for WireGuard came to him when he was living overseas and needed a VPN for Netflix.
Originally developed for Linux, WireGuard is now available across several platforms.
- Updated encryption
As mentioned above, IPsec, OpenVPN, and other such solutions were developed decades ago; Jason wanted to replace what he considered to be “outdated” protocols. WireGuard is built on state-of-the-art cryptography: the Noise protocol framework, Curve25519 for ECDH, ChaCha20 for symmetric encryption with Poly1305 for authentication, BLAKE2 for hashing and keyed hashing, SipHash24 for hashtable keys, HKDF for key derivation, and secure, trusted constructions.
If you want to learn more about WireGuard’s modern cryptography, then you should definitely pay a visit to the official website of WireGuard.
- A simple and minimal codebase
Now you may be thinking that, since it uses all this state-of-the-art cryptography, its codebase must be bigger too. Well, you’ll be surprised to know that WireGuard has a very lean codebase of only about 4000 lines of code. This is in stark contrast to OpenVPN and IPsec, which have over 400,000 and 600,000 lines of code, respectively.
A smaller codebase provides a lot of advantages such as:
- It is much easier to audit. Auditing OpenVPN or IPsec would take many days even for a large team, and much longer for a smaller one. One person can read through WireGuard’s codebase in a few hours.
- Easier auditing means vulnerabilities are found (and fixed) sooner, which helps keep WireGuard secure.
- Much smaller attack surface in comparison to OpenVPN and IPsec
- Better performance
- Performance improvements
In theory, WireGuard should offer improved performance in the form of:
- Greater speeds
- Increased battery life with phones and other mobile devices
- Better roaming support (phones and other mobile devices)
- More reliability
- Quicker at establishing connections (faster handshake)
Mobile VPN users will find WireGuard to be particularly beneficial. If your mobile device switches from Wi-Fi to mobile/cell data, or in other words changes network interfaces, the connection will not be interrupted. It persists as long as the VPN client continues to send authenticated data to the VPN server.
- Cross-platform ease of use
Although there is still some time before it’s fully implemented, WireGuard should still work very well across different platforms. It supports Mac OS, Android, iOS, Linux, and Windows.
- Now merged into the Linux kernel
At the end of March this year, it was announced that WireGuard would be officially included in the 5.6 Linux kernel.
New Linux users may find this confusing. You know that you can install and configure a WireGuard VPN server on Linux, but then you also read the news that Linux kernel 5.6 will include WireGuard. Let me make it simpler for you.
Previously, WireGuard had to be installed on Linux as an out-of-tree kernel module. Regular applications like Audacity, GIMP, Thunderbird, etc., are installed on top of the Linux kernel (in userspace), not inside it.
When you install WireGuard as a kernel module, you are basically adding code to the running Linux kernel yourself. Starting with kernel 5.6, you won’t need to add the module manually: it is included in the kernel by default.
WireGuard Privacy Problems
There is no doubt that when it comes to performance and security, WireGuard offers many advantages, but by design, it is not ideal for privacy. Let’s examine some privacy issues with WireGuard.
Issue 1: WireGuard stores user IP addresses on the VPN server indefinitely
By default, WireGuard keeps the public IP address of each connected peer on the server. These user IP addresses stay on the server indefinitely, or until it is rebooted. This makes the out-of-the-box version of WireGuard incompatible with no-logs VPN services.
Issue 2: WireGuard does not assign dynamic IP addresses
At present, WireGuard requires that each key pair (which can be viewed as a device) be assigned a static internal IP address. This works for smaller installations without much of an issue, but it can quickly become complex when many customers need to connect.
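Both issues are visible in the server’s own peer table. The script below is an added example (not code from WireGuard or from this article): it parses the tab-separated output of `wg show <iface> dump` (interface line first, then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp with 0 meaning never, rx bytes, tx bytes, persistent keepalive) and reports which peers still have a public endpoint retained after going idle (Issue 1) and which static internal addresses each key pair is pinned to (Issue 2). The sample dump, key names and the 180-second idle threshold are constructed for the example.

```python
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]    # peer's last-seen public IP:port, None if never seen
    allowed_ips: List[str]     # static internal addresses bound to this key pair
    latest_handshake: int      # Unix timestamp, 0 if no handshake yet

def parse_dump(dump: str) -> List[Peer]:
    """Parse `wg show <iface> dump`; the first line describes the interface."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        pub, _psk, endpoint, allowed, hs, _rx, _tx, _ka = line.split("\t")
        peers.append(Peer(pub, None if endpoint == "(none)" else endpoint,
                          allowed.split(","), int(hs)))
    return peers

def retained_endpoints(peers: List[Peer], now: int, idle_after: int = 180) -> List[str]:
    """Issue 1: keys whose public IP is still held although the peer has been
    silent longer than idle_after seconds. WireGuard never clears an endpoint
    itself; removing the idle peer (and re-adding it later) discards it."""
    return [p.public_key for p in peers
            if p.endpoint and now - p.latest_handshake > idle_after]

def static_ip_map(peers: List[Peer]) -> Dict[str, List[str]]:
    """Issue 2: every key pair is tied to fixed internal addresses."""
    return {p.public_key: p.allowed_ips for p in peers}

# Constructed sample: placeholder keys, documentation IP ranges.
SAMPLE_DUMP = (
    "SERVER_PRIV\tSERVER_PUB\t51820\toff\n"
    "PEER_A_PUB\t(none)\t203.0.113.10:41641\t10.0.0.2/32\t1700000000\t1024\t2048\toff\n"
    "PEER_B_PUB\t(none)\t198.51.100.7:51820\t10.0.0.3/32,fd00::3/128\t1700000170\t10\t20\t25\n"
    "PEER_C_PUB\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n"
)

def live_dump(iface: str = "wg0") -> str:
    """Read the real table from a server (needs root); not used by the sample."""
    return subprocess.run(["wg", "show", iface, "dump"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    peers = parse_dump(SAMPLE_DUMP)
    print("retained endpoints:", retained_endpoints(peers, now=1700000200))
    print("static addresses:", static_ip_map(peers))
```

Run against `live_dump()` on a real server, the first list is exactly the set of user IP addresses a no-logs provider would not want sitting in memory.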
WireGuard VPN Services
In the end, let’s take a look at some of the best VPN services that support WireGuard.
NordVPN, a Panama-based VPN service, has now released full WireGuard support via NordLynx, with a double NAT (Network Address Translation) system for privacy.
To use WireGuard with NordVPN, open the NordVPN app (on Windows, Mac OS, iOS, Android, or Linux), select the NordLynx protocol, and connect to a VPN server. Secure key generation and IP address management are handled in the app’s background to ensure user privacy.
Mullvad, a Sweden-based commercial VPN service whose software is free and open-source, was one of the early adopters of the WireGuard VPN protocol. Like NordVPN, it offers full WireGuard support in its VPN apps.
To use WireGuard with Mullvad, all you need to do is select the WireGuard protocol in the app. On iOS and Android devices, WireGuard is the default protocol.
AzireVPN is also one of the earliest adopters of WireGuard, offering support all the way back in 2017. While AzireVPN supports WireGuard, they have not yet incorporated the WireGuard protocol into their own VPN clients. To use WireGuard with AzireVPN, you’ll need to install the official WireGuard client on your OS and then download and import the configuration files.
That’s all, folks!