What Is WireGuard VPN?


If you use a VPN, there’s a good chance it runs using OpenVPN or IPsec, which have been the dominant standards for quite a while. WireGuard, however, is giving them a run for their money, and it’s easy to see why. It’s cleanly coded, connects in a snap, uses heavily tested modern cryptography, and works with just about everything. WireGuard was even included in Linux kernel 5.6. Linux creator Linus Torvalds said, “Compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”

What is WireGuard and what makes it different?


Like OpenVPN and IPsec, WireGuard is a VPN system. This means it establishes an encrypted connection between a client machine (your computer) and a server located somewhere else. You send your requests to the server, and the server forwards them to the site you’re trying to access. The site then sends the information back to the server in the middle, and the server relays that back to you. It’s great for privacy and security as long as you can trust your VPN provider and the technology it’s using.


One reason WireGuard is so popular is that it enables increased trust in the technology side of things. It’s open source, and at just under 4,000 lines of code, it’s around 1 percent of the size of competing technologies (OpenVPN/IPsec). This means a knowledgeable individual could get their head around it relatively quickly. This represents WireGuard’s “security through simplicity” philosophy. With a smaller attack surface, there are fewer places for vulnerabilities to go overlooked, and patching them when they do appear is easier.


The codebase is so small partially because WireGuard uses a customized (but still cryptographically valid) suite of some of the most modern cryptographic tools (ChaCha20, Curve25519, Poly1305, BLAKE2s, SipHash24, etc.). It uses them to establish and encrypt communications rather than implementing entire protocols. The system has been rigorously tested and found to be sound.

Additionally, it maintains its security through versioning. When an issue is discovered with one of its protocols, WireGuard can simply be patched and updated. That’s actually faster and potentially more secure than the more complex process of “cryptographic agility” that older VPNs use to swap protocols out in a more piece-by-piece way.


For most users, however, the most noticeable changes brought by WireGuard are how quickly it connects and how stable it is. That’s because WireGuard’s encryption system is based on exchanging keys (much like SSH). This is much faster than the certificate-based system that dominates most VPNs. It also consumes fewer resources than its competitors, making it noticeably easier on the machines that run it.


Are there any issues with WireGuard?

As with any system, WireGuard isn’t 100 percent perfect. The dev team is still building out some features and working on improving compatibility with different systems. But it’s completely usable and secure in its current form.

One of the most common complaints about WireGuard, though, is that it’s built for security and not for privacy. It provides a communication protocol and comes with some built-in privacy measures but leaves a lot up to the people who are running the servers. Most of this has to do with the way it stores IP addresses. Every VPN protocol needs to know where to send the data. Because of the way WireGuard connects, it typically takes longer to “forget” a connected IP than something like OpenVPN does.

This is an issue that most WireGuard VPN providers take care of by ensuring that the addresses are deleted regularly and not logged. It’s quite fixable. It’s worth pointing out that no VPN technology is safe if a provider wants to keep logs. A VPN that wants to spy on you can do it with WireGuard or OpenVPN, so either way, you have to find one you can reasonably trust not to.
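As an added example (not code from WireGuard or from any provider), here is one way an operator could audit which peers still have an endpoint IP stored after going idle. It parses the tab-separated output of `wg show <interface> dump`; the sample dump, the placeholder keys and the 180-second idle limit are constructed assumptions.

```python
import time

# Constructed sample of `wg show wg0 dump` output. The first line describes
# the interface, every following line one peer. Keys are placeholders.
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIV_placeholder=\tSERVER_PUB_placeholder=\t51820\toff",
    "PEER_A_placeholder=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t1024\t2048\toff",
    "PEER_B_placeholder=\t(none)\t198.51.100.7:40000\t10.0.0.3/32\t1699990000\t512\t256\t25",
    "PEER_C_placeholder=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

MAX_IDLE_SECONDS = 180  # assumed retention policy, not a WireGuard default


def parse_peers(dump_text):
    """Return one dict per peer line of a `wg show <if> dump` listing."""
    peers = []
    for line in dump_text.strip().splitlines()[1:]:  # skip interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError("unexpected peer line: %r" % line)
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed,
            "latest_handshake": int(handshake),  # Unix time, 0 = never
        })
    return peers


def stale_endpoints(dump_text, now=None, max_idle=MAX_IDLE_SECONDS):
    """Public keys of idle peers whose endpoint IP is still remembered."""
    now = time.time() if now is None else now
    stale = []
    for peer in parse_peers(dump_text):
        if peer["endpoint"] is None:
            continue  # no address stored, nothing to forget
        if now - peer["latest_handshake"] > max_idle:
            stale.append(peer["public_key"])
    return stale


if __name__ == "__main__":
    for key in stale_endpoints(SAMPLE_DUMP, now=1700000060):
        print("endpoint still stored for idle peer:", key)
```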

How can I start using WireGuard?

WireGuard is quickly gaining traction among many VPN subscription services. If you want to start using it, you only have to do a quick search for providers that have implemented the system. NordVPN, Private Internet Access, ExpressVPN, and TorGuard are all reliable services that give you the option of using WireGuard.


If you’re more of a do-it-yourself VPN person, WireGuard is open source and supports a wide variety of platforms. You could use anything from a virtual private server to a Raspberry Pi to get your own WireGuard VPN implementation up and running. I was able to start an encrypted WireGuard connection between a Windows 10 machine and an Ubuntu 20.04 VPS pretty quickly. However, it did take some bug-hunting before it would actually transmit data.

Is WireGuard the future?

Unless something goes terribly wrong, WireGuard is likely to become the default option for many VPN connections, especially considering its favored place in the Linux kernel. OpenVPN and IPsec are well-established, widespread technologies, though, and they’re not going away anytime soon. WireGuard is still a very new technology. While it arguably has the edge in a lot of ways, its competitors are already embedded in many systems and retain some comparative advantages. That said, WireGuard is the next generation of VPN software. Unless you have a good reason not to use it, it’s probably the way to go.

If you are looking for a VPN service, learn the things you should look for when choosing a VPN provider.


Andrew Braun
