What Is WireGuard?


Heard about the WireGuard VPN protocol? It seems to be the newest development in terms of VPN connections, promising high security, enhanced performance compared to OpenVPN and IPSec, and ease of use.

But what is WireGuard, exactly? What kind of protocol is it, how does it work, and what specific details do you need to know about it? If you want to learn about that, this in-depth guide is just what you need.

Disclaimer: At the time of writing, WireGuard is still under heavy development and in the testing phase. If any new information comes up in the future that conflicts with what we wrote in this guide, feel free to reach out to us and let us know about it.

What Is WireGuard?

WireGuard is a new open-source VPN protocol that aims to provide a faster, simpler, and safer online experience to Internet users. The protocol is claimed to offer better performance than OpenVPN, and to be generally more useful and better designed than IPSec.

WireGuard was developed by Jason Donenfeld, the founder of Edge Security. Despite how young the protocol is (it was publicly announced in 2016 and described in a 2017 whitepaper, and it was still maturing through 2018), it has been adopted quickly, and it even caught the attention of Linux creator Linus Torvalds, who in 2018 called it a “work of art” compared to OpenVPN and IPSec.

How Does the WireGuard Protocol Work?

Like any VPN protocol, WireGuard creates an encrypted and authenticated connection (also called a “tunnel”) between two network entities. WireGuard itself has no client and server roles: both ends are simply peers, each identified by its public key. In the typical VPN deployment, though, one peer is the VPN client and the other the VPN server, and that is the language used in this guide.

One interesting thing to note about WireGuard is that handshakes are repeated roughly every two minutes to rotate the session keys, which gives forward secrecy. The trigger is time (with the number of packets sent under the current key as a backstop), not the contents or acknowledgement of earlier packets, so a lost packet does not cause the kind of disconnection that stateful protocols suffer.

Users also don’t need to tell the protocol to disconnect, reconnect, or reinitialize. WireGuard keeps a separate packet queue per peer and automatically detects when a session’s keys are out of date, queuing outgoing packets until a fresh handshake completes.

Also, once a handshake completes, the responder (the server, in this setup) will not send data over the new session until it has received at least one encrypted data packet from the initiator. That first packet serves as key confirmation: it proves the client actually holds the keys the handshake derived.

General Technical Details About WireGuard VPN

  • WireGuard uses a fixed set of modern primitives, with no cipher negotiation, so there is nothing for an attacker to downgrade:
    • ChaCha20 for symmetric encryption, combined with Poly1305 for authentication as the ChaCha20-Poly1305 AEAD (RFC 7539)
    • Curve25519 for ECDH (Elliptic-curve Diffie-Hellman, the key agreement step of the handshake)
    • BLAKE2s for hashing and keyed hashing
    • SipHash24 for hashtable keys
    • HKDF for key derivation
  • The handshake is built on the Noise protocol framework (the Noise_IK pattern). Each peer is identified by its static Curve25519 public key, which serves both as its identity and as its key-agreement key.
  • WireGuard also supports an optional 32-byte pre-shared key per peer that is mixed into the handshake on top of the public-key cryptography. Its purpose is to hedge against a future quantum computer breaking Curve25519: an attacker who records traffic today would then also need the pre-shared key.
  • A WireGuard server is silent to anyone who cannot prove possession of a known key: it simply doesn’t respond to unauthenticated packets, which reduces its exposure to scanning and DoS. Under load it can additionally require a client to echo a cookie before the server does the expensive handshake work. The first handshake message also carries a TAI64N timestamp, and the server rejects an initiation whose timestamp is not newer than the last one it accepted from that peer, which blocks replayed handshakes.
  • At the moment, WireGuard only works over UDP and has no TCP transport (though third-party UDP-over-TCP wrappers exist).
  • WireGuard never reuses a nonce under the same key. Each data packet carries a 64-bit counter that only ever increases for a given session key, and the receiver keeps a sliding window so packets that arrive out of order (which UDP allows) are still accepted, while a packet whose counter has already been seen, or that falls behind the window, is dropped. When the counter approaches its limit the keys are rotated instead of wrapping. This is what defeats replay attacks without giving up UDP’s tolerance for reordering.
  • WireGuard is a much smaller body of code than most VPN implementations, including the open-source ones (OpenVPN, SoftEther, strongSwan’s IKEv2) where the whole code base can be inspected. The Linux kernel implementation is under 4,000 lines.
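The receive-side check that the 64-bit counter makes possible, as an added example that is not part of the original article or of the WireGuard project’s code. It implements a sliding anti-replay window in the RFC 6479 style WireGuard follows, and the rekey and reject limits are the values from the WireGuard whitepaper; WINDOW_SIZE is an example parameter assumed here, not WireGuard’s own constant.

```python
# Added example, not from the original article or the WireGuard project.
# Sliding-window anti-replay check over a per-session 64-bit packet counter,
# plus the whitepaper's rekey/reject limits. WINDOW_SIZE is an assumed value.

REKEY_AFTER_MESSAGES = 2**60               # initiator rekeys after this many packets
REJECT_AFTER_MESSAGES = 2**64 - 2**13 - 1  # keys are never used past this counter
REKEY_AFTER_TIME = 120                     # seconds: the usual rekey trigger
REJECT_AFTER_TIME = 180                    # seconds: hard limit on a session
WINDOW_SIZE = 2048                         # assumed for this example


class AntiReplayWindow:
    """Accept each counter value at most once while tolerating reordering within the window."""

    def __init__(self, window_size: int = WINDOW_SIZE):
        self.window_size = window_size
        self.highest = -1   # highest counter accepted so far (-1: nothing yet)
        self.bitmap = 0     # bit i set => counter (highest - i) has been accepted

    def accept(self, counter: int) -> bool:
        """Return True if the packet with this counter should be processed, False to drop it."""
        if counter < 0 or counter >= REJECT_AFTER_MESSAGES:
            return False                        # counter exhausted: session must be replaced
        if counter > self.highest:
            shift = counter - self.highest
            if shift >= self.window_size:
                self.bitmap = 1                 # jumped past everything we remembered
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest = counter
            return True
        offset = self.highest - counter
        if offset >= self.window_size:
            return False                        # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                        # already seen: replay
        self.bitmap |= 1 << offset              # late but new: accept out of order
        return True


def should_rekey(messages_sent: int, session_age: float) -> bool:
    """Initiator-side trigger: time-based (two minutes) or, far less often, count-based."""
    return session_age >= REKEY_AFTER_TIME or messages_sent >= REKEY_AFTER_MESSAGES


def must_reject(messages: int, session_age: float) -> bool:
    """Hard limits after which a session's keys are never used again, in either direction."""
    return session_age >= REJECT_AFTER_TIME or messages >= REJECT_AFTER_MESSAGES


def simulate(arrivals):
    """Run received counters through one window and return the accept/drop verdict for each."""
    window = AntiReplayWindow()
    return [window.accept(c) for c in arrivals]


if __name__ == "__main__":
    # constructed arrival order: 5 arrives early, 3 and 1 are replayed, 5 is replayed at the end
    print(simulate([0, 1, 5, 3, 3, 1, 2, 4, 5]))
```

Reordered packets (5 before 2, 3 and 4) are accepted; the second copies of 3, 1 and 5 are dropped. A real receiver keeps one such window per session key and discards the whole session once must_reject fires, rather than letting the counter wrap.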

Is WireGuard Safe to Use?

WireGuard’s choice of cryptography is sound: the primitives are modern, widely analysed, and fixed, so there are no weak options to fall back to. That is a deliberate contrast with IPSec and OpenVPN, whose long lists of negotiable ciphers have produced weak configurations and downgrade attacks over the years. The stated goal of WireGuard is precisely to replace those “outdated” designs with something simpler.

Also, WireGuard’s small code base makes security audits much easier and less time-consuming. In turn, that means vulnerabilities can be found and fixed faster, and there is simply less attack surface for an attacker to work with. Note that this applies to the kernel implementation; a complete deployment still depends on the surrounding tooling (the userspace wg tool, wg-quick, and the operating system’s network stack).

Unfortunately, at the time of writing, WireGuard has no stable mainline release: the Linux implementation is still an out-of-tree module under active development, and the other platforms are younger still. It should be treated as experimental, and relying on it as the only protection for sensitive traffic is risky. That caveat applies to the implementations rather than the design: the handshake has already received formal analysis (a Tamarin model published by the project), which is more than most VPN protocols can say. In the future, WireGuard might well become the go-to option for online security.

There is also a privacy concern you should know about, specific to commercial VPN services. WireGuard has no dynamic address management: each client’s tunnel IP address is fixed in the configuration on both ends, and the server keeps, in memory, each peer’s most recent public endpoint (real IP address and port) and the time of its latest handshake. WireGuard itself writes none of this to disk, but it is visible to the operator through the wg show command, and a provider handing out addresses to thousands of customers needs some bookkeeping to reclaim unused ones, which typically means recording the last time each device connected. Whether that amounts to “logging” depends on how the provider engineers around it, but it is extra work that OpenVPN and IPSec services don’t have to do.

Is the WireGuard VPN Protocol Fast?

According to the benchmarks the WireGuard project has published, the protocol is significantly faster than OpenVPN and IPSec, reaching around 1,000 Mbps, which was the line rate of the gigabit link used in that test. The comparison therefore says more about CPU cost per packet than about WireGuard’s ceiling.

The speed comes from the design rather than from the line count as such: the packet path is short, the handshake takes a single round trip, and there is no per-connection cipher negotiation. Mobile users also stand to benefit, since WireGuard is designed to be less resource-intensive (so it doesn’t eat up too much battery) and has built-in roaming: a peer’s endpoint is updated whenever an authenticated packet arrives from a new address, so switching from Wi-Fi to mobile data doesn’t drop the tunnel.

Linux users are likely to get the best speeds for now, since the reference implementation is a Linux kernel module (out of tree at the time of writing, and later merged into the mainline kernel in version 5.6), so packets never have to leave the kernel. The implementations for other platforms run in userspace.

Is Setting Up a WireGuard VPN Connection Hard?

Well, let’s put it this way: it’s not hard if you know what you’re doing and are comfortable on Linux. The steps themselves are short (generate a key pair on each side, write a small configuration file, exchange public keys), but a usable server also needs extra work such as enabling IP forwarding, adding a NAT rule for the tunnel subnet, and opening the UDP port, and anyone who must get through a TCP-only firewall has to find a way to tunnel UDP over TCP on top of that. According to one reviewer, setting up a secure WireGuard network took them around six hours.
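The key generation and the configuration pair described above, as an added example that is not the article’s or the WireGuard project’s own code. It derives key pairs with a pure-Python X25519 (RFC 7748) so it runs without the wg tool, then renders a server and a client wg-quick configuration. The interface name eth0, the tunnel subnet 10.8.0.0/24 and the endpoint vpn.example.com are placeholders assumed for the example; the ladder is written for readability and is not constant-time, so on a real host use wg genkey, wg pubkey and wg genpsk instead.

```python
# Added example, not from the original article or the WireGuard project.
# Pure-Python X25519 (RFC 7748, not constant-time, illustration only) used to
# generate WireGuard keys, plus a minimal wg-quick server/client config pair.
import base64
import os

P = 2**255 - 19                 # Curve25519 field prime
A24 = 121665                    # (486662 - 2) / 4, ladder constant from RFC 7748
MASK_255 = (1 << 255) - 1
BASEPOINT_U = (9).to_bytes(32, "little")

def clamp(raw32: bytes) -> bytes:
    """Turn 32 random bytes into a valid scalar, exactly as wg genkey does."""
    k = bytearray(raw32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; 32-byte little-endian in and out."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u_bytes, "little") & MASK_255   # top bit of u is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_private_key() -> bytes:
    return clamp(os.urandom(32))

def public_key(private: bytes) -> bytes:
    """A peer's identity: the public key is the only credential the other side stores."""
    return x25519(private, BASEPOINT_U)

def shared_secret(private: bytes, peer_public: bytes) -> bytes:
    """One of the DH values the Noise IK handshake feeds into its key schedule."""
    return x25519(private, peer_public)

def b64(key: bytes) -> str:
    return base64.b64encode(key).decode()   # the 44-character form used in configs

def server_conf(server_priv: bytes, client_pub: bytes, psk: bytes, wan_if: str = "eth0") -> str:
    """Server side. wan_if is an assumed interface; %i expands to the tunnel interface.
    The host also needs: sysctl -w net.ipv4.ip_forward=1"""
    return f"""[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {b64(server_priv)}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE

[Peer]
PublicKey = {b64(client_pub)}
PresharedKey = {b64(psk)}
AllowedIPs = 10.8.0.2/32
"""

def client_conf(client_priv: bytes, server_pub: bytes, psk: bytes,
                endpoint: str = "vpn.example.com:51820") -> str:
    """Client side. endpoint is a placeholder; AllowedIPs = 0.0.0.0/0 sends all IPv4
    through the tunnel and PersistentKeepalive keeps a NAT mapping open."""
    return f"""[Interface]
Address = 10.8.0.2/24
PrivateKey = {b64(client_priv)}

[Peer]
PublicKey = {b64(server_pub)}
PresharedKey = {b64(psk)}
Endpoint = {endpoint}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    s_priv, c_priv, psk = generate_private_key(), generate_private_key(), os.urandom(32)
    print(server_conf(s_priv, public_key(c_priv), psk))
    print(client_conf(c_priv, public_key(s_priv), psk))
```

AllowedIPs does double duty on the server: it is both the route for packets going to that peer and a filter on the source addresses the peer may send from, so the client above cannot inject packets claiming to come from any address other than 10.8.0.2. Private keys never leave the host that generated them; only the public keys and the pre-shared key are exchanged.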

WireGuard also runs on macOS, Android, and iOS through the userspace Go implementation (wireguard-go) and the apps built on it, but at the time of writing the setup is less polished than on Linux, and you may have to rely on third-party software.

Can WireGuard Bypass Firewalls?

The WireGuard protocol should normally get through firewalls, but there is one concern: it only uses UDP. The port is whatever ListenPort is set to (51820 is the conventional default used in the documentation), so it can be moved anywhere, including UDP port 443, but a firewall or network admin that drops UDP altogether and only allows TCP traffic will block it regardless of the port.

Luckily, there are third-party tools that carry UDP packets inside a TCP connection, so that issue can be worked around. Running WireGuard on UDP port 443 also helps on networks that filter other UDP ports more aggressively, but it is still UDP, not HTTPS, and will not pass a TCP-only policy. The only problem with all that is that the wrappers are mostly Linux tools for the moment.

What Is a WireGuard VPN?

A WireGuard VPN would be a service provided by a third-party VPN provider. Basically, you’d be able to set up a WireGuard connection through the VPN client which you download and install.

At the moment, you won’t find many providers offering the WireGuard protocol, since it’s still a work in progress and, as discussed above, fitting it into a no-log service takes extra engineering.

WireGuard Advantages and Disadvantages

Advantages

  • WireGuard uses state-of-the-art, fixed cryptography with no negotiation, which removes a whole class of misconfiguration.
  • The WireGuard VPN protocol has a far smaller code base than OpenVPN and IPSec, which makes it easier to audit and to find vulnerabilities in.
  • WireGuard is designed for high speeds, and current benchmarks show that it’s faster than IPSec and OpenVPN.
  • WireGuard’s design lowers battery consumption and gives built-in roaming on mobile devices.
  • Configuration is simple: a peer is identified by its public key, so there is no certificate infrastructure to run. Both ends just need each other’s public keys.

Disadvantages

  • WireGuard is currently a work in progress, so it should be used for experimentation rather than for securing sensitive data.
  • WireGuard is difficult to set up if you’re not familiar with Linux or if you’re configuring it on other platforms.
  • At the moment, WireGuard only works over UDP. It can listen on UDP port 443, but it cannot pass as HTTPS, so a network admin who allows only TCP can block it.
  • WireGuard works best on Linux. Ports for other platforms exist, but they’re younger and less proven.
  • Fitting WireGuard into a strict no-log VPN service takes extra work, since client addresses are static and the server holds each peer’s last endpoint and handshake time in memory.
  • WireGuard is very new, and its implementations have seen far less real-world exposure than OpenVPN or IPSec.

How Good Is the WireGuard Protocol Compared to Other VPN Protocols?

Here’s all you need to know about the advantages and disadvantages of using WireGuard over other VPN protocols.

Since WireGuard is still in development, we can’t really recommend it over other protocols yet, but it will likely become a good alternative to most of the protocols on this list in the future.

WireGuard vs. PPTP

Even though WireGuard is currently experimental, the security it offers is far better than what PPTP can provide. WireGuard’s ChaCha20-Poly1305 is a modern authenticated cipher, while PPTP’s MPPE encryption takes its keys from the MS-CHAPv2 authentication exchange, which can be broken offline, so captured PPTP traffic can be decrypted. PPTP is also reported in the Snowden documents to have been routinely cracked by the NSA. Note that PPTP’s problem is not secrecy of the code (the protocol is a published RFC with open-source implementations) but the cryptography itself.

In terms of stability, WireGuard fares better: PPTP relies on GRE (IP protocol 47) alongside TCP port 1723, and many NAT devices and firewalls don’t pass GRE without a dedicated helper, so it is easily blocked. Though, it’s worth mentioning that WireGuard could be blocked by network admins too in its current state, since it only uses UDP, unless extra measures are taken to tunnel the UDP packets over TCP.

PPTP is known to be a very fast protocol (which is why many people still use it, despite its broken security), but WireGuard should offer very fast connections too due to its light design. For now, though, there’s no benchmark showing just how fast WireGuard is in comparison to PPTP.

As for cross-platform availability, PPTP fares better than WireGuard since it’s available on more platforms, and it’s even natively integrated into many of them. Still, it’s worth mentioning that this might no longer be the case in the future. Some platforms (like macOS Sierra and iOS 10) have stopped offering native support for PPTP, and it wouldn’t be far-fetched to assume they’d start offering native support for WireGuard instead – once it’s fully stable, of course.

Right now, it’s hard to recommend either of these protocols for a secure connection, for opposite reasons: PPTP’s encryption is broken, and WireGuard isn’t finished. WireGuard will be the obvious option once it goes through enough testing and the development process is finished. For now, it’s better to pick a different protocol (like OpenVPN or SoftEther) if you want a secure, private online experience.

In case you’d like to learn more about PPTP, follow this link.

WireGuard vs. L2TP/IPSec

Since WireGuard aims to replace the “obsolete” IPSec, it’s safe to assume it would be able to offer a more convenient and safer online experience than L2TP/IPSec – especially since the code is open-source, so there are no concerns about any government entity tampering with it. Don’t forget – Snowden has claimed that the NSA intentionally weakened the L2TP/IPSec protocol. While there’s no evidence to back that claim up, it’s still something worth keeping in mind.

One thing we know for sure, though, is that WireGuard is faster than IPSec in the project’s own benchmarks: WireGuard reached around 1,000 Mbps (line rate for the test’s gigabit link) while IPSec managed roughly 800 to 880 Mbps depending on the cipher. The lighter code base helps, and L2TP/IPSec adds double encapsulation (L2TP inside ESP) that costs extra overhead on every packet.

L2TP/IPSec does shine when it comes to availability, though. It works on more platforms than WireGuard, and is natively integrated into many operating systems and devices. On the other hand, L2TP/IPSec is easier to block than WireGuard, especially behind NAT, since it needs UDP 500, UDP 4500, and ESP to pass.

But WireGuard is still in development for now, so it’s overall safer to use L2TP/IPSec (or other better alternatives) when browsing the web. If you’d like to find out more about L2TP/IPSec, we’ve got an in-depth guide on it.

WireGuard vs. IKEv2/IPSec

In terms of security, both WireGuard and IKEv2/IPSec have a lot to offer. WireGuard relies on a small, fixed set of modern primitives, while IKEv2 negotiates from a menu of ciphers, which is flexible but leaves room for weak configurations. IKEv2 also has mature open-source implementations, so in that sense it can be as trustworthy as WireGuard. The one cloud over IKE as a whole is the leaked NSA material that allegedly describes how IPSec traffic could be decrypted.

IKEv2/IPSec and WireGuard both do a reasonable job of getting through firewalls, but neither uses TCP port 443 (IKEv2 uses UDP 500 and 4500; WireGuard uses a configurable UDP port), so a diligent network admin can block both. As for speed, IKEv2 is only the key exchange; the data travels over ESP, the same IPSec transport benchmarked above, so it’s reasonable to expect IKEv2/IPSec to come close to WireGuard, with WireGuard somewhat ahead.

Regarding stability, IKEv2/IPSec is the superior option for now, seeing as WireGuard has no stable build yet. IKEv2 also supports MOBIKE, an extension that lets the tunnel survive network changes (like switching from Wi-Fi to your data plan) without dropping. WireGuard achieves the same thing without an extension: a peer’s endpoint is updated whenever an authenticated packet arrives from a new address.

Besides that, it’s also worth noting that both protocols are available on a similar number of platforms, but IKEv2/IPSec stands out more because it works on BlackBerry devices too, making it an ideal choice for mobile users.

Since WireGuard is still a work in progress, IKEv2/IPSec is a much safer option for now. If you’d like to find out more about IKEv2/IPSec, check out this article we wrote about it.

WireGuard vs. IPSec

WireGuard’s goal is to be better than IPSec, and it’s likely going to achieve that once it’s fully operational. While IPSec is secure when configured well, WireGuard’s modern, fixed cryptography removes the configuration pitfalls, and the protocol is open-source and small, which makes it much easier to trust.

Also, WireGuard has a far smaller code base than a full IPSec stack, which makes it easier to audit and to find vulnerabilities in, and keeps the packet path short. The benchmarks done by the WireGuard team show that the protocol is faster than IPSec and has a lower ping time.

IPSec is available on more platforms than WireGuard for the moment, true, but IPSec is also potentially easier to block with a firewall than WireGuard, since it needs several specific ports and protocols to pass.

In the end, it’s still better to stick to IPSec for now, but switching to WireGuard will likely be a very good idea once the protocol is fully developed.

Want to learn more about IPSec? Check out this article.

WireGuard vs. SSTP

SSTP wraps PPP in a TLS connection, so it is considered to be as secure as OpenVPN, and at that level it is likely on par with WireGuard for now. Still, we do need to mention the elephant in the room: SSTP is a Microsoft protocol, from a company that previously had no problems handing over access to encrypted messages to the NSA. Microsoft publishes the SSTP specification and third-party implementations exist (SoftEther’s server speaks SSTP, for instance), but Microsoft’s own client and server are closed-source, unlike WireGuard.

On the other hand, SSTP is much harder to block with a firewall than WireGuard currently is. Why? Because SSTP runs over TLS on TCP port 443 and looks like ordinary HTTPS traffic, which network admins can’t block without blocking the web. WireGuard can be configured to listen on port 443 too, but that is UDP port 443, which is not HTTPS and is easy to filter separately. Unfortunately, it’s not unheard of for a network admin to block UDP entirely and only allow TCP traffic on the network.

As for speeds, it’s pretty safe to assume that WireGuard is faster than SSTP. Don’t forget – SSTP speeds are somewhat similar to OpenVPN speeds. And since WireGuard is much faster than OpenVPN, it’s likely faster than SSTP too. It’s also likely much lighter, but that’s just a speculation.

And regarding availability, for now it seems that SSTP works on slightly more platforms (Windows Vista and higher, Android, Linux, and routers) than WireGuard, which is mainly available on Linux at the moment; ports to other platforms do exist, but they don’t seem to be 100% reliable yet. In the future, WireGuard will likely be supported on more operating systems and devices.

All in all, SSTP is a better choice than WireGuard – but only because the WireGuard protocol isn’t stable and out of development yet. When it will be complete, the choice will depend on how much you trust Microsoft with your data.

Interested in finding out more about SSTP and how good of a protocol it is? Follow this link then.

WireGuard vs. SoftEther

SoftEther and WireGuard are essentially the new protocols on the block, though WireGuard is the “youngest” between them. Both protocols are open-source, feature top-notch security, and offer very high-speeds. There’s a chance WireGuard is a bit speedier since its throughput can go up to 1000 Mbps while SoftEther’s throughput goes up to approximately 900 Mbps.

SoftEther is still a better option right now since the protocol is more stable, and it can’t easily be blocked by network administrators since it can use the HTTPS traffic port (TCP port 443). Also, SoftEther works on more platforms than WireGuard, and is offered by more VPN providers as a connection option too.

It’s also worth mentioning that SoftEther’s VPN server can run multiple protocols, but it doesn’t have support for WireGuard – for the moment at least.

In case you’d be interested in finding out more about SoftEther, we’ve got an article about it right here.

WireGuard vs. OpenVPN

In terms of security, both protocols have a lot to offer: OpenVPN can be configured with strong ciphers such as AES-256-GCM, and WireGuard’s ChaCha20-Poly1305 uses a 256-bit key. Of course, WireGuard isn’t as proven since it’s still in development, but once it’s out of development it should match OpenVPN security-wise, and its fixed cipher suite means there is no weak-cipher configuration to get wrong, which has bitten OpenVPN deployments in the past. However, unless WireGuard gains a TCP transport that doesn’t need workarounds, a network administrator will have a much easier time blocking it than OpenVPN, which can run over both UDP and TCP, including TCP port 443.

When it comes to speed, there’s a huge gap between WireGuard and OpenVPN. According to the WireGuard project’s benchmarks, the difference in throughput between the two protocols is around 700 to 800 Mbps, and the ping time is far lower with WireGuard (0.403 ms) compared to OpenVPN (1.541 ms).

On the other hand, OpenVPN is available on multiple other platforms, has been around for many years, and it’s pretty much offered by all VPN providers.

If you’d like to read more about OpenVPN, here’s a useful guide you should check out.

All That Considered, Should You Use the WireGuard Protocol?

For the moment, it’s best to only use WireGuard if you want to test out the protocol and experiment with it to see what it’s capable of, what vulnerabilities it has, and how well it can handle firewalls.

But, for now, you should avoid relying on the WireGuard protocol if your online traffic and Internet privacy depend on it. It isn’t stable enough to guarantee truly secure connections, and using WireGuard with a third-party VPN service means checking how the provider reconciles WireGuard’s static addresses and in-memory peer state with its no-log policy, since WireGuard does not solve that for them.

Looking for a VPN With Multiple Protocol Options?

CactusVPN is just what you need. We’ll start out by saying that we don’t yet offer the WireGuard protocol. It’s not because we can’t, though, but because we don’t want our users to be the ones testing the protocol right now, potentially putting their data in danger. Plus, we have a strict no-log policy at our company, and the way WireGuard currently works basically goes against it.

Still, we do offer high-end encryption (military-grade AES, for example) and multiple VPN protocols to choose from:

  • SoftEther
  • OpenVPN (both TCP and UDP)
  • SSTP
  • IKEv2/IPSec
  • L2TP/IPSec
  • PPTP

We also offer DNS leak protection and a Killswitch to make sure your data is always safe, and we provide access to high-speed servers and unlimited bandwidth to ensure you enjoy a smooth online experience.

Enjoy Plenty of Cross-Platform Compatibility

We offer access to user-friendly VPN clients that work across multiple operating systems and devices:

  • Windows
  • macOS
  • iOS
  • Android
  • Android TV
  • Amazon Fire TV

That, and we provide straightforward step-by-step tutorials that will show you how to easily configure our services on platforms that don’t natively support VPNs.

Give Our Service a Try Free of Charge First

No need to make a commitment right away. You can first take advantage of our free 24-hour trial to make sure CactusVPN can meet all your needs. And no need to worry – we don’t ask for any credit card info at all.

Oh, and you might also like to know that we provide a 30-day money-back guarantee in case the service doesn’t work as advertised once you do become a CactusVPN user.

Conclusion – What Is WireGuard?

WireGuard is a new open-source VPN protocol that officially came out in 2018. While it does boast state-of-the-art security and significantly improved performance (it’s faster and lighter than OpenVPN and IPSec), the protocol is currently under heavy development. That means it’s not safe to use if you want to secure your online traffic and data – at least for now.

You won’t find many VPN providers offering WireGuard connections at the moment, because doing so can potentially endanger user data. What’s more, the way WireGuard assigns addresses and tracks peers forces providers to do extra engineering to honour a no-log policy.

Once WireGuard is fully developed and polished, it will likely become the go-to protocol for safe, fast online connections. Until then, though, you should consider choosing a VPN provider that offers OpenVPN and SoftEther connections instead.

Tim has been writing content and copy for a living for over 4 years, and has been covering VPN, Internet privacy, and cybersecurity topics for more than 2 years. He enjoys staying up-to-date with the latest in Internet privacy news, and helping people find new ways to secure their online rights.