
What Is WireGuard? (An In-Depth Look at the Newest VPN Protocol)


WireGuard® came out in 2018, so it’s the newest addition to the list of existing VPN protocols. But what is WireGuard, how does it work, and is there any reason you might want to use it?

We’ll tell you everything you need to know in this guide.

What Is WireGuard?

WireGuard is a new next-generation, open-source VPN protocol that aims to provide a faster, simpler, and safer online experience.

It was developed by Jason Donenfeld, the man who founded Edge Security.

Despite how “young” the WireGuard protocol is, it has been quickly accepted by online users, and even managed to catch the attention of main Linux developer Linus Torvalds who called it a “work of art.”

It used to be in the development phase until a few months ago. But it underwent numerous audits (and passed them), and was eventually included in the Linux Kernel version 5.6 tree (meaning Linux users were able to start using WireGuard once running the 5.6 update).

While WireGuard was developed with Linux in mind, that doesn’t mean you can’t use it on other platforms. As long as the VPN you’re using properly configured the protocol, you can use it on different operating systems (like Windows and Android).

How Does the WireGuard Protocol Work?

Like any VPN protocol, Wireguard is responsible for creating a secure connection (also called a “VPN tunnel”) between a VPN app and a VPN server.

Here’s how it stands out, though – unlike most protocols, it works much like SSH (Secure Shell). Basically, it exchanges public keys. Once they’re exchanged and the app-server tunnel is established, there’s no need to keep managing the connection. Also, once WireGuard establishes the VPN tunnel, the server must receive at least one encrypted data packet from the client before it can actually use the session. That ensures proper key confirmation.

General Technical Details About WireGuard VPN

  • WireGuard uses a small, fixed set of modern ciphers.
  • Besides the symmetric encryption key, WireGuard also supports an optional pre-shared key which can be mixed into the public key cryptography.
  • When using WireGuard, the VPN server doesn’t respond to clients that haven’t been authorized, which reduces the risk of DoS attacks. The first handshake message sent to the server also includes a TAI64N timestamp to prevent replay attacks.
  • WireGuard only works on UDP and doesn’t officially support TCP (though, there are workarounds made by GitHub programmers and third-party services). It can freely use any port from the high ports range. The default UDP port is 51820.
  • WireGuard doesn’t reuse nonces (a number used only once in cryptographic communications). Instead, it relies on a 64-bit counter which can’t be wound backwards. This way, replay attacks are less of a risk, and UDP packets aren’t sent out of order (something that can happen with UDP).
  • WireGuard features a lighter build than most VPN protocols – well, at least the open-source ones (OpenVPN, SoftEther, IKEv2) where the whole code is visible. All in all, the total number of code lines that are used in WireGuard is around 4,000.
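The two replay defenses in the bullets above (the TAI64N timestamp on the handshake initiation, and the 64-bit packet counter that is never reused) can be modelled in a few lines. The Python below is an added illustration written for this article, not code from the original page or from the WireGuard project. It assumes the TAI64N epoch offset of 2^62 + 10 seconds that WireGuard's implementations use, and it adds a sliding window over the counter so that packets arriving slightly out of order are still accepted while duplicates are dropped; WireGuard's receivers keep a bitmap window of this kind, but the window size here is just a parameter, not WireGuard's constant, and the class and function names are mine.

```python
"""Replay protection as WireGuard applies it, in two layers (added illustration).

1. Handshake: each initiation carries a 12-byte TAI64N timestamp; a responder
   accepts an initiation from a given static peer key only if its timestamp is
   greater than the last one it accepted from that peer.
2. Data: each transport packet carries a 64-bit counter that the sender never
   reuses; the receiver tracks the highest counter seen plus a bitmap window,
   so out-of-order packets inside the window pass and replays are rejected.
"""
import struct
import time

# TAI64 label of the Unix epoch as used by WireGuard implementations (2^62 + 10).
TAI64_EPOCH_OFFSET = (1 << 62) + 10
# WireGuard's REJECT_AFTER_MESSAGES: counters at or above this force a rekey.
REJECT_AFTER_MESSAGES = 2**64 - 2**13 - 1


def tai64n_now(unix_ns=None):
    """Encode a Unix time in nanoseconds as TAI64N: 8-byte big-endian seconds
    (offset by TAI64_EPOCH_OFFSET) followed by 4-byte big-endian nanoseconds."""
    if unix_ns is None:
        unix_ns = time.time_ns()
    secs, nanos = divmod(unix_ns, 1_000_000_000)
    return struct.pack(">QI", TAI64_EPOCH_OFFSET + secs, nanos)


class HandshakeReplayGuard:
    """Per-peer 'greatest timestamp accepted' check for handshake initiations (hypothetical helper)."""

    def __init__(self):
        self._last = {}  # peer public key -> last accepted TAI64N bytes

    def accept_initiation(self, peer_pubkey, timestamp):
        # Big-endian encoding means byte-wise comparison equals numeric comparison.
        if len(timestamp) != 12:
            return False
        last = self._last.get(peer_pubkey)
        if last is not None and timestamp <= last:
            return False  # replayed or stale initiation
        self._last[peer_pubkey] = timestamp
        return True


class CounterWindow:
    """Sliding-window anti-replay check over the 64-bit packet counter (hypothetical helper).

    Bit i of `bitmap` is set when counter (highest - i) has already been accepted.
    """

    def __init__(self, window_size=2048):
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.highest = -1  # no packet accepted yet
        self.bitmap = 0

    def accept(self, counter):
        if counter < 0 or counter >= REJECT_AFTER_MESSAGES:
            return False
        if counter > self.highest:
            # New high-water mark: slide the window forward, marking this counter.
            shift = counter - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = counter
            return True
        offset = self.highest - counter
        if offset >= self.window_size:
            return False  # older than the window: cannot tell a replay from a straggler, so drop
        if (self.bitmap >> offset) & 1:
            return False  # already accepted: replay
        self.bitmap |= 1 << offset  # late but genuine out-of-order packet
        return True


if __name__ == "__main__":
    guard = HandshakeReplayGuard()
    ts = tai64n_now()
    print("first initiation:", guard.accept_initiation("peer-A", ts))
    print("replayed initiation:", guard.accept_initiation("peer-A", ts))
    window = CounterWindow(window_size=8)
    print([window.accept(c) for c in (5, 3, 3, 0, 20, 12, 13)])
```

The window demo shows what the counter bullet actually buys you: counters 3 and 0 arrive after 5 and are still accepted because they fall inside the window, the second 3 is rejected as a replay, and once 20 has been seen a counter of 12 is too old to be accepted at all.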

Is WireGuard Safe to Use?

Yes – after numerous audits, it’s finally clear: WireGuard offers excellent security.

For starters, it puts an end to cryptographic agility (being able to pick between different encryption options, for example) since that can cause faulty deployments. Instead, it uses modern, peer-reviewed, and thoroughly-tested cryptographic algorithms. That way, there’s no way for someone to accidentally misconfigure the cryptography and put user data at risk.

If any of those algorithms suffer a vulnerability, the problem is easily solved by releasing a new protocol version.

Also, WireGuard’s smaller code base makes it much easier and less time-consuming to perform security audits of the protocol. For example, it would only take one person a few hours to read through the whole code base (provided they know what they’re doing).

So it’s faster to find and fix vulnerabilities that way. What’s more, there’s a much smaller attack surface that can be exploited by cybercriminals.

There used to be a huge concern that VPN providers who use WireGuard wouldn’t be able to offer complete privacy because the protocol stores user IPs on the server until it’s restarted. However, that issue was quickly solved – providers either used a double NAT system or erased IP logs once the VPN session ended.

Is the WireGuard VPN Protocol Fast?

Yes. Original benchmarks estimated that the protocol is much faster than OpenVPN and IPSec. Since then, numerous VPN review sites and tech blogs have tested WireGuard speeds compared to other protocols.

For example, this site tested 114 VPN servers, and found that WireGuard came in first in 58.8% of download tests. Also, the average speed loss was only around 19.1%. So if your original speeds hover around 100 Mbps, you’d get roughly 80 Mbps VPN speeds using WireGuard.

The WireGuard protocol can offer fast speeds thanks to its small code base. Also, it can establish connections and handshakes faster while also offering better reliability. Furthermore, it uses CPU cores very efficiently.

Mobile users also stand to benefit since WireGuard is designed to be less resource-intensive (so it doesn’t eat up too much battery), and to offer improved roaming support.

Linux users are likely to get the best speeds with WireGuard VPN connections since the protocol lives inside the Linux kernel (the key component of the operating system), meaning it can offer high-speed secure networking. 

However, WireGuard implementations on other platforms run in user space (so the protocol has access to limited system memory). Even so, the protocol still offers better speeds than some of its competitors (like OpenVPN).

Is Setting Up WireGuard VPN Hard?

If you use Linux, it’s extremely simple. Since it’s part of the operating system, you just need to type in a few commands, and you’re good to go.

While it might not be as straightforward on other operating systems, it’s far from difficult. WireGuard now offers downloadable clients for Windows, macOS, iOS, and Android. And getting used to them won’t take you too much time.

Luckily, many VPNs have started incorporating WireGuard in their service (like CactusVPN). And they built it straight into their apps, meaning you can use it like any other protocol – just pick it from a list, and connect to a server.

Can WireGuard Bypass Firewalls?

Like any VPN protocol, WireGuard should be able to bypass firewalls. It routes your traffic through a new IP which isn’t blocked by the firewall, after all.

But if the network admin blocks all UDP ports, they’ll block all WireGuard traffic since it only runs over UDP, and can’t use TCP port 443 (the HTTPS port). 

Like we said earlier, there is a way to tunnel UDP packets over TCP, and program the connection to use port 443. Here’s a tutorial for that, though keep in mind it’s only for Linux. Some VPN users have said that method didn’t work for them, though, and recommended this one instead (be wary – it’s a lengthy process, and only works on Linux).

We also saw some people on Reddit saying they can prevent firewalls from blocking WireGuard by using UDP port 53 (the port needed for DNS resolution).

A bit inconvenient, sure, but keep this in mind – if a network admin blocks your VPN’s IP address with a firewall, they’ll automatically stop you from using it. And it doesn’t matter what protocol you’re using – WireGuard, OpenVPN, SoftEther, SSTP, etc.
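Whether WireGuard gets through a given firewall comes down to whether its UDP datagrams do, so when you are troubleshooting a tunnel that won't connect (or checking what a UDP policy on your own network actually affects), it helps to recognise WireGuard messages in a packet capture. The Python below is an added example written for this article, not code from the original page or from the WireGuard project. It classifies UDP payloads by the fixed shape of WireGuard messages (a one-byte type 1 to 4 followed by three zero bytes; a 148-byte handshake initiation, a 92-byte response, a 64-byte cookie reply, and transport messages whose length is a multiple of 16 and at least 32 bytes) and tallies them per flow. The capture in `SAMPLE_CAPTURE` is constructed for the example, including a WireGuard-shaped packet sent to UDP port 53 as the Reddit workaround above describes; the helper names are mine.

```python
"""Recognise WireGuard messages in UDP payloads by their on-the-wire shape (added illustration).

Every WireGuard message starts with a one-byte type and three reserved zero
bytes. Handshake messages have fixed sizes; transport messages have a 16-byte
header (type + reserved, receiver index, 64-bit counter) followed by ciphertext
whose length is a multiple of 16, so an empty keepalive is exactly 32 bytes.
"""
import struct
from collections import defaultdict

MSG_INITIATION, MSG_RESPONSE, MSG_COOKIE_REPLY, MSG_TRANSPORT = 1, 2, 3, 4
FIXED_SIZES = {
    MSG_INITIATION: (148, "handshake-initiation"),
    MSG_RESPONSE: (92, "handshake-response"),
    MSG_COOKIE_REPLY: (64, "cookie-reply"),
}
TRANSPORT_HEADER = 16  # type(1) + reserved(3) + receiver index(4) + counter(8)
KEEPALIVE_SIZE = 32    # header + empty payload + 16-byte Poly1305 tag
WG_DEFAULT_PORT = 51820


def classify_wireguard(payload):
    """Return a label if the payload is shaped like a WireGuard message, else None.

    This is a shape heuristic only: it shows a packet is consistent with the
    WireGuard format, not that it is WireGuard.
    """
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype in FIXED_SIZES:
        size, label = FIXED_SIZES[mtype]
        return label if len(payload) == size else None
    if mtype == MSG_TRANSPORT and len(payload) >= KEEPALIVE_SIZE and len(payload) % 16 == 0:
        return "keepalive" if len(payload) == KEEPALIVE_SIZE else "transport-data"
    return None


def transport_counter(payload):
    """The little-endian 64-bit packet counter of a transport message (bytes 8..16)."""
    return struct.unpack_from("<Q", payload, 8)[0]


def summarize_flows(capture):
    """Tally WireGuard-shaped messages per (src, dst, dst_port); anything else counts as 'other'."""
    summary = defaultdict(lambda: defaultdict(int))
    for src, dst, port, payload in capture:
        label = classify_wireguard(payload) or "other"
        summary[(src, dst, port)][label] += 1
    return {flow: dict(counts) for flow, counts in summary.items()}


# Builders for constructed sample packets (payload bytes are zero-filled; only the shape matters here).
def make_handshake(mtype):
    size, _ = FIXED_SIZES[mtype]
    return struct.pack("<I", mtype) + b"\x00" * (size - 4)


def make_transport(counter, ciphertext_len):
    header = struct.pack("<I", MSG_TRANSPORT) + struct.pack("<I", 0x1234) + struct.pack("<Q", counter)
    return header + b"\x00" * ciphertext_len


# Constructed capture: (src, dst, dst_port, UDP payload).
SAMPLE_CAPTURE = [
    ("10.0.0.5", "203.0.113.7", WG_DEFAULT_PORT, make_handshake(MSG_INITIATION)),
    ("203.0.113.7", "10.0.0.5", 41641, make_handshake(MSG_RESPONSE)),
    ("10.0.0.5", "203.0.113.7", WG_DEFAULT_PORT, make_transport(0, 64)),
    ("10.0.0.5", "203.0.113.7", WG_DEFAULT_PORT, make_transport(1, 32)),
    ("10.0.0.5", "203.0.113.7", WG_DEFAULT_PORT, make_transport(2, 16)),   # 32 bytes: keepalive
    ("10.0.0.5", "192.0.2.53", 53, b"\x12\x34\x01\x00" + b"\x00" * 20),     # ordinary DNS query shape
    ("10.0.0.5", "203.0.113.9", 53, make_handshake(MSG_INITIATION)),        # WireGuard on UDP 53
]

if __name__ == "__main__":
    for flow, counts in summarize_flows(SAMPLE_CAPTURE).items():
        print(flow, counts)
```

Run on the sample capture, the flow to port 51820 shows one initiation, two data packets and a keepalive, the real DNS query is "other", and the WireGuard-shaped packet to port 53 still classifies as a handshake initiation: a rule that only looks at the destination port would treat it as DNS, which is exactly why the port-53 workaround above works against port-based blocking and why a UDP policy should be checked against what the packets look like, not just where they go.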

What Is a WireGuard VPN?

This would be a VPN provider that offers WireGuard VPN connections through its service – either manual or automatically through their apps.

Despite how new the protocol is, many providers have already incorporated it into their services – including CactusVPN.

WireGuard Advantages and Disadvantages

Advantages

  • WireGuard uses state-of-the-art cryptography to offer high security.
  • It has a lighter code base than OpenVPN and IPSec (only around 4,000 lines), which makes it easier to audit.
  • WireGuard offers very high speeds, outperforming pretty much all protocols on all platforms.
  • The protocol has performance improvements that can lower battery consumption and improve roaming support on mobile devices.
  • Despite being a new protocol, WireGuard has already aced multiple audits. Also, many providers have started incorporating WireGuard into their service.
  • WireGuard is pretty easy to set up – both on Linux and other platforms (Windows, macOS, iOS, Android).

Disadvantages

  • WireGuard only works on UDP, so you can’t use it over TCP port 443 (the HTTPS port). So network admins could block WireGuard if they block the UDP ports it uses (there’s a lot of them, though).
  • Using WireGuard could force a VPN provider to store IP logs indefinitely. But all providers that started offering this protocol found secure workarounds.

Looking for a Great WireGuard VPN?

CactusVPN is the perfect service for you then. We offer high-end security, high-speed servers & unlimited bandwidth, a no-logging policy, and we support WireGuard.

What’s more, we give you access to six other protocols too: OpenVPN, SoftEther, IKEv2/IPSec, L2TP/IPSec, SSTP, PPTP.

Oh, and we offer DNS leak protection and a kill switch too. Plus, we offer user-friendly apps for pretty much all platforms.


And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.


How Good Is the WireGuard Protocol Compared to Other VPN Protocols?

If you’re not sure if you should use WireGuard or a different protocol, here’s how they compare to each other:

WireGuard vs. PPTP

Security – WireGuard is far superior to PPTP in terms of security. It uses modern cryptography while PPTP’s encryption is very weak. So weak, in fact, that the NSA can actually crack it. Also, PPTP isn’t open-source like WireGuard, so you can’t check the code yourself to make sure there’s nothing fishy going on in the background.

Stability – WireGuard again comes on top since NAT firewalls can easily block PPTP. True, network admins can block WireGuard too – but only if they block most (if not all) UDP ports, which is a bit unrealistic.

Speed – PPTP is very fast, but so is WireGuard. When testing them, we got smooth speeds while streaming Netflix in Ultra HD with both protocols.

Availability – Both protocols are available on the most popular platforms. However, some newer versions have dropped support for PPTP since it’s so risky (like macOS Sierra and iOS 10).

Bottom Line – It’s obvious that WireGuard is the best option. It offers nearly the same speeds as PPTP, but you also get better security.

Read More: What Is PPTP? (Everything You Need to Know)

WireGuard vs. L2TP/IPSec

Security – Both WireGuard and L2TP/IPSec offer a decent level of security, but WireGuard uses newer algorithms that can’t be tampered with (users can’t make changes that might accidentally put data at risk). Also, WireGuard is open-source, which makes it more transparent and easier to audit.

Stability – We haven’t encountered stability issues with either protocol. Still, it’s easier for a network admin to block L2TP/IPSec since it only uses three ports (UDP 500, UDP 4500, and ESP IP Protocol 50). If you use L2TP on its own, it only uses one port – UDP 1701. WireGuard, on the other hand, uses tons of UDP ports.

Speed – WireGuard is definitely faster than L2TP/IPSec. The latter encapsulates your data twice, using up more resources.

Availability – You can use both protocols on most operating systems.

Bottom Line – You should be safe with either protocol, but we’d recommend sticking to WireGuard when possible. It’s just faster and better for your privacy.

Related: What Is L2TP (Layer 2 Tunneling Protocol)?

WireGuard vs. IKEv2/IPSec

Security – IKEv2 uses IPSec for security, so what we said above applies here too: your data should be safe with both protocols. But if you want a more modern approach to cryptography, you should stick to WireGuard. And while IKEv2 has some open-source implementations, most providers don’t use them.

Stability – Like L2TP/IPSec, IKEv2/IPSec is easier to block because it uses fewer ports: UDP 500, ESP IP Protocol 50, UDP 4500. On the plus side, IKEv2 offers MOBIKE – a feature that lets the protocol resist network changes. So if you switch from WiFi to mobile data on mobile, your VPN shouldn’t disconnect.

Speed – Both protocols are very fast. We sometimes have faster speeds with WireGuard, but not by much.

Availability – They both work on most operating systems. The only difference is that IKEv2/IPSec is natively available on BlackBerry devices.

Bottom Line – Whether you need speed or security (or both), either protocol is an excellent choice. Maybe stick to IKEv2/IPSec if you’re using a smartphone since the MOBIKE feature is really useful.

Learn More: What Is IKEv2?

WireGuard vs. IPSec

Security – IPSec provides decent security, but WireGuard’s modern, state-of-the-art cryptography definitely comes on top. Not to mention it’s also open-source, so easier to audit.

Stability – It might be easier for a network admin to block IPSec than WireGuard since it uses fewer ports (one to be exact – ESP IP Protocol 50).

Speed – WireGuard’s code base is much smaller than IPSec, so it’s faster. Online benchmarks back that up too.

Availability – While IPSec is natively available on a lot of platforms, most VPN providers don’t offer this protocol in a stand-alone format, only paired with L2TP or IKEv2.

Bottom Line – There’s no reason not to use WireGuard instead of IPSec. You get better security, speeds, and more convenient availability.

Find Out More: What Is IPSec and How Does it Work?

WireGuard vs. SSTP

Security – We believe both protocols can secure your data. But if you’re obsessed with privacy, stick with WireGuard. It’s open-source and not owned by Microsoft (a company that shared data with the NSA).

Stability – You shouldn’t experience random disconnects with either protocol. However, SSTP gets an extra point because network admins can’t easily block it. The protocol uses TCP port 443, which is the HTTPS port. WireGuard only uses UDP ports (a lot of them, though).

Speed – WireGuard is less resource-intensive than SSTP, so you’ll always get smoother speeds.

Availability – WireGuard actually works on more platforms since macOS and iOS don’t support SSTP out of the box. 

Bottom Line – If security is all you need, both protocols are decent options. But if you want security, guaranteed privacy, and speed, then stick to WireGuard.

Also Check Out: What Is SSTP? (Your Guide to the SSTP VPN Protocol)

WireGuard vs. SoftEther

Security – You get powerful security with both protocols. And they’re both open-source, so easy to trust.

Stability – WireGuard and SoftEther are both stable, but SoftEther can use TCP port 443. So network admins can’t block it as easily as WireGuard.

Speed – You should get fast speeds with both protocols. There’s actually a study that claims SoftEther is four times faster than PPTP (it’s from 2006, though). 

Availability – WireGuard offers more cross-platform compatibility since the SoftEther client only works on Windows, macOS, and Linux. Also, there really aren’t many VPN providers that offer SoftEther (we do, though). But even when SoftEther is available, you can’t use it inside the VPN app. Instead, you have to install and use the SoftEther client.

Bottom Line – You get great security and speeds with both protocols. But if you’re looking for an easy protocol to use, you should pick WireGuard. SoftEther is better suited to more advanced users.

Related: What Is SoftEther? (Complete Guide)

WireGuard vs. OpenVPN

Security – OpenVPN uses the OpenSSL library to implement all sorts of cryptographic algorithms (the most popular being AES-256). WireGuard uses modern, fixed algorithms (you can’t change them) to allegedly avoid misconfigurations that result in security vulnerabilities. Overall, they both offer excellent security.

Stability – OpenVPN connections might be more likely to drop over TCP if you use a very remote server and have slow ISP speeds. On the plus side, network admins can’t block it since it uses TCP port 443 (the one for HTTPS traffic). WireGuard is restricted to UDP ports, and might be harder to use if the network you’re using blocked many of them.

Speed – WireGuard is without a doubt faster than OpenVPN. Its code base is much more lightweight (roughly 4,000 lines compared to 70,000 – 600,000 lines), and it uses CPU cores more efficiently. In our tests, WireGuard was faster even when we used OpenVPN over UDP.

Availability – Both protocols work on most operating systems, though there are more VPN providers that offer OpenVPN.

Bottom Line – It’s a close call, and the decision is up to you. If you want the default security standard, use OpenVPN. If you want a newer approach to VPN cryptography, use WireGuard. And if you want high-end security and lightning-fast speeds, always use WireGuard.

Read More: What Is OpenVPN & How Does OpenVPN Work?

So Should You Use the WireGuard Protocol?

If you have the option, yes, definitely. It’s a very secure protocol that offers smooth speeds and an awesome level of privacy. Make sure that your VPN provider properly implemented the protocol to avoid any unpleasant surprises (IP logging), though.

Conclusion – What Is WireGuard?

WireGuard is the newest addition to the VPN protocol “family.” It underwent heavy development, testing, and auditing, and is now a really secure protocol that uses modern cryptography. It’s also very fast to boot since it has a lightweight code base and is optimized for speed.

All in all, if you want security and smooth speeds, don’t hesitate to use WireGuard.

How do you feel about it, though? Are you happy with how secure it is, or do you think there’s still room for improvement? 

Please let us know in the comments below.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

Computer vector created by vectorjuice – www.freepik.com

By
Tim has been writing content and copy for a living for over 4 years, and has been covering VPN, Internet privacy, and cybersecurity topics for more than 2 years. He enjoys staying up-to-date with the latest in Internet privacy news, and helping people find new ways to secure their online rights.
