Understanding all the fuss about WireGuard in the VPN
WireGuard is a protocol that has been talked about a lot lately. It will improve the security and speed of VPNs, but there are also downsides.
WireGuard is one of the protocols that are added more and more by VPN providers. A few months ago, WireGuard got some media coverage, because Linus Torvald told us this about it:
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art – Linus Torvald on the Linux Development Mailing List
Okay when Linus Torvald likes the code of something, we listen. But Torvald appreciates the technical aspect. It is true that WireGuard has everything to please on the development side. But it’s its efficiency that will make the difference. VPN protocol is the technology that encrypts data when using a VPN connection. This is what helps prevent attacks to intercept your data and avoid being hacked when you are on public WiFi, for example.
WireGuard was developed by Jason A. Donenfield in 2015 as a module for the Linux kernel. The goal was to create a VPN protocol from scratch, so that it was lightweight, convenient to use, and most importantly, that it used the latest encryption standards. The goals were realized in 2020 with the integration of WireGuard into the Linux 5.6 kernel. This means that any Linux distribution compiled with this version of the kernel will be able to benefit from WireGuard natively.
The advantages of WireGuard
Since this is a new VPN protocol, it has far fewer lines of code than the protocols currently in use. In VPNs, we are used to mainly using two protocols, OpenVPN and the L2TP/IPSec combination. And let’s say that implementing these protocols on servers is like buying a bunch of razor blades, putting them in a glass of water, swallowing them while chewing well, then grab a spoon and tear your eyes out with and then, slit your throat in front of a mirror, bursting into laughter. This is absolute crap, because OpenVPN and IPSec are very old protocols.
OpenVPN and OpenSSL have 600,000 lines of code in total and for IPVPN that’s 400,000 lines of code. By comparison, WireGuard has 4,000 lines of code. This therefore makes it a very light and very secure protocol. Because the more lines of code a program has, the more surface there is to attack it and find security holes.
Easy to install
For the VPN user, it is still easy to use. You take a subscription, you download the VPN software for your platform and you’re done. You can’t see anything under the hood, but on the VPN provider side, it’s another hassle. Most importantly, they can have hundreds of VPN servers around the world and each one needs to be configured and maintained at regular intervals.
Bottom, I offer a list of VPN providers that already support WireGuard, but that doesn’t mean it’s a cinch. For the VPN, you can buy them, but you can also configure your own VPN server. If you are getting started with WireGuard, you will need to read the documentation well and spend time to understand all the technical aspects. You should already be familiar with the creation of VPN servers. But overall, it will take you less time.
WireGuard uses the latest encryption protocols
Another reason the VPN world is passionate about WireGuard is the encryption protocols used and the overall approach. Among the protocols, we can mention:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using the AEAD construct of RFC7539
- Curve25519 for ECDH
- BLAKE2s for hashing and key hashing, described in RFC7693
- SipHash24 for hash keys
- HKDF for key derivation, as described in RFC5869
Even if you do not understand anything about these encryption protocols, just know that they are the most recent, but especially that their approach is different in the event of a breach. Like any VPN protocol, you need to generate both public and private keys for WireGuard (again, this is technical setup that the VPN user couldn’t care less about).
WireGuard’s keys are 256 Bits while OpenVPN uses keys up to 4096 bits. But WireGuard’s design is against brute force attacks while OpenVPN uses a dictionary attack. OpenVPN uses the length of the key to keep it safe at all times, but that’s a technical dead end. Because it weighs down the protocol, therefore the server and the VPN connection.
With a 256 bit key, you will need to force about 2256. Even if you find the key solution halfway through, you will still need to test 2255 possibilities. If you have a computer powerful enough, capable of trying 38 million keys per second, knowing that you will need to know the public key of the WireGuard server, you will need 1.52 x 1069 seconds to find the correct key. In comparison, the age of the universe is 4.32 x 1017 seconds. I think we have room …
WireGuard’s approach is elegant, because as long as the computational algorithms behind WireGuard’s protocols are not compromised, then a 256-bit key is sufficient. As long as computers don’t get more powerful, then WireGuard has nothing to fear and this fearlessness is governed by the laws of physics.
More simplified handshaking
In addition to the encryption protocol, we also have Handshaking which is the negotiation when two entities initiate a communication. Basically, when your computer connects to a VPN server, handshaking makes sure that someone doesn’t stick their disgusting sweaty hand in your conversation. With OpenVPN and IPSec and even encryption in general, we use what is called crypto agile.
This consists of combining several calculation algorithms and mathematical problems to secure the exchanges. This is a method that works well because it allows you to regularly change the state of the art of encryption and always find new ways to secure data. But by using several components, we end up with a handshaking which is very heavy.
WireGuard makes an encryption scheme using crypto versionning. If a main WireGuard protocol is knocked out, we’ll just create another protocol with version 2.0. And the VPN providers will be told to upgrade to this second version. On the one hand, it takes the load off the server and on the other hand, it’s much easier to implement rather than piling up layer after layer of patches and ending up with what is commonly referred to as a big bag of shit.
WireGuard is 5-10 times faster
Despite the fact that WireGuard is a fairly new protocol, everyone agrees that it is much faster than OpenVPN. And that speed is crucial in connection failover and kill switches found in many applications. For example, WireGuard on your Smartphone will allow you to switch from the Wifi network to 4G or vice versa in a few milliseconds. At no time will your connection be compromised.
The Kill Switch, invented by Hide My Ass, cuts the internet connection when the VPN connection is not available. This is to prevent your unencrypted connection and your real IP address from being disclosed even for a few minutes. With WireGuard, a VPN server can still have micro-cuts, but it will be much less obvious and reduce the risk to the user.
Does WireGuard pose any privacy concerns?
On security, lightness, speed, WireGuard is vastly superior to the old VPN protocols which are starting to be dated. But there are VPN providers, notably Cactus VPN, that have pointed to issues with WireGuard’s privacy protection. The problem is that WireGuard needs to assign a static IP address (so it doesn’t change) to every user that connects to the server. OpenVPN and all other protocols dynamically assign the IP address.
With a static assignment, the VPN provider will need to create a table, containing static IP addresses for its users along with their connection times. As many VPN companies promote a zero data policy, then this would contradict their practices. However, WireGuard supporters believe that this is a false problem. Because WireGuard is primarily a VPN protocol, its role is to provide a security who is reliable as possible.
Security vs privacy
We confuse security and privacy, but they are two different things. Security is about the encryption algorithms and that your data is not compromised by an attack. Privacy is about an adversary who might get information about you. It is not the role of the protocol, but of the person who implements it. That is, it’s up to VPN providers to setup WireGuard to respect the privacy they promise to their users.
And after a few grimaces, they start doing it. Nordvpn offers what it calls double Network Address Translation (NAT) while Ivpn uses the connection time for each exchange so that information is stored on its servers at a minimum. In fact, he hardly manages to store anything. And each supplier will try to offer their own solution.
VPN providers that support WireGuard
- Mullvad – Mullvad is my favorite among VPN providers. It offers a unique approach to account creation with random ticket generation. This way, you don’t need to provide an email address and it allows you to pay by cryptocurrency. It was one of the first VPN providers to implement WireGuard.
- NordVPN – NordVPN very well known because of its very aggressive marketing strategy. And he implemented WireGuard through his own technology, called NordLynx. It is compatible with most of the clients offered by Nordvpn.
- IVPN – IVPN has also implemented WireGuard, but based on the duration of the exchanges. The storage of information is so minimal that it is unusable.
- Private Internet Access – PIA is also a great VPN provider. It will be remembered that he preferred to leave Russia rather than provide access to its servers to the Russian authorities. But WireGuard is still in beta on Private Internet Access.
- ProtonVPN – Currently ProtonVPN does not yet support WireGuard, however, it is only a matter of time. If you are already with this provider, no need to change. ProtonVPN also contributed to the funding of the WireGuard project.
- VPN.ac – This VPN provider is being talked about a lot because they have a very transparent approach to privacy. It keeps some information, but it is secure to the extent possible. Its implementation of WireGuard is very advanced and available on most of its applications.
- Azire VPN – If there is one VPN provider that could rival Mullvad on an obsession with privacy, it’s AzireVPN. Very transparent, prices as clear as crystal and a good interface overall. Its integration with WireGuard is also very successful.
- VyprVPN – Since version 4.0 of its software, VyprVPN supports Wireguard on all devices. VyprVPN is considered the fastest VPN on the market. It is slightly more expensive than its competitors, but its reliability is exemplary. It is also one of the few to have its own server infrastructure.
- StrongVPN – Not the best VPN when you look at the reviews, but it took WireGuard’s wagon as well. What’s interesting is that while other vendors offer WireGuard as an option that must be enabled manually, StrongVPN offers it as the default protocol. This means that he is confident in his implementation.
The bottom line is that WireGuard has everything to revolutionize the world of VPNs as we know it. On the one hand, we will have irreproachable security and a light configuration that will allow new players to enter this sector. The privacy issues with the storage of IP addresses were resolved fairly quickly by various vendors. OpenVPN has always been a disaster on smartphones and mobile.
In contrast, WireGuard is designed to be versatile whether it’s on a small Raspberry Pi or a monstrous Xeon server. No VPN protocol is perfect and there will always be loopholes. However, WireGuard’s approach makes it easier to fix them. In the old protocols, you tended to fill in a gap today for ten that you discover next week.