WireGuard protocol: everything you need to know
The new WireGuard VPN protocol has made a big splash lately. Major tech and programming personalities like Linus Torvalds, the creator of Linux, have praised it as a “work of art” compared to earlier VPN protocols like OpenVPN and IPSec. An early review from Ars Technica found that it connected and reconnected much faster than other protocols and that its cryptographic choices meant that it was more secure too.
In this article, you’ll learn what the hype is all about—and how WireGuard can help you protect your browsing.
Pros & cons
In a nutshell, WireGuard is a newer protocol, so it has some great advantages and some growing pains. Here are its biggest pros:
- Agility. WireGuard connects and reconnects fast, even when you’re roaming across networks. It stays connected in situations where other VPN protocols would falter. Other VPN protocols sometimes feel brittle or clunky by comparison.
- Security. Compared to other VPN software, WireGuard chooses smart, modern cryptographic primitives with secure defaults. Plus, it’s very small and simple in relation to older protocols, meaning that security researchers can audit it much more easily.
- Speed. WireGuard uses fast cryptography code. Plus, its low-level component lives within the Linux kernel (on servers and Linux desktops), making it faster than userspace VPNs.
- Ease of deployment. Both the client and server parts of WireGuard are really easy to install. You can download ready-to-go client apps for desktops and mobile devices from the platform app store. On the server side, setting up WireGuard is not much harder than configuring SSH, a task that nearly every IT professional is familiar with.
Despite those advantages, WireGuard also suffers from some issues:
- Baked-in support. Even though WireGuard offers client apps for every major platform, it doesn’t work without extra software except on some Linux distros. If you want to use a VPN on a device where you can’t install apps, you’ll need to use a different protocol.
- Obfuscation. The WireGuard project does not seek to build a VPN that counters deep-packet inspection. If, for example, you’re trying to get through the Great Firewall of China, WireGuard by itself won’t do the trick. However, WireGuard’s architecture allows it to support obfuscation tunnels as a layer on top.
What is WireGuard?
WireGuard is a VPN protocol—the way that a client (like your computer or phone) communicates with a VPN server. You might also hear “WireGuard” refer to the app you can run on your devices as well.
It only supports UDP, which has no connection handshake of its own. That's one of the reasons why it's so fast: it can skip the checks that OpenVPN has to perform in TCP mode.
How does WireGuard work?
WireGuard uses modern cryptography and network code to create an encrypted tunnel between two devices. Using some clever strategies, it even works when the client device’s IP address changes. For example, you can switch from mobile data to Wi-Fi without waiting thirty seconds for the VPN to reconnect.
You can read more about WireGuard’s deep technical details on their website.
Is WireGuard secure?
Owing to its use of modern, well-vetted cryptography, WireGuard is one of the safest VPN protocols out there. Without compromising either the VPN server or your client device, an external attacker can’t figure out much about your browsing.
What undoubtedly contributes to its safety is that its code is very streamlined and uses fewer lines of code than, for example, OpenVPN. The less complex the setup, the less prone it is to errors and misconfigurations. All of this adds to your overall safety.
Why is WireGuard important?
Previous VPN protocols were clunky to set up and configure. Even more importantly, IPSec and OpenVPN were huge, poorly-audited codebases that could have contained all sorts of security bugs lurking below the surface. The benefit you’re most likely to notice as an end user is WireGuard’s faster connections and easier roaming.
Is WireGuard better than other protocols?
Yes. Since it uses faster cryptography and runs within the Linux kernel, WireGuard can be faster at transferring data than other protocols. You’re more likely to notice the fact that WireGuard connects faster, however. Here’s how it stacks up against the two other common protocols today:
WireGuard vs. OpenVPN
One test found that WireGuard beat OpenVPN in raw speed by about 15% in normal conditions. When OpenVPN was restricted to its slower TCP mode, WireGuard was 56% faster. While the best-case comparison isn’t a mind-blowing difference, you’ll definitely feel WireGuard’s speed boost, particularly with big downloads.
Both OpenVPN and WireGuard are open-source, have very few vulnerabilities, and will require additional configuration files to set up on most devices. The difference is that WireGuard uses much more advanced cryptographic libraries and is much more efficient.
WireGuard vs. IPSec/IKEv2
IPSec is also a fast, fairly recent protocol. However, WireGuard has two advantages: its cryptographic primitives may be faster, and it’s built into the Linux kernel. One test found that IPSec beat WireGuard in one particular situation, while WireGuard was more consistently fast.
The difference between IKEv2 and WireGuard is that the former will be supported by default on most devices. For WireGuard, you'll need to install additional files. WireGuard does have an edge with its more modern cryptographic libraries. In IKEv2's defense, it isn't very CPU-intensive and will be fast in most use cases.
How to easily configure WireGuard clients
Instead of manually copying certificates and typing details, the WireGuard app on mobile devices lets you just scan a QR code. Your VPN provider or server software can provide you with a QR code to scan. Then, from the WireGuard app, hit the plus sign and choose “Create from QR code”.
VPNs supporting WireGuard
Given its significant advantages for the average end user, many commercial VPN providers have been quick to hop on the WireGuard bandwagon.
As one of the early financial contributors to the WireGuard project, Mullvad supported WireGuard from an early stage. WireGuard is now the preferred method to use Mullvad.
Just like Mullvad, IVPN financially backed WireGuard as well as supporting it in their software. You can easily use the WireGuard protocol from IVPN’s apps without additional software.
The first "big" VPN to adopt WireGuard was NordVPN. They did so by modifying the open-source WireGuard software and creating their own protocol: NordLynx.
Private Internet Access, cryptostorm, and a number of other VPN providers were early backers of WireGuard. As the WireGuard protocol and software matured, more and more commercial VPN providers began to support WireGuard. Search your favorite provider’s website for WireGuard; odds are that the provider already offers it.
Any VPN you create yourself
Of course, if you want to create your own VPN server, you can set it up to support WireGuard out of the box. If you opt to go this route, a big advantage of using WireGuard is that there are far fewer configuration options to tweak for maximum security.
While existing VPN protocols like IPSec and OpenVPN worked just fine for most people, they’re not perfect. Older protocols can be slow, rely on outdated cryptography, and are hard to keep secure. WireGuard turned the world of VPN protocols on its head.
If you’re looking to stay on the cutting edge of technology with a next-generation VPN experience, look no further than WireGuard.
Is WireGuard a VPN?
Not really. WireGuard is a VPN protocol, not a VPN service. Your device can talk to a VPN server using WireGuard, but WireGuard itself does not provide a service you can pay for.
What Port Does WireGuard Use?
WireGuard can use any “high” port (above the ones restricted on modern operating systems), but its default is 51820/UDP.
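For a self-hosted server, the short list of settings mentioned earlier (the listen port, the keys, and each peer's AllowedIPs) can be reviewed mechanically. The Python sketch below is an added example, not code from the WireGuard project or this article; the function names are hypothetical, the config and keys are constructed placeholders, and it assumes the wg-quick style file layout.

```python
import base64
import ipaddress
import re

# Constructed sample: placeholder keys and a made-up server config in wg-quick format.
KEYS = [base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2, 3)]
SAMPLE = f"""[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {KEYS[0]}
[Peer]
PublicKey = {KEYS[1]}
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = {KEYS[2]}
AllowedIPs = 10.8.0.2/32, 0.0.0.0/0
"""
KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # base64 text of a 32-byte key

def parse(text):
    """Return [(section, {key: value})]; [Peer] repeats, so configparser won't do."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return (listen_port, findings) for a server-side config."""
    port, findings, claimed = None, [], set()
    for name, opts in parse(text):
        field = "PrivateKey" if name == "Interface" else "PublicKey"
        label = (name + " " + opts.get("PublicKey", "")[:8]).strip()
        if not KEY_RE.fullmatch(opts.get(field, "")):
            findings.append(f"{label}: {field} missing or malformed")
        if name == "Interface":
            port = int(opts.get("ListenPort", 0)) or None  # UDP port to allow in the firewall
        for item in filter(None, map(str.strip, opts.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{label}: AllowedIPs {net} accepts any source address")
            if net in claimed:
                findings.append(f"{label}: {net} is already assigned to another peer")
            claimed.add(net)
    return port, findings
```

Calling `audit(SAMPLE)` returns the listen port plus two findings for the second peer: the duplicated tunnel address and the catch-all range.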
Is WireGuard Better Than OpenVPN?
Depends on your needs. WireGuard is simpler, faster, and easier to set up than OpenVPN, but some devices don’t work with it yet. For example, if you have an older router that you’re using for a router-based VPN, you might have to stick with OpenVPN.
Is WireGuard multithreaded?
A WireGuard connection is accelerated by multithreading, which means that the protocol can take advantage of multiple CPU cores for enhanced performance.
Is WireGuard safe for Torrenting?
WireGuard is safe for torrenting, but keep in mind that enabling a kill switch and exercising general caution are as important as your choice of tunneling protocol.