Skip to main content

What is WireGuard?

What is WireGuard?
(Image credit: WireGuard)

The key goal of any VPN is to create a secure encrypted tunnel for all your internet traffic, shielding it from hackers and others - like your ISP - that want to take a peek.

VPN providers can choose from many protocols - OpenVPN, IKEv2, L2TP, SSTP, more -to create and manage the encrypted tunnel, each with their advantages and disadvantages. 

OpenVPN is the most popular option, but its original design dates back to 2001, and much has changed in our internet technology and use in the last 20 years. 

WireGuard is a more recent entry into the world of VPN protocols and it's already gained acceptance across the cybersecurity sphere. In this article, we're taking a closer look at WireGuard, its major pluses, and one or two potential down sides.

A lighter VPN protocol...

WireGuard's developer, security researcher Jason A. Donenfeld, began work on the protocol in 2016. Originally developed for Linux, it's now also available on Windows, Mac, Android and iOS.

One major advantage of WireGuard is its simplicity. While OpenVPN and IKEv2 require hundreds of thousands of lines of code, WireGuard works with under 5,000 (opens in new tab), and that has all kinds of benefits. 

Fewer bugs and security vulnerabilities, for instance. Reduced CPU usage. Faster connection times. And it's much better suited for routers and mobile devices that don't have desktop levels of computing power.

Cryptography is another highlight, with WireGuard using state-of-the-art protocols such as Curve25519, ChaCha20, Poly1305 and BLAKE2.

Low-level but important benefits include the ability to run inside the Linux kernel, the guts of the OS which does all the low-level heavy lifting. OpenVPN runs outside the kernel, so Linux must do extra work (a 'context switch', technically speaking) to help OpenVPN work with the system, every time it sends or receives packets. WireGuard lives inside the kernel, with no need for context switching, potentially delivering a big performance boost. 

How big? In August 2021 Donenfeld reported (opens in new tab) a wifi speed increase from 95Mbps to 600Mbps with a new kernel-friendly Windows beta, though it's not yet clear how typical that might be.

StrongVPN supports the WireGuard protocol

(Image credit: StrongVPN)

...but it's not perfect

With these obvious advantages, it's no surprise that WireGuard is now widely supported in the VPN world. Surfshark, Private Internet Access, VyprVPN, StrongVPN, TorGuard and others include it in their apps, and NordVPN used WireGuard as the basis for its NordLynx protocol.

The technology isn't supported by everyone, though, and there are several issues for VPN providers to solve before they can make it work.

WireGuard doesn't have a way to allocate dynamic IP addresses, for instance. This means in theory that your VPN IP address could be the same every time you connect, perhaps allowing you to be tracked online.

WireGuard doesn't automatically delete your IP address when you disconnect, either. It might stay in memory for who-knows-how-long after the session has ended. OpenVPN and other protocols work harder to protect your privacy by deleting IPs when they're no longer needed, reducing the opportunity for your address to be logged.

There's also no support for forward secrecy, a system where VPN data is encrypted using a new private key every session. WireGuard uses the same key by default, which means if a hacker gets into the server and can steal your key, he may also be able to decrypt your traffic.

Don't panic, though

Although WireGuard has privacy concerns, they're not bugs or issues with the design. The whole point of the protocol is to keep things simple and throw away a lot of the complexity, and these are some of the features that got left out.

These concerns don't mean connecting using WireGuard is less secure than OpenVPN, either, because the top VPNs have created their own app and server-based solutions.

IVPN has come up with its own way to assign dynamic IP addresses and give you a new private key, for instance. And it fixes the 'stores IP addresses forever' issue by detecting when nothing's happened on the connection for three minutes, then deleting and reconfiguring your connection. (Read more on IVPN's WireGuard knowledgebase article (opens in new tab).)

The end result means WireGuard offers the best of all worlds, with both leading-edge performance and all the privacy features you'd expect.

The extra work for providers means it's not going to be easy for everyone to implement WireGuard, though, and beware: smaller VPNs may never support it at all.

Mike Williams
Mike Williams

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.