WireGuard VPN: Tutorial About WireGuard
Because network traffic is at high risk of being sniffed by attackers, companies with one or more branch offices need to transfer their private and mission-critical data securely between those remote networks and the main corporate network. Remote work has also become common practice and is deemed necessary for most organizations around the world following the COVID-19 pandemic; however, it carries significant risks too, since remote users may expose company networks and systems to cyber threats such as malware and cybercriminals.
To transfer data securely between remote sites or users and the data center, an encrypted tunnel is created by deploying a virtual private network (VPN) solution on the network infrastructure. The following VPN protocols are commonly used:
- IKEv2/IPsec and L2TP/IPsec
IPsec and OpenVPN are the most common VPN protocols used in cybersecurity. Although both are secure, reliable, stable, and reputable VPN solutions, a fairly new VPN protocol, WireGuard, is already revolutionizing the VPN industry.
In this tutorial, we will cover the following information about WireGuard:
- What is WireGuard?
- How does WireGuard work?
- Is WireGuard Safe?
- Advantages and disadvantages of WireGuard VPN
- Privacy problems of WireGuard and solutions
- Installation of WireGuard on different platforms
What is WireGuard?
If you are looking for a very simple but fast and modern virtual private network (VPN) solution that employs cutting-edge cryptography, WireGuard is a strong candidate. WireGuard is an open-source project designed by Jason Donenfeld in 2016 with the aims of high-speed performance, a low attack surface, and ease of use. Donenfeld started implementing WireGuard as a replacement for IPsec and OpenVPN, and today he is not far from those goals: it can be considered the fastest, simplest, easiest to configure, maintain and audit, and most secure VPN protocol in the cybersecurity world. Linus Torvalds, the creator of the Linux kernel, praised WireGuard, calling it a 'work of art' in comparison to OpenVPN and IPsec.
It was originally designed for the Linux kernel, but it is widely deployable now and you can run it on many popular platforms such as Windows, BSD, macOS, iOS, and Android. WireGuard has been included in Linux by default since kernel version 5.6, released on March 29, 2020, which is also considered the first stable release of WireGuard. The kernel components are released under the GPLv2; other projects are licensed under Apache 2.0, MIT, BSD or GPL.
How does WireGuard work?
WireGuard enables the implementation of a virtual private network that is both simple and effective; it was designed from the start to make the tunnel more secure and easier to manage.
WireGuard (a registered trademark of Jason Donenfeld) was implemented with the following goals:
- Keep it short and simple so that auditing and reviewing the code for security flaws is simple. WireGuard contains fewer than 4,000 lines of code (excluding cryptographic primitives).
- Be extremely fast, so that it can compete with IPsec in terms of performance.
- Avoid allocations and other resource-intensive operations in response to incoming packets.
- Integrate with existing kernel infrastructure and userland expectations, tools, and APIs as natively and smoothly as possible.
- Be able to be built as an external kernel module without requiring any modifications to the core Linux kernel.
To achieve these objectives, WireGuard implements the following capabilities and features:
- WireGuard is a Layer 3 secure network tunnel that works with both IPv4 and IPv6 protocols. It supports the v4-in-v6 encapsulation and vice versa.
- It is a UDP-based service, which is one of the primary reasons for its speed, and it consumes network bandwidth more efficiently than other VPN protocols.
- It is implemented as a kernel virtual network interface for Linux.
- It is based on modern, conservative cryptographic principles. The protocols and primitives listed below are used:
  - ChaCha20 for symmetric encryption
  - BLAKE2s for hashing and keyed hashing
  - SipHash24 for hashtable keys
  - HKDF for key derivation
- Its authentication model is similar to the one used by OpenSSH: short pre-shared static keys (Curve25519 points) are used for mutual authentication.
- The following topologies may be implemented by using WireGuard:
The following VPN applications and providers support the WireGuard protocol:
- NordVPN via NordLynx
- Mozilla VPN
- Private Internet Access
You can read more about WireGuard's deep technical details on their website.
Is WireGuard safe?
One of the main goals of WireGuard's developers is to gain speed without causing any security vulnerabilities. WireGuard employs cutting-edge encryption protocols, making it potentially more secure than older VPN protocols.
WireGuard's design also lends itself to secure coding patterns in practice. Some aspects of WireGuard grew out of an earlier kernel rootkit project: it runs in stealth mode with a minimal attack surface and does not respond to any unauthenticated packets. Because WireGuard only responds to packets with correct cryptographic authentication, scanners and service discovery are hampered, and when the peers have no data to exchange, both of them go silent. It also has a novel cookie mechanism to reduce DoS risks.
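The "silence" property and the cookie mechanism described above can be modelled in a few dozen lines. The Python below is an added illustration written for this article, not WireGuard's own code: it reproduces the published layout of the 148-byte handshake initiation and the two BLAKE2s MACs that guard it (mac1 keyed by the responder's public key, mac2 keyed by a cookie bound to the sender's source address), but fills the Noise handshake fields with random bytes, uses random 32-byte stand-ins for the Curve25519 public keys, and returns the cookie in the clear rather than encrypting it as the real cookie reply does. The Responder class, build_initiation and demo are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import secrets

# Constants from the published WireGuard protocol description.
LABEL_MAC1 = b"mac1----"       # mixed into the key for the first MAC of every handshake message
INITIATION_LEN = 148           # a handshake initiation is always exactly 148 bytes on the wire
MSG_INITIATION = 1             # first byte: message type, followed by three reserved zero bytes


def blake2s_hash(data: bytes) -> bytes:
    """HASH(): 32-byte BLAKE2s, as used by the WireGuard protocol."""
    return hashlib.blake2s(data, digest_size=32).digest()


def blake2s_mac(key: bytes, data: bytes) -> bytes:
    """MAC(key, data): 16-byte keyed BLAKE2s, as used for mac1, mac2 and cookies."""
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


class Responder:
    """Models only the MAC gate in front of a WireGuard responder (a simulation, not the kernel code)."""

    def __init__(self, static_public_key: bytes, under_load: bool = False):
        # The mac1 key is derived from the responder's own static public key, so a sender that does
        # not know that key cannot produce a packet the responder will even look at.
        self.mac1_key = blake2s_hash(LABEL_MAC1 + static_public_key)
        # Secret used to mint cookies; real WireGuard rotates it every two minutes.
        self.cookie_secret = secrets.token_bytes(32)
        self.under_load = under_load

    def cookie_for(self, source: bytes) -> bytes:
        """Cookie bound to the sender's source IP and port, proving the sender is reachable there."""
        return blake2s_mac(self.cookie_secret, source)

    def handle_initiation(self, msg: bytes, source: bytes):
        """Return what the responder would send back, or None for a silent drop."""
        # Length and type checks: anything else is discarded without a reply.
        if len(msg) != INITIATION_LEN or msg[0] != MSG_INITIATION or msg[1:4] != b"\x00\x00\x00":
            return None
        # mac1 covers everything before the mac1 field itself (bytes 0..115).
        if not hmac.compare_digest(msg[116:132], blake2s_mac(self.mac1_key, msg[:116])):
            return None                      # unauthenticated packet: stay silent
        if self.under_load:
            # Under load, also require mac2 (over bytes 0..131) keyed with the cookie for this source.
            expected_mac2 = blake2s_mac(self.cookie_for(source), msg[:132])
            if not hmac.compare_digest(msg[132:148], expected_mac2):
                # Cheap reply: hand out a cookie instead of doing the expensive handshake work.
                # (Real WireGuard encrypts the cookie with XChaCha20-Poly1305; omitted here.)
                return ("cookie_reply", self.cookie_for(source))
        # Only now would the responder spend CPU on the Noise handshake.
        return ("handshake_response", msg[4:8])   # the sender index is echoed back, as in the real response


def build_initiation(responder_public_key: bytes, sender_index: int, cookie: bytes = None) -> bytes:
    """Constructed initiation: real field layout and MACs, but the Noise handshake fields are random filler."""
    body = bytes([MSG_INITIATION, 0, 0, 0]) + sender_index.to_bytes(4, "little")
    body += secrets.token_bytes(32 + 48 + 28)    # ephemeral key, encrypted static key, encrypted timestamp
    mac1 = blake2s_mac(blake2s_hash(LABEL_MAC1 + responder_public_key), body)
    mac2 = blake2s_mac(cookie, body + mac1) if cookie else bytes(16)   # all zeros when no cookie is held
    return body + mac1 + mac2


def demo() -> dict:
    """Run the scenarios from the text and return each outcome (None means the responder stayed silent)."""
    server_key = secrets.token_bytes(32)         # constructed stand-in for a Curve25519 public key
    other_key = secrets.token_bytes(32)          # some other server's key
    src = b"203.0.113.7:51820"                   # constructed source IP:port of the initiator
    quiet = Responder(server_key)
    busy = Responder(server_key, under_load=True)

    outcome = {}
    outcome["valid"] = quiet.handle_initiation(build_initiation(server_key, 1), src)
    outcome["garbage"] = quiet.handle_initiation(secrets.token_bytes(INITIATION_LEN), src)
    outcome["wrong_peer"] = quiet.handle_initiation(build_initiation(other_key, 2), src)
    first = busy.handle_initiation(build_initiation(server_key, 3), src)
    outcome["under_load_no_cookie"] = first
    cookie = first[1] if first else None
    outcome["under_load_with_cookie"] = busy.handle_initiation(build_initiation(server_key, 3, cookie), src)
    return {name: (reply[0] if reply else None) for name, reply in outcome.items()}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24s} -> {result}")
```

The point to take from the simulation is that a probe from someone who does not hold the server's public key never gets past the mac1 check, so the server produces no reply at all; and under load the only thing a first-time sender receives is a cookie, which costs the server one keyed hash rather than a Diffie-Hellman computation.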
WireGuard is also a simplified VPN protocol: it has only about 4,000 lines of code, far less than other VPN protocols. For comparison, IPsec has 419,792 lines of code. The smaller the code base, the more secure the application, since compact code allows easy and regular auditing and development, which leads to fewer vulnerabilities.
As explained above, WireGuard is a highly secure protocol, but it is not designed with privacy in mind. WireGuard's most serious privacy flaw is the way it assigns IP addresses: instead of assigning a different IP address to the user each time, it gives the same IP address every time. This allocation mechanism is part of what makes WireGuard fast, but it means the VPN server must keep track of the user's real IP addresses and connection timestamps. Anyone who has access to the logs can view who accessed the VPN server and when.
Despite the privacy concerns, some VPN providers, including NordVPN, IVPN, and Mullvad, have mitigated the risks of WireGuard by combining it with custom security features.
What Are the Benefits of WireGuard VPN?
WireGuard VPN provides its users with many advantages that make it very attractive in the cybersecurity industry. In this section, we will cover the following benefits of WireGuard:
- WireGuard is Simple
- WireGuard is Lighter
- Updated Encryption
- WireGuard is Fast
- Works Well Across All Major Platforms
1. WireGuard is Simple
One of the main advantages of WireGuard is its simplicity. It is easy to install, configure, and maintain; in short, it simplifies administering virtual private networks. The following features of WireGuard are examples of its simplicity:
- WireGuard uses a simple standard interface that is managed like an ordinary network interface, so it is created, addressed, routed and firewalled with the same tools as any other interface. Here is a sample configuration:
# ip link add wg0 type wireguard
# ip address add 172.16.10.1/24 dev wg0
# ip link set wg0 up
# ip route add default dev wg0
# ifconfig wg0
# iptables -A INPUT -i wg0 -j ACCEPT
- While the WireGuard interface can exist in one namespace, the physical interface can live in another.
- Everything that normally builds on top of network interfaces, such as eth0, can also be built on top of a WireGuard interface.
- The administrator can say with certainty where a packet is coming from. If the packet arrives on the WireGuard interface with Adam's tunnel IP address as its source IP, then it definitely comes from Adam's device.
- WireGuard appears stateless to the user. The administrator sets up an interface, configures its peers, and then the tunnel just works. Everything else, such as session state and connections, is invisible to administrators.
- If WireGuard is not configured correctly, most of the time it will not work at all, rather than running insecurely.
- WireGuard, like SSH, uses identities that are simply static public keys.
- WireGuard works with iptables rules which are plain and clear.
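The "where does this packet come from" guarantee in the list above rests on what WireGuard calls cryptokey routing: each peer's static public key is bound to the list of AllowedIPs it may use. The following Python is an added, simplified model written for this article (not the kernel implementation) that shows both directions of the lookup: an outgoing packet is encrypted to the peer whose AllowedIPs entry most specifically matches the destination, and a packet that decrypted under a peer's key is accepted only if its source address belongs to that same peer. The peer names, placeholder key strings and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    public_key: str          # the peer's identity: its static public key (placeholder strings below)
    allowed_ips: list        # networks this key is routed for (outbound) and may use as source (inbound)


class CryptokeyRouter:
    """Toy model of WireGuard's cryptokey routing table (an illustration, not the kernel implementation)."""

    def __init__(self):
        self.peers = []

    def add_peer(self, public_key: str, *allowed_ips: str) -> None:
        self.peers.append(Peer(public_key, [ipaddress.ip_network(a) for a in allowed_ips]))

    def _longest_match(self, address: str):
        """Return (peer, network) for the most specific AllowedIPs entry containing the address."""
        ip = ipaddress.ip_address(address)
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if ip.version == net.version and ip in net:
                    if best is None or net.prefixlen > best[1].prefixlen:
                        best = (peer, net)
        return best

    def outbound_peer(self, dst: str):
        """Outgoing packet: encrypt to the peer whose AllowedIPs contains the destination, else drop."""
        match = self._longest_match(dst)
        return match[0].public_key if match else None

    def accept_inbound(self, sender_public_key: str, src: str) -> bool:
        """Packet that decrypted under sender_public_key: accept only if its source IP maps to that peer.

        The same table is consulted, so a peer cannot claim an address that is bound to someone else,
        even if its own entry is a broad prefix such as 0.0.0.0/0."""
        match = self._longest_match(src)
        return match is not None and match[0].public_key == sender_public_key


def build_example_table() -> CryptokeyRouter:
    """Constructed table: two road-warrior peers and one peer acting as the default gateway."""
    table = CryptokeyRouter()
    table.add_peer("ADAM_PUBLIC_KEY_PLACEHOLDER", "10.0.0.2/32")
    table.add_peer("BETH_PUBLIC_KEY_PLACEHOLDER", "10.0.0.3/32", "192.168.5.0/24", "fd00:5::/64")
    table.add_peer("GATEWAY_PUBLIC_KEY_PLACEHOLDER", "0.0.0.0/0")
    return table


if __name__ == "__main__":
    table = build_example_table()
    print("to 10.0.0.3   ->", table.outbound_peer("10.0.0.3"))
    print("to 8.8.8.8    ->", table.outbound_peer("8.8.8.8"))
    print("Adam claims 10.0.0.2 ->", table.accept_inbound("ADAM_PUBLIC_KEY_PLACEHOLDER", "10.0.0.2"))
    print("Adam claims 10.0.0.3 ->", table.accept_inbound("ADAM_PUBLIC_KEY_PLACEHOLDER", "10.0.0.3"))
```

The inbound check is what lets firewall rules on wg0 be as plain as the text says: a rule that matches on a tunnel source address is effectively a rule on the sender's key, because a decrypted packet with any other source is dropped before it reaches iptables.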
2. WireGuard is Lighter
WireGuard has a smaller code base which is less than 4,000 lines of code. It is easily implemented with basic data structures.
Figure 1. Lines of Code comparison for VPN protocols
Being a lightweight protocol gains an edge for WireGuard over its competitors. Because it has much less code than other VPN solutions, it has the following benefits:
- it is faster and more secure (much smaller attack surface) than other VPN protocols
- it is also suitable for embedded devices with limited computing power, such as routers and mobile devices
- its codebase is easily and quickly auditable. Easier to audit means easier to find vulnerabilities
- it can be easily maintained and integrated with other applications
- it consumes fewer CPU resources than other VPN solutions. That means longer battery life and less lag when using other applications on mobile devices.
3. Updated Encryption
To protect user data, WireGuard employs cutting-edge cryptographic techniques such as:
- Poly1305 for data authentication
- Curve25519 for key exchange
- SipHash24 for hash keys
- HKDF for key derivation
- the Noise protocol framework
Some advantages of the cryptographic methods used by WireGuard are listed below:
- ChaCha20 with Poly1305 outperforms AES on embedded devices that don't have cryptographic hardware acceleration.
- BLAKE2s is faster than SHA-3.
Security researchers from academia and industry have reviewed WireGuard, covering the protocol, its cryptography, and its implementation, and the protocol has been formally verified, confirming that it makes conservative and reasonable choices. This means there is a security proof of the WireGuard protocol. It has been proven to have the following security properties:
- Strong key agreement and authenticity
- Key-compromise impersonation resistance
- Unknown key-share attack resistance
WireGuard keeps its cryptographic techniques up to date: if a serious security flaw is detected in one of the cryptographic primitives it uses, a new version of the protocol is released.
You can learn more about WireGuard's modern cryptography on the official website or in the technical white paper.
4. WireGuard is Fast
The biggest advantage of the WireGuard protocol is that it provides extremely fast VPN connections that connect almost instantly. Since it operates exclusively in kernel space, it does not need to copy packets twice between user space and kernel space. As a result, it is much faster than other VPN solutions which live in userspace and use a virtual network interface driver.
Another factor that boosts the WireGuard's performance is that it uses ChaCha20 with Poly1305 which is extremely fast on nearly all hardware. ChaCha20 can be implemented efficiently on nearly all general-purpose processors.
Also, as covered above, WireGuard has a simple design which means that it has less overhead than its competitors. Having less overhead provides it better performance.
There are many WireGuard benchmarks on the internet. WireGuard's official website shares benchmarks that show WireGuard has four times better throughput and ping response time than OpenVPN and better speeds than IPsec protocols on the same hardware.
Figure 2. Comparison of WireGuard with other VPN protocols
WireGuard provides you not only high throughput and less ping response time but also quick handshake which means high connection and reconnection speeds. Therefore, on mobile phones switching from mobile data to Wi-Fi or vice versa does not make a significant disruption to WireGuard users.
Non-Linux WireGuard implementations such as Windows, Android, and macOS, on the other hand, run in userspace and do not benefit from the same performance as the kernel implementation. Nonetheless, they match or outperform OpenVPN in the majority of cases.
5. WireGuard Works Well Across All Major Platforms
It was originally designed for the Linux kernel, but it is widely deployable now and you can run it on many popular platforms such as Windows, BSD, macOS, iOS, and Android.
Because WireGuard has a simple design, it can be easily independently verified and reimplemented on a wide range of platforms. The cryptographic constructions and primitives used ensure high speed in a wide range of devices, from data center servers to cell phones, as well as long-term security properties. For example, ChaCha20 with Poly1305 used by WireGuard can be implemented efficiently on nearly all general-purpose processors.
What Are the Disadvantages of WireGuard VPN?
Although WireGuard possesses many important benefits, there are certain drawbacks that should not be ignored. Before deciding on using the WireGuard protocol in your network infrastructure, it is advised to examine the disadvantages of WireGuard listed below:
1. Privacy Concerns
The main drawback of the WireGuard protocol is that it was not built for anonymity and privacy. Its privacy is questioned primarily because it requires the server to log user data: instead of assigning a different IP address to the user each time, it gives the same IP address every time, and this allocation mechanism forces the VPN server to keep track of the user's real IP addresses and connection timestamps. These user IP addresses are stored on the server indefinitely, or until the server is rebooted. Anyone who has access to the logs can view who accessed the VPN server and when, which is a violation of the VPN provider's privacy policies. Therefore, VPNs that offer WireGuard solve this problem in their own software, and some VPN services have stated that they will not use WireGuard until the issue is resolved.
2. Protocol Support
Some users may be skeptical because WireGuard does not use the internet's gold standard of encryption, AES-256, and instead employs a component of encryption they regard as untested, ChaCha20.
Another disadvantage of the WireGuard protocol is that it is often blocked by network administrators. This is due to the fact that it currently only supports UDP; running over the HTTPS port, TCP 443, is not supported either.
3. Stability Issues
The WireGuard protocol is currently experiencing a number of stability difficulties, which can affect either speed or security. Because WireGuard is still in a trial phase, such issues are typical, and they will usually be corrected when the development stage is completed.
What Are The WireGuard Privacy Problems and Solutions?
WireGuard has some inherent flaws that, if not addressed properly, can jeopardize user privacy.
As explained above, WireGuard does not allocate a dynamic IP address to the VPN user, and it stores user IP addresses on the VPN server indefinitely, until the server reboots. So there is no anonymity or privacy in WireGuard itself. Before using the WireGuard VPN protocol, make sure to investigate how your VPN provider protects user privacy in its WireGuard implementation.
Fortunately, some VPN providers that provide WireGuard have developed their own systems to circumvent this privacy flaw. They offer their own modified versions of WireGuard that work around the IP address issue and do not keep user logs.
The following WireGuard providers solve its privacy problem:
Solutions for keeping user IP addresses
NordVPN developed its own WireGuard implementation, called NordLynx. NordLynx uses a double-NAT system for privacy.
"The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active. Meanwhile, user authentication is done with the help of a secure external database." -
Mullvad and OVPN have practical solutions available right now as well. To address the WireGuard privacy issue, they delete unnecessary records: the records that map IP addresses to encryption keys are erased once the session between the VPN client and server has been inactive for three minutes. Storing data only for as long as necessary, and as little of it as possible, significantly reduces the risk of personal data being revealed.
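The record-minimisation approach described above (dropping the key-to-address mapping once a session has been idle for three minutes) can be automated on a WireGuard server. The Python below is an added example written for this article, not Mullvad's or OVPN's software: it parses the output format of `wg show wg0 latest-handshakes` (public key, a tab, and the Unix time of the last handshake, or 0 if there has been none) from a constructed sample with placeholder keys, selects the peers that have been idle longer than the limit, and returns the `wg set wg0 peer <key> remove` commands an operator would run to drop them. IDLE_LIMIT_SECONDS, parse_latest_handshakes, idle_peers and removal_commands are names chosen here.

```python
from typing import Dict, List

IDLE_LIMIT_SECONDS = 180   # three minutes, the retention the text describes for Mullvad and OVPN

# Constructed sample of `wg show wg0 latest-handshakes` output: one peer per line,
# "<base64 public key><TAB><unix time of last handshake>", where 0 means "never".
# The keys are placeholders, not real 44-character base64 WireGuard keys.
SAMPLE_HANDSHAKES = (
    "PEER_A_PLACEHOLDER_KEY=\t1700000100\n"
    "PEER_B_PLACEHOLDER_KEY=\t1700000290\n"
    "PEER_C_PLACEHOLDER_KEY=\t0\n"
    "PEER_D_PLACEHOLDER_KEY=\t1699999000\n"
)


def parse_latest_handshakes(text: str) -> Dict[str, int]:
    """Map each peer's public key to the Unix time of its latest handshake (0 = never)."""
    handshakes: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, timestamp = line.split("\t", 1)
        handshakes[key] = int(timestamp)
    return handshakes


def idle_peers(handshakes: Dict[str, int], now: int, limit: int = IDLE_LIMIT_SECONDS) -> List[str]:
    """Peers whose latest handshake is older than the limit.

    WireGuard re-handshakes periodically while a peer is sending, so a stale timestamp is a usable
    idleness signal. Peers that never completed a handshake (timestamp 0) are left alone here, because
    the output gives no way to tell how long they have been configured."""
    return sorted(key for key, ts in handshakes.items() if ts != 0 and now - ts > limit)


def removal_commands(handshakes: Dict[str, int], now: int, interface: str = "wg0") -> List[str]:
    """Build, but do not execute, the wg(8) commands that drop each idle peer's key-to-address mapping."""
    return [f"wg set {interface} peer {key} remove" for key in idle_peers(handshakes, now)]


if __name__ == "__main__":
    now = 1700000300   # constructed "current time" for the sample above
    for command in removal_commands(parse_latest_handshakes(SAMPLE_HANDSHAKES), now):
        print(command)
```

In a real deployment the same functions would be fed the live output of `wg show wg0 latest-handshakes` from a periodic job and the returned commands executed; removing a peer deletes its AllowedIPs entry from the kernel, so nothing on the server continues to tie that key to an address, and the peer is simply re-added the next time it authenticates to the provider's control plane.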
Solution for Static IP Problem
Assigning a static IP address to each device, even internally, is not ideal: if a user experiences a WebRTC leak, that static internal IP address could be exposed to the outside world. The static IP assignment method also quickly becomes complex in very large networks.
Both Mullvad and OVPN have devised methods for managing IP addresses and securely generating keys. They allow you to regenerate keys and, as a result, IP addresses are rotated. This helps to mitigate this issue.
Since WireGuard is based on statically assigned IP addresses, a WebRTC leak can reveal your internal or external IP address. This is not a problem with your VPN service but with your web browser, so it is strongly recommended that you disable or block WebRTC in the browser. To protect yourself from WebRTC leaks, you may also use a secure and private browser that limits data exposure. A list of secure and private browsers is given below:
- Firefox: Unlike Chromium-based browsers, Firefox lets you simply disable WebRTC.
- Brave: Brave is a Chromium-based browser that is fast, secure, and privacy-focused by default.
- Tor: The Tor browser is a hardened version of Firefox that is set up to operate on the Tor network.
- Bromite: Bromite is a Chromium-based browser for Android only. It includes some excellent features by default, such as ad-blocking and various privacy enhancements.
What's the Difference Between WireGuard and OpenVPN?
OpenVPN is an open-source VPN protocol that creates secure site-to-site or point-to-point connections. James Yonan first published it in 2001, and it is now one of the most extensively used VPN protocols among VPN users.
The main differences between WireGuard and OpenVPN will be discussed briefly below.
First of all, OpenVPN is more widely compatible than WireGuard. It supports not only common platforms, such as Windows, Linux, macOS, Android, and iOS, but also less common platforms like Solaris, ChromeOS, and QNX. WireGuard, on the other hand, can be used on the most common desktop and server platforms, such as Linux, FreeBSD, and Windows, and on mobile devices running Android and iOS. Both are supported by the most popular VPN service providers: the fastest VPN provider that uses WireGuard is NordVPN, while ProtonVPN is one of the fast VPN services that support OpenVPN. In summary, WireGuard is currently supported by fewer VPN service providers and on fewer devices than OpenVPN.
Secondly, WireGuard provides a more secure VPN service than OpenVPN by using more modern and up-to-date encryption techniques. While WireGuard supports ChaCha20, BLAKE2s, Curve25519, and SipHash24, OpenVPN uses outdated RSA and AES encryption. OpenVPN employs certificates for authentication and encryption, whereas WireGuard uses public-key cryptography for those duties; secure key generation and administration are performed in the background, with the option to pre-share a key for added security. WireGuard also has less code than OpenVPN, so its attack surface is smaller. However, neither of them has any known security vulnerabilities.
Another important difference is that WireGuard is faster than OpenVPN and has higher performance.
OpenVPN is better than WireGuard in terms of privacy, because WireGuard may cause privacy problems. While OpenVPN doesn't keep any personal information, WireGuard stores data such as IP addresses on the VPN server until it reboots. This poses a privacy concern, since if the server is compromised in any way, users' IP addresses will be disclosed, revealing their online activities.
WireGuard is easier to use, more user-friendly, easier to audit, and has fewer lines of code. OpenVPN's code, by contrast, is sophisticated, with hundreds of thousands of lines, so dealing with it takes a long time and requires real skill.
OpenVPN offers TCP connections, but WireGuard does not. OpenVPN can readily be set up to use either UDP or TCP on any port, such as 443, to bypass firewall restrictions. OpenVPN is therefore better at protecting users from censorship, since WireGuard can only be used with UDP (User Datagram Protocol) rather than TCP.
Finally, when roaming across networks, WireGuard is more stable than OpenVPN. WireGuard clients can switch networks without losing the connection. However, over unreliable networks where packet loss and congestion are widespread, OpenVPN is very steady and quick. It provides a TCP mode for very unstable connections, but due to the inefficiencies of encapsulating TCP within TCP, this option sacrifices significant performance.
The table below shows which protocol comes out ahead in each category.
Table 1. WireGuard vs OpenVPN
How to Install WireGuard?
To learn how to install a WireGuard server on Linux, see the peer-to-peer WireGuard VPN installation tutorial.