WireGuard has made the VPN industry stand up and take notice. This fast, secure and low-footprint open-source protocol uses modern cryptography and is serious competition for the likes of IPsec and OpenVPN. From the user's point of view, what benefits can they expect from WireGuard, and which of the claims about it circulating in the media and elsewhere are myths?
About the author
Tomislav Čohar is the founder of hide.me VPN.
WireGuard's use of modern, efficient cryptographic primitives makes it a very fast protocol that does not sacrifice security. On Linux it runs inside the kernel, so packets are encrypted and forwarded without the copies and context switches between kernel and userspace that a userspace VPN daemon incurs; this removes much of the latency associated with other VPN protocols (on other platforms a userspace implementation, wireguard-go, is used). Because WireGuard is much newer than OpenVPN, it was built from the ground up on a fixed, modern set of primitives: ChaCha20 with Poly1305 for authenticated encryption, Curve25519 for key exchange, BLAKE2s for hashing, SipHash24 for hashtable keys and HKDF for key derivation.
WireGuard also has a much smaller footprint. Unlike OpenVPN and IPsec, it was designed to be as lightweight as possible, and the original Linux implementation is only a few thousand lines of code. That smaller attack surface makes auditing the code a far simpler and more efficient job. It also has built-in roaming: a client can switch from Wi-Fi to 4G LTE while connected, and the tunnel carries on as soon as the server sees an authenticated packet from the new address.
WireGuard also uses the network more efficiently than other protocols. Each transport packet carries a 16-byte header (message type, receiver index and a 64-bit counter) plus a 16-byte Poly1305 authentication tag, 32 bytes of overhead before the outer UDP/IP headers, with the inner packet padded to a multiple of 16 bytes before encryption. Other protocols spend considerably more on their signalling. That leaves more of each packet for your data and, in turn, gives higher throughput.
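To make the 32-byte figure concrete, the following is an added example written for this page (not code from the WireGuard project): it frames and parses a transport data message according to the field layout in the WireGuard whitepaper, computes the on-wire size including the 16-byte padding, and implements the sliding-window replay check a receiver must run on the counter, since that counter is also the AEAD nonce and must never be accepted twice. The packet bytes in the test are constructed, not captured traffic.

```python
import struct

# Layout of a WireGuard transport data message (message type 4) as given in the
# WireGuard whitepaper; all integers are little-endian. Added example for this
# page, not code from the WireGuard project.
MSG_TRANSPORT_DATA = 4
HEADER = struct.Struct("<B3sIQ")   # type, 3 reserved bytes, receiver index, 64-bit counter
HEADER_LEN = HEADER.size           # 16 bytes
TAG_LEN = 16                       # Poly1305 tag appended by ChaCha20-Poly1305
OVERHEAD = HEADER_LEN + TAG_LEN    # 32 bytes per packet before the outer UDP/IP headers


def padded_len(inner_len):
    """The inner IP packet is zero-padded to a multiple of 16 before encryption."""
    return (inner_len + 15) // 16 * 16


def wire_size(inner_len):
    """WireGuard bytes on the wire for an inner packet of inner_len bytes (0 = keepalive)."""
    return HEADER_LEN + padded_len(inner_len) + TAG_LEN


def build_transport_message(receiver_index, counter, sealed_payload):
    """Frame an already-encrypted payload (ciphertext of the padded packet + 16-byte tag)."""
    if (len(sealed_payload) - TAG_LEN) % 16 != 0:
        raise ValueError("sealed payload must be padded ciphertext plus a 16-byte tag")
    return HEADER.pack(MSG_TRANSPORT_DATA, b"\x00\x00\x00", receiver_index, counter) + sealed_payload


def parse_transport_message(packet):
    """Split a transport data message into its fields; raises ValueError on malformed input."""
    if len(packet) < OVERHEAD:
        raise ValueError("shorter than the 32-byte minimum (a keepalive)")
    msg_type, reserved, receiver, counter = HEADER.unpack_from(packet, 0)
    if msg_type != MSG_TRANSPORT_DATA:
        raise ValueError("not a transport data message: type %d" % msg_type)
    if reserved != b"\x00\x00\x00":
        raise ValueError("reserved bytes must be zero")
    body = packet[HEADER_LEN:]
    if (len(body) - TAG_LEN) % 16 != 0:
        raise ValueError("encrypted payload is not a multiple of 16 bytes")
    return {
        "receiver": receiver,
        "counter": counter,
        "ciphertext": body[:-TAG_LEN],
        "tag": body[-TAG_LEN:],
        "overhead": len(packet) - (len(body) - TAG_LEN),
    }


class ReplayWindow:
    """Sliding-window anti-replay check on the 64-bit counter, which is also the AEAD nonce.
    A counter is accepted once; anything older than the window or already seen is rejected."""

    def __init__(self, size=2048):
        self.size = size
        self.highest = -1
        self.seen = 0          # bit i set => counter (highest - i) was already accepted

    def accept(self, counter):
        if counter > self.highest:
            shift = counter - self.highest
            if shift >= self.size:
                self.seen = 1                      # everything in the old window is now too old
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = counter
            return True
        offset = self.highest - counter
        if offset >= self.size or (self.seen >> offset) & 1:
            return False   # too old, or a replay
        self.seen |= 1 << offset
        return True
```

A keepalive is the degenerate case: an empty inner packet pads to zero bytes, so the whole message is exactly the 32-byte header and tag. The replay window matters because the counter is the only thing preventing a captured packet from being fed back to the receiver; the AEAD tag would still verify.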
Debunking the myths
Taking all of these benefits into account, some recent media coverage and claims have nonetheless raised eyebrows. Let's look at a few of the myths that have been circulating so that you can better understand exactly what WireGuard can deliver.
Myth 1 - WireGuard is an upgrade that will dramatically increase internet speeds. Are other protocols much slower?
Some are, but that depends heavily on the circumstances and has little to do with the cryptography. What good is fast crypto if you're connected through a dial-up modem? And if a provider already supports other fast protocols (such as SoftEther on Windows or IKEv2 elsewhere), WireGuard is not going to deliver a dramatic speed-up.
Myth 2 - WireGuard demands that each device on the network get a static or fixed IP address
WireGuard itself demands nothing of the sort. Like any other protocol, it is the cryptographic piece of the larger puzzle that is a VPN tunnel; what it needs is a list of peers, each with a public key and the AllowedIPs that key may use. How those addresses are assigned is a management question. A simple, rigid setup does mean a static address per peer in the server's configuration, but the peer table can be managed dynamically: add a peer with a freshly allocated address when a session starts and remove it as soon as the session ends, and WireGuard behaves just like any other VPN protocol.
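The dynamic management described above, as an added example written for this page (not code from WireGuard or from any provider): a small allocator that hands each connecting peer one /32 from a pool, emits the `wg set` command that adds the peer with that address as its AllowedIPs, and emits the matching removal when the session ends so the address can be reused. The interface name `wg0` and the pool `10.7.1.0/24` are assumptions, and `sample_key` produces constructed, non-random key material for the demonstration only.

```python
import base64
import ipaddress
import subprocess

# Added example for this page, not code from WireGuard or any provider: a
# per-session address allocator that emits the `wg set` commands to add a peer
# when its session starts and remove it when the session ends.


def is_wireguard_key(key):
    """A WireGuard public key is 32 bytes, transported as base64 (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def sample_key(seed):
    """Constructed, non-random key material for the examples below; never use as a real key."""
    return base64.b64encode(bytes([seed]) * 32).decode()


def static_peer_stanza(pubkey, addr):
    """The equivalent [Peer] block in a wg-quick configuration for the rigid, static setup."""
    return "[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n" % (pubkey, addr)


class PeerSessions:
    """Allocate one /32 from a pool per connecting peer and build the matching wg commands."""

    def __init__(self, interface, pool_cidr):
        self.interface = interface
        # Lowest addresses are handed out first; the pool holds client addresses only
        # (the server's own tunnel address must lie outside it).
        self.free = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()][::-1]
        self.active = {}   # public key -> allocated address

    def start_session(self, pubkey):
        if not is_wireguard_key(pubkey):
            raise ValueError("malformed public key")
        if pubkey in self.active:
            raise ValueError("peer already has a session")
        if not self.free:
            raise RuntimeError("address pool exhausted")
        addr = self.free.pop()
        self.active[pubkey] = addr
        # AllowedIPs is WireGuard's cryptokey routing table: a /32 means this key may send
        # only from, and will receive traffic only for, exactly this one address.
        return ["wg", "set", self.interface, "peer", pubkey, "allowed-ips", addr + "/32"]

    def end_session(self, pubkey):
        addr = self.active.pop(pubkey)          # KeyError for an unknown peer
        self.free.append(addr)
        # Removing the peer drops both its key and its route, so the address can be reused.
        return ["wg", "set", self.interface, "peer", pubkey, "remove"]


def apply(argv):
    """Run a wg command as an argv list (no shell), so a key can never be read as shell syntax."""
    subprocess.run(argv, check=True)


if __name__ == "__main__":
    sessions = PeerSessions("wg0", "10.7.1.0/24")      # assumed interface and pool
    client = sample_key(1)
    apply(sessions.start_session(client))              # session begins
    apply(sessions.end_session(client))                # session ends: key and route are gone
```

Removing the peer at session end is the part that matters for security, not just housekeeping: a peer entry that is left behind keeps that public key authorized for its address until someone notices, whereas a removed peer has to complete a fresh handshake, with a key the server still knows, before it can send anything again.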
Myth 3 - WireGuard significantly changes the way servers can communicate with each other
No, it doesn't. Servers talk to each other exactly as they do with other protocols: each is configured as a peer of the other, with the other's public key and address ranges, and traffic flows over the tunnel. It doesn't get much simpler than that.
Myth 4 - The highest possible performance comes from running in-kernel
Not entirely. IPsec also runs in the kernel, and on hardware with AES-NI its AES-GCM path can be faster than WireGuard's ChaCha20-Poly1305, which has no comparable hardware acceleration. Running within the kernel is a major speed-up, but WireGuard is not the only protocol to do so: PPTP and L2TP do too, and OpenVPN has a data-channel offload kernel module (ovpn-dco) for Linux. SoftEther, which runs entirely in userspace, can still outperform WireGuard when raw throughput is the primary concern.
Myth 5 - WireGuard sticks to strong but simple ways of exchanging and verifying data
True, and by design. WireGuard supports exactly one key exchange (Curve25519) and one AEAD (ChaCha20-Poly1305); there is no cipher negotiation, so there is nothing to downgrade and no weak suite to misconfigure. Other VPN protocols support a plethora of cipher suites but tend to settle on AES. AES (Rijndael is the cipher's real name) is not flawed and no practical attack is known; both it and ChaCha20 are regarded as secure, but AES is the more expensive of the two in software. ChaCha20 is the trade-off, the best bang for the buck on CPUs without AES acceleration. One could argue that the Poly1305 MAC is stronger than GCM's GHASH, but then we come back to AES-GCM being supported in hardware.
Moving forward with WireGuard
WireGuard is certainly an interesting VPN protocol with the potential to be a game changer for the VPN industry. Compared with some existing VPN protocols, it can offer higher speeds and better reliability on modern cryptography. As its popularity grows and demand increases, it is inevitable that more VPN services will add WireGuard to their offerings.