By Tomislav Čohar, co-founder, hide.me VPN
Offering high speeds, excellent levels of security and a low footprint, WireGuard has rightly caused ripples within the VPN industry. WireGuard is an open-source protocol that employs cutting-edge cryptography and provides fierce competition for the likes of IPsec and OpenVPN. As a user then, what advances can you expect from WireGuard? Has this protocol been over-hyped and are we just seeing a flurry of smoke and mirrors from a biased media?
WireGuard certainly offers a lower footprint – it was made to be as lightweight as possible and can be implemented with just a few thousand lines of code. The resulting reduced attack surface is certainly a benefit and also makes auditing the code a much more straightforward process. Users enjoy the benefits of being able to switch seamlessly from something like Wi-FI to 4G LTE due to WireGuard’s built-in roaming capabilities. Also, WireGuard uses your network more adroitly than other VPN protocols. With a mere 32 bytes overhead, it trumps other protocols that use much more space for their signaling. As a user, you get more space for your data with higher throughput.
WireGuard is a remarkably fast protocol that doesn’t skimp on security. This is thanks to the use of modern and efficient cryptography constructs. WireGuard works from within the Linux kernel meaning that it can process data faster, eliminating much of the latency associated with other protocols. Keeping on the security track, with WireGuard being a more recent addition compared to the likes of OpenVPN, it has benefitted from being built from the ground up to support more modern encryption methods and hash functions.
Telling it straight
Taking all of these benefits into account, recent media coverage and some claims have certainly been a cause to raise eyebrows. Let’s take a look at just a few of the myths that have been circulating in recent weeks and months so that you can better understand exactly what WireGuard can deliver.
Fixed IP address
So does WireGuard insist that each device on the network get a fixed IP address? No, not really. In fact, it doesn’t really demand anything and largely performs in a similar fashion to any other protocol; operating as a versatile cryptographic piece of a larger puzzle called a VPN tunnel. It’s more useful to think about how you manage it. If you use a simple or rigid setup, this requires static IPs on the servers. However, it can be managed in a more dynamic fashion. WireGuard is able to perform just like any other VPN protocol by adding IPs when they’re needed and getting rid of them as soon as the VPN session is concluded.
Server Communication and data exchange
Can WireGuard offer a considerable change to the way servers communicate with each other?
Again, not really, it operates in a similar fashion to all the other protocols. What about the exchange and verification of data? Is it the case that WireGuard sticks to strong but simple ways of exchanging and verifying data? In fact, WireGuard only supports one method of key exchange. There is only support for one AEAD. Other protocols support a profusion of cryptosystems but tend to settle on AES. AES is not flawed, no exploit has been found yet. Also, AES256 cipher is cryptographically stronger than ChaCha20 which is used by WireGuard. However, It is computationally expensive when compared to ChaCha20. ChaCha20 offers the best bang for the buck. One could argue that Poly1305 MAC is stronger than GHASH, but then again we come to the point of the whole AES-GCM construct being supported in Intel’s hardware.
Internet Speed
When we talk about who is quick and who is slow, are other protocols more sluggish than WireGuard? Would you see a dramatic increase in speed by adopting WireGuard? Essentially, some VPN protocols are slower, but this is almost entirely down to circumstances and not really related to crypto. If you are connecting through a dialup modem, for example, then speedy crypto becomes a moot point. Additionally, if you are a provider that supports much faster protocols then WireGuard isn’t going to be able to deliver on impressive speed promises.
Our measurements show that OpenVPN usually outperforms WireGuard by at least 10 percent (on the Windows platform when WinTUN driver is used and when the OS is running on an Intel CPU. On Linux, again on an Intel CPU, WireGuard outperforms OpenVPN significantly (by more than 40%), but it is still significantly slower than IPSec (by more than 10 percent). These measurements were performed on an 1 Gigabit LAN since such a speed is commercially available for our customers. On 10 Gigabit Ethernet, OpenVPN pales in comparison with WireGuard as it is about 10 times slower. IPSec, on the other hand, outperforms WireGuard by more than 30 percent when AES is used as a symmetric algorithm.
Running in-kernel
Can you achieve the highest possible performance just by running in-kernel? Not really – actually, IPSec is way faster on all platforms. IPSec runs much faster because it runs in the kernel too, but is significantly more optimized for Intel CPUs. The point is, running within the kernel offers a major speed increase but WireGuard is not the only protocol to run in such away. PPTP/L2TP do too. OpenVPN developers plan to release a kernel module for Linux soon. SoftEther (which runs completely in the userspace) outperforms WireGuard when throughput is the primary concern.
WireGuard definitely warrants all of the interest it has garnered – it remains to be seen whether it becomes a revolution for the VPN industry. As things stand it certainly offers faster speeds and better reliability compared to some of the existing VPN protocols – and there is the added promise of new and improved encryption standards. It is surely only a matter of time before we see more and more VPN services incorporating WireGuard into their structure.
About the Author