In a world becoming ever more digital, a VPN is as important as a good antivirus. Useful for more than just overcoming geographical restrictions and providing unrestricted access to streaming platforms, VPNs are crucial for hiding your IP address and securing your connection with strong encryption and tunnelling protocols. The latter are some of the most important features hiding under the hood of any VPN, and they determine the overall speed and safety of every connection.
While nowadays we’re rightfully acquainted with the likes of OpenVPN and IPSec – the industry standard in terms of security – the natural evolution of technology opens new horizons every day. That’s where WireGuard steps in, a new VPN protocol created by security researcher Jason A. Donenfeld that’s already being pointed to as the future of the VPN sector.
What Is WireGuard?
WireGuard's first implementation arrived in March 2020, but the earliest traces of its code had already been drawing attention since they appeared in June 2016. Originally written for the Linux kernel, WireGuard is now available across all the major platforms, including Windows, Mac, iOS, and Android. Thanks to its lean design, WireGuard's main selling points are simplicity, security, and speed.
Complexity is one of OpenVPN's disadvantages: its code base runs to 400,000 lines, and IPSec's to 600,000. Although there's no denying that these two are industry leaders when it comes to security, the more code there is, the greater the chance of a vulnerability. WireGuard, in turn, is 100 times smaller, at only 4,000 lines of code.
In other words, WireGuard's small footprint not only drastically reduces the attack surface, but also makes it easier for developers to deploy correctly and for auditors to review and find bugs.
This doesn’t mean that security is compromised, though. On the contrary, WireGuard uses advanced cryptography methods praised by high-tier VPN providers.
How WireGuard’s Cryptography Works
In addition to its great simplicity, WireGuard doesn’t ease up on security and it’s even considered by many VPN providers as the revolutionary future of the industry.
For the more hardcore users, the state-of-the-art cryptography that characterizes WireGuard includes a Curve25519 key exchange, ChaCha20 encryption, Poly1305 for data authentication, SipHash for hashtable keys, and BLAKE2s for hashing. Also, while working exclusively over UDP, it supports both IPv4 and IPv6, plus multiple network topologies including point-to-point, star, and mesh. For those interested in learning more, WireGuard's website goes into even greater detail about the cryptography used.
However, WireGuard is still currently under heavy development and there’s a downside to it in terms of anonymity. The protocol requires the use of a local static IP address since it’s unable to assign these dynamically to everyone connected to a server. This means the user’s identity must be stored on the server and linked to an internal IP address assigned by the VPN. Fortunately, this has already been addressed in different ways by the few VPN providers that offer WireGuard.
Recommended VPNs With WireGuard Protocol
Although WireGuard is still not as popular as OpenVPN or other protocols, some VPN companies spotted its potential early on and have already incorporated it into their software.
NordVPN
Panama-based NordVPN is one of the industry leaders and a great choice for those looking for a service with extra emphasis on security. It's also one of the few featuring WireGuard, provided through a project called NordLynx. This is the company's response to the protocol's anonymity flaw, which it solved by implementing a double NAT (Network Address Translation) system that creates two local network interfaces for each user. Without going into much detail, this ensures users' privacy by establishing a secure VPN connection without storing any identifiable data on a server. Linux users are the only ones who can already try NordLynx, but it's expected to arrive on other platforms in the future as well.
Private Internet Access
With a name that speaks for itself, Private Internet Access (PIA) has been another benchmark of the VPN industry. Delivering a user-friendly service that also pays close attention to security, PIA was actually one of the VPN providers funding WireGuard. Unlike NordVPN, all PIA users can use WireGuard, as the company's apps already support this revolutionary protocol. To circumvent the anonymity issue and ensure total protection, PIA added one extra layer of privacy to these connections by running an RSA certificate-protected RESTful API. Additionally, because the user's public WireGuard IP address is temporarily left in RAM during the connection, PIA also implemented a daemon that deletes connection data every three minutes.
Mullvad
While Mullvad may slip by unnoticed, it was not only another VPN provider donating to WireGuard, but also one of the very few to spot its potential back in 2016. Currently, Mullvad customers can already opt for WireGuard connections on up to five devices on a handful of different platforms, such as Windows, macOS, Linux, Android, and iOS. The company has also made some further modifications to this protocol: it removes and reapplies the peer if there's no handshake within 600 seconds, which clears the public IP address left in RAM during the connection. Furthermore, Mullvad also encourages its users to use multihop to hide their IP address even more, as well as to run frequent WebRTC leak tests when using WireGuard.
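A worked illustration of the two mechanisms described above, the server-side link between a peer's identity (its public key) and its static internal IP (AllowedIPs), and the reset of peers with no handshake within 600 seconds: this is an added example, not Mullvad's or any other provider's code. It parses constructed `wg show wg0 dump` output (placeholder keys and addresses) and emits the `wg set` commands a reaper would run; the interface name `wg0` is an assumption.

```python
import time

# Constructed sample of `wg show wg0 dump` output; keys and addresses are placeholders.
# First line: interface (private-key, public-key, listen-port, fwmark).
# Peer lines: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
# transfer-rx, transfer-tx, persistent-keepalive (tab-separated).
SAMPLE_DUMP = (
    "PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n"
    "PEER_A_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:41641\t10.64.0.2/32\t1700000500\t4096\t8192\toff\n"
    "PEER_B_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.64.0.3/32\t1700000000\t100\t200\toff\n"
    "PEER_C_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.64.0.4/32\t0\t0\t0\toff\n"
)
HANDSHAKE_TIMEOUT = 600  # seconds; the window the article quotes for Mullvad's peer reset


def parse_dump(dump):
    """Turn the peer lines of `wg show <iface> dump` into dicts, skipping the interface line."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pubkey, _psk, endpoint, allowed_ips, handshake, _rx, _tx, _keepalive = fields
        peers.append({
            "pubkey": pubkey,                                        # the peer's identity on the server
            "endpoint": None if endpoint == "(none)" else endpoint,  # client's public IP:port
            "allowed_ips": allowed_ips,                              # static internal IP bound to that identity
            "latest_handshake": int(handshake),                      # unix seconds, 0 if never
        })
    return peers


def stale_peers(peers, now, timeout=HANDSHAKE_TIMEOUT):
    """Peers whose last handshake is older than `timeout`. Peers that never handshaked
    have no remembered endpoint to clear, so they are left alone rather than reset forever."""
    return [p for p in peers
            if p["endpoint"] is not None and now - p["latest_handshake"] > timeout]


def reset_commands(iface, peer):
    """`wg set` commands that remove the peer (dropping its endpoint from the kernel's
    peer table) and immediately re-add it under the same public key and internal IP."""
    return [
        f"wg set {iface} peer {peer['pubkey']} remove",
        f"wg set {iface} peer {peer['pubkey']} allowed-ips {peer['allowed_ips']}",
    ]


if __name__ == "__main__":
    for peer in stale_peers(parse_dump(SAMPLE_DUMP), now=int(time.time())):
        print("\n".join(reset_commands("wg0", peer)))
```

Run against live output with `wg show wg0 dump | python3 reaper.py` style plumbing (reading stdin instead of SAMPLE_DUMP) from a periodic timer; the peer's static internal IP survives the reset, which is exactly the identity-to-address link the article says a WireGuard server has to keep.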