What is WireGuard?
WireGuard® is a security-focused virtual private network (VPN) protocol, and a family of implementations of it, that aims to be faster and simpler than established protocols such as IPsec and OpenVPN. It encapsulates IP packets in UDP, identifies every peer by a static Curve25519 public key, and uses those keys in a Noise-based handshake to derive fresh session keys. What it deliberately leaves out is key distribution: getting each peer's public key to the other side is the job of a higher layer, whether that is an operator editing config files, a provider's provisioning API, or a tool like Algo.
Here are some key features of WireGuard that make it an appealing alternative:
- It is open source and small: the core implementation is on the order of 4,000 lines, roughly 1% of the code in OpenVPN or a typical IPsec stack. That shrinks the attack surface and makes a complete audit by security researchers realistic rather than aspirational.
- It uses a small, fixed set of modern cryptographic primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s, SipHash24, HKDF) with no cipher negotiation, so there is no downgrade surface and there are fewer dependencies to patch. The trade-off is that a broken primitive cannot be swapped out in configuration; it requires a new protocol version that every peer upgrades to.
- It passes traffic only over UDP, never TCP, which avoids the retransmission feedback loop of running TCP inside TCP. This is a problem on networks that block UDP: WireGuard alone will not connect there, and any TCP or TLS wrapping has to come from a separate tool outside the protocol.
- It fully supports IPv6, both inside and outside of the tunnel.
- It is cross-platform, including mobile, where it roams silently between networks: a peer's endpoint is simply the source address of its last authenticated packet, so switching from Wi-Fi to cellular does not drop the tunnel. Published benchmarks generally put it well ahead of OpenVPN in throughput and latency, on the order of 2x, though the exact gap depends on the platform and implementation.
- It provides perfect forward secrecy (PFS): every handshake uses fresh ephemeral keys and peers re-handshake every couple of minutes, so a long-term private key compromised later does not decrypt previously captured traffic.
- It was merged into the Linux kernel (5.6) in March 2020. Phew.
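The key handling described above, as an added example that is not WireGuard's own code: a pure-Python X25519 (RFC 7748) used to generate peer identities the way `wg genkey` and `wg pubkey` do, render a minimal wg-quick config for each side that contains only the other side's public key, and confirm both sides compute the same static-static DH value, which is the public-key operation the handshake builds on. The hostname, tunnel addresses and port are made-up placeholders, and the ladder is not constant-time, so this is for illustration, not for producing production keys.

```python
"""Added illustration of WireGuard's Curve25519 identity keys (not wg's code).

`wg genkey` / `wg pubkey` emit exactly these 32-byte keys, base64-encoded.
WireGuard never distributes keys: an operator copies each side's public key
into the other side's config, which is what "key distribution is left to
higher layers" means in practice.
"""
import base64
import os
from typing import Optional

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, ladder constant
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, the standard generator


def _clamp(k: bytes) -> bytes:
    """Clamp a 32-byte scalar as RFC 7748 (and `wg genkey`) do."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. NOT constant-time."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """Equivalent of `wg genkey`: a random clamped private key, base64."""
    return base64.b64encode(_clamp(os.urandom(32))).decode()


def pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: the public key for a private key."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """The static-static DH both peers compute during the Noise_IK handshake."""
    return base64.b64encode(
        x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))
    ).decode()


def wg_quick_config(private_b64: str, address: str, peer_public_b64: str,
                    allowed_ips: str, endpoint: Optional[str] = None,
                    listen_port: Optional[int] = None) -> str:
    """Minimal wg-quick(8) config: only the PEER'S PUBLIC key appears here."""
    lines = ["[Interface]", f"PrivateKey = {private_b64}", f"Address = {address}"]
    if listen_port is not None:
        lines.append(f"ListenPort = {listen_port}")
    lines += ["", "[Peer]", f"PublicKey = {peer_public_b64}", f"AllowedIPs = {allowed_ips}"]
    if endpoint is not None:
        lines.append(f"Endpoint = {endpoint}")
    return "\n".join(lines) + "\n"


def build_site_pair() -> dict:
    """Generate both sides' keys and configs (addresses/hostname are made up)."""
    server_priv, client_priv = genkey(), genkey()
    server_pub, client_pub = pubkey(server_priv), pubkey(client_priv)
    return {
        "server.conf": wg_quick_config(server_priv, "10.0.0.1/24", client_pub,
                                       "10.0.0.2/32", listen_port=51820),
        "client.conf": wg_quick_config(client_priv, "10.0.0.2/24", server_pub,
                                       "0.0.0.0/0, ::/0",
                                       endpoint="vpn.example.com:51820"),
        # Both sides must agree on this value without it ever crossing the wire.
        "server_dh": shared_secret(server_priv, client_pub),
        "client_dh": shared_secret(client_priv, server_pub),
    }


if __name__ == "__main__":
    pair = build_site_pair()
    print(pair["server.conf"])
    print(pair["client.conf"])
    print("static DH agrees:", pair["server_dh"] == pair["client_dh"])
```

Run it and compare the output with `wg genkey | tee private | wg pubkey`: the keys are the same format and the public key derivation is the same function, which is why a config file is all a real deployment needs once the public keys have been exchanged out of band.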
There are occasional privacy concerns around the protocol, chiefly that a WireGuard server has to keep state about its peers: each peer's fixed tunnel IP and the public Internet address its last authenticated packet came from sit in the server's in-memory peer table (visible with `wg show`) until the peer entry is removed or the interface goes down. WireGuard itself writes none of this to disk, but a provider's tooling could, so the mitigation is operational: use a privacy-focused provider that removes idle peers and keeps no activity logs. Both Private Internet Access (PIA) and Mullvad support WireGuard, don't store activity logs, and would be my top recommendations for VPN providers. If you are looking for a WireGuard-supported home router instead, the GL.iNet Wireless VPN Router is a great choice. Alternatively, you could set up your own VPN server using a WireGuard implementation - see this post for more details on Algo VPN.