What is WireGuard® protocol?

WireGuard® is a new open-source VPN protocol that uses state-of-the-art cryptography and aims to outperform existing VPN protocols such as IPsec and OpenVPN. It was originally released for the Linux kernel but is now cross-platform and widely deployable. Though WireGuard® is still under development, it can already be considered one of the most secure, fast, and easy-to-use solutions in the VPN industry.

Features and technical details

The WireGuard® protocol features a much lighter code base than most VPN protocols (at least the open-source ones). It consists of just around 4000 lines of code, in sharp contrast to strongSwan/IPsec and OpenVPN/OpenSSL, which have 400,000 and 600,000 lines of code respectively.

Such a light build means WireGuard® is much easier to audit for security vulnerabilities. An audit of WireGuard® can be carried out by a single individual, whereas auditing the enormous IPsec or OpenVPN code bases is a difficult task even for a whole team of security experts. WireGuard®'s smaller code base also means a minimal attack surface for cybercriminals to exploit.

The state-of-the-art cryptography employed by WireGuard® includes the following protocols and cryptographic primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305
  • Curve25519 for ECDH
  • SipHash24 for hashtable keys
  • BLAKE2s for hashing and keyed hashing
  • HKDF for key derivation
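As an added example (not code from the page or from the WireGuard project), here is the key-derivation step that combines two of the primitives listed above, BLAKE2s and HKDF, written the way the WireGuard whitepaper defines Kdf_n: HKDF over HMAC-BLAKE2s with an empty info string, as used to turn the handshake's chaining key into the send and receive transport keys. The chaining-key value is constructed for the demo; a generic RFC 5869 HKDF is included only to cross-check the result.

```python
import hashlib
import hmac
from typing import List, Tuple


def blake2s_hmac(key: bytes, msg: bytes) -> bytes:
    """Hmac(key, input) = HMAC-BLAKE2s, the keyed primitive the KDF is built on."""
    return hmac.new(key, msg, hashlib.blake2s).digest()


def wg_kdf(key: bytes, data: bytes, n: int) -> List[bytes]:
    """Kdf_n(key, input) from the WireGuard whitepaper:
    T0 = Hmac(key, input), T1 = Hmac(T0, 0x01), Ti = Hmac(T0, T(i-1) || i).
    Returns [T1, ..., Tn], each 32 bytes; the protocol only uses n = 1, 2, 3."""
    if not 1 <= n <= 3:
        raise ValueError("WireGuard defines Kdf1, Kdf2 and Kdf3 only")
    t0 = blake2s_hmac(key, data)
    outputs, prev = [], b""
    for i in range(1, n + 1):
        prev = blake2s_hmac(t0, prev + bytes([i]))
        outputs.append(prev)
    return outputs


def hkdf_rfc5869(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Generic HKDF (extract + expand) over HMAC-BLAKE2s, used as a cross-check:
    Kdf_n is HKDF with salt = key, IKM = input, info = empty."""
    prk = blake2s_hmac(salt, ikm)
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = blake2s_hmac(prk, block + info + bytes([i]))
        okm += block
        i += 1
    return okm[:length]


def derive_transport_keys(chaining_key: bytes) -> Tuple[bytes, bytes]:
    """Last handshake step on the initiator side: (T_send, T_recv) = Kdf2(C, empty).
    Each rekey produces a fresh chaining key, so these keys rotate with it."""
    t_send, t_recv = wg_kdf(chaining_key, b"", 2)
    return t_send, t_recv


# Constructed sample value, not taken from any real session.
SAMPLE_CHAINING_KEY = hashlib.blake2s(b"constructed demo chaining key").digest()

if __name__ == "__main__":
    send, recv = derive_transport_keys(SAMPLE_CHAINING_KEY)
    print("T_send:", send.hex())
    print("T_recv:", recv.hex())
```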

The use of high-speed cryptographic primitives and the fact that WireGuard® lives inside the Linux kernel can make networking both secure and very fast. WireGuard®'s good performance makes it suitable for both small devices like smartphones and heavily loaded backbone routers.

Another noteworthy feature of the WireGuard® VPN protocol is that connection handshakes take place every few minutes to provide rotating keys for perfect forward secrecy. They are performed based on time rather than on the contents of data packets. A built-in mechanism ensures that keys and handshakes are kept up to date and renegotiated when required. It uses a separate packet queue per host, which minimizes packet loss during handshakes while providing uninterrupted service for clients.

Simply put, you turn on your device and everything is handled automatically for you. No need to disconnect, reconnect, or reinitialize, just enjoy the smooth VPN connection!

Pros

  • Open source
  • Light code base
  • Easier to audit
  • Uses state-of-the-art cryptography
  • Extremely secure
  • Offers high speeds

Cons

  • Still under development
  • Can potentially be blocked by network admins

“WireGuard” is a registered trademark of Jason A. Donenfeld.