WireGuard is an experimental VPN protocol that is generating a fair amount of excitement in the VPN world.
It is extremely lightweight (at just 3782 lines of code), which makes it much faster than traditional VPN protocols such as OpenVPN and IPsec. The brevity of the code also makes it easy to audit, and because it uses proven cryptographic primitives, it should be very secure.
WireGuard, therefore, has great potential, but it is still very much at the experimental and developmental stages. It has not yet been properly audited for security issues, and the lack of a secure key sharing system across servers prevents widespread commercial roll-out at this time.
This last issue could be resolved by using a more traditional public-key cryptosystem such RSA to distribute keys. But doing so would add complexity, and thus remove many of the advantages of using WireGuard in the first place.
WireGuard is therefore very much a work in progress. It is nevertheless very interesting that some providers are beginning to experiment with the new protocol. And with special thanks to NordVPN, we are very excited to have the opportunity for a hands-on look at it.
Please do also check out What is WireGuard VPN protocol? for a more detailed look at the theory behind this new VPN protocol.
At present, WireGuard is officially available for Android and Linux, although support for Windows and iOS is promised soon. It is also available for the macOS command line using Homebrew or MacPorts.
An alternative to the official clients is TunSafe. This was developed as a commercial enterprise, and its software was originally closed course. TunSafe still offers a commercial VPN service using the WireGuard protocol, which is built-in to all of its clients (albeit one that is free at the present time).
The software itself, however, has now been made fully open source and can be setup using any third party configuration files.
As we shall see, the TunSafe software is often more fully featured than the official clients. It is available in full GUI form for Windows, Android and iOS.
It can also be run from the Linux, macOS, or FreeBSD command line. This requires compiling from source, but simple and easy-to-follow instructions are provided for this.
The official WireGuard Client
WireGuard was designed specifically for the Linux kernel. The official WireGuard client is command line only, running as a service inside Terminal.
Other than needing to fix some dependency issues ($ sudo apt install wireguard openresolv linux-headers-$(uname -r) wireguard-dkms wireguard-tools did the trick), installation and use is very straightforward.
The WireGuard protocol has full IPv4 and IPv6 routing inside the VPN tunnel. We detected no DNS leaks of any kind when using it on any platform, but it is reported that TunSafe for Windows can leak IPv6 through the Tun interface) more on this later).
There is no built-in kill switch as such, but one can be created by adding iptables commands to the configuration file.
A good example of how to do this manually, which should be applicable for any WireGuard config files, can be found on Mullvad’s WireGuard setup page. Or a VPN provider can simply add the commands to its standard config files.
As already noted, the basic WireGuard client can also be run in macOS using Homebrew or MacPorts.
To run TunSafe in Linux you must compile the source code yourself. Fortunately, this is nowhere near as scary as it sounds. Instructions on the website are very clear, and we had the command-line daemon up and running in just a few minutes.
It has to be said, though, that we can see no advantage of using TunSafe over the official Linux client. TunSafe can also be compiled from source for macOS and FreeBSD.
The Official WireGuard app
The official Android app is available through F-Droid website.
What the app lacks in features (it doesn’t really have any), it makes up for in ease of use. Using what we imagine will become the standard way to configure WireGuard settings, NordVPN supplied us with images containing QR codes for its experimental WireGuard servers.
All we had to do was scan this code for each server using our phone’s camera, and ta-da! Setup was complete. It is also possible to manually add setup files, or even create your own.
And that is all there really is to the app. Once set up, it connected instantly and worked exactly as it should.
The TunSafe VPN App
Now that it’s open source, TunSafe makes a good alternative to the official Android app. The core functionality of the app is almost identical to the open source official app on which it is based. As such, it can be configured to connect to any WireGuard servers via QR code, config files, or create from new.
The main difference is that TunSafe also runs a VPN service, so by default you have the option to connect to TunSafe’s VPN servers. Although ultimately a commercial enterprise, at this time TunSafe VPN is 100% free to use. After 30-days, however, bandwidth for TunSafe servers is limited to 1GB/day.
Unlike the official app, TunSafe for Android features a kill switch and split-tunneling (“excluded apps”). It can also display ping times to its own servers, but not third-party ones. For advanced users, it's possible to set up a WireGuard server yourself in Linux.
At the time of writing the only way to run WireGuard in Windows is using TunSafe. Like OpenVPN, TunSafe for Windows requires a TAP Ethernet Adapter in order to work.
The main problem with this is that the TAP adapter can leak IPv6 DNS requests outside the VPN interface. It is therefore strongly recommended to disable IPv6 in Windows when using TunSafe for Windows.
Another issue is that using a TAP adapter adds complexity to WireGuard’s simplicity. Which somewhat works against one of the major advantages of using WireGuard.
The client uses a simple GUI, which make importing a WireGuard .conf file very easy. There is no option to import files via QR code, but this is understandable as many Windows PC’s do not feature cameras.
It also offers a killswitch, which can use either (client-based) routing rules or (system) firewall rules to work. Or both. Which is very handy.
In May 2020 Edge Security announced the official pre-alpha of WireGuard for Windows It is still very early days, but GUI client shows the direction in which the project is headed.
The most important thing to note is that, unlike with the TunSafe client, no OpenVPN TAP adapter is required. The client instead uses Wintun, a minimal Layer 3 TUN Driver for Windows which was also developed by the WireGuard team.
Also noteworthy (and not immediately obvious from the GUI), is that the client features a built-in automatic "kill-switch" to block traffic outside the VPN tunnel.
In addition to this, we can confirm that switching between tunnels is a very smooth process. So everything is looking very promising!
In addition to simplicity for its own sake, one of the biggest advantages of WireGuard over OpenVPN is that the added simplicity should also make WireGuard much faster So we ran some tests...
We opted to use Mullvad for this because Mullvad fully supports Linux. It also supports WireGuard and OpenVPN on the same servers (or at least very similar server locations), allowing for a good like-for-like comparison.
Tests were performed using speedtest.net, as our own speed testing system requires OpenVPN files to work. All tests performed from the UK. Average ping (latency) rates are shown in brackets.
WireGuard should, in theory, be much faster than OpenVPN. But this is not borne out by these tests. It should be remembered, though, that this is still very early days for the actual implementation of WireGuard, and that Mullvad is blazing fast when it comes to OpenVPN performance.
WireGuard has not yet been sufficiently audited and penetration-tested to recommend as a serious alternative to secure VPN protocols such as OpenVPN and IKEv2 at the present time. But it looks very promising indeed.
It is easy to set up and use, and in our tests, it connected quickly and maintained a very stable connection.
On paper, WireGuard is much more functional than OpenVPN. Our test results may be because the full implementation is still at the prototype stage, or it may be due to the limitations of our test environment.
They were performed over WiFi, and the only WiFi connector we currently have that is compatible with Linux is (somewhat ironically) a very cheap 802.11g dongle that cost around $5.
So make what you will of our speed test results. Other than that, we were very impressed with how WireGuard is progressing, and can’t wait for it to undergo further improvement testing. For anyone sharing this enthusiasm, donations to the project are very welcome.