WireGuard – A Modern-Day VPN Protocol

Exploring the pros and cons of the latest VPN protocol.

VPN protocols have been around for decades now, more than 20 years if you count IPsec and OpenVPN. But now there’s a new VPN protocol that’s lightweight, very fast and highly secure. It’s called WireGuard, and there are several reasons you’ll want to consider this modern VPN protocol.

WireGuard: The Newest VPN Protocol

WireGuard is still very nascent and hasn’t yet endured the stress testing that time provides. Nonetheless, WireGuard has already proved itself worthy. It was integrated into the Linux kernel in 2020 and the Windows kernel in 2021, and since that time, WireGuard has performed impressively and shown no signs of any security weaknesses.

This modern VPN protocol uses current cryptography, including a Noise Protocol key exchange, Poly1305 authentication and the ChaCha20 cipher. Moreover, WireGuard abandons TCP tunneling in favor of UDP for fast, stateless connections (more on this later), and the project makes no bones about the fact that UDP is easily intercepted.

On its website, the WireGuard project states that the protocol is designed for “solid crypto” and is not geared toward obfuscation. This is an important distinction: WireGuard’s position is that the protocol is focused on encryption, and that it’s up to you to add further controls for privacy — something the project says should happen in a layer above WireGuard.

WireGuard Works Great with Mobile

WireGuard has several features that make it unique. As mentioned previously, WireGuard makes a radical departure from TCP tunneling in favor of UDP for better performance. The gains are seen not only in much higher network speeds but also in better mobile connectivity. TCP-based tunnels struggle, and sometimes disconnect outright, when users regularly move between networks, because these stateful protocols maintain active connections. WireGuard handles this better: because its UDP transport is stateless, it copes with frequent network changes and is therefore more reliable.

Mobile connectivity is a major consideration due to the growing number of remote, hybrid and flexible work environments. There’s a large percentage of employees who are using mobile devices — whether BYOD or managed — and that number will continue to grow. As a result, it’s prudent for any organization to support the most widely used platforms and devices, including Windows, macOS, Android and iOS.

WireGuard is cross-platform and supports iOS — which, in my opinion, is a critical device platform to support. A VPN infrastructure that does not support iOS is probably not a modern-day remote networking solution.

Wait, there’s more…

The WireGuard protocol has several advantages that make it worthy of consideration:

  1. The codebase is small compared to legacy VPN protocols, whose implementations can exceed hundreds of thousands of lines of code (LOC). WireGuard has around six thousand LOC, which makes auditing and maintenance a breeze. The smaller footprint also reduces the attack surface available to an adversary.
  2. The protocol is open source, making it less likely that vulnerabilities go unchecked. Reviews for readiness, benchmarking and assurance have been and continue to be carried out by professional researchers as well as the private sector.
  3. The lightweight design and reliance on UDP deliver higher throughput and lower latency compared to other VPN protocols.
  4. As WireGuard is stateless, active connections are not maintained. This prevents eavesdropping on the connection link and provides superior mobile device connectivity and reliability.
  5. Strict crypto settings make for easy implementation and remove the risk that comes with complicated configuration options, which can end up disrupting traffic and, ultimately, productivity.
  6. Auto-updating code! If a flaw is found in any cipher, all endpoints are forced to update to a new version as soon as possible.
  7. WireGuard supports iOS — a major platform for the modern work environment!

Not Without Limitations

WireGuard has its share of disadvantages and challenges, to be sure. In its current, out-of-the-box setup, the default state stores your IP address. This makes your server identifiable, a big no-no when it comes to no-log or “logless” VPN services.
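The stored-address point above can be seen directly in the interface state. As an added example (not code from this article or from the WireGuard project), the Python script below parses the output of `wg show <iface> dump`, whose column order is documented in wg(8), and reports for each peer whether a last-seen endpoint address is retained and whether the most recent handshake is still fresh. The sample dump is constructed for the example, with placeholder keys and documentation-range addresses; the 180-second staleness threshold is WireGuard’s own Reject-After-Time, after which it stops using a session.

```python
import subprocess
import time

# Column order of each peer line of `wg show <iface> dump`, as documented in wg(8).
PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "transfer_rx", "transfer_tx", "persistent_keepalive")

# Constructed sample (not captured from a real host): placeholder keys, documentation-range addresses.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.10:41641",
               "10.8.0.2/32", "1700000000", "184320", "98304", "25"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER=", "(none)", "198.51.100.7:51000",
               "10.8.0.3/32", "1699990000", "4096", "2048", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.8.0.4/32", "0", "0", "0", "off"]),
])

REJECT_AFTER_TIME = 180  # seconds; WireGuard stops using a session older than this


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` output into an interface dict with a list of peer dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    _private, public, port, fwmark = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        if len(cols) != len(PEER_FIELDS):
            raise ValueError(f"unexpected peer line: {ln!r}")
        peer = dict(zip(PEER_FIELDS, cols))
        peer["endpoint"] = None if peer["endpoint"] == "(none)" else peer["endpoint"]
        peer["allowed_ips"] = peer["allowed_ips"].split(",")
        for field in ("latest_handshake", "transfer_rx", "transfer_tx"):
            peer[field] = int(peer[field])
        keepalive = peer["persistent_keepalive"]
        peer["persistent_keepalive"] = None if keepalive == "off" else int(keepalive)
        peers.append(peer)
    return {"public_key": public, "listen_port": int(port), "fwmark": fwmark, "peers": peers}


def audit_peers(iface, now, stale_after=REJECT_AFTER_TIME):
    """Report what the interface state reveals about each peer and whether it is live.

    Returns (public_key, finding, detail) tuples. WireGuard keeps no connection state, but it
    does remember each peer's last source address (the endpoint column) so the peer can roam;
    that retained address is the stored-IP point made in the text above. A peer whose latest
    handshake is older than stale_after seconds is not currently exchanging traffic.
    """
    findings = []
    for peer in iface["peers"]:
        pk = peer["public_key"]
        if peer["endpoint"] is not None:
            findings.append((pk, "endpoint retained", peer["endpoint"]))
        if peer["latest_handshake"] == 0:
            findings.append((pk, "never handshaked", None))
        elif now - peer["latest_handshake"] > stale_after:
            findings.append((pk, "stale session", f"{now - peer['latest_handshake']}s since handshake"))
        if peer["endpoint"] is not None and peer["persistent_keepalive"] is None:
            findings.append((pk, "no keepalive", "a silent peer behind NAT may become unreachable"))
    return findings


def load_live(ifname):
    """Read the live state of a local interface (needs wg(8) installed and the right privileges)."""
    out = subprocess.run(["wg", "show", ifname, "dump"], check=True, capture_output=True, text=True)
    return parse_wg_dump(out.stdout)


if __name__ == "__main__":
    for pk, finding, detail in audit_peers(parse_wg_dump(SAMPLE_DUMP), now=int(time.time())):
        print(f"{pk}\t{finding}\t{detail or ''}")
```

Run as-is it audits the constructed sample; `load_live("wg0")` swaps in a real interface. An operator who wants the “endpoint retained” findings to disappear for a no-log service has to address them in a layer above WireGuard, exactly as the protocol’s own positioning says.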

As mentioned before, WireGuard is not about privacy or obfuscation, and is therefore also vulnerable to censorship. Layers of obfuscation must be built on top of WireGuard to provide better privacy. The good news is that WireGuard is already offered by several VPN vendors and service providers who have implemented a zero-log policy and built the layers of obfuscation necessary for privacy compliance.

All things considered, WireGuard has delivered on its core mission of “solid crypto” and does so at blazing speeds. With its excellent data encryption security, solid connectivity across all platforms including mobile (iOS can’t be overlooked), and super-fast speeds, WireGuard is a worthy modern-day VPN protocol.

SonicWall Staff