I will explain how WireGuard works and what its benefits are compared to other VPN solutions. If you have not heard about it yet, this will be very interesting for you! Let’s get started.
1. What is WireGuard and how does it work?
WireGuard is a new VPN protocol that aims to be a full replacement for OpenVPN and IPSec. It is based on established technologies and follows a modern, simple design. It is written in only 4,000 lines of code! That is really impressive, and it makes WireGuard very easy to maintain and use. Other VPN technologies are far more complex in their design.
The encryption relies on a fixed selection of modern, secure cryptographic standards: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure, trusted constructions.
WireGuard uses a network interface (e.g. wg0, wg1, etc.) as a tunnel interface. Packets are encrypted and encapsulated in UDP. Each peer is identified by its IP addresses and authenticated by its public key, similar to what we already have in OpenSSH. That makes setup very easy because you don’t need a certificate or a preshared key.
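As an added example (not taken from the original article), here is a minimal two-peer wg-quick configuration that illustrates the peer model described above: each side lists only the other side's public key, and AllowedIPs does double duty as routing table and source-address filter. All keys, addresses and the hostname vpn.example.com are placeholders; generate real keys with `wg genkey | tee privatekey | wg pubkey > publickey`.

```ini
# ---- /etc/wireguard/wg0.conf on the publicly reachable peer ("server") ----
[Interface]
# Tunnel address of this peer on wg0
Address = 10.8.0.1/24
# The only thing a firewall has to allow: one UDP port
ListenPort = 51820
# Placeholder; keep this file readable by root only (mode 600)
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# The client is authenticated solely by this public key, no certificate needed
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
# Cryptokey routing: decrypted packets from this peer are dropped unless their
# source is in this range, and packets destined for this range are encrypted
# for this peer. No Endpoint is given, so the server learns it from the
# client's first authenticated packet (this is what makes NAT painless).
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg0.conf on the peer behind a NAT router ("client") ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Where to send the UDP packets; placeholder hostname
Endpoint = vpn.example.com:51820
# Route only the tunnel subnet through wg0 (use 0.0.0.0/0 for a full tunnel)
AllowedIPs = 10.8.0.0/24
# Sends an empty packet every 25 s so the NAT mapping stays open
PersistentKeepalive = 25
```

Bring either side up with `wg-quick up wg0` and inspect handshakes and transfer counters with `wg show wg0`; a peer with no "latest handshake" line has never authenticated, which is the first thing to check when a tunnel does not pass traffic.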
2. Why should you use WireGuard instead of OpenVPN or IPSec?
Because of its simple and efficient design, WireGuard has some good arguments for why you should use it instead of other VPN solutions!
2.1. It is simple and easy to use
Compared to OpenVPN and IPSec, WireGuard is much more straightforward and easy to set up. You don’t need any certificates to authenticate peers, as in OpenVPN. And you don’t need workarounds to make it work behind NAT routers, as with IPSec.
2.2. Fewer attack vectors
Because it does not offer a choice of cryptographic algorithms to configure, it also has a minimal attack surface. Common VPN solutions like OpenVPN or IPSec support multiple cryptographic algorithms, including weak ones that can be selected by mistake. In WireGuard you always use the same fixed set of secure algorithms. Therefore, you have fewer components that may have vulnerabilities.
That does not mean WireGuard is more secure than OpenVPN or IPSec! But the potential risk of being affected by security vulnerabilities is lower.
2.3. High performance
The combination of running as a kernel module and choosing high-performance cryptographic algorithms makes it extremely fast. OpenVPN is the slowest of the three because it does not run in the Linux kernel. IPSec performs much better than OpenVPN, but still has some overhead on the network layer. WireGuard outperforms both IPSec and OpenVPN in throughput and ping time by far.
Source: Benchmark from WireGuard’s official Website: https://www.wireguard.com/performance/
Do you want to know how to install and configure WireGuard on Linux?
I’ve recently written an article and also created a YouTube video about how to install and configure WireGuard on Linux. You can check it out here.
4. Is it enterprise-ready?
So, is WireGuard the “Holy Grail” of VPN solutions? Probably not. It usually takes a long time to establish a common enterprise standard, and for good reasons. First, a new standard needs to be accepted by the key players in the IT industry. That means it needs to be reviewed, declared stable and officially integrated into common systems. Second, it needs to be supported by well-known, representative vendors like Cisco, Juniper, etc.
Let us have a look at the problems from different points of view in a bit more detail.
4.1. Operating Systems
You can already install and run WireGuard on most modern operating systems like Linux, Windows and macOS. Because it is based on kernel modules, you need to install them on Linux. That can be tricky for new Linux users, but you’ll find enough resources and tutorials about it.
However, installing kernel modules will soon be obsolete: WireGuard’s first stable release will be part of the Linux kernel from version 5.6 onwards. This is an important signal that WireGuard is officially accepted by important players in the IT industry.
Unfortunately, WireGuard has not yet been adopted by many vendors. Some VPN providers like Mullvad, AzireVPN, etc. support WireGuard. But if you look at enterprise network vendors like Cisco, Juniper, etc., none of them supports WireGuard yet. And for good reasons: enterprise vendors tend to either use their own proprietary protocols or at least support well-proven industry standards like OpenVPN or IPSec.
WireGuard is not compatible with these because it is a completely new protocol. Therefore, every device involved in the communication needs to support it. It is unlikely that these things change overnight within bigger companies. You would need to roll out new versions or even new devices to support this standard, which produces a huge cost for companies and vendors that want to integrate WireGuard into their existing infrastructure.
5. The future of WireGuard
As you can see, WireGuard is currently at step #1 of its journey. But don’t get me wrong, it is a great success! Having WireGuard as an official part of the Linux kernel is a huge step in the right direction, and it shows that there is high acceptance of WireGuard in the IT industry.
Still, we will need to wait a few years until WireGuard may be enterprise-ready, and it is even unclear whether that will ever happen. But my personal opinion is that WireGuard will be the “Gold Standard” someday, simply because it is much better than other VPN solutions.
We will probably see WireGuard much more often in start-ups or smaller projects. When a company doesn’t have an IT division that specializes in specific vendors or systems, it can benefit from the simplicity of WireGuard.
6. Summary and additional thoughts
WireGuard is a very interesting and promising VPN solution. Although it might not be enterprise-ready yet, you should definitely have a look at it. From a technical point of view, WireGuard outperforms both IPSec and OpenVPN, and there is a good chance that it will become more popular in the future. You can even use it in smaller projects or new network infrastructures that don’t rely on vendor-specific devices.