
WireGuard – A More Secure Tunnel?

What is WireGuard?

WireGuard is a secure layer 3 network tunnel protocol, introduced with the premise of outperforming long-established virtual private network (VPN) tools such as OpenVPN and IPSec in terms of security, performance and ease of use.

These enhancements are achieved through various technical means; in essence, however, they mirror the NIST concept of ‘least functionality’ [1]. No superfluous code exists in the protocol. It is very much a case of ‘take it or leave it’. Excluding the cryptographic libraries required for its operation, WireGuard’s Linux client contains fewer than 4,000 lines of code [2]. IPSec and OpenVPN, on the other hand, offer more flexibility and customisation, which is reflected in the size of their code, weighing in at around 500,000 lines [3].

WireGuard first surfaced in 2016 as a project overseen by Jason Donenfeld. It is now supported by the Linux and Android kernels and is available on iOS, Mac, Windows and pfSense. The WireGuard project is developed by security research firm ‘Edge Security’. It gained early funding from companies that share a passion for the development of universal privacy: Mullvad, AzireVPN, IVPN and cryptostorm.

WireGuard Benefits

OpenVPN is ‘cipher agile’, meaning it can support a wide variety of cryptographic algorithms. WireGuard’s creator, Jason Donenfeld, chose a different approach: a single cryptographic component for each requirement, reflecting WireGuard’s goals of being secure, performant and easy to use.

For example, for hashing, OpenVPN allows the use of MD5, SHA1, SHA2, MDC2 and BLAKE2s, whereas WireGuard implements only BLAKE2s.

For example, for encryption, OpenVPN allows the use of DES, 3DES, AES, Blowfish, Poly1305 and others, whereas WireGuard implements only ChaCha20.

Keeping the code lean lessens the attack surface: you cannot attack what does not exist.

That said, should a serious vulnerability be discovered in any of the cryptography WireGuard uses, it becomes a single point of failure, since you could not simply switch to a different algorithm as a workaround. Your options would be either to continue using the insecure technology or to stop using WireGuard altogether.

The WireGuard whitepaper highlights three main benefits as follows:

  1. Security

The protocol purposefully lacks ‘cipher agility’, which forces the developers to address immediately any vulnerability that is uncovered. The logic is that if your product relies on a single technology which is found to be vulnerable, the incentive to switch to a different, safer technology is high. In theory this also prevents ‘downgrade attacks’, since there is no alternative to downgrade to. Whilst OpenVPN and IPSec can be configured securely, their complexity makes this challenging and can lead to sub-par configuration. WireGuard’s intention was to be ‘secure out-of-the-box’.

  2. Performance

Again, the lean code, lack of overhead and carefully chosen crypto algorithms translate into improved network performance.

WireGuard’s whitepaper shows it outperforms OpenVPN and IPSec with increased bandwidth and reduced ping times.

These performance increases come from operating in ‘kernel space’ rather than ‘user space’, so packets do not have to be passed back and forth between the two. WireGuard also uses UDP rather than TCP at the transport layer, further reducing round-trip times.

I have seen these results corroborated in various blog posts [4], and my own personal testing saw download speeds 30% greater and upload speeds 15% greater compared to OpenVPN.

From a VPN provider’s point of view, WireGuard may look attractive as it is less CPU intensive than OpenVPN and IPSec, allowing for more customer connections to be handled per server, potentially reducing costs.

  3. Ease of Use

Much of the technical operation is handled transparently, leaving fewer configuration options for the administrator or end user to worry about. IPSec can be especially finicky when configuring firewall rules and creating secure labeling. With WireGuard you only need to configure a virtual interface, which can be done with familiar tools such as ifconfig.
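To show how little there is to configure, here is an added example (my own code, not from the original post or the WireGuard project) that renders a server-side wg-quick style configuration with one [Interface] section and one [Peer] section per client, parses it back, and validates it: keys must decode to 32 bytes, the address and AllowedIPs must be valid CIDR notation, and no two peers may claim overlapping AllowedIPs (WireGuard's cryptokey routing silently hands an overlapping address to the last peer defined). The keys are constructed placeholders of the right shape, not real keys, and the addresses are a constructed 10.8.0.0/24 tunnel.

```python
import base64
import ipaddress

# Constructed placeholder keys: 32 bytes, base64-encoded, the same shape as a
# real WireGuard key but NOT keys from any real deployment.
SERVER_PRIV = base64.b64encode(bytes([1] * 32)).decode()
CLIENT_A_PUB = base64.b64encode(bytes([2] * 32)).decode()
CLIENT_B_PUB = base64.b64encode(bytes([3] * 32)).decode()

# Constructed server-side config: one interface, one [Peer] per client, each
# client pinned to a single tunnel address via AllowedIPs (cryptokey routing).
SERVER_INTERFACE = {"Address": "10.8.0.1/24", "ListenPort": "51820", "PrivateKey": SERVER_PRIV}
SERVER_PEERS = [
    {"PublicKey": CLIENT_A_PUB, "AllowedIPs": "10.8.0.2/32"},
    {"PublicKey": CLIENT_B_PUB, "AllowedIPs": "10.8.0.3/32"},
]


def render_config(interface, peers):
    """Render an [Interface] section plus one [Peer] section per peer."""
    lines = ["[Interface]"] + [f"{k} = {v}" for k, v in interface.items()]
    for peer in peers:
        lines += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer.items()]
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Parse a wg-quick config. Several [Peer] sections share one name, so
    configparser (which rejects duplicate sections) is not used."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # base64 '=' padding is at the end
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def _is_key(value):
    """A WireGuard key is exactly 32 bytes of base64."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def validate(interface, peers):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    if not _is_key(interface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    port = interface.get("ListenPort")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"Interface: bad ListenPort {port!r}")
    try:
        ipaddress.ip_interface(interface.get("Address", ""))
    except ValueError:
        problems.append("Interface: Address is not a valid CIDR address")
    seen = []                                    # (network, peer index) for overlap checks
    for i, peer in enumerate(peers):
        if not _is_key(peer.get("PublicKey", "")):
            problems.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"Peer {i}: bad AllowedIPs entry {cidr!r}")
                continue
            for other, j in seen:
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"Peer {i} AllowedIPs {net} overlaps peer {j} {other}")
            seen.append((net, i))
    return problems


def check_example():
    """Render, parse back and validate the constructed server config."""
    interface, peers = parse_config(render_config(SERVER_INTERFACE, SERVER_PEERS))
    return validate(interface, peers)


if __name__ == "__main__":
    print(render_config(SERVER_INTERFACE, SERVER_PEERS))
    print("problems:", check_example() or "none")
```

The rendered text is what `wg-quick up wg0` would read from `/etc/wireguard/wg0.conf`; the validator is the part worth keeping, since the overlap check catches the one mistake the protocol itself will not complain about.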

Adoption

At the operating-system level, adoption has so far been by Linux alone: WireGuard was merged into the Linux kernel beginning with version 5.6 on March 30th 2020.

Below are the stances various VPN providers take when it comes to deciding if they should offer WireGuard to their customers:

  • ExpressVPN
    • No. “While we have a lot of respect for WireGuard, we felt it wasn’t really designed for a large VPN network with privacy and security as the first principle.”
  • NordVPN
    • Yes, but with a proprietary addition of their own called ‘NordLynx’ to address privacy concerns.
  • Mullvad
    • Yes, with additional steps taken to safeguard their customers’ privacy.
  • ProtonVPN
    • Yes, with additional steps taken to safeguard their customers’ privacy.
  • PIA (Private Internet Access)
    • Yes. Provided as is, with no mitigations as seen with other providers.

WireGuard Privacy Concerns

As the list above shows, there is some concern and confusion regarding privacy. What exactly are these concerns?

Public WireGuard IP address – the client’s public IP address (its endpoint) is held temporarily in the server’s RAM until the WireGuard server is rebooted or the interface is restarted.

Private WireGuard IP address – in the original WireGuard offering, each client is assigned a static (and therefore identifiable) internal IP address for the connection between the VPN app and the VPN server. This problem is not unique to WireGuard, however, and such addresses are commonly leaked via WebRTC. WebRTC should be disabled to address this.
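Both concerns above are visible on the server with `wg show wg0 dump`, which prints one tab-separated line for the interface and one per peer. The following is an added example (my own code, not from the original post or the WireGuard project) that parses a constructed copy of that output, lists the peers whose public endpoint is still held in kernel memory despite not having handshaked for a while, lists the peers pinned to a single static tunnel address, and builds the `wg set` commands that remove such a peer and re-add it with the same AllowedIPs but no Endpoint, which drops the stored public address without restarting the whole interface. Keys and addresses in the sample are placeholders; the column order is that documented for `wg show ... dump`.

```python
# Audit `wg show <iface> dump` output for the two privacy concerns above.
NOW = 1_700_000_000  # constructed "current" unix time so results are deterministic

# Constructed sample of `wg show wg0 dump` output (tab-separated), placeholder
# keys. Line 1: private key, public key, listen port, fwmark. Each further
# line: peer public key, preshared key, endpoint, allowed IPs, latest
# handshake (unix time, 0 = never), rx bytes, tx bytes, persistent keepalive.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER", "(none)", "203.0.113.10:41641",
               "10.8.0.2/32", str(NOW - 120), "1048576", "4194304", "off"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER", "(none)", "198.51.100.7:51820",
               "10.8.0.3/32", str(NOW - 3 * 86400), "4096", "4096", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER", "(none)", "(none)",
               "10.8.0.4/32", "0", "0", "0", "off"]),
])


def parse_dump(text):
    """Split dump output into an interface dict and a list of peer dicts."""
    lines = text.strip("\n").splitlines()
    iface = lines[0].split("\t")
    interface = {"public_key": iface[1], "listen_port": int(iface[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],   # last-seen public address
            "allowed_ips": [a.strip() for a in f[3].split(",")],
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return interface, peers


def retained_endpoints(peers, now, max_idle=3600):
    """Peers whose public address is still stored in the kernel even though
    they have not completed a handshake within max_idle seconds."""
    return [p for p in peers
            if p["endpoint"] is not None and now - p["latest_handshake"] > max_idle]


def static_single_address(peers):
    """Peers pinned to exactly one tunnel address (the identifiable private IP)."""
    return [p for p in peers
            if len(p["allowed_ips"]) == 1 and p["allowed_ips"][0].endswith(("/32", "/128"))]


def rotation_commands(stale, ifname="wg0"):
    """wg(8) commands that drop a peer (and with it the stored endpoint) and
    re-add it with the same AllowedIPs and no Endpoint, so nothing is held
    until the client next handshakes. A peer that uses a preshared key would
    also need it re-supplied with `preshared-key <file>`."""
    cmds = []
    for p in stale:
        cmds.append(f"wg set {ifname} peer {p['public_key']} remove")
        cmds.append(f"wg set {ifname} peer {p['public_key']} "
                    f"allowed-ips {','.join(p['allowed_ips'])}")
    return cmds


if __name__ == "__main__":
    interface, peers = parse_dump(SAMPLE_DUMP)
    stale = retained_endpoints(peers, NOW)
    print("listening on", interface["listen_port"])
    print("stale endpoints still in memory:", [p["public_key"] for p in stale])
    print("peers with a static single address:", len(static_single_address(peers)))
    print("\n".join(rotation_commands(stale)))
```

Run against real output with `wg show wg0 dump | python3 audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()` and `NOW` with `time.time()`; the idle threshold is a policy choice, and a provider will typically rotate far more aggressively than the hour used here.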

Final Thoughts

In short, the original version of WireGuard does have some mild privacy concerns. Any reputable (privacy-respecting) VPN provider should acknowledge this and provide countermeasures, commonly a ‘double NAT’ solution (e.g., ProtonVPN and NordVPN).

Interestingly, Mullvad does not appear to mention a ‘double NAT’ solution, instead opting for the more direct recommendation of disabling WebRTC.

WireGuard (when used with a VPN provider that takes additional privacy-enhancing measures) seems on par with OpenVPN in terms of privacy. In terms of performance and ease of use, it definitely outshines OpenVPN.

I believe that being able to do more with less is a sign of progress, which is one of the reasons WireGuard piqued my interest. Overall, the project’s efforts should be applauded, and I hope to see the ‘code minimisation’ approach adopted more widely.

References

[1] National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. [Online] Available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf. [Accessed 29 Aug. 2021].
[2] Donenfeld, J. (2020). WireGuard: Next Generation Kernel Network Tunnel. [Online] Available at: https://www.wireguard.com/papers/wireguard.pdf. [Accessed 29 Aug. 2021].
[3] Salter, J. (2018). WireGuard VPN review: A new type of VPN offers serious advantages. [Online] Available at: https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/. [Accessed 29 Aug. 2021].
[4] Long, H. (2021). WireGuard vs OpenVPN. [Online] Available at: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/. [Accessed 29 Aug. 2021].
