WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
It is run as a module inside the Linux kernel and aims for better performance and more power saving than the IPsec and OpenVPN tunneling protocols.
It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2. The Linux version of the software has reached a stable production release and was incorporated into the Linux kernel release in late March 2020.
WireGuard aims to provide a VPN that is both simple and highly effective.
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
WireGuard is designed as a general-purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
A 2018 review by Ars Technica observed that popular VPN technologies such as OpenVPN and IPsec are often complex to set up, disconnect easily (in the absence of further configuration), take substantial time to negotiate reconnections, may use outdated ciphers, and have relatively massive codebases (over 400,000 and 600,000 lines of code, respectively, according to Ars Technica) which makes it harder to find bugs.
WireGuard’s design seeks to reduce these issues, making the tunnel more secure and easier to manage by default.
By using versioning of cryptography packages, it focuses on ciphers believed to be among the most secure current encryption methods, and at the time of the Ars Technica review had a codebase of around 4000 lines of pure kernel code, about 1% of either OpenVPN or IPsec, making security audits easier, and praised by the Linux kernel creator Linus Torvalds compared to OpenVPN and IPsec as a “work of art”.
Ars Technica reported that in testing, stable tunnels were easy to create with WireGuard, compared to alternatives, and commented that it would be “hard to go back” to long reconnection delays, compared to WireGuard’s “no-nonsense” instant reconnections.
Simple & Easy-to-use
WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what’s under the hood. WireGuard presents an extremely basic yet powerful interface.
WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.
Minimal Attack Surface
WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code and easily auditable for security vulnerabilities. Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals.
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
Well Defined & Thoroughly Considered
WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper that clearly defines the protocol and the intense considerations that went into each decision.
If you’d like a general conceptual overview of what WireGuard is about, read onward here. You then may progress to installation and reading the quickstart instructions on how to use it.
The future of WireGuard
WireGuard’s future is looking bright.
Many VPN services have adopted WireGuard into their infrastructure as it becomes more popular with VPN users worldwide. And with improved speeds, reliability, and upgraded encryption, we can expect WireGuard’s popularity to continue growing.
The VPN protocol itself, however, certainly has room for improvement. It remains flawed from a privacy standpoint with the issues we discussed above. However, many VPNs have already found good workarounds to ensure user privacy while still enjoying the benefits that WireGuard offers.
Now that WireGuard has been released under version 1.0 and incorporated into the Linux kernel, it is safe to say this VPN protocol is ready for mainstream use.