More and more employers are embracing remote work, which has increased the need for virtual private network (VPN) solutions. A recent report that forecasts a global VPN market growth of USD45 billion this year from USD38 billion in 2021 discusses this development. One particular VPN solution that’s been drawing a lot of attention lately is WireGuard VPN.
Even Linux’s creator, Linus Torvalds, showed a keen interest in this VPN protocol in the past. So what is WireGuard, and why would you want to use it over other VPNs? Allow me to give you a brief overview. What you do next is up to you.
What Is WireGuard VPN?
WireGuard is a fast, free, open-source VPN software. From a network standpoint, it operates at the network layer. From an operating system (OS) standpoint, it lives in kernel space. Because of this network layer association, WireGuard is often compared to IPsec, the most popular VPN.
WireGuard consists of only around 4,000 lines of code. That’s about one to two orders of magnitude smaller than other VPN types like OpenVPN and IPsec. An OpenVPN implementation, for instance, can have 70,000 to 600,000 lines of code. I’ll discuss the advantages of having a smaller code size shortly.
In the meantime, I’ll explain how WireGuard works.
How Does WireGuard Work?
You create a WireGuard VPN when two WireGuard-equipped endpoints establish an encrypted tunnel. These two endpoints must have WireGuard installed and configured to establish the tunnel. The tunnel allows data from one network to another, even if the two networks don’t use the same protocol. For instance, you’ll need a tunnel to connect from a LAN through telco lines through the internet to another LAN.
Since WireGuard VPN encrypts data, entities along your VPN’s path won’t be able to eavesdrop on your connection. Your ISP and threat actors won’t be able to retrieve information sent through that VPN. The orange segment labeled “WireGuard VPN” in the diagrams below illustrates where the VPN secures transmitted data. In addition, a WireGuard VPN can provide secure access to resources in an internal network.
Let me show you some typical WireGuard VPN setups to illustrate how WireGuard works.
Remote Access WireGuard VPN
A remote access VPN setup consists of one or more remote devices and a device that acts as a VPN gateway on your network. In WireGuard jargon, this setup is also called Peer-to-Site. Peer(s) refers to the remote device(s), and site refers to your network. You usually use peer-to-site to provide users with secure remote access to your internal network.
In this scenario, you’d install and configure WireGuard on a remote device and a device on your network. The remote device can be a PC, laptop, or mobile device. The device on your network, which acts as a VPN gateway, a.k.a. VPN server, can be a router, firewall, server, or any device reachable from the internet. Of course, all these devices have to support WireGuard.
Site-to-Site WireGuard VPN
A site-to-site VPN setup consists of two networks, a.k.a. sites. Each would have a device that acts as a VPN gateway. You usually use a site-to-site VPN if you want users or processes on both sites to access resources on the other site. For example, one site can be your HQ network, and the other can be a branch office network.
In this scenario, you would install and configure WireGuard on a network device such as a router, firewall, or server. That device would then serve as that network’s VPN gateway.
The previous two WireGuard VPN setups are normally self-managed. You’re completely responsible for deploying, managing, and maintaining the VPN in those scenarios. However, you may want to use certain WireGuard VPN features but not to deploy, manage, and maintain the infrastructure. You can use a different VPN service for this purpose.
WireGuard VPN Service
A WireGuard VPN service is usually a feature offered through an existing VPN service. Some VPN providers like NordVPN, CyberGhost, and SurfShark offer WireGuard as an option along with other VPN protocols. Remember that WireGuard VPNs offered through a VPN service usually only provide privacy between your device and the server.
You can use these WireGuard VPNs to secure certain portions of your network traffic from eavesdroppers. However, you usually can’t use them to access your private network as in the previous scenarios. A WireGuard VPN service can come in handy if you want privacy while connecting to the internet from a non-private location like a hotel or airport.
WireGuard is often compared with OpenVPN, another open-source VPN solution. But is WireGuard better than OpenVPN? Let’s find out.
Is WireGuard Better than OpenVPN?
I’ll review WireGuard and OpenVPN’s attributes in 3 areas and discuss why it matters:
- What transport protocols they support
- Where they live in an operating system
- How long their code is
UDP Only vs UDP and TCP
WireGuard supports UDP, while OpenVPN supports both UDP and TCP. TCP offers more features like error checking and delivery reliability. On the flip side, the added complexity can sometimes make TCP slower. OpenVPN’s support for TCP has one advantage, though.
When OpenVPN employs TCP, it uses port 443, the same port used by HTTPS, the protocol used by most websites. For this reason, most firewall deployments allow TCP 443. So, your OpenVPN connection should slip through most firewalls unless you’re dealing with an NGFW that does deep packet inspection. Your WireGuard VPN can’t.
Kernel Space vs User Space
WireGuard operates in kernel space, whereas OpenVPN operates in user space. This single attribute is a significant reason why WireGuard is faster than OpenVPN. OpenVPN has to send packet data between the user and kernel space for routing and encryption/decryption processes. OpenVPN is, however, introducing a new feature that could bring OpenVPN speeds at par with WireGuard’s.
In the still-to-be-released OpenVPN 2.6, OpenVPN will start supporting Data Channel Offload (DCO), a.k.a. openvpn-dco. Openvpn-dco eliminates the user space-kernel space packet exchanges described earlier. According to the folks at OpenVPN, the DCO module makes OpenVPN faster than previous versions by order of magnitude. If OpenVPN 2.6 gets released successfully, OpenVPN speeds should be comparable to WireGuard’s.
Shorter Code vs Longer Code
We already know WireGuard has substantially fewer lines of code than OpenVPN. Why does that give WireGuard an advantage? Well, for one, shorter code translates to a smaller attack surface. Also, even if a vulnerability does occur, a code audit can discover the issue much faster.
Of course, less code also means fewer features. For example, OpenVPN supports several different authentication options like username/password, 2-factor authentication, and certificate-based authentication. You can’t find these options in a WireGuard VPN, which only uses public key authentication.
Take a look at this table to highlight the differences between the two:
|Transport protocols supported||UDP only||UDP and TCP|
|Kernel space vs User space||Kernel space||User space|
|Auditability||Easier to audit||More difficult to audit|
|Speed||Currently faster||Currently slower|
|Feature set||Fewer features||More features|
While we’re at it, let’s discuss some of the benefits and drawbacks of using WireGuard in general, not just in comparison to OpenVPN.
Benefits of Using WireGuard
If you only need a VPN in its most basic form, WireGuard should suffice. Here are some of the key reasons why.
Secures Data in Transit
The main benefit of using a WireGuard VPN, regardless of setup, is that you can encrypt data in transit. Even if your data traverses an unsecured network, its confidentiality won’t be at risk.
Enables Secure Remote Access
For site-to-site and peer-to-site setups, you’ll be able to establish secure remote access to local area networks (LANs). This capability will allow you to securely send or retrieve data with those LANs, even in another city, country, or continent.
Is Faster than Other VPN Solutions
One of WireGuard’s strongest suits is its speed. It’s faster than other VPN solutions like IPsec and OpenVPN. This advantage can come in handy if you require a fast VPN connection. To give you an idea of just how fast WireGuard is, here’s a snapshot of benchmark test results comparing WireGuard, IPsec, and OpenVPN.
Provides More Security than Other VPN Protocols
Although this may be debatable, I would argue that WireGuard’s smaller attack surface is important from a security standpoint. Since it’s open source, cybersecurity experts can easily scrutinize the code to find vulnerabilities. Compared to other VPN protocols, you should find it easier to validate WireGuard’s resistance against various threats. Moreover, you’ll find it easier to apply a fix if you find a vulnerability.
While these benefits are certainly useful, you must also be aware of the disadvantages of using a WireGuard VPN.
Drawbacks of Using WireGuard
Like all VPN solutions out there, WireGuard isn’t perfect. It has certain flaws you must be aware of before considering deploying it in a business setting.
Doesn’t Support TCP
WireGuard doesn’t support TCP. Instead, it exclusively uses UDP to avoid performance issues prevalent in TCP-over-TCP tunnels. The use of UDP, which is inherently faster than TCP, is one of the reasons WireGuard is fast. In most cases, TCP is more accurate and has better error-checking, whereas UDP is focused on pure speed. You’ll have to employ a different solution if you need to tunnel using TCP for streaming content and data.
Lacks Advanced Features
WireGuard’s minimalistic code has its downsides. For one, it lacks some advanced features that other VPNs offer. We’ve already covered authentication options when we talked about OpenVPN. Other capabilities, like key distribution, push configurations, routing, etc., are also missing. Unfortunately for WireGuard, most large enterprises require these features for added security or integration purposes. You’ll have to perform additional modifications and integrations to meet these requirements. The extra steps can increase complexity and cost.
Doesn’t Outpace IPsec Enough
WireGuard creator Jason Donenfeld mentions in his whitepaper that WireGuard is intended to replace IPsec. Indeed, WireGuard is faster than IPsec. However, as you can see from the benchmark results posted earlier, it’s not insanely faster. It’s not a massive difference in speed — so, in many cases, replacing a functioning IPsec deployment wouldn’t be practical to gain a 10-30% throughput.
That said, does that mean WireGuard isn’t worth your time? The answer depends on how you’re going to use it.
Who Should Use WireGuard?
As you already know, WireGuard, by itself, lacks advanced features that are often required in enterprise settings. So if you’re looking for a VPN solution for your enterprise, even a self-managed WireGuard deployment might not be for you. At least until WireGuard matures further.
That said, WireGuard should be good if you’re an IT enthusiast looking for a VPN that’s fast, free, and extensible. Any organization or person with technical skills to deploy, manage, and maintain a VPN solution can use WireGuard. Again, just be sure you have someone who can integrate additional solutions for other required capabilities.
Alright, time to wrap things up.
This article talked about WireGuard, the fastest VPN protocol on the planet. WireGuard can be used in remote access VPN and site-to-site VPN setups, and you can also get it through a VPN service provider. Although often compared to OpenVPN, since both are open source, WireGuard has much shorter code. It also operates in the kernel instead of user space, where OpenVPN lives.
WireGuard isn’t perfect. It doesn’t support TCP. It also lacks the advanced features of other more established VPN protocols like IPsec and OpenVPN. Because of this, you might want to wait until the protocol matures further before considering it for enterprise use. However, for light personal use or remote workers, WireGuard is still a fine VPN solution.
Curious to learn more about WireGuard VPN and other protocols? Check out the FAQ and Resources sections below!
What is a No-Log VPN?
A no-log VPN doesn’t store traffic logs. This practice is done for privacy purposes. Some countries, like Switzerland, have laws that don’t allow servers to keep log traffic. A no-log VPN helps VPN-equipped businesses meet that mandate.
Is WARP or a VPN better for online security?
WARP is a cloud-based service offered by web performance and security company, Cloudflare. Like a VPN, WARP protects your privacy. However, it’s not as secure as a full-fledged VPN. WARP is more focused on speed than on privacy. Our article on WARP vs VPN has more details on the topic.
Why should I use a VPN if I’m working remotely?
A VPN can keep you safe when you’re connected to public Wi-Fi. It gives you secure remote access to files, applications, and other resources in your corporate network. You can learn more about this in our article about remote workers and using a VPN.
Do I need a VPN and a firewall?
Absolutely. VPNs and firewalls address different sets of threats. VPNs protect data in transit from network eavesdroppers. On the other hand, a firewall keeps threats from entering your network. It’s best to employ both security solutions to achieve a layered defense.
How can a VPN help secure your data center?
VPNs play an important role in data center security. You can use it to provide secure remote access to the resources hosted in your data center. A VPN can prevent eavesdroppers from obtaining information while you access resources in your data center.
TechGenix: Article on L2TP VPN
TechGenix: Article on remote access
Check out how you can get set up for remote network access so you’ll always have it at your fingertips.
TechGenix: Review on Kerio Control VPN
If you’re looking to step up your VPN game, check out our review on Kerio Control VPN.
TechGenix: Article on Self-hosted VPN vs VPN-as-a-Service
TechGenix: Article on Tor vs VPN
Not sure whether a VPN or Tor is the right solution for you? We’ve got a stellar comparison between them.