An Introductory Guide to WireGuard

Enable secure remote access with a WireGuard VPN
IMAGE SOURCE: Canva

More and more employers are embracing remote work, which has increased the need for virtual private network (VPN) solutions. A recent market report, which forecasts the global VPN market growing from USD 38 billion in 2021 to USD 45 billion this year, points to this shift as one of the drivers. One VPN solution that has been drawing a lot of attention lately is WireGuard.

Even Linux’s creator, Linus Torvalds, publicly praised the protocol before it was merged into the Linux kernel (it has shipped in mainline since Linux 5.6). So what is WireGuard, and why would you want to use it over other VPNs? Allow me to give you a brief overview. What you do next is up to you.

What Is WireGuard VPN?

WireGuard is a fast, free, open-source VPN protocol and software. From a network standpoint, it operates at the network layer: it tunnels IP packets (IPv4 and IPv6) and nothing else. From an operating system (OS) standpoint, the reference implementation lives in kernel space on Linux, where it is part of the mainline kernel; a userspace implementation, wireguard-go, serves platforms without a kernel module. Because of this network layer association, WireGuard is often compared to IPsec, the most widely deployed VPN technology.

A graphic showing the four layers of the TCP/IP model and where WireGuard, OpenVPN, and IPsec operate
WireGuard operates at the Network Layer of the TCP/IP model
IMAGE SOURCE: Created using Canva

The Linux kernel implementation of WireGuard consists of only around 4,000 lines of code. That’s one to two orders of magnitude smaller than other VPN implementations such as OpenVPN and IPsec stacks. An OpenVPN deployment, for instance, can run from 70,000 to 600,000 lines of code once you count the TLS library it depends on. I’ll discuss the advantages of a smaller code size shortly.

In the meantime, I’ll explain how WireGuard works.

How Does WireGuard Work?

You create a WireGuard VPN when two WireGuard-equipped endpoints (WireGuard calls them peers) establish an encrypted tunnel. Both endpoints must have WireGuard installed and configured with each other’s public key. WireGuard wraps each IP packet inside an encrypted UDP datagram, so traffic between two private networks can cross an untrusted network such as the internet as if the networks were directly connected. For instance, you’d use such a tunnel to connect a LAN at one location, across the internet, to a LAN at another.

Since WireGuard encrypts and authenticates every packet, entities along your VPN’s path can neither read nor tamper with your traffic. Your ISP and on-path threat actors can still see that encrypted UDP traffic flows between the two endpoints (their addresses, and the timing and sizes of packets), but not what it contains. The orange segment labeled “WireGuard VPN” in the diagrams below illustrates where the VPN protects transmitted data. In addition, a WireGuard VPN can provide secure access to resources in an internal network.

Let me show you some typical WireGuard VPN setups to illustrate how WireGuard works.

Remote Access WireGuard VPN

A remote access VPN setup consists of one or more remote devices and a device that acts as a VPN gateway on your network. Since WireGuard calls every endpoint a peer, this setup is also called Peer-to-Site: the peers are the remote devices, and the site is your network. You usually use peer-to-site to give users secure remote access to your internal network.

In this scenario, you’d install and configure WireGuard on each remote device and on one device in your network. The remote device can be a PC, laptop, or mobile device. The device on your network, which acts as the VPN gateway, a.k.a. VPN server, can be a router, firewall, or server, as long as its WireGuard UDP port (51820 by default) is reachable from the internet. Of course, all of these devices have to support WireGuard; many router and firewall platforms, including OpenWrt, OPNsense, pfSense, and MikroTik RouterOS 7, ship it as a built-in or installable feature.

A diagram illustrating a WireGuard peer-to-site VPN: a laptop connecting to a WireGuard VPN gateway
A WireGuard remote access VPN, a.k.a. Peer-to-Site VPN
IMAGE SOURCE: Created using Canva

Site-to-Site WireGuard VPN

A site-to-site VPN setup consists of two networks, a.k.a. sites. Each would have a device that acts as a VPN gateway. You usually use a site-to-site VPN if you want users or processes on both sites to access resources on the other site. For example, one site can be your HQ network, and the other can be a branch office network. 

In this scenario, you would install and configure WireGuard on a network device at each site, such as a router, firewall, or server. That device then serves as that network’s VPN gateway, and its peer entry for the other gateway lists the other site’s LAN range so that traffic for that LAN is routed into the tunnel.

A diagram illustrating a WireGuard site-to-site VPN connecting a branch office network with an HQ network
A WireGuard Site-to-Site VPN
IMAGE SOURCE: Created using Canva
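How the gateway in either setup decides which peer a packet belongs to, as an added example that is not code from this article or from the WireGuard project: WireGuard’s AllowedIPs setting (its “cryptokey routing”) is at once the outbound routing table and the inbound source-address filter. The wg0.conf text, the hostname branch.example.net, the addresses, and the placeholder key strings are constructed for the example; real keys are 44-character base64 strings.

```python
"""Cryptokey routing: how a WireGuard interface maps IP ranges to peers.

Added example, not WireGuard's own code. Each [Peer]'s AllowedIPs list plays
two roles: on the way out it is a routing table (which peer do I encrypt this
packet to?), and on the way in it is an access control list (may this peer
send packets from that source address?). The config models an HQ gateway that
serves a roaming laptop (peer-to-site) and a branch gateway (site-to-site).
"""
import ipaddress
from typing import Dict, List, Optional, Union

# Constructed wg0.conf for the HQ gateway; the key values are placeholders.
HQ_WG0_CONF = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hq-private-key>

# Roaming laptop: only its own tunnel address (peer-to-site)
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32

# Branch gateway: its tunnel address plus the LAN behind it (site-to-site)
[Peer]
PublicKey = <branch-public-key>
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
Endpoint = branch.example.net:51820
PersistentKeepalive = 25
"""

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_peers(conf: str) -> Dict[str, List[Net]]:
    """Return {PublicKey: [AllowedIPs networks]} from wg0.conf-style text."""
    sections = []  # list of (section name, {field: value})
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
            continue
        if not sections:
            raise ValueError(f"key/value outside any section: {line!r}")
        name, _, value = line.partition("=")
        sections[-1][1][name.strip()] = value.strip()
    peers: Dict[str, List[Net]] = {}
    for name, fields in sections:
        if name != "peer":
            continue
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in fields.get("AllowedIPs", "").split(",") if n.strip()]
        peers[fields["PublicKey"]] = nets
    return peers


def peer_for_destination(peers: Dict[str, List[Net]], dst: str) -> Optional[str]:
    """Outbound lookup: the peer whose AllowedIPs contains dst, longest prefix
    wins (WireGuard keeps these ranges in a trie with the same semantics).
    None means no peer claims the address, so the packet never enters the tunnel."""
    addr = ipaddress.ip_address(dst)
    best = None  # (peer key, prefix length)
    for key, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers: Dict[str, List[Net]], from_peer: str, src: str) -> bool:
    """Inbound check: a packet that decrypted correctly under from_peer's session
    is delivered only if its source IP lies in that peer's AllowedIPs. This is
    what stops the branch gateway from injecting packets claiming to be the laptop."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peers.get(from_peer, []))


if __name__ == "__main__":
    peers = parse_peers(HQ_WG0_CONF)
    for dst in ("10.8.0.2", "192.168.50.20", "8.8.8.8"):
        print(f"outbound to {dst:<14} -> {peer_for_destination(peers, dst)}")
    for sender, src in (("<branch-public-key>", "192.168.50.7"),
                        ("<branch-public-key>", "10.8.0.2")):
        verdict = "deliver" if accept_inbound(peers, sender, src) else "drop"
        print(f"inbound from {sender} claiming {src:<14} -> {verdict}")
```

Two details of the real implementation are worth keeping in mind when you write AllowedIPs by hand: a range can belong to only one peer, so assigning the same range to a second peer moves it there rather than sharing it, and a road-warrior client whose single peer has AllowedIPs = 0.0.0.0/0 still sends traffic for a more specific range to whichever peer claims that range.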

The previous two WireGuard VPN setups are normally self-managed: you’re completely responsible for deploying, managing, and maintaining the VPN. If you want some of WireGuard’s benefits without running the infrastructure yourself, you can instead use a commercial VPN service that offers WireGuard.

WireGuard VPN Service

A WireGuard VPN service is usually a feature offered through an existing VPN service. Some VPN providers like NordVPN, CyberGhost, and SurfShark offer WireGuard as an option along with other VPN protocols. Remember that a WireGuard VPN offered through a VPN service usually only protects the path between your device and the provider’s server; from there to the destination, your traffic is only as protected as the application protocol (HTTPS, for instance) makes it.

You can use these WireGuard VPNs to secure certain portions of your network traffic from eavesdroppers. However, you usually can’t use them to access your private network as in the previous scenarios. A WireGuard VPN service can come in handy if you want privacy while connecting to the internet from a non-private location like a hotel or airport. 

A diagram illustrating a remote user connecting to the internet through a WireGuard VPN service
A WireGuard VPN service
IMAGE SOURCE: Created using Canva

WireGuard is often compared with OpenVPN, another open-source VPN solution. But is WireGuard better than OpenVPN? Let’s find out. 

Is WireGuard Better than OpenVPN?

I’ll review WireGuard and OpenVPN’s attributes in three areas and discuss why each matters:

  1. What transport protocols they support
  2. Where they live in an operating system
  3. How long their code is

UDP Only vs UDP and TCP

WireGuard supports only UDP, while OpenVPN supports both UDP and TCP. TCP provides ordered, reliable delivery, but using it as the outer transport of a tunnel is a liability: when TCP traffic runs inside a TCP tunnel, both layers retransmit and back off independently, which can make the connection crawl. UDP leaves reliability to the protocols inside the tunnel. OpenVPN’s support for TCP does have one advantage, though.

OpenVPN can be configured to listen on TCP port 443, the port used by HTTPS, the protocol most websites use. Because nearly every firewall allows outbound TCP 443, an OpenVPN connection set up this way usually gets through, unless you’re dealing with a next-generation firewall (NGFW) that does deep packet inspection and notices the traffic isn’t real TLS. WireGuard, being UDP only, is blocked wherever outbound UDP is restricted, and its fixed-size handshake messages make it easy for deep packet inspection to fingerprint even on a non-standard port.
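Why deep packet inspection can spot WireGuard regardless of port, as an added example that is not from this article or from any vendor’s firewall: WireGuard’s four message types have fixed layouts (type byte, three reserved zero bytes, then a handshake initiation of exactly 148 bytes, a handshake response of 92, a cookie reply of 64, and transport data as a 16-byte header plus ciphertext padded to a multiple of 16, so 32 bytes at minimum). The classifier below applies exactly those checks to UDP payloads and then pairs an initiation with its response before flagging a flow; the sample packets, addresses, and that pairing heuristic are constructed for the example.

```python
"""Fingerprinting WireGuard on the wire from message shapes, not port numbers.

Added example, not part of the original article or the WireGuard project.
The length and header rules below are the protocol's own fixed message layouts.
"""
import os
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

MESSAGE_TYPES = {1: "handshake-initiation", 2: "handshake-response",
                 3: "cookie-reply", 4: "transport-data"}


def classify(payload: bytes) -> Optional[str]:
    """Name the WireGuard message type a UDP payload matches, or None.

    Checks only what the protocol fixes: the type byte, three reserved zero
    bytes, and the exact (or, for data, 16-aligned) length of each message."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype, n = payload[0], len(payload)
    if mtype == 1 and n == 148:
        return MESSAGE_TYPES[1]
    if mtype == 2 and n == 92:
        return MESSAGE_TYPES[2]
    if mtype == 3 and n == 64:
        return MESSAGE_TYPES[3]
    if mtype == 4 and (n - 16) % 16 == 0:  # 16-byte header + padded ciphertext
        return MESSAGE_TYPES[4]
    return None


Packet = Tuple[str, str, bytes]  # (src ip:port, dst ip:port, UDP payload)


def detect_wireguard_flows(packets: List[Packet]) -> Set[Tuple[str, str]]:
    """Return (client, server) pairs that exchanged a handshake initiation and
    a matching response in the opposite direction. A lone data-shaped packet
    is not enough: any 16-aligned UDP payload starting with 04 00 00 00 looks
    like transport data, so the heuristic insists on seeing the handshake."""
    initiations: Set[Tuple[str, str]] = set()
    flows: Set[Tuple[str, str]] = set()
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "handshake-initiation":
            initiations.add((src, dst))
        elif kind == "handshake-response" and (dst, src) in initiations:
            flows.add((dst, src))
    return flows


def fake_message(mtype: int, total_len: int) -> bytes:
    """Constructed payload with a valid WireGuard header and a random body."""
    return bytes([mtype, 0, 0, 0]) + os.urandom(total_len - 4)


# Constructed sample traffic, not a capture. The VPN runs on UDP 443 to show
# that the port tells the firewall nothing; the message shapes do.
SAMPLE_PACKETS: List[Packet] = [
    ("203.0.113.10:41112", "198.51.100.5:443", fake_message(1, 148)),    # initiation
    ("198.51.100.5:443", "203.0.113.10:41112", fake_message(2, 92)),     # response
    ("203.0.113.10:41112", "198.51.100.5:443", fake_message(4, 32)),     # keepalive
    ("203.0.113.10:41112", "198.51.100.5:443", fake_message(4, 1296)),   # full data packet
    ("203.0.113.20:50001", "198.51.100.9:51820", fake_message(1, 100)),  # wrong length: not WireGuard
    ("203.0.113.30:60000", "198.51.100.12:9000", fake_message(4, 48)),   # data-shaped, no handshake seen
]


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count packets per message type ("None" = unclassified)."""
    return dict(Counter(str(classify(p)) for _, _, p in packets))


if __name__ == "__main__":
    for src, dst, payload in SAMPLE_PACKETS:
        print(f"{src:>20} -> {dst:<20} {len(payload):5d} bytes  {classify(payload)}")
    print("per-type counts:", summarize(SAMPLE_PACKETS))
    print("flows flagged as WireGuard:", detect_wireguard_flows(SAMPLE_PACKETS))
```

The flow on UDP 443 is flagged because its handshake shapes match, while the packet on the default port 51820 is not, because its length doesn’t; that is the whole reason port-based allow rules don’t help WireGuard past an inspecting firewall.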

Kernel Space vs User Space

WireGuard runs in kernel space, whereas OpenVPN runs in user space. This single attribute is a significant reason why WireGuard is faster than OpenVPN: every packet OpenVPN handles has to cross the user/kernel boundary, read from the tunnel device into the OpenVPN process for encryption or decryption and then written back to the kernel’s network stack, and those copies and context switches add up. OpenVPN has, however, introduced a feature that brings its speeds much closer to WireGuard’s.

OpenVPN 2.6, released in early 2023, added Data Channel Offload (DCO), a.k.a. openvpn-dco: a kernel module that handles the data channel inside the kernel and eliminates the user space/kernel space packet exchanges described above. According to the folks at OpenVPN, DCO makes OpenVPN faster than previous versions by an order of magnitude, which should put OpenVPN’s throughput in the same range as WireGuard’s.

Shorter Code vs Longer Code

We already know WireGuard has substantially fewer lines of code than OpenVPN. Why is that an advantage? For one, less code means fewer places for bugs to hide and a smaller attack surface. WireGuard also avoids cipher negotiation entirely: it uses one fixed set of cryptographic primitives, so there is no handshake-time agreement for an attacker to downgrade. And when a vulnerability does surface, an audit of a few thousand lines finds and confirms it far faster than an audit of a few hundred thousand.

Of course, less code also means fewer features. For example, OpenVPN supports several different authentication options like username/password, two-factor authentication, and certificate-based authentication. WireGuard has none of these: each peer is identified solely by its Curve25519 public key (optionally combined with a per-peer pre-shared key), so user identity, onboarding, and revocation have to be handled by whatever distributes those keys.

Take a look at this table to highlight the differences between the two:

Comparison                     WireGuard          OpenVPN
Transport protocols supported  UDP only           UDP and TCP
Firewall friendly              No                 Yes
Kernel space vs user space     Kernel space       User space
Attack surface                 Smaller            Larger
Auditability                   Easier to audit    More difficult to audit
Speed                          Currently faster   Currently slower
Feature set                    Fewer features     More features

Table: What’s the difference between WireGuard and OpenVPN?

While we’re at it, let’s discuss some of the benefits and drawbacks of using WireGuard in general, not just in comparison to OpenVPN.

Benefits of Using WireGuard

If you only need a VPN in its most basic form, WireGuard should suffice. Here are some of the key reasons why. 

Secures Data in Transit

The main benefit of using a WireGuard VPN, regardless of setup, is that data in transit is encrypted and authenticated. Even if your data traverses an untrusted network, neither its confidentiality nor its integrity is at risk.

Enables Secure Remote Access

For site-to-site and peer-to-site setups, you’ll be able to establish secure remote access to local area networks (LANs). This capability will allow you to securely send or retrieve data with those LANs, even in another city, country, or continent.

Is Faster than Other VPN Solutions

One of WireGuard’s strongest suits is its speed. In published benchmarks, it’s faster than other VPN solutions like IPsec and OpenVPN, which matters if you need high throughput or low latency through the tunnel. To give you an idea of just how fast WireGuard is, here’s a snapshot of benchmark results, published by the WireGuard project, comparing WireGuard, IPsec, and OpenVPN.

A bar chart comparing the throughput of WireGuard, two different IPsec setups, and OpenVPN
Benchmark results showing how fast WireGuard is compared to IPsec and OpenVPN
IMAGE SOURCE: WireGuard

Provides More Security than Other VPN Protocols

Although this is debatable, I would argue that WireGuard’s smaller attack surface matters from a security standpoint. Since it’s open source and small, security researchers can scrutinize the entire code base, and the protocol itself has been formally verified (the WireGuard project publishes those proofs). Compared to other VPN protocols, you should find it easier to validate WireGuard’s resistance against various threats. Moreover, when a vulnerability is found, you’ll find it easier to apply and review a fix.

While these benefits are certainly useful, you must also be aware of the disadvantages of using a WireGuard VPN.

Drawbacks of Using WireGuard 

Like all VPN solutions out there, WireGuard isn’t perfect. It has certain flaws you must be aware of before considering deploying it in a business setting. 

Doesn’t Support TCP

WireGuard doesn’t support TCP as its outer transport. It exclusively uses UDP, partly to avoid the performance collapse of TCP-over-TCP tunnels, and that choice is one of the reasons it’s fast. Applications inside the tunnel can still use TCP; the tunnel carries whatever IP packets you send through it. The limitation only bites where the network between the peers blocks or throttles UDP. In those environments, you’ll have to wrap WireGuard’s UDP in another transport or use a different VPN.

Lacks Advanced Features

WireGuard’s minimalism has its downsides. For one, it lacks some advanced features that other VPNs offer. We’ve already covered authentication options when we talked about OpenVPN. Other capabilities, like key distribution, pushing configuration to clients, and dynamic routing, are also absent: WireGuard expects an external tool to generate keys, place them in each peer’s configuration, and maintain each peer’s AllowedIPs. Unfortunately for WireGuard, most large enterprises require these features for security or integration purposes, so you’ll have to perform additional integrations to meet those requirements. The extra steps can increase complexity and cost.

Doesn’t Outpace IPsec Enough

WireGuard creator Jason Donenfeld states in his whitepaper that WireGuard is intended to replace IPsec. Indeed, WireGuard is faster than IPsec. However, as the benchmark results posted earlier show, the gap isn’t dramatic. In many cases, replacing a functioning IPsec deployment wouldn’t be practical to gain 10-30% more throughput.

That said, does that mean WireGuard isn’t worth your time? The answer depends on how you’re going to use it. 

Who Should Use WireGuard?

As you already know, WireGuard by itself lacks advanced features that enterprises often require. So if you’re looking for a VPN solution for your enterprise, even a self-managed WireGuard deployment might not be for you, at least until the tooling around WireGuard matures further.

That said, WireGuard should be good if you’re an IT enthusiast looking for a VPN that’s fast, free, and extensible. Any organization or person with technical skills to deploy, manage, and maintain a VPN solution can use WireGuard. Again, just be sure you have someone who can integrate additional solutions for other required capabilities. 

Alright, time to wrap things up. 

Final Words

This article talked about WireGuard, one of the fastest VPN protocols available. WireGuard can be used in remote access and site-to-site VPN setups, and you can also get it through a VPN service provider. Although often compared to OpenVPN, since both are open source, WireGuard has a much smaller code base. It also operates in the kernel rather than in user space, where OpenVPN lives.

WireGuard isn’t perfect. It doesn’t support TCP as a transport. It also lacks the advanced features of more established VPN solutions like IPsec and OpenVPN. Because of this, you might want to wait until the ecosystem around the protocol matures further before considering it for enterprise use. However, for light personal use or remote workers, WireGuard is a fine VPN solution.

Curious to learn more about WireGuard VPN and other protocols? Check out the FAQ and Resources sections below!

FAQ

What is a No-Log VPN?

A no-log VPN doesn’t store traffic logs, a practice adopted for privacy reasons. VPN providers often base themselves in jurisdictions (Switzerland is commonly cited) that don’t require VPN services to retain traffic data, and they advertise no-log policies accordingly. A no-log VPN helps the businesses that rely on it avoid accumulating records of what their users did online.

Is WARP or a VPN better for online security?

WARP is a cloud-based service offered by Cloudflare, a web performance and security company. It is built on the WireGuard protocol (Cloudflare’s BoringTun implementation), and like a VPN it encrypts traffic between your device and Cloudflare’s edge. However, it isn’t a full-fledged VPN: WARP focuses on speed and on securing the first hop rather than on privacy or on reaching a private network. Our article on WARP vs VPN has more details on the topic.

Why should I use a VPN if I’m working remotely?

A VPN can keep you safe when you’re connected to public Wi-Fi. It gives you secure remote access to files, applications, and other resources in your corporate network. You can learn more about this in our article about remote workers and using a VPN.

Do I need a VPN and a firewall?

Absolutely. VPNs and firewalls address different sets of threats. VPNs protect data in transit from network eavesdroppers. On the other hand, a firewall keeps threats from entering your network. It’s best to employ both security solutions to achieve a layered defense. 

How can a VPN help secure your data center?

VPNs play an important role in data center security. You can use one to provide secure remote access to the resources hosted in your data center, and it prevents eavesdroppers from obtaining information while you access those resources.

Resources

TechGenix: Article on L2TP VPN

Learn about the concept of Layer 2 Tunneling and how it impacts VPNs and your security.

TechGenix: Article on remote access

Check out how you can get set up for remote network access so you’ll always have it at your fingertips.

TechGenix: Review on Kerio Control VPN

If you’re looking to step up your VPN game, check out our review on Kerio Control VPN.

TechGenix: Article on Self-hosted VPN vs VPN-as-a-Service

Discover the differences between VPN-as-a-service and self-hosted solutions

TechGenix: Article on Tor vs VPN

Not sure whether a VPN or Tor is the right solution for you? We’ve got a stellar comparison between them.

1 thought on “An Introductory Guide to WireGuard”

  1. “In this scenario, you would install and configure WireGuard on a network device such as a router, firewall, or server.”

    How the hell are you going to install WireGuard on a router or firewall???? You are talking stupid nonsense! A firewall or router has its own firmware, and it’s impossible to install anything on it; it’s not like the Windows OS where you can install whatever you want….
