The WireGuard VPN protocol is relatively new in the VPN industry. It sought to give VPN users the best service by simultaneously improving speeds and encryption over the previously available VPN protocols. WireGuard was supposed to disrupt the VPN universe, turn it upside down, and do away with the “obsolete” technologies it would replace. Has it delivered on its promises so far?
As WireGuard appeared, the reviews were all about the significant improvements that it was supposed to bring along. But unfortunately, that’s almost always the case when a new technology arises to challenge the prevailing standard.
However, WireGuard has been around for a while, and we’ve had the time to see it in action. Undoubtedly, it has its strengths, but it’s far from perfect. Also, some weaknesses are more visible now than they were when the protocol was new and untested at a practical level.
So now, it’s possible to review WireGuard more objectively, taking into account every pro and con, and see if it is the privacy, anonymity, and security silver bullet it was supposed to become.
This article provides you with such a comprehensive review as we take a closer look at the updated information about WireGuard and assess if it’s a good option for VPN users at present. You’ll know WireGuard’s benefits, the privacy problems it poses (and its potential solutions), the best VPNs using it, the protocol’s future, and a comparison with other VPN protocols.
Top 3 VPNs offering WireGuard protocol – Quick list
Want to test the WireGuard protocol yourself right now? Feel free to pick any of the three best VPNs listed here and start experimenting with WireGuard.
- NordVPN: The best WireGuard VPN offering fast speeds, tremendous anonymity with server obfuscation, a huge server network spanning 59+ countries, and a 30-day money-back guarantee.
- Surfshark: An industry disruptor that quickly adopted WireGuard to offer fast speeds for the customers. It also has a widespread network offering servers from 65+ countries, and a 30-day money-back guarantee.
- VyprVPN: A privacy-oriented Swiss VPN service that has recently introduced WireGuard support to serve its customers with swift performance.
WireGuard vs OpenVPN — how the two protocols serve users
The privacy problems in WireGuard are not deal-breakers. Competent implementation of the protocol can prevent its problems from becoming a threat. NordVPN is a good example. Its VPN apps use WireGuard out-of-the-box in tandem with a Double NAT system. Both technologies combine to ensure no identifiable user data gets stored on any network server.
OpenVPN is an open-source project that has provided the industry with its best VPN protocol for years. Because of its open-source nature, the code is there for everybody to examine and test. As a result, OpenVPN is thoroughly tested and audited all the time as the developer community keeps updating it. So far, OpenVPN has passed every test successfully, thus becoming the industry’s highest standard in VPN protocols, warranting a near 100% guarantee regarding data security.
So, WireGuard has to beat OpenVPN substantially to make a difference in the VPN market.
Is it, though? Our tests found WireGuard 58% faster than OpenVPN on an average server and even quicker with nearby servers. So, the new protocol gets an extra point here.
The current WireGuard protocol suffers from some intrinsic limitations. These problems do not enhance the protocol’s ability to protect user privacy. In fact, they can undermine it. So before choosing WireGuard as your default VPN protocol, please find out your VPN provider’s implementation of the protocol and the privacy policies it holds. Remember that privacy (unlike anonymity or security) is not a simple matter of technology but also of good practices and company policies — in other words, the human component matters too.
The WireGuard protocol’s pros and cons at a glance
WireGuard is a modern VPN protocol bearing numerous impressive features. But is it a better option than the time-tested alternatives such as OpenVPN? Let’s look at the best and the worst it has to offer.
- Agility. WireGuard is quick to connect and reconnect even when you’re roaming around. It keeps connections online that other protocols would lose. So it’s light yet robust.
- Security. WireGuard comprises modern, secure, efficient, and carefully-picked components. Its minimal code size makes it easy to audit, while enabling the protocol to perform the tough job of ensuring security with relatively small effort.
- Speed. The mathematical code in WireGuard is very fast and efficient. Besides, some of its lowest-level technology is already within the Linux kernel. This combination of advantages will always keep it faster than any competitor.
- Deployment. Installing the client or the server software for WireGuard is easy. The difficulty level is like installing and configuring SSH, which any admin in the world can do.
- Baked-in support. WireGuard works out-of-the-box only in some Linux distros. If you want WireGuard’s speeds, you’ll need an app that brings it to your device or service. Otherwise, you’ll have to go with OpenVPN or another protocol.
- Obfuscation. The obfuscation technique is critical in evading censorship, the Great Firewall of China, and other internet problems. However, it’s not easy to bring obfuscation and WireGuard together because you have to build obfuscation layers on top of WireGuard.
WireGuard is the brainchild of Jason Donenfeld, a 33-year-old hacker, security consultant, and software developer whose concern for a more secure internet became manifest as a new VPN protocol.
In several interviews, Donenfeld explains his problems with the OpenVPN and IPSec protocols, which he considers to be outdated. WireGuard’s idea is to come up with a more modern VPN tunnel by adopting advanced protocols and primitives as building blocks:
- Symmetric encryption is ChaCha20, with Poly1305 authentication and RFC7539 AEAD construction.
- ECDH through Curve25519.
- Blake2s is in charge of hashing and keyed hashes.
- SipHash24 for hashtable keys.
- HKDF for key derivation.
If you don’t follow the meaning of these terms, don’t worry. Those are some fairly advanced cryptographic concepts that even specialists can find challenging. The gist is: WireGuard is choosing a set of building blocks for its more modern protocol, supposedly more robust, than those previously found in any VPN protocol.
Minimal code base
The full WireGuard implementation is fewer than four thousand lines of code. This is a fantastic expression of efficiency compared with OpenVPN and OpenSSL, which are longer than half a million lines of code put together. IPSec is slightly shorter, at 400,000 lines.
But as long as things work, why care about the number of lines in a project? We hear you ask.
A shorter source code makes the program more transparent and easier to understand for those not involved in the developing process. In turn, it makes audits much easier, faster, and more conclusive.
Auditing OpenVPN is a daunting task that needs the combined efforts of numerous experts for several days. So the auditing process itself is bulky and full of friction points. In contrast, WireGuard’s code is so short that you can have a full audit on it done by a single competent expert in a day. This audit-friendly trait makes it much easier to detect and fix vulnerabilities in WireGuard and improve the protocol’s security.
Another significant advantage of shorter pieces of code is diversified compatibility; any computer or device can run it quickly with fewer resources.
Using a VPN always costs something in terms of performance. The encryption layer and the traffic routing through the VPN network will always slow things down a bit — even if the best VPNs make this loss negligible. Since speeds can become a limiting factor for VPN users, WireGuard designed its new protocol to ensure the highest possible speeds.
And how are those improvements achieved? By making some smart choices.
For instance, the basic cryptographic building blocks chosen for the new protocol (“primitives” in geek slang) are extremely fast themselves. But then, the WireGuard protocol works from inside the very Linux kernel (which is the thing that runs the VPN’s network servers, Linux desktop computers, some routers, and Android devices). So WireGuard is part of the machinery in Linux systems, making it faster because it runs within the operating system instead of “over” the operating system.
The improved performance in WireGuard should supposedly bring the following benefits for users:
- Better, faster speeds.
- Increased battery life because of improved energy efficiency.
- Better roaming support for mobile devices.
- Increased reliability.
- Faster authentications.
So evidently, mobile VPN users will benefit the most from the new protocol’s features. This is crucial because public WiFi connections are the most dangerous regarding security, their popularity notwithstanding.
The fastest protocol we’ve seen so far in the year 2022
WireGuard is still not the standard protocol in commercial VPNs. Since even OpenVPN is not available in every service, this isn’t surprising. However, NordVPN does support WireGuard, and because it’s our favorite VPN, we’ve tested it thoroughly. Besides, some other VPNs also include WireGuard as an option, and we used them too.
NordVPN calls its implementation of the WireGuard protocol NordLynx, and it’s the fastest option on offer.
As we tested NordLynx, we saw VPN speeds as high as 93% of our ISP’s theoretical speeds. These high speeds show that WireGuard is the fastest VPN protocol so far, even faster than OpenVPN.
WireGuard’s full implementation across platforms wasn’t the quickest, but it’s completed as we write this. It’s available for deployment in Linux, iOS, Android, macOS, and Windows. So by now, the option is there, and it works in every primary operating system.
WireGuard uses public keys in the identification and encryption process, unlike OpenVPN, which uses certificates for the same tasks. However, the use of public keys creates a complication for the VPN client, requiring it to generate and manage keys.
So far, Mullvad, Surfshark, and of course, NordVPN include WireGuard in their service with full integration.
Kernel integration in Windows and Linux
The WireGuard code has been an integral part of the Linux kernel since version 5.6, as we learned on March 29, 2020, from Linus Torvalds himself. So it was big news in terms of endorsement and adoption for the WireGuard team and privacy enthusiasts. Then, in August 2021, it also made it into the Windows kernel.
Inclusion has since kept advancing to the point that the beta versions of every major operating system in the industry will incorporate WireGuard v1.0+. The WireGuard official website includes the complete list of the operating systems integrating it under the hood.
When trying to establish a new industry standard, adoption is everything. At present, WireGuard has made enough progress regarding adoption to consider it stable and ready for widespread distribution. Until last year, its website displayed a warning sign about WireGuard being “not yet complete.” But that warning isn’t there anymore.
So WireGuard is faster than any other tunneling option out there. It’s ultra-modern and is available in every meaningful operating system, at least, optionally.
Privacy problems in WireGuard
Despite all the pros, not everything is perfect in WireGuard. For example, the protocol’s design looks deficient regarding privacy, drawing concerns from many VPN providers.
IVPN comments that WireGuard’s design wasn’t tailored towards commercial VPN vendors with privacy concerns. NordVPN had similar issues, explaining that adopting WireGuard out-of-the-box would be a privacy hazard for users. And so, the protocol is there, but in an optional capacity.
Fortunately, things have moved forward, and these privacy problems have been met with some reasonable solutions. In 2022 WireGuard is already a stable protocol, and many VPNs are deploying it without endangering user privacy.
Privacy and security are not the same thing at all. The differences can be subtle, but knowing them is crucial to understanding why privacy is an issue with WireGuard.
A protocol’s security is about protecting the data within your encryption tunnel from adversarial access. Whereas privacy is not about acquiring the data itself, but about what you do with that data. So a privacy problem arises if somebody can tell, for example, with whom you’re communicating online even if it can’t decrypt the messages. So ultimately, privacy is about protecting your metadata as much as the data itself.
That means you can have perfect security and still have your privacy breached. Using the same example, if somebody finds out you’re exchanging emails with your brother, your privacy is off, even if that external observer doesn’t know the subject in your exchanges. Of course, privacy becomes even harder to preserve if security is weak. So, undeniably, both are interrelated but still not the same.
Now that those basic notions are clarified, let’s see the privacy problems with WireGuard.
IP address storage in WireGuard
There are reasons why WireGuard isn’t the ideal protocol for privacy protection. One specific reason is that privacy wasn’t a goal for the developing team. Instead, the focus was on increased speeds and security.
The first problem with WireGuard is that it saves a list of the connected IP addresses on the server. The list stays saved on the server until it’s rebooted, which means it can remain there indefinitely.
Unfortunately, since IP addresses are personally identifiable pieces of user data, and WireGuard creates a log of them, this means that any VPN using WireGuard out-of-the-box can’t comply with a zero-log keeping policy.
So how can any VPN adopt WireGuard and still protect user privacy? First, let’s see how some VPNs are solving this issue.
NordVPN: double NAT system with WireGuard
NordVPN’s approach to the WireGuard privacy problem is unique. Their implementation, called NordLynx, deploys something they call a “double NAT.”
Here’s how it works:
- A VPN tunnel comes online.
- The second network interface comes online. It uses a dynamic NAT system.
- The system gives an IP number to each tunnel. This allows the traffic between users and their target sites to flow uniquely.
- Double NAT establishes a VPN connection using dynamic local IP addresses that are alive only while the session is online. This is how they manage to avoid the storage of any IP addresses into the server.
OVPN and Mullvad: Delete IP logs after each VPN session
If the problem with a log is that it exists, why can’t you just delete it and be done with it? This logical and straightforward approach is the solution for VPNs like OVPN and Mullvad. They simply configure their servers so that the data logs go away after the end of each session.
So, for example, OVPN removes any user who hasn’t had a key exchange within the last three minutes from the log. Mullvad does the same when no handshake happens within 180 seconds.
This solution is nowhere near as technologically sophisticated as NordVPN’s approach. And that is a good thing! Every VPN could imitate one of those two server configurations and adopt WireGuard without privacy issues.
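The three-minute rule described above can be checked on any WireGuard server, because the per-peer endpoint field printed by `wg show <interface> dump` is the stored client IP address discussed earlier. The script below is an added example, not code from OVPN, Mullvad or the WireGuard project: it finds peers whose last handshake is older than 180 seconds and prints the `wg set` commands that would drop and re-add them. The sample dump, keys and addresses are constructed, and peers are assumed to use no preshared key.

```shell
#!/bin/sh
# Added example: find WireGuard peers whose endpoint IP is still held in
# memory although they have not completed a handshake for 180 seconds.

STALE_AFTER=180          # seconds, the threshold quoted in the text
TAB=$(printf '\t')

# stale_peers NOW
# Reads `wg show <iface> dump` output on stdin. Peer lines have 8
# tab-separated fields: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
# The 4-field interface line is skipped. Prints "pubkey<TAB>allowed-ips"
# for every peer that has an endpoint recorded and a handshake older than
# STALE_AFTER seconds relative to NOW (a Unix timestamp).
stale_peers() {
  awk -F '\t' -v now="$1" -v max="$STALE_AFTER" '
    NF == 8 && $3 != "(none)" && $5 ~ /^[0-9]+$/ && (now - $5) > max {
      print $1 "\t" $4
    }'
}

# forget_commands IFACE NOW
# Prints (does not run) the wg(8) commands that remove each stale peer and
# add it back with the same allowed IPs. A re-added peer starts with no
# endpoint and no handshake time, so the client IP is gone from memory.
# Assumption: no preshared key is in use; one would have to be supplied
# again when the peer is re-added.
forget_commands() {
  stale_peers "$2" | while IFS="$TAB" read -r key ips; do
    printf 'wg set %s peer %s remove\n' "$1" "$key"
    printf 'wg set %s peer %s allowed-ips %s\n' "$1" "$key" "$ips"
  done
}

# Constructed sample in `wg show <iface> dump` format (keys are placeholders,
# addresses come from documentation ranges).
sample_dump() {
  printf 'PRIV-constructed\tPUB-constructed\t51820\toff\n'
  printf 'peerA-constructed=\t(none)\t203.0.113.10:41234\t10.64.0.2/32\t1700000000\t1024\t2048\toff\n'
  printf 'peerB-constructed=\t(none)\t198.51.100.7:55000\t10.64.0.3/32\t1700000900\t512\t512\toff\n'
  printf 'peerC-constructed=\t(none)\t(none)\t10.64.0.4/32\t0\t0\t0\toff\n'
}

# Dry run on the sample with a fixed clock: only peer A is 1000 s stale.
sample_dump | forget_commands wg0 1700001000

# On a real server the same pipeline would be fed live data, for example:
#   wg show wg0 dump | forget_commands wg0 "$(date +%s)"
```

Running the printed commands from a timer every minute or so keeps idle peers from leaving an address behind, without needing a reboot to clear the list.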
No dynamic IP address assignation in WireGuard
IP address assignation is another concern with VPN providers since it’s a core VPN service for every VPN provider, besides traffic encryption.
We’ll try to explain this problem quickly here. First, static IP addresses for each device are not the best policy, even internally. Internal WebRTC leaks can become external because of the static assignation. That is just one example, but any app running on a device that can figure out your internal IP address can leak it to the exterior if it’s malicious.
Some VPNs out there also share concerns about this feature in WireGuard for a different reason: static address assignation is efficient in small networks, but it gets exponentially complicated when you have thousands of users, as you do in a commercial VPN. There is development underway for “wg-dynamic,” a new model meant to solve this issue, but it’s not ready for deployment.
IP address rotation. Some VPNs have managed to generate keys securely to manage IP addresses. OVPN and Mullvad are two fine examples of such providers. The capability to regenerate keys allows users to rotate IP addresses in each network. The IP number rotation helps minimize the problem with the static assignations.
Blocking or disabling WebRTC. WebRTC is a nightmare when it comes to IP leaks. And it’s worse in a network with statically assigned IP addresses. In the standard scenario, the web browser can leak your IP address through WebRTC. The following measures are helpful here:
- Disable or block WebRTC.
- If you’re using Mozilla Firefox, disable WebRTC for the browser.
- Choose a web browser with good security and privacy features.
The best VPNs with WireGuard
So the promise of high speeds is too much for you to resist, and you want to try a VPN with WireGuard? First, you’ll need to know which among the best VPN vendors can give it to you. And that’s what we will tell you in this section.
Remember that WireGuard is a relatively new protocol undergoing gradual adoption. So, while this list will tell you the best VPNs using WireGuard, the number of VPNs adopting the new protocol keeps growing.
NordVPN is the best VPN with WireGuard in 2022, handling any activities you wish to do using a VPN. Its way of adopting WireGuard is called NordLynx, which solves the protocol’s privacy problems with a double NAT system.
NordVPN is also one of the best VPNs for OpenVPN connections as it offers the highest speeds. Still, we consistently found our transfer speeds much higher with NordLynx.
This VPN is based in Panama, a very privacy-friendly jurisdiction. In addition, NordVPN combines excellent performance with equally fantastic privacy and security features. One of the best things about NordVPN is that two independent audits have confirmed so far that it doesn’t keep any logs on user activity.
The security audits on this VPN have also been successful (in cooperation with Versprite). As a result, the network is good against penetration and other attacks.
An additional feature in NordVPN is that, since 2020, every server in the network runs in RAM-disk mode. That means the servers have no hard drives and can’t store data. Therefore, all the data stored in each computer is volatile and disappears when the system restarts.
Using NordLynx in the NordVPN network is as simple as selecting it as your preferred protocol in the app right before you connect to a server. The app manages IP addresses and key generation, so you don’t need to think about it.
Full WireGuard support in the NordVPN apps is seamlessly integrated into the user experience, and it’s available in every operating system.
Further, besides supporting WireGuard, this market leader has more to offer:
- Double server connection. Redirects traffic through two servers in the network to add an extra encryption layer.
- Tor over VPN servers. Some selected servers in the VPN go directly to the Tor network for browsing anonymity.
- CyberSec. It is an adblocker that also protects you from trackers and malware.
- Obfuscated traffic. Some servers provide obfuscation, making all your traffic look like HTTPS to get around VPN blocks and censorship.
Surfshark is a relatively new VPN. However, it’s earned an excellent reputation quickly by offering top-notch service at low prices. In addition, the policy in Surfshark emphasizes privacy, and it’s based in the British Virgin Islands, which is a privacy-friendly jurisdiction. It keeps no logs on user activity and, the most relevant factor for this list: it adopted WireGuard during 2020.
While Surfshark hasn’t developed its own flavor of WireGuard, as NordVPN has, it’s still straightforward to choose. All you need to do is to enable it in the app’s settings area, and that’s it. The apps are available for every major operating system (except Linux), and they will deal with the keys and certificates for you.
Surfshark also deals with the privacy loopholes in WireGuard with a double NAT system so that user IP addresses do not remain stored at the network’s servers.
As expected, using WireGuard increases speeds greatly, up to 79% of your ISP’s capability, which is high for the VPN average.
Other excellent features in Surfshark include:
- Multi-hop connections to add extra encryption layers.
- NoBorders to help you bypass geolocation blocks.
- Camouflage mode, the same as traffic obfuscation. It disguises all the traffic as HTTPS to get around blocks, censorship, and other traffic limitations.
- CleanWeb is an ad and track blocker.
A use case for VPNs that’s exploded recently is in the video streaming niche. Good VPNs allow you to unblock the most popular video streaming platforms and see content otherwise blocked for your country. Surfshark excels at this task.
Last but not least, Surfshark is the most accessible top-notch VPN because of its price: you can enjoy its services on an unlimited number of devices simultaneously for as low as 2.49 USD monthly.
VyprVPN comes next in our list of WireGuard-enabled VPNs. Its no-logs policy is beyond any doubt (there are audits), and it is based in Switzerland, which is probably the most privacy-friendly country in Western Europe.
The VyprVPN apps include support for WireGuard since 2020, and the speeds we found are impressive indeed. Incorporating the new protocol into the network is seamless, and speed rates can reach 310 Mbps.
The business model in VyprVPN is unique in that the company owns every server in the network. It means that VyprVPN has complete control over every piece of hardware in the network. That means no third-party interference is possible, which adds to the network’s security. In addition, Leviathan Security certified this VPN’s no-logs policy with an audit.
The VPN’s software includes WireGuard for every operating system except Linux, which happens with Surfshark too. So picking WireGuard as your default VPN tunneling protocol is straightforward, anyway.
VyprVPN also had to tinker around a little with WireGuard to make it fit into its zero-logs policy. The company is transparent about this: their implementation comes up with a WireGuard configuration on demand for each user in the network. As a result, the servers record nothing because there is no static configuration to log.
Like our previous two VPNs, VyprVPN excels at unlocking video streaming platforms, which interests many prospective VPN users.
Then there’s the small matter of the price. Switzerland is legendary among tourists for being an expensive destination, and VyprVPN has decided to go with the flow. The prices went significantly up as the new year began, and the cheapest plan will cost you 8.33 USD monthly.
Mullvad is a big name in VPNs, and it was one of the first ones to incorporate WireGuard into its technology. This VPN promotes both security and privacy, it keeps no logs, and every app in the platform supports WireGuard.
Mullvad keeps transitory IP address logs (unlike NordVPN), but those records go away when each VPN session finishes. Also, the network replaces the protocol’s keys weekly and automatically in the VPN’s apps. But if you like to keep close control of things, you can regenerate your WireGuard keys manually in the user settings area.
Selecting WireGuard from the Mullvad apps is easy. It’s the default protocol on the VPN’s mobile apps, so you don’t even need to choose it.
This Swedish VPN is also secure, and it doesn’t keep any logs either.
AzireVPN was a pioneer in WireGuard adoption. It started supporting the protocol in 2017, three years earlier than anybody else!
The server network in AzireVPN is much smaller than the other ones on our list. But the size enables it to keep closer control on stricter standards. In addition, every server is premium and has the highest-capacity bandwidth.
AzireVPN doesn’t directly support the WireGuard protocol. As it happens with OVPN, you’ll need to install the WireGuard client on your device and then download, import, and install all the configuration files.
It’s another WireGuard option for expert users.
The Swedish OVPN network is a secure VPN that keeps a no-logs policy. It adopted WireGuard in the second half of 2020.
WireGuard support on the VPN’s network is official. Yet, not every client includes it. Therefore, taking advantage of the WireGuard protocol’s high transfer speeds is not as easy in OVPN as with the previous providers. For that, you need to get the official WireGuard client and then download, import, and install the configuration files.
As we write this, if you want to have automatic access to WireGuard on OVPN, your only options are the Android and iOS apps. Support for WireGuard will spread to the rest of the VPN’s software in the months to come.
Other VPN services with WireGuard support
Several other VPNs support WireGuard. The difference between the following VPNs and those already listed is that we haven’t had the time to test them thoroughly. However, you can feel free to try them and see if their service fits your needs because they all have a refund option.
- ProtonVPN. This Swiss VPN added WireGuard support recently. It works great, but is not for everyone because it has drawbacks like limited features and a relatively high price. And the performance wasn’t outstanding either.
- TorGuard. It’s a VPN from the US (not the best jurisdiction to have a VPN), and supports WireGuard in full. You’ll need the WireGuard clients, though.
- Private Internet Access. Known as PIA, it’s based in the US, and it features WireGuard support in every app. However, we found PIA’s WireGuard implementation to be relatively slow compared to NordVPN, which is entirely beside the point of WireGuard adoption.
- CyberGhost. Another implementation that fails in the velocity department compared to our top options.
- IPVanish. Yes, it supports WireGuard. But this is still the VPN that kept user logs for the FBI’s benefit.
- IVPN. The provider has a good reputation in the VPN market. This option from Gibraltar hasn’t got the biggest name in the industry, but it’s still well respected. Its VPN clients have the WireGuard protocol integrated in full, like Mullvad or NordVPN. This is probably one of the most expensive VPNs with WireGuard support, but the extraordinary focus it keeps on privacy could make the price worth it for the most jealous users.
- VPN.ac. This is a Romanian VPN with full WireGuard support using WireGuard clients.
- TrustZone. Hails from Seychelles, and it’s focused on privacy. Their VPN apps are rather basic, so they don’t support WireGuard directly. However, some third-party clients will work with TrustZone.
Why is ExpressVPN missing from the list?
If you know the basics about the VPN market, you’re probably wondering why we didn’t mention ExpressVPN so far. It’s a fair question, as ExpressVPN is one of the best VPNs of today.
There are several problems with Lightway. First, it’s a proprietary protocol, making audits and external analysis hard. For the same reason, it’s unlikely for many other VPNs to adopt it. If those two reasons weren’t bad enough, Lightway can’t match WireGuard’s speeds, so it’s already lost that battle.
Configuring WireGuard VPN clients quickly
Configuring a WireGuard client is unbelievably easy.
Forget about copying and pasting certificates. You won’t need to type any detail. It’s much simpler than that; just follow these steps:
- Your VPN vendor provides you with a QR code to scan.
- Open the WireGuard app and hit the plus sign.
- Choose “Create from QR code.”
It’s that simple.
WireGuard and the Future
OpenVPN is the dominating protocol in the VPN industry, followed by IPSec. Both are secure, relatively efficient, versatile, and have supported the VPN’s industry growth from the beginning. Time has tested them both, and they’ve aced the test.
However, both protocols now look dated: they have bulky code with inefficient math and traditional cryptographic elements, and it takes a bit of work to keep them secure.
That is the opportunity that WireGuard is seizing to disrupt the VPN protocol world. WireGuard is a young protocol, but its future already looks bright.
Many VPN networks already incorporate WireGuard into their core software and functionality, and the list includes some of the industry leaders. VPN users love the high speeds, stability, and advanced encryption. Hence, it seems WireGuard adoption will only grow more in the future.
Nonetheless, the protocol itself still needs attention. The privacy issues are still there, potentially becoming deal-breakers for other VPN services as correcting them requires a lot of extra work into the implementation. However, some of the best VPNs have found ways around those privacy flaws to offer WireGuard’s advantages to their users without suffering from its problems.
And let’s not forget that WireGuard is now an integral part of both the Windows and the Linux kernels. This fact alone gives it a privileged place in the race for mainstream adoption. It’s just a matter of time.
Today, WireGuard is the cutting edge of VPN technology — too advanced for the regular user, still something of a geeky toy. It’s the protocol for the next generation, but that next generation is not too far away from the present. And you could join it right now.