What is Wireguard VPN & how does it work?

How the fastest VPN encryption protocol available works

Author: Nym

Getting privacy and data security from a Virtual Private Network (VPN) might seem simple: turn it on, wait for a connection, and within seconds your IP address is hidden and data encrypted. Online anonymity, however, is far from magical. The technology under the hood of a VPN is a complex and multi-step process.

VPNs are primarily networks. But they run on communication protocols that take care of the multiple encryption stages so user data is secure in transit. WireGuard is a relatively new VPN encryption protocol, but it is by far the fastest available.

WireGuard’s speed comes from carefully chosen and efficient protocols for each step of the encryption process, and from its highly concise code-base. While it might not be the protocol being used by the majority of traditional VPNs, it has become the protocol of choice for new decentralized VPNs (dVPNs). Many VPNs are now quickly following suit.

This article walks through the stages of WireGuard’s encryption process, its advantages and disadvantages, and how it uniquely powers the superior privacy features of dVPNs.

What is WireGuard VPN?

WireGuard is an open-source communications protocol which provides the encrypted routing procedures through which many modern VPNs protect users’ data and privacy. It uses state-of-the-art primitives for each stage of the public-key cryptographic process, making it by far the fastest VPN protocol available.

WireGuard was launched in 2015 before being released for Linux in 2020. It is now compatible with all major operating systems and devices, and has been increasingly adopted by new VPN services. Due to its high speed, open-source auditability, and low data overhead, WireGuard is expected to soon overtake the more widely adopted communication protocols used by mainstream VPNs.

Learn more about how data encryption works with Nym’s comprehensive guide.

How does the WireGuard VPN work?

WireGuard is a software client that runs on the user’s machine as well as the VPN or proxy server, allowing encrypted traffic to pass quickly and securely between them. So when you connect to a VPN server using the WireGuard protocol, here’s an idea of what’s going on in the background:

Handshake

Before any exchange of keys or data, the client sends a request to the server, initiating what’s known as a handshake. The server responds by sending its public key to the client. WireGuard uses the Noise_IK handshake pattern from the Noise protocol framework, which brings a number of security and privacy benefits: resistance to key-compromise impersonation and replay attacks, hiding the identities of the handshaking parties, and perfect forward secrecy.

Key exchange & derivation

The server and client then exchange public keys in order to verify each other’s identities. For key exchange, WireGuard uses Curve25519, a state-of-the-art elliptic-curve Diffie-Hellman key agreement function.

The server and client use the exchanged keys to create a unique key known only to them. This is done through a Key Derivation Function (KDF). For the key derivation stage, WireGuard uses HKDF (HMAC-based KDF), which suits VPN routing because of its two-stage extract-then-expand design and its flexibility regarding key lengths. The derived key is used for symmetric encryption between the client and VPN server.

Encryption & authentication

For the encryption and authentication stages, WireGuard uses ChaCha20-Poly1305, a combination of the ChaCha20 stream cipher and the Poly1305 message authentication code. This algorithm is highly performant and is generally faster than AES-GCM on hardware without AES acceleration.

Hashing

Hashing refers to the process in encrypted routing in which input data of any size is converted into a fixed-size string of characters. Once converted, the output data or “hash value” can be used to determine whether the data packet has been manipulated or changed during transit: if so, the hash value computed by the recipient will differ from the one computed by the sender. WireGuard uses BLAKE2 for its hashing function, which is faster and more efficient than previous standards (e.g., SHA-1 and SHA-2), and is considered to be as secure as newer standards like SHA-3.
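As an added illustration of the key-exchange, key-derivation and hashing stages above (this is example code, not from the original post or the WireGuard project), the following pure-Python block implements X25519 with the RFC 7748 Montgomery ladder and WireGuard’s HKDF construction built from HMAC-BLAKE2s, so the hashing primitive is the same one that feeds the KDF. The chaining-key label and the client/server key pairs are constructed for the demo, the ladder is not constant-time, and the ChaCha20-Poly1305 step is not shown.

```python
import hashlib
import hmac

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant
BASE = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder. Demo only: NOT constant-time."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:                               # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private: bytes) -> bytes:
    return x25519(private, BASE)

def kdf2(chaining_key: bytes, material: bytes):
    """WireGuard's HKDF instance: HMAC-BLAKE2s extract, then two expand steps."""
    prk = hmac.new(chaining_key, material, hashlib.blake2s).digest()
    t1 = hmac.new(prk, b"\x01", hashlib.blake2s).digest()
    t2 = hmac.new(prk, t1 + b"\x02", hashlib.blake2s).digest()
    return t1, t2   # (next chaining key, symmetric key)

# Constructed label standing in for the protocol's real chaining-key initialisation.
CK0 = hashlib.blake2s(b"demo-chaining-key").digest()

def derive_transport_key(my_private: bytes, peer_public: bytes) -> bytes:
    """DH with the peer's public key, then the KDF; both peers get the same key."""
    shared = x25519(my_private, peer_public)
    return kdf2(CK0, shared)[1]
```

Calling derive_transport_key on each side with its own private key and the peer’s public key yields the same 32-byte symmetric key, which is the property the section above describes.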

Transport

The transport layer is responsible for turning the data of your traffic into encrypted packets to be sent over the web. WireGuard wraps the encrypted data in the User Datagram Protocol (UDP). This communications protocol allows for fast and secure data travel. WireGuard does not use TCP because it is less efficient for VPN tunnels, due to a larger data overhead and the known problem of tunnelling TCP inside TCP (“TCP meltdown”).

Routing

Once your data has gone through this complex but highly efficient process of VPN encryption with WireGuard on your device, ensuring the authenticity of the intended recipient and the security of the data packets, it is then routed to the VPN server. There the IP address of your traffic is replaced with the VPN server’s own public IP.

Decryption

Since the WireGuard encryption protects your data only between your device and the VPN server, that layer is removed (decrypted using the keys derived above) once it arrives there. However, assuming the original connection between your device and the intended recipient on the web is secured through HTTPS, one layer of encryption should remain, preventing the VPN from seeing your cleartext data. Once the VPN encryption is removed, the VPN server can see the final destination to which your data should be sent. With HTTPS encryption in place by default, your traffic stays encrypted end-to-end when using a WireGuard-powered VPN.

WireGuard compatibility

WireGuard is sometimes criticized for its more limited compatibility compared with other protocols. But this is largely exaggerated, referring to specific hardware compatibility (such as routers) and not operating systems.

  • Operating systems: WireGuard is compatible with most major operating systems and devices: Windows, Mac OS, Linux, Android, iOS, and modern versions of BSD.
  • Routers: One hardware issue with WireGuard is that it is not as widely compatible with many VPN routers as something like OpenVPN currently is. This is not unexpected since WireGuard has been on the market for only four years. As newer router hardware is released in coming years, Nym expects this compatibility gap to quickly close.

WireGuard VPN advantages

Speed

WireGuard is very fast as far as VPN communication protocols go, upwards of 50% faster than OpenVPN, which has been the industry standard for two decades.

Minimal codebase

WireGuard’s code is remarkably slim, amounting to only 4,000 lines. For comparison, versions of OpenVPN have around 100,000 lines of code. This makes WireGuard’s performance extremely streamlined and efficient.

High security

WireGuard uses state-of-the-art encryption algorithms and public key cryptography for key exchanges. These encryption standards are at present unbreakable. Moreover, this concise and light code-base makes for a much smaller attack surface, whereas unseen configuration errors with the more complex OpenVPN can lead to leaks or bigger attack vulnerabilities.

Rapid reconnection

WireGuard is built to be stateless, meaning it doesn’t rely on maintaining a continuous connection state between peers. This design allows for seamless handling of disruptions because there’s no need to re-establish a session or connection state. As soon as packets start flowing again, WireGuard can pick up where it left off.

Open source

WireGuard’s code is open source and thus available for anyone to audit. However, whether an open-source code is easily auditable depends on how large it is. In this regard, WireGuard is remarkable for the small and concise size of its codebase. This not only makes the protocol extremely streamlined, but allows for easier public audits.

WireGuard VPN disadvantages

Lack of obfuscation

WireGuard lacks built-in obfuscation. Designed as a simple, fast, and secure VPN protocol, it focuses on simplicity and performance. However, it does not include features for obfuscating traffic to hide the fact that a VPN is being used. This means that WireGuard traffic can be identified by network monitoring tools or by entities performing deep packet inspection (DPI).

Other tools can be used in conjunction with WireGuard, such as Obfsproxy, Shadowsocks, or Stunnel to add obfuscation to the VPN routing procedure.
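To make concrete what “identifiable by DPI” means, here is an added example (not from the original post or from WireGuard) that classifies UDP payloads by WireGuard’s fixed message layout: a type byte of 1 to 4, three reserved zero bytes, and fixed lengths for the three handshake messages. The sample payloads are constructed inline. A network monitoring team can use the same logic to inventory VPN usage on its own network, and it is exactly this signature that the obfuscation tools mentioned above exist to hide.

```python
# Sizes follow the WireGuard message layouts: a 148-byte handshake
# initiation, a 92-byte handshake response, a 64-byte cookie reply, and
# transport data with a 16-byte header plus ciphertext of at least 16
# bytes (the Poly1305 tag), so 32 bytes is the keepalive minimum.
MESSAGE_TYPES = {
    1: ("handshake_initiation", 148, 148),
    2: ("handshake_response", 92, 92),
    3: ("cookie_reply", 64, 64),
    4: ("transport_data", 32, None),   # no upper bound for data packets
}

def classify_wireguard(payload: bytes):
    """Return the WireGuard message name if the payload matches, else None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None                      # reserved bytes must be zero
    entry = MESSAGE_TYPES.get(payload[0])
    if entry is None:
        return None                      # type byte outside 1..4
    name, lo, hi = entry
    if len(payload) < lo or (hi is not None and len(payload) != hi):
        return None                      # wrong size for this message type
    if name == "transport_data" and (len(payload) - 16) % 16 != 0:
        return None                      # ciphertext is padded to 16-byte blocks
    return name

# Constructed sample payloads (filler bodies; only the header structure matters).
SAMPLES = {
    "wg_init": b"\x01\x00\x00\x00" + b"\xaa" * 144,
    "wg_resp": b"\x02\x00\x00\x00" + b"\xbb" * 88,
    "wg_keepalive": b"\x04\x00\x00\x00" + b"\xcc" * 28,
    "wg_data": b"\x04\x00\x00\x00" + b"\xdd" * 12 + b"\xee" * 48,
    "dns_like": b"\x12\x34\x01\x00" + b"\x00" * 20,
    "truncated_init": b"\x01\x00\x00\x00" + b"\xaa" * 100,
}

def scan(samples: dict) -> dict:
    """Map each captured payload name to its classification for a monitoring report."""
    return {name: classify_wireguard(p) for name, p in samples.items()}
```

Header-only classification like this is why a stock WireGuard tunnel is visible to DPI even though its payload is encrypted.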

Not integrated into all VPNs

The majority of mainstream VPNs on the market are not yet using WireGuard, and have been using OpenVPN for decades. This simply means that WireGuard is comparatively less battle tested on the VPN front. However, this is rapidly changing as more and more VPNs are integrating with WireGuard.

Lack of router support

WireGuard currently is not supported by nearly as many VPN routers as something like OpenVPN, mainly because this hardware was designed and programmed before WireGuard’s emergence. Nym thus expects a shift in router compatibility for WireGuard in the coming years.

WireGuard protocol vs. other VPN protocols

WireGuard is not the only communications protocol being used by VPNs on the market, and the differences between them can be significant for the VPN’s performance as well as user privacy.

WireGuard vs. OpenVPN

OpenVPN is the communications protocol that is used by the large majority of VPNs on the market. It was introduced in 2001, making it the tried-and-tested industry standard for VPN encrypted routing. However, there are significant differences in performance between WireGuard and OpenVPN. Read Nym’s detailed comparison of the two protocols.

  • OpenVPN: Has the advantage of flexible configuration for users and programmers, with a wide selection of encryption ciphers to use. It also has a much wider compatibility with VPN routers and is more common in enterprise setups.
  • WireGuard: Is much faster than OpenVPN, with a significantly smaller data overhead and equal security.

WireGuard vs. IPSec/IKEv2

IPSec (Internet Protocol Security) and IKEv2 (Internet Key Exchange version 2) are protocols used to secure internet communications. They are often used together (IPSec/IKEv2).

  • IPSec/IKEv2: Like OpenVPN, it supports a wide range of cryptographic protocols, but it also has an extremely large data overhead, with a codebase in the hundreds of thousands of lines. This can make it prone to error and misconfiguration, as well as more difficult to audit.
  • WireGuard: Is simpler and more efficient, but without a choice of encryption ciphers for users.

WireGuard vs. PPTP

The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN encryption protocols. It was introduced in the mid-1990s by Microsoft and is still used by some legacy platforms.

  • PPTP: Uses MPPE (Microsoft Point-to-Point Encryption) with the RC4 cipher, which is considered weak by modern standards. However, it is relatively fast and easy to set up, so it might be useful in contexts where speed is a bigger concern than protection.
  • WireGuard: Is not only extremely fast, but uses state-of-the-art encryption algorithms, making PPTP’s speed vs. security trade-off completely unnecessary.

WireGuard vs. L2TP

L2TP (Layer 2 Tunneling Protocol) is an extension of PPTP and L2F (Layer 2 Forwarding Protocol).

  • L2TP: L2TP itself does not provide encryption and so is often combined with IPsec to provide encryption and secure the data being transmitted (L2TP/IPsec).
  • WireGuard: Since L2TP doesn’t encrypt user data, comparing it with WireGuard isn’t useful.

WireGuard: Expediting decentralized networks

When it comes to online privacy, what makes WireGuard such an exciting and important technology is its ability to provide fast and secure routing for privacy-focused decentralized VPNs (dVPNs).

The centralized and single-server architectures of traditional VPNs, on the one hand, have never been adequate privacy protections for users. They are vulnerable to data breaches, cooperation with mass surveillance requests, backdoors for advertisers, and data sales to brokers. On the other hand, dVPNs are promising, but speed is a problem. The more servers your data has to pass through to obscure your traffic, the slower everything is going to be. This might not be much of an issue for sending a confidential email, but it will be for comprehensive network routing.

WireGuard is a game-changing solution for privacy: it provides an extremely fast, efficient, and streamlined routing protocol so that users can profit from advanced privacy protections of a multi-hop dVPN without compromising too much on speed.

NymVPN has chosen to give users the choice. They can easily toggle to use a 2-hop dVPN mode powered by WireGuard for very fast and private day-to-day protections. Or, for highly sensitive use-cases (such as messaging and crypto-transactions), users can opt for the unparalleled 5-hop mixnet mode powered by the Sphinx protocol, which is specifically designed to handle mixnet traffic.

In choosing the best VPN for your privacy needs, consider how a decentralized network with WireGuard can make it so you don’t need to sacrifice your privacy to experience the internet easily and quickly.
