Why WireGuard?
WireGuard uses state-of-the-art cryptography, which makes it faster, more secure, and more friendly to mobile and IoT (Internet of Things) devices than other VPN (Virtual Private Network) technologies like OpenVPN or IPsec.
WireGuard was developed in the last decade, using modern cryptographic primitives and protocols like ChaCha20/Poly1305, Curve25519, BLAKE2, SipHash24, HKDF, and the Noise protocol. Because this crypto is (relatively) easy to implement and understand, the standard C WireGuard implementation is only about 6,000 lines of code. For comparison, that’s around 100 times smaller than other VPN implementations that are saddled with 90s-era cryptography, like OpenVPN (OpenSSL) or strongSwan (IPsec).
High Performance
WireGuard’s modern crypto means that it’s faster than other VPN technologies at establishing connections (and re-establishing connections on flaky networks). And it’s very lightweight, adding minimal overhead when encrypting and decrypting network traffic. Plus, WireGuard has been built into the Linux kernel since March 2020, and has had an in-kernel Windows driver since October 2021, allowing it to run even faster on those operating systems.
While speed tests may vary from network to network and implementation to implementation, numerous comparisons of WireGuard to OpenVPN and IPsec show WireGuard to be the clear performance champion:
- Restore Privacy (April 2022)
- R4ven Blog (April 2022)
- Protectli (August 2021)
- Vlad Talks Tech! (May 2021)
- SpaceRex (July 2020)
- An Undulating Space (December 2018)
Maximum Security
WireGuard’s modern crypto also makes it more secure. Instead of offering system administrators a million different cryptographic configuration combinations, like OpenVPN or IPsec do, WireGuard has just one. This means that WireGuard is always secured with the industry’s best practices, right out of the box — you can’t shoot yourself in the foot with the infamous null cipher suite (or a million other configuration pitfalls) like you can with OpenVPN or IPsec.
This straightforward cryptographic design also leads to a much smaller attack surface. Without a million cryptographic options, and with a small, readable code-base, it’s easy for a defender to audit the WireGuard source code — and difficult for an attacker to find any hidden issues to exploit.
Great on All Devices
WireGuard offers cross-platform support for a wide range of devices and operating systems, including:
- Windows
- macOS
- iOS
- Android
- Linux
- OpenBSD/FreeBSD
And WireGuard is especially suited to mobile and IoT devices. Many of its cryptographic primitives were designed specifically with the smaller processors of mobile and IoT devices in mind — allowing WireGuard to run faster and use much less battery power than other VPN technologies.
Plus, WireGuard really shines on Wi-Fi and cellular networks. Not only does its lightweight crypto mean that connecting and re-connecting require almost no overhead, but roaming is built into the WireGuard protocol. WireGuard can tolerate changes to the network addresses on either side of a connection without skipping a beat (which can happen constantly if you walk around with a mobile device on a cell network).
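To make the two design points above concrete (a single fixed cipher suite, and roaming built into the protocol), here is a complete WireGuard peer configuration in wg-quick format. This is an added example, not a configuration from the WireGuard project or from Pro Custodibus; the key values are placeholders, and the tunnel addresses and hostname are constructed for illustration.

```ini
# Added example: a complete WireGuard peer configuration (wg-quick format).
# Key values are placeholders, not real key material; addresses are constructed.

[Interface]
# This device's private key; its public key is what the remote side lists under [Peer].
PrivateKey = <this-device-private-key-base64>
# Tunnel address assigned to this device.
Address = 10.0.0.2/32
# Note what is absent: there is no Cipher, Auth, DH group or TLS version setting.
# The protocol fixes ChaCha20-Poly1305, Curve25519, BLAKE2s and HKDF, so there is
# no cipher-suite negotiation to misconfigure or downgrade.

[Peer]
PublicKey = <remote-peer-public-key-base64>
# Only traffic to/from these addresses is sent to, or accepted from, this peer.
AllowedIPs = 10.0.0.1/32
# Initial rendezvous address only. Peers are identified by public key, not by
# source address: when an authenticated packet arrives from a new source
# address, WireGuard updates this endpoint automatically, which is what lets a
# mobile device move between Wi-Fi and cellular without a new handshake.
Endpoint = vpn.example.com:51820
# Optional: keep a NAT mapping alive on mobile networks (seconds).
PersistentKeepalive = 25
```

After bringing the interface up with `wg-quick up`, `wg show` prints each peer's current `endpoint:` and `latest handshake:`; when a device roams, the endpoint shown for it changes while the tunnel keeps passing traffic, which is a simple way to observe the roaming behaviour described above.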
Free Beer & Free Speech
WireGuard is open source (and free software — the standard C implementation is GPLv2), so everyone is free to download the source code, audit it, tinker with it, and deploy it to any number of servers or endpoints, completely free of charge. And because the source code is open, it has been audited, probed, and formally verified by a number of teams and techniques.
Easy Management
With Pro Custodibus, managing a small, large, or even enterprise-size WireGuard network is a breeze. Pro Custodibus makes it easy to provision new devices with WireGuard (and revoke access to old devices), as well as to keep all of your existing devices in sync whenever you make network or other configuration changes.
Plus, with Pro Custodibus, you get real-time displays of who’s currently using your network and for what, as well as comprehensive audit logging, so you can review suspicious network activity or spot problematic usage patterns at a later date.