WireGuard - VPN underdog?
Most of us have used a VPN for one reason or another. More recently, with the sharp increase in "work from home" initiatives, companies have relied on VPNs to keep employees virtually 'inside' their networks. Not to mention the huge take-up in VPN subscriptions for private use in recent years.
For the most part, OpenVPN is the go-to option for this. It's well supported, free and has been around for years - you could even refer to it as the "gold standard" of the VPN world. If it's not broken, don't fix it - right?
So, what's all the fuss about?
Equally, you could ask, "what makes a good VPN?". Beyond the obvious requirement of providing a secure virtual private network, a VPN is usually assessed on the following aspects:
- Speed Retention (Upload & Download)
- Encryption (Encryption Algorithms Used/Supported)
- Security/Privacy (What level of security/privacy is offered?)
- Auditability (Mostly organisation focused)
If WireGuard beat OpenVPN in every single one of those categories, would you consider looking into it? Then I suggest reading on!
I'm lucky enough to have a fast broadband connection to my home (FTTP), with a download speed ranging between 600-900Mbps most days. The only reason I don't use a VPN frequently is because I lose the large majority of my bandwidth connecting to my VPN provider via OpenVPN. I'd be lucky to maintain 300Mbps maximum on a good day. With WireGuard, this changes significantly.
The options I had were:
- a) Reduced bandwidth by 50-60%, but a secure and reliable connection.
- b) 100% bandwidth, but my ISP can judge my Google searches.
Of course a lot of the bandwidth responsibility can sit in the hands of the VPN provider, but let's assume this isn't an issue. What causes this huge degradation in bandwidth?
Without getting hugely technical, you're passing all of your traffic through an extra tunnel before it reaches the destination. A lot of factors go into the speed of the tunnel, such as the processing power at the host side, uplink/downlink providers, etc. However, a large majority of this lies on the protocols in use.
By default, OpenVPN shoves all data through a TCP tunnel. If you send or receive a packet, a response is required from either end. Whilst you can use OpenVPN over UDP to speed up your connection and modify fixed buffer values, this can make your connection unstable.
This is where the magic of WireGuard comes in. WireGuard also runs over UDP, but it offers the qualities of a TCP connection, with the difference that all data verification is done at the application layer. This gives significantly higher network transfer speeds while still providing the level of reliability that a standard OpenVPN TCP connection would.
How much quicker, you ask? In many tests I have personally done, I am still able to retain around 90% of my original broadband speeds, compared to 50% with OpenVPN!
This is another sector in which WireGuard differs quite a lot from OpenVPN.
Whilst OpenVPN uses, you guessed it, the OpenSSL libraries to provide its encryption methods (such as AES, DES, SM4, Poly1305, etc.), as well as the MD5 and SHA hashing algorithms, WireGuard uses its own fixed set:
- ChaCha20 for symmetric encryption
- Poly1305 for authentication using RFC7539’s AEAD construction
- Curve25519 for Elliptic-curve Diffie–Hellman (ECDH) anonymous key agreements
- BLAKE2s for hashing (RFC7693)
- SipHash24 for hashtable keys
- HKDF for key derivation (RFC5869)
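The BLAKE2s and HKDF entries above combine into the Kdf function of the WireGuard paper (RFC 5869 HKDF instantiated with HMAC-BLAKE2s and an empty info string), which the handshake uses to mix each Diffie-Hellman result into the chaining key and finally to split that key into the two transport keys. The following is an added illustration of that construction in Python's standard library, not code from the page or from the WireGuard project; the constant name CONSTRUCTION and the 32-byte "DH output" are taken from the paper and a constructed placeholder respectively, and no real Curve25519 agreement is performed.

```python
import hashlib
import hmac

HASH_LEN = 32  # BLAKE2s-256 output length used throughout WireGuard

# Noise protocol name hashed to form the initial chaining key (from the WireGuard paper)
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"


def wg_hash(data: bytes) -> bytes:
    """Hash(x) in the paper: BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data, digest_size=HASH_LEN).digest()


def wg_hmac(key: bytes, data: bytes) -> bytes:
    """Hmac(key, input) in the paper: HMAC keyed with BLAKE2s."""
    return hmac.new(key, data, hashlib.blake2s).digest()


def wg_kdf(key: bytes, ikm: bytes, n: int):
    """Kdf_n(key, input): HKDF-Extract then HKDF-Expand, returning n 32-byte outputs.
    T(1) = Hmac(prk, 0x01), T(i) = Hmac(prk, T(i-1) || i); WireGuard needs n <= 3."""
    if not 1 <= n <= 3:
        raise ValueError("WireGuard only defines Kdf1, Kdf2 and Kdf3")
    prk = wg_hmac(key, ikm)  # HKDF-Extract: the salt is the current chaining key
    outputs, prev = [], b""
    for i in range(1, n + 1):
        prev = wg_hmac(prk, prev + bytes([i]))  # HKDF-Expand block T(i), empty info
        outputs.append(prev)
    return outputs


def initial_chaining_key() -> bytes:
    """C_i := Hash(Construction), the value both peers start the handshake from."""
    return wg_hash(CONSTRUCTION)


def mix_key(chaining_key: bytes, dh_output: bytes):
    """(C, kappa) := Kdf2(C, DH(...)): a new chaining key and a one-off AEAD key."""
    new_ck, kappa = wg_kdf(chaining_key, dh_output, 2)
    return new_ck, kappa


def derive_transport_keys(chaining_key: bytes, initiator: bool):
    """(T_send, T_recv) := Kdf2(C, empty); the responder takes the pair in swapped order."""
    t1, t2 = wg_kdf(chaining_key, b"", 2)
    return (t1, t2) if initiator else (t2, t1)


if __name__ == "__main__":
    ck = initial_chaining_key()
    fake_dh = b"\x11" * 32  # constructed placeholder, not a real Curve25519 shared secret
    ck, _kappa = mix_key(ck, fake_dh)
    print("initiator keys match responder keys (swapped):",
          derive_transport_keys(ck, True) == derive_transport_keys(ck, False)[::-1])
```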
OpenVPN also uses certificates for identification and key exchange, whereas WireGuard uses public-key cryptography (each peer is identified by its Curve25519 public key) for those purposes. Both protocols provide perfect forward secrecy (PFS), however.
You can look at these differences in two different ways. Whilst OpenVPN supports a lot more encryption methods and hashing algorithms, this gives potential hackers a larger attack surface, which could make you or your organisation susceptible to downgrade attacks.
As WireGuard runs a single fixed set of ciphers and protocols, there is far less complexity, a much smaller attack surface and immunity to so-called downgrade attacks. The trade-off is much closer endpoint management: if an issue is ever discovered in one of the primitives, every endpoint has to be upgraded.
It's a question over compatibility or security.
There's a reason OpenVPN is still running today, as it has since the day it was launched in 2001: the software itself is secure and has no known vulnerabilities. Countless security experts and penetration testers are constantly analysing it for exploits.
Whilst WireGuard is newer, it is also very secure. The encryption algorithms used are secure and narrow the attack surface for anyone attempting to break in.
Direct from a WireGuard paper:
"It intentionally lacks cipher and protocol agility. If holes are found in the underlying primitives, all endpoints will be required to update. As shown by the continuing torrent of SSL/TLS vulnerabilities, cipher agility increases complexity monumentally"
"It has built-in protection against denial of service attacks, using a new crypto-cookie mechanism for IP address attributability" — Jason A. Donenfeld, Developer of WireGuard
OpenVPN has been around much longer and has been audited much more, although there are no known flaws in either protocol (at the time of writing). WireGuard is maturing and its new state-of-the-art protocols are making it a more appealing option.
Just because an application is Open Source does not always equal "easy to audit".
Would you rather audit around 400,000 lines of code or 6,000 (just 1.5% of the size)? If you chose 6,000, you've selected WireGuard. This is worlds apart in comparison, both in the time and the money it costs businesses to audit. It's the difference between a single developer spending a day reviewing it and a whole team over weeks. Time is money!
Whilst you could make the argument that OpenVPN has been around and trusted by so many businesses that it wouldn't require an entire audit, it would still take very minimal time and effort to review WireGuard as a standalone application in comparison.
When it comes to auditability, I have to give it to WireGuard here. I'm very impressed.
Why isn't everyone using WireGuard, then?
OpenVPN was a game changer when it was initially released in 2001, boasting its flexibility, reliability, and firewalling support.
As with all new technology, adoption takes time. For companies with low data transfer, it may not seem like a huge benefit, given that OpenVPN offers sufficient encryption for now.
Whilst WireGuard clients are available for most endpoint devices, such as mobile phones and desktops on most operating systems, it will take a little while longer for the major networking equipment manufacturers to support the WireGuard protocol.
However, we've seen WireGuard adopted by some major VPN providers, NordVPN (as "NordLynx") and CyberGhost to name two.
With the landscape for networks constantly changing and evolving, it's inevitable that we will see an increase in demand for newer communication protocols to keep pace. OpenVPN will continue to work for years to come and, being an open-source project, will continue to receive updates to keep it running.
OpenVPN is far from the end of its line, but it's great to see newer and better solutions changing the landscape for the future of VPN technology in the years to come - and WireGuard is doing just that.