Wireguard VPN Protocol

WireGuard is one of the latest open-source communications protocols that has been designed to replace IPSec and OpenVPN by simplifying the installation and configuration process while also offering reduced latency and better reliability. The application is published under the GPLv2 license, the same license as the Linux kernel, to promote more widespread adoption.

Overview

It is important to note that WireGuard has been developed as an encrypted communications protocol that does not implement older VPN protocols’ privacy features. VPN service providers who have adopted WireGuard as an option have been required to implement additional controls to deliver privacy as a service.

Description

WireGuard has been developed as an open-source project with the goal of delivering a secure VPN protocol that is simpler to configure, using more secure encryption algorithms, and maintains more stable connections than currently available protocols.

The critical feature of WireGuard is that it has been developed as a lightweight application to deliver improved performance and reduce the risk of implementation flaws. The application contains approximately 4,000 lines of code, compared with OpenVPN and OpenSSL, which together have more than 600,000 lines of code, or IPSec, which has more than 400,000 lines of code.

WireGuard has improved security over other protocols such as OpenVPN by restricting the options for implementing cryptographic controls, limiting the choices of key exchange and hashing algorithms to a small subset of modern cryptographic primitives. In the event that a flaw is uncovered in one of the primitives, a new version of the protocol can be released that resolves the issue. Users cannot modify or change configurations in ways that could adversely affect the security of the overall application.

The significantly smaller codebase makes the implemented protocol quicker and simpler to review and audit, reducing the risk of vulnerabilities remaining undetected and unpatched. The small codebase also reduces the opportunities for attackers to find flaws to exploit. An additional benefit is that this reduced size makes the application ideal for mobile devices such as smartphones and tablets, which have less available processing power than traditional computing devices. These instructions for configuring WireGuard to run on a Raspberry Pi offer an insight into its capabilities.

WireGuard uses public keys for identification and encryption purposes instead of the SSL certificates used by OpenVPN. This poses challenges in implementing efficient key generation and management functions in a VPN client. WireGuard addresses this by using the ChaCha20 stream cipher for symmetric encryption and the Poly1305 message authentication code (MAC) to verify the integrity and authenticity of data. This offers significant performance advantages over the traditionally used AES algorithm. The protocol includes built-in protection against Denial-of-Service (DoS) and replay attacks along with resistance to Key Compromise Impersonation (KCI) attacks. WireGuard has produced a white paper with additional details of the protocol implementation.

However, the WireGuard protocol does rely on static user IP addresses, stored indefinitely on the connected server, to record which public key is assigned to each peer on the VPN tunnel; this mapping of IP addresses to public keys is what implements cryptokey routing. The public keys are used to uniquely identify each authenticated peer.
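As an added example, not code from the page or from the WireGuard project, the following Python models the cryptokey routing rule just described over a constructed wg0.conf whose key strings are placeholders: an outbound packet is sent to the peer whose AllowedIPs entry holds the destination with the longest prefix, and a decrypted inbound packet is kept only if its source address lies inside the sending peer's AllowedIPs.

```python
import ipaddress

# Constructed sample wg0.conf; key strings are placeholders, not real Curve25519 keys.
SAMPLE_CONF = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.0.1/24
[Peer]
PublicKey = PEER_A_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32, 192.168.50.0/24
[Peer]
PublicKey = PEER_B_PLACEHOLDER=
AllowedIPs = 10.0.0.3/32, 0.0.0.0/0
"""

def parse_peers(conf):
    """Return [(public_key, [allowed networks]), ...], one entry per [Peer] section."""
    peers, key, nets = [], None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            if key is not None:
                peers.append((key, nets))
            key, nets = None, []
        elif "=" in line and not line.startswith("["):
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "PublicKey":
                key = v
            elif k == "AllowedIPs":
                nets = [ipaddress.ip_network(n.strip()) for n in v.split(",")]
    if key is not None:
        peers.append((key, nets))
    return peers

def outbound_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs matches dst with the longest prefix; None = drop."""
    addr, best = ipaddress.ip_address(dst), None
    for pubkey, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (pubkey, net.prefixlen)
    return best[0] if best else None

def inbound_accepted(peers, pubkey, src):
    """Inbound: a decrypted packet from pubkey is kept only if src is inside its AllowedIPs."""
    addr = ipaddress.ip_address(src)
    for k, nets in peers:
        if k == pubkey:
            return any(addr in net for net in nets)
    return False
```

The inbound check is what stops an authenticated peer from injecting packets with another peer's source address; the real implementation additionally ensures that each exact prefix belongs to only one peer, which this model does not enforce.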

Advantages

The lightweight nature of the WireGuard application delivers faster throughput speeds and reduced latency compared with OpenVPN.

WireGuard is an open-source protocol with a small codebase making it quicker and simpler to review and audit than OpenVPN, reducing the risk of vulnerabilities remaining undetected and unpatched. Reviews have been carried out by teams from the private sector and academic researchers, providing assurance of the implementation’s integrity.

The WireGuard protocol has been specifically developed to resist attacks by design, including features such as remaining silent to network scanning and not responding to messages from unrecognized sources, hiding the fact that WireGuard is in use from would-be attackers. Message flows are also halted when no data is being transferred across the connection, preventing an eavesdropper from monitoring the idle link to gather useful information.

Disadvantages and Vulnerabilities

WireGuard is not available as a pre-installed service and is still currently being developed for Linux platforms. Oracle has produced useful setup instructions that provide an indication of how easy it is to configure in a Linux environment over other protocols. Although there are implementations available for Windows, macOS, OpenBSD, Android, and iOS, it is presently not thought stable enough to protect sensitive information.

WireGuard, in its current implementation, is focused on robust data security at high bandwidths rather than anonymity and privacy. Robust encryption protects data in transit from interception and deciphering and from man-in-the-middle attacks. However, WireGuard does not assign dynamic IP addresses and stores its IP addresses indefinitely on the connected server. On its own, WireGuard as a protocol does not fully support anonymity and privacy and is vulnerable to IP leaks. Implementations of WireGuard by VPN service providers rely on additional controls to provide the required anonymity and confidentiality. However, these added controls are not subject to the same scrutiny and verification as the WireGuard protocol itself.

Summary

WireGuard is an emerging open-source protocol that is starting to be offered by VPN service providers. It offers fast and secure communications, promising stronger encryption than the older protocols it seeks to replace at much higher speeds. However, it is currently immature and has significant issues concerning anonymity and privacy protection.