Posted on Sep 5, 2018 by Derek Zimmer

The Current Status of WireGuard VPNs – Are We There Yet?


In security circles, WireGuard is an exciting proposition. It is a modern, open-source VPN protocol and implementation that is highly streamlined, lean, and easy to review because its code base is small and simple.

Conceptually, this is something both cryptography and security circles have been pushing hard for. Code needs to be simple, have a clear purpose, be uncluttered, and be well documented. That makes peer review straightforward and creates an environment in which strong security principles can flourish.

Daniel J. Bernstein has been doing excellent work that focuses on these principles. An example on the cryptography side is the ChaCha20 stream cipher combined with the Poly1305 message authenticator. The primitives are simple: a complete implementation fits in a few hundred lines of code, and published test vectors make it easy to check that an implementation is doing what it should.

WireGuard takes these principles of simplicity and well-documented, straightforward code and brings them to VPNs. The goal of the project is to be a simple VPN service that can be integrated directly into operating systems, with the aim of being faster and safer than current solutions.

This is great! When can we use WireGuard?

There is still a lot of work to be done before WireGuard is ready for professional use. It is still in development, and the project recommends against using it in production environments yet:

The Windows client is even more problematic, as it is created by a third-party group and its source code is closed. From WireGuard's installation page:

Even worse, the current Windows client relies on OpenVPN's TUN/TAP driver, which is the root cause of most of OpenVPN's performance problems on Windows and follows none of the principles of simple, clear, and concise code. The OpenVPN TAP driver is larger than all of WireGuard combined.

It is crucial to understand that while WireGuard is very promising conceptually and the principles behind its development are sound, it needs to be feature complete and to have independent review of all of its "final" components before it is safe to use in production.

Some VPN companies have jumped the gun and are running WireGuard VPNs now. This is not prudent and could present serious risks if security flaws are discovered in this early code.

We are very excited about WireGuard at Private Internet Access, and are sponsoring development.

Keep an eye on WireGuard as a project! I’ll be the first to take the leap when it is ready!

About Derek Zimmer

Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.


8 Comments

  1. David K.

    Maybe WireGuard could be offered on a test basis, i.e., “use at your own risk”. Azire and Mullvad are doing this now, with Azire offering it free for a limited time period.

    2 months ago
    1. Derek Zimmer

      The problem is that the Windows WireGuard client can’t even be reviewed for backdoors at this point. The code is a binary blob that we can’t trust at all.

      1 month ago
      1. David K.

        Agreed. What I had in mind was access through a Linux client. Jason provides a bash script which takes a configuration file as an argument and then sets up the routing and makes the connection.

        1 month ago
        1. Derek Zimmer

          This is great if it is a real implementation that works. There’s very little information about who the developer is and this appears to be a source code dump rather than something being actively developed with pull requests and changes.

          1 month ago
  2. Ryan Cavitt

    Why not make it an optional feature for people who want to use it, sort of like beta testing as Wireguard matures and develops?

    2 months ago
  3. Rdm

    Super excited about this. Keep us updated!

    2 months ago