In security circles, WireGuard is an exciting proposition. It is a modern, open-source VPN client and server system that is highly streamlined, lean, and easy to review due to its simplicity.
Conceptually, this is something we have been seeing a hard push for in both cryptography and security circles. Code needs to be simple, have a clear purpose, be uncluttered, and be well documented. This makes the process of peer review straightforward and it sets an environment for strong security principles to flourish.
Daniel J Bernstein has been doing excellent work that focuses on these principles. An example on the cryptography side is the ChaCha20 cipher with Poly1305 authentication. The crypto is very simple, with a full implementation possible with a few hundred lines of code with easy ways to test your implementation and ensure everything is working as it should be.
WireGuard builds on these principles of simplicity and straightforward code that is well documented, and it brings it to VPNs. The goal of the project is be a simple VPN service that can be readily integrated directly into operating systems, with the aim of being faster and safer than current solutions.
This is great! When can we use WireGuard?
There’s still a lot of work to be done before WireGuard is ready for professional use. It is still in development and the project recommends not using in production environments yet:
The Windows client is even more problematic, as it is created by a 3rd party group and the source code is closed. From WireGuards Installation page:
Even worse, the current Windows client relies on OpenVPN’s TUN/TAP driver, which is the root cause of most of the Windows performance problems in OpenVPN and doesn’t follow any of the principles of simple, clear, and concise code. The OpenVPN TAP driver is larger than all of WireGuard combined.
It is crucial to understand that while WireGuard is very promising conceptually and the principles behind its development are sound, it needs to be feature complete and have independent review of all “final” components before it is safe to use in production.
Some VPN companies have jumped the gun with WireGuard and are running WireGuard VPNs now. This is not prudent and could present serious risks if security flaws in this early code are discovered.
We are very excited about WireGuard at Private Internet Access, and are sponsoring development.
Keep an eye on WireGuard as a project! I’ll be the first to take the leap when it is ready!