WireGuard is a promising new type of VPN technology that intends to eclipse all previous VPN protocols. The advantages of WireGuard lie primarily in its performance and speed, which is why it is well received by users and industry. We have examined whether and how we can use this new VPN protocol in our infrastructure. The result: Unfortunately, the software is not yet mature enough for us to be able to offer it to our users in good conscience at the present time, but we are eagerly awaiting future developments.
First of all, WireGuard has some impressive advantages that speak in favor of its use:
WireGuard is supposed to provide more performance and bandwidth than the widely used IPsec and OpenVPN VPN protocols and software solutions. WireGuard builds on modern, high-performance cryptographic components: the Noise Protocol Framework for the handshake, Curve25519 for key exchange, ChaCha20 and Poly1305 for authenticated encryption, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. WireGuard gets even better performance from the fact that on the server side the software runs as a Linux kernel module. There are also special optimizations for the MIPS processor architecture, which makes WireGuard particularly interesting for less powerful devices such as home routers or other embedded systems.
One of WireGuard's goals is to make the software particularly easy to configure, much like SSH. WireGuard uses only public keys for identification and encryption and can therefore dispense with a certificate infrastructure. The VPN protocol can be used in a wide variety of settings, as there are cross-platform implementations: besides the Linux implementation there are ports for Android, macOS, FreeBSD, OpenBSD and Windows.
WireGuard manages with very few lines of code. This is a great security advantage for two reasons: first, less code potentially contains fewer errors; second, less code is easier for security experts to verify. WireGuard currently contains about 4,000 lines of code. For comparison: previous solutions such as OpenVPN and IPsec require several hundred thousand lines.
These promising advantages are offset by some serious disadvantages, which unfortunately make WireGuard unsuitable for use with Perfect Privacy at the moment.
Even though WireGuard is already usable, the development of a stable version is not yet finished. The developer himself notes on the website that the code should not be trusted at this time. The software still has to go through IT security audits in which security experts check the code quality, and it is not even ruled out that the protocol itself could still change. Special care should be taken because WireGuard runs in the Linux kernel and thus has access to all of the server's resources. Code errors and security holes would have serious implications here, which is why good code quality and independent checks by security experts are particularly important.
WireGuard has no dynamic address management; client addresses are fixed. That means we would have to register every active device of our customers and assign the static IP addresses on each of our VPN servers. In addition, we would have to store the last login timestamp for each device in order to reclaim unused IP addresses. Our users would then no longer be able to connect their devices after a few weeks because the addresses would have been reassigned.
It is particularly important to us that we do not create or store any connection logs at all. Therefore, we cannot store the above registration and login data that would currently be required for WireGuard to operate.
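To make the address-management constraint above concrete, here is an added example (not part of the original article and not Perfect Privacy code) of the per-device registry a WireGuard server operator would be forced to keep: a fixed tunnel address per public key, a last-handshake timestamp, and a reclaim step for idle addresses. The tunnel pool 10.8.0.0/24 and the two-week idle limit are assumptions; the point is that `last_seen` is exactly the per-device connection log the text says cannot be stored.

```python
import ipaddress

# Assumptions for this constructed example: a /24 tunnel pool with the
# server on .1, and addresses reclaimed after two weeks without a handshake.
POOL = ipaddress.ip_network("10.8.0.0/24")
IDLE_LIMIT = 14 * 24 * 3600


class PeerRegistry:
    def __init__(self, pool=POOL, idle_limit=IDLE_LIMIT):
        self.free = list(pool.hosts())[1:]   # skip .1, reserved for the server
        self.peers = {}                      # pubkey -> {"ip": ..., "last_seen": ...}
        self.idle_limit = idle_limit

    def register(self, pubkey, now):
        """Allocate a static tunnel address; the public key is the device's only identity."""
        if pubkey in self.peers:
            return self.peers[pubkey]["ip"]
        if not self.free:
            raise RuntimeError("address pool exhausted")
        ip = self.free.pop(0)
        self.peers[pubkey] = {"ip": ip, "last_seen": now}
        return ip

    def handshake(self, pubkey, now):
        """Record a handshake time: this per-device timestamp is a connection log."""
        self.peers[pubkey]["last_seen"] = now

    def reclaim(self, now):
        """Free addresses of devices idle longer than idle_limit; returns their public keys."""
        stale = [k for k, p in self.peers.items() if now - p["last_seen"] > self.idle_limit]
        for k in stale:
            self.free.append(self.peers.pop(k)["ip"])
        return stale

    def peer_config(self, pubkey):
        """Render the static [Peer] block the server config needs for this device."""
        p = self.peers[pubkey]
        return f"[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {p['ip']}/32\n"
```

A device that stays idle past the limit loses its address and can no longer connect until it is re-registered, which is the reconnection problem the text describes.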
When a user establishes a VPN connection to our VPN network, we make user-specific settings on the server side in the background to activate random outgoing IP addresses, NeuroRouting and TrackStop. Since WireGuard runs as a kernel module, there are no user-space hooks that would allow us to apply these settings per connection. For WireGuard we would therefore have to deactivate NeuroRouting, TrackStop and similar features, which rules out broad use of WireGuard.
WireGuard is an interesting technology that is experiencing a certain hype for a good reason. Even a US senator has already suggested to the National Institute of Standards and Technology (NIST) that WireGuard be evaluated as a replacement for IPsec and OpenVPN. WireGuard could also soon be included in the standard Linux kernel.[1] Above all, the advantages in speed and minimum code length make WireGuard a promising VPN solution for the future.
However, we fear that the widespread use of WireGuard in our VPN infrastructure would jeopardize the security of our users, as it is not yet intended for production use and we would have to create connection logs. In addition, important security features such as NeuroRouting and TrackStop would not be usable with WireGuard.
For this reason we cannot yet offer the WireGuard protocol to our users. However, we are eagerly following further developments and hope that we will be able to offer WireGuard support in the future.
[1]: https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-Senator-Recommends