WireGuard is the "new kid on the block" in the world of VPNs.
Protocol adoption in the VPN world is a very slow process. Yet a relatively recent upstart is garnering a lot of attention: WireGuard. Does it live up to the hype? Or is it Science Fiction?
It may be quite some time until many providers adopt WireGuard (if at all). Some people have criticized OpenVPN, claiming its code base is bloated, pointing to an Ars Technica article that claimed OpenVPN has 400,000+ lines of code and that its use of OpenSSL is an outdated concept.[1] Yet both OpenVPN and OpenSSL are veterans within the VPN world, and at the very least that fact should give one pause to ask why. OpenVPN published a rebuttal to these claims on its blog.[2]
It is apparent to me that the author of the Ars Technica article didn't do his homework and would perhaps benefit from brushing up on his fact-checking skills. Aside from failing to reach out to the OpenVPN developers prior to publishing his claim, if the author had dug around a little he should have found a 2017 presentation to Inria (the French national research institute for the digital sciences) given by none other than Jason Donenfeld, the creator of WireGuard, which states that OpenVPN had (at that time) ~116,000 lines of code.[3] That's quite a far cry from Salter's claim of 400,000 LoC ("Lines of Code"). I'm just saying that if someone is going to make a point of accusing a developer (or group of developers) of having a bloated codebase, at least get your facts straight on how large it is (not to mention your argument for why number X is the magic number at which a program suddenly has code bloat in the first place).
Initially released in 2001, OpenVPN consistently ranks at the top of the heap of VPN protocols for security, integrity, and speed. An open source platform, it is maintained by a very loyal and active community of developers. OpenVPN has withstood the test of time and remains the indisputable king of tunneling VPN protocols in particular. It continues to dominate the VPN market (for now) in terms of speed, security, flexibility, and reliability.
Fast forward to today, and WireGuard has gradually evolved into a promising potential replacement for OpenVPN for some users. The key takeaway here is that WireGuard is shaping up to be a very valuable tool for certain types of users, but it is so far failing to live up to expectations that it would unseat OpenVPN. The biggest disadvantage of WireGuard pertains to the sacrifices it makes in order to cater to its strong suit. While this does increase the possibility of WireGuard carving out a reasonable niche in the market for itself, it seems increasingly likely that this move will come at the expense of alienating some die-hard OpenVPN users, for whom OpenVPN is more likely to continue serving as the superior protocol when it comes to achieving an overall balance of features. To illustrate my point, let's take a look at WireGuard's current pros and cons.
Let's begin by taking a look at how WireGuard improves on its incumbent rivals:
- Mobile device support: One of WireGuard's signature benefits is the promise of reduced/optimized power consumption for mobile devices. There's no question there is a market for this, and the fact is OpenVPN has been built from Day One with an eye toward fixed wire systems. To wit, OpenVPN's origin predates the iPhone by six (6) years, just to put that in perspective.
- Encryption: Modern and cutting-edge cryptographic methods. Wider selection of choices. Again, this is largely a nod to mobile platforms (reduced battery consumption for various crypto functions).
- Concise code: OpenVPN is known for a bloated, complex, and clunky code base. It is difficult to troubleshoot and audit. WireGuard's code base is only about 3-5% the size of OpenVPN's (exact ratio varies depending on information source). Less code = less time spent dealing with it. Anyone who has been a software developer will appreciate how much easier that makes reverse engineering, adding new code, and finding/fixing bugs. This is actually a big plus.
- Performance: WireGuard claims (and early testing confirms) greater average throughput speeds, less overhead, and superior reliability compared with OpenVPN. However, it is unproven at scale (for now). One area where it does shine consistently is in the time to establish initial connections and re-establish dropped connections. WireGuard excels in this area due to its alternate philosophy on cryptographic protections (fewer options to the user; fewer options period) as compared with OpenVPN. Regardless of why, it IS considerably quicker than most if not all OpenVPN handshakes.
- Stronger security: Less code means fewer potential security holes, and fewer potential mistakes in coding that can be exploited by hackers.
WireGuard is worth watching, but it's not quite ready for prime time. It has some very interesting characteristics and is ostensibly optimized for speed and security more so than OpenVPN, though that remains to be proven (e.g. by independent security audits). It also has some significant drawbacks that a number of VPN users are likely to balk at.
While it may become a favored platform for mobile users in particular, WireGuard does have some drawbacks that will be significant to some people. It's going to be important for users to take these trade-offs into consideration.
Known WireGuard downsides to consider:
- Untested on a large scale
- Weaker privacy controls (compared with OpenVPN)
- "No-log" servers are not possible (a big blow to privacy activists)
- Mandatory logging and a minimum 24-hour holding period of users' true IP addresses are currently required
- No dynamic address management - fixed IPs only
- No Security Audits. WireGuard has never been audited (and doesn't look as if it will be anytime soon). Auditing OpenVPN is a bear due to its size and complexity. WireGuard aims to make security audits easier and more regular thanks to its simplistic architectural design. OpenVPN's arguably bloated codebase makes security audits expensive and time consuming. However, to date WireGuard has never been audited, while OpenVPN has been several times (most recently in December 2018).
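To make the "fixed IPs only" point above concrete, here is a minimal wg-quick-style configuration for one server and one client. This is an added illustration, not configuration from the original post or from the WireGuard project; the key values are placeholders and the addresses and hostname are constructed. The client's tunnel address is pinned statically in two places: the client's own `Address` line and the matching `AllowedIPs` entry in the server's `[Peer]` block for that client. There is no pool from which addresses are handed out at connect time, so adding a client means adding a `[Peer]` block with its own fixed address.

```ini
# --- Server side: /etc/wireguard/wg0.conf (wg-quick format) ---
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
# Tunnel address of the server itself, assigned statically
Address = 10.8.0.1/24
ListenPort = 51820

# One [Peer] block per client. AllowedIPs is both a routing rule and an
# access-control rule: only packets whose source is 10.8.0.2 are accepted
# from this peer, and only packets destined for 10.8.0.2 are sent to it.
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

# --- Client side: /etc/wireguard/wg0.conf (wg-quick format) ---
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
# Must match the AllowedIPs the server assigned to this client
Address = 10.8.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
# Constructed endpoint; replace with the real server host and port
Endpoint = vpn.example.com:51820
# Route all traffic through the tunnel
AllowedIPs = 0.0.0.0/0
# Keep NAT mappings alive from behind a home router or mobile carrier
PersistentKeepalive = 25
```

Because the address is part of the per-peer configuration rather than negotiated, the server operator necessarily knows which tunnel address belongs to which public key; that static mapping is the mechanism behind the privacy trade-off the list above describes.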
The Bottom Line
WireGuard is worth paying attention to and holds promise, particularly for VPN users on mobile devices. Curious end users should stay tuned and monitor WireGuard's status as it matures, but retain a healthy dose of skepticism until proven otherwise. Of concern is the program appears to be in some sort of vague limbo status. Not in Beta, but not production ready. Users are encouraged to adopt it and test it, yet its developers are making no promises on when it will be "finished."
From a marketing perspective, there doesn't seem to be a clear message to prospective users. And from a technical perspective, it's a bit dicey (especially from a product support and compatibility perspective, as the question of whether some of its purported features work or not seems to shift randomly). Although I am intrigued, I plan on sticking with OpenVPN for the foreseeable future. Proceed with caution.
Footnotes
[1] Salter, Jim. (26 August 2018). WireGuard VPN review: A new type of VPN offers serious advantages. Ars Technica. https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen
[2] The New Cloudflare VPN: What It Is And Is Not. (n.d.). OpenVPN Blog. OpenVPN. https://openvpn.net/what-is-cloudflare-vpn
[3] Donenfeld, Jason A. (February 2017). WireGuard: Fast, Modern, Secure VPN Tunnel. Inria (Inventeurs du Monde Numerique). https://www.wireguard.com/talks/inria2017-slides.pdf