What is a WireGuard?

Lean, modern code could make WireGuard the next standard for securing VPN networks

WireGuard is a modern network tunneling protocol that could become the new standard for creating virtual private network (VPN) connections. The protocol’s clean, simple approach stands in stark contrast to the bloated complexity of the IPsec and OpenVPN protocols that traditionally underpin VPNs. Shunning these legacy systems’ deep configurability, WireGuard promises an easier, more secure, and more performant way to create VPN connections.

What is WireGuard?

Security researcher Jason A. Donenfeld began developing WireGuard in 2015. His work helping companies find vulnerabilities in their networks had made Donenfeld realize that the VPN protocols everyone has been using for the past two decades had become security risks in their own right.

Most VPNs rely on IPsec to create secure tunnels through the public internet. But IPsec is extremely difficult to implement correctly. The complexity of OpenVPN and other user-space solutions impose considerable performance penalties. In both cases, supporting many encryption protocols, key distribution methods, and other features results in enormous codebases for these legacy protocols. As a result, VPN security systems are subject to exploitation across a large attack surface.

WireGuard takes a much leaner approach to the creation of secure network tunnels. Rather than pursuing cipher and protocol agility, WireGuard is cryptographically opinionated. Using specific protocols for each function — ChaCha20 encryption and BLAKE2s hashing for example — makes WireGuard more focused and performant.

Due to this focus, WireGuard has about 4,000 lines of code compared to the hundreds of thousands in an IPsec or OpenVPN implementation. This leaner codebase is much easier to audit which improves security and makes WireGuard more reliable.

In March 2020, WireGuard was incorporated into the Linux 5.6 kernel. None other than Linus Torvalds was impressed by the quality of WireGuard’s code:

“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”

Over time, Linux distributions will support WireGuard natively and could lead to widespread adoption of WireGuard-based VPN solutions for consumers and enterprises.

What are the benefits of WireGuard?

The insight Donenfeld drew from his vulnerability research experience was that, by trying to be comprehensive, IPsec and OpenVPN became too complex to secure or manage. Starting from a clean sheet, the WireGuard Project could take a fresh approach and deliver clear benefits for network security:

Simple

As easy to configure and deploy as SSH, WireGuard eliminates the overhead that comes with managing IPsec or OpenVPN connections. WireGuard handles everything transparently once the simple key exchange is complete.

Secure

WireGuard’s smaller codebase is easier to audit and provides a smaller attack surface. Additionally, the protocol takes advantage of new developments in encryption such as the Noise Protocol Framework.

Performant

Having a small codebase based on modern cryptographic primitives, WireGuard outperforms traditional VPN protocols. The performance boost does not depend on hardware acceleration, making WireGuard a good choice for smartphones and embedded devices.

What are the challenges with WireGuard?

WireGuard is a relatively new protocol which may not be widely adopted right away. Although it is now part of the Linux kernel, it takes time for new features to propagate through the Linux ecosystem. WireGuard will be available soon for servers and enterprise desktops as Linux distributions incorporate new kernel releases. By contrast, embedded devices are often based on much older kernels and may never get updated. Whether Windows, macOS and mobile operating systems ever support WireGuard natively remains to be seen.

Although the WireGuard Project has developed client apps for multiple platforms, they are not complete security solutions. The new protocol achieves its simplicity, in part, by leaving features like obfuscation to higher layers. This leaves it to security vendors to integrate WireGuard into feature-complete security solutions.

How Twingate benefits your business

Twingate’s security solution removes the friction from migrating to software-defined perimeters and quickly delivers benefits for administrators, users, and the overall business.

Benefits for administrators

Twingate frees administrators by eliminating the costs, maintenance burdens, and security risks of VPN gateways.

  • Easy, rapid deployment
    • Compatible with multi- and hybrid-cloud environments
    • Works with existing network and VPN
  • More security, less overhead
    • No public endpoints
    • Extensive logging
    • Integrates with existing security stack
  • Better performance and reliability
    • Lower latency with direct user-to-resource connections
    • Reduced network burden with split tunneling and intelligent routing
    • 100% software-based with no hardware to patch

Benefits for users

Remote access security is no longer something users must suffer — or try to bypass. Twingate makes security transparent while maintaining performant connections to essential resources.

  • Better performance
    • No backhaul to slow access to resources
    • No competition for network bandwidth
  • Better experience
    • Frictionless client provides transparent security
    • Enables seamless remote access

Benefits for business

The security of your business data improves with Twingate’s flexible and scalable security infrastructure.

  • Minimized security risks
    • Users’ security compliance increases
    • Per-resource perimeters reduce the attack surface
  • Future-proof scalability
    • Designed for the work-from-anywhere workforce
    • Capex-free infrastructure grows with the business

Redefining security with

Changing the way your business protects critical resources is essential in today’s network environment. Twingate’s security solution based on software-defined perimeters offers a flexible and scalable path to modern network security. Whatever blend of on-premises systems, cloud-hosted applications, and X-as-a-Service solutions drive your business, a Twingate makes your  critical resources less vulnerable to attack and more accessible to users.

Contact Twingate to learn more about securing your remote workforce.

"In the age of COVID-19, having an efficient and secure IT infrastructure is more important than ever. We used Twingate to replace a VPN that was bursting at the seams after our business transitioned to remote work. I’m extremely happy to have Twingate."
Paul Mason
CTO at Human Interest

Get set up in minutes

Try Twingate today and give your team access to private applications in minutes