Safe and fast, but bad for privacy?
👨💻
A lot has changed since we first looked at the WireGuard VPN protocol. In this new and updated WireGuard VPN guide, we examine the strengths and weaknesses of this protocol, as well as the best WireGuard VPN services.
WireGuard is a relatively new VPN protocol that is already being brought in big changes For the VPN industry. But is it trustworthy and safe?
While many people discuss the benefits of WireGuard – that is, faster speeds and improved encryption – the disadvantages of WireGuard are often overlooked. So is WireGuard ready for widespread adoption – or do lingering privacy concerns outweigh the potential benefits?
We will answer all these questions and more in our updated WireGuard VPN guide.
warning: Now, WireGuard has some inherent problems can undermine user privacy If it is not taken enough. Before using the WireGuard VPN protocol, be sure to check how your VPN provider ensures user privacy through their WireGuard app.
Some VPNs have effectively addressed all privacy concerns. for example, NordVPN supports WireGuard directly into their VPN apps using a file Dual NAT system. This guarantees There is no identifiable user data (IP addresses) are ever Stored on VPN server. We’ll examine different VPNs that support WireGuard more below.
Here’s what we’ll cover in our updated WireGuard VPN guide:
- WireGuard Benefits
- WireGuard Privacy Issues (and Solutions)
- Best WireGuard VPN Services
- The future of WireGuard
- WireGuard VPN comparison table
OpenVPN vs WireGuard OpenVPN is considered the gold standard for VPN protocols by many – but things are changing. To compare these two protocols, we’ve put together a WireGuard vs. OpenVPN guide, which examines the speeds, security, encryption, privacy, and background of each VPN protocol. We found WireGuard to be around 58% faster than OpenVPN on average, and even faster with nearby servers (450Mbps).
Now let’s start with the benefits of WireGuard VPN protocol.
WireGuard VPN Benefits
Here are some of the “pros” that WireGuard offers:
Updated encryption
As he explained in several interviews, Jason Donenfeld wanted to upgrade what he considered “legacy” protocols with OpenVPN and IPSec. WireGuard uses the following protocols and primitives, as described on its website:
You can learn more about WireGuard’s modern encryption on the official website or in the technical document [PDF].
WireGuard minimal code base
WireGuard really stands out in terms of its code base, which is currently around 3800 lines. This is in stark contrast to OpenVPN and OpenSSL, which together contain around 600,000 lines. IPSec is also huge at around 400,000 lines total with XFRM and StrongSwan together.
What are the advantages of a smaller code base?
- That’s a lot Easier to check. OpenVPN can take a large team several days to proofread. One person can read through WireGuard’s database within a few hours.
- Easier to audit = easier to find vulnerabilities, which helps keep WireGuard safe
- Much Smaller attack surface Compared to OpenVPN and IPSec
- better performance
While a smaller code base is indeed an advantage, it also reflects some limitations, as we will discuss below.
Significant performance improvements
Speeds can be a limiting factor with VPNs – for many different reasons. WireGuard is designed to deliver significant performance improvements:
The combination of the basics of high-speed encryption and the fact that WireGuard lives inside the Linux kernel means that secure networks can be high-speed. It is suitable for both compact small devices such as smartphones and fully loaded basic routers.
In theory, WireGuard should offer improved performance in the following areas:
- higher speeds
- Better battery life with phones/tablets
- Better roaming support (for mobile devices)
- More reliability
- Faster making connections/reconnecting (faster handshakes)
WireGuard should come in handy for mobile VPN users. With WireGuard, if your mobile device changes network interfaces, such as switching from WiFi to mobile/cell data, the connection will remain as long as the VPN client continues to send authenticated data to the VPN server.
Fastest VPN we tested (a lot)
We have now tested WireGuard extensively with NordVPN and some other VPN services that support it. We’ve found that NordVPN’s WireGuard VPN app, which they call NordLynx, provides the fastest speeds.
Here we are using NordVPN with WireGuard VPN (NordLynx) protocol with a server in Seattle (USA). We reached speeds 445 Mbps On a 500Mbps connection:
WireGuard is the fastest VPN protocol we tested – much faster than OpenVPN.
This makes WireGuard the fastest VPN protocol we tested (when used with NordVPN on a nearby server).
Ease of use across platforms
Although the full implementation has been somewhat delayed, WireGuard now works well across all major platforms. WireGuard supports Windows, Mac OS, Android, iOS, and Linux operating systems.
Another interesting feature with WireGuard is that it uses public keys for identification and encryption, while OpenVPN uses certificates. This creates some issues for using WireGuard in a VPN client, however, such as creating and managing keys.
A few VPNs have already incorporated full WireGuard support into their suite of VPN clients. See for example with NordVPN and Surfshark as well as Mullvad.
It is integrated into the Linux and Windows kernels; It has been completely released from the beta version
On March 29, 2020, it was announced that WireGuard will be Officially included in 5.6 Linux kernel. This is important news that many privacy enthusiasts have been waiting for. In August 2021, WireGuard was switched over to the Windows kernel.
Additionally, WireGuard is now out of beta with version 1.0+ released for almost every major operating system. You can get more information about WireGuard for different operating systems here.
With these two developments, WireGuard is now being considered Stable and ready for widespread use. The old warning on the official website that WireGuard “is not yet complete” has been removed.
WireGuard Privacy Issues (and Solutions)
While WireGuard may offer advantages in terms of performance and security, By design, it is not ideal for privacy. Many VPN providers have expressed concerns about WireGuard and its impact on privacy.
IVPN noted that WireGuard “was not designed with commercial VPN providers offering privacy services in mind.” Similarly, NordVPN has also expressed its concerns about the privacy issues inherent in WireGuard:
By implementing the ready-made WireGuard protocol in our service, we would have put your privacy at risk. We will never do this again.
Fortunately, the dust settled and today there are some Good solutions to these problems. WireGuard in 2020 is now a stable VPN protocol and few VPNs have found effective solutions to deploy it while ensuring user privacy.
To understand the trade-off between privacy and security with WireGuard, IVPN has done a good job of distinguishing between the two as follows:
the Safety From the protocol is concerned with protecting the data in the tunnel from being accessed by adversaries: either by breaking encryption, MITM attacks, or by any other means, however complex.
Privacy He is interested in whether the opponent can find out anything about you, your connections, or anyone you have contacted. It’s more about metadata than actual data.
Privacy can be violated, even when security is solid. For example, when the fact that the communication between the two parties can be determined. Or when certain information about one of the parties becomes known after the communication has taken place. However, it should be noted that if security is poor, privacy cannot be guaranteed at all.
Now that we’ve covered the basics, let’s examine some of the privacy issues with WireGuard.
By default, WireGuard stores user IP addresses on the VPN server indefinitely
As others have pointed out, WireGuard . was It is not created for anonymity and privacyBut rather safety and speed.
by default, WireGuard saves connected IP addresses on the server . Users’ IP addresses are saved indefinitely on the server, or until the server is rebooted. This makes WireGuard ready version incompatible with no-logs VPN services.
So how do VPN services deploy WireGuard while ensuring user privacy?
Solution
Based on our research, the solution to this privacy issue varies by VPN provider. We’ll examine a few below.
NordVPN Dual NAT System with WireGuard
NordVPN takes a unique approach to privacy issues with what they call the “dual NAT system” deployed with NordLynx:
The first interface assigns a local IP address to all users connected to the server. Unlike the original WireGuard protocol, every user gets the same IP address.
Once the VPN tunnel is created, the second network interface starts with the dynamic NAT system. The system assigns a unique IP address to each tunnel. In this way, Internet packets can travel between the user and his desired destination without getting confused.
Dual NAT allows us to establish a secure VPN connection without storing any identifiable data on the server. Dynamic local IP addresses remain assigned only when the session is active.
This is NordVPN’s unique solution to WireGuard’s privacy flaws, and they refer to it as Nordlinks.
NordVPN effectively resolves the privacy flaws of WireGuard by using the dual NAT system. This prevents your IP address from being saved on the VPN server.
You can get more information about NordLynx and NordVPN on their website here.
Mullvad and OVPN clear IP address logs after VPN session ends
Another way VPN providers have addressed the logs issue is by configuring their servers to Clear data records when session ends.
Two examples are with Mullvad and OVPN, both of which are Sweden-based secure VPN services.
OVPN Explain:
We have programmed our VPN servers so that user information is not stored forever in the VPN server’s memory. Users who have not had a key exchange for the past 3 minutes are removed, which means we have as little information as possible.
Mulvad It follows a similar approach:
We added our solution in that if no handshake occurs within 180 seconds, the peer is removed and reapplied. Doing so removes your public IP address and any information about the last time you had a handshake.
Now let’s take a look at another issue/defect in WireGuard.
WireGuard does not assign dynamic IP addresses
VPN providers have also expressed concerns about how IP addresses are assigned using WireGuard.
Mullvad said this in a blog post:
We acknowledge that keeping a static IP address for each device, even internally, is not ideal.
why? Because if the user encounters WebRTC leaks, this internal static IP address may leak externally. As another example, apps running on your device can detect your internal IP address, and if you install malware, it can also leak this information.
Likewise, OVPN also acknowledges these drawbacks:
Nowadays, WireGuard requires that each key pair (which can be seen as a device) be assigned a static internal IP address. This works without problems with smaller installations, but can quickly become complex when tens of thousands of customers need to be connected. A model called wg-dynamic is being developed, but is not finished yet.
Additionally, there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks.
Solution
OVPN and Mullvad have both come up with ways to securely generate keys and manage IP addresses. Each service allows you key renewal And therefore Rotate IP addresses, which helps neutralize this…
[ad_1]
Don’t forget to share this post with friends !
