WireGuard is a great OpenVPN alternative, developed with security and simplicity in mind by Jason Donenfeld, a security professional. I have been using WireGuard on different devices since it launched, and so far I am very pleased with its performance.
This Q&A article is meant to answer some of the most common questions about this new VPN technology.
Is WireGuard safe?
Yes, absolutely. WireGuard uses secure encryption algorithms and doesn’t rely on libraries that have been affected by serious vulnerabilities in the past, such as OpenSSL. WireGuard can no longer be considered just a personal project; it is a solid technology trusted by cryptographers, cyber security professionals and developers. Since May 2020, WireGuard has been included in the Linux kernel by default. The WireGuard code is open source and has been audited.
Is WireGuard faster than OpenVPN?
Yes, in most scenarios WireGuard is faster and overall better than OpenVPN, in both speed and stability. The biggest speed difference can be seen on routers. For example, a router with an 800 MHz CPU would reach at most around 20 Mbps with OpenVPN but around 100 Mbps with WireGuard.
Is WireGuard easy to use?
It depends on what platform you are using.
On Windows, Mac and mobile devices it may not be as easy as using an OS-native VPN connection such as IPsec or PPTP, because WireGuard requires a client app to connect. Setting up the WireGuard client app is relatively easy.
On Linux it doesn’t require installing additional apps and can be set up either in the terminal or in NetworkManager. The configuration file is very simple and includes only a few settings: public/private key, endpoint addresses, DNS server and, optionally, the MTU and a pre-shared key.
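The configuration file described above is small enough to check mechanically. As an added example (not from this page or from the WireGuard project), here is a Python parser and sanity checker for a wg-quick style config; the embedded sample is constructed, and its keys are base64 of fixed byte patterns rather than real keys.

```python
import base64
import ipaddress
# Constructed sample; the keys are base64 of fixed byte patterns, NOT real keys.
PRIV, PUB, PSK = (base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2, 3))
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {PRIV}
Address = 10.0.0.2/24
DNS = 10.0.0.1
MTU = 1420                 # optional, as is PresharedKey below
[Peer]
PublicKey = {PUB}
PresharedKey = {PSK}
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
def parse_wg_config(text):
    """Return {'Interface': {...}, 'Peers': [...]}; [Peer] may repeat."""
    conf, current = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments
        if line == "[Interface]":
            current = conf["Interface"]
        elif line == "[Peer]":
            conf["Peers"].append(current := {})
        elif line:                                          # skip blank lines
            key, eq, value = (s.strip() for s in line.partition("="))
            if current is None or not eq:                   # split at first '=' so
                raise ValueError(f"malformed line: {raw!r}")  # base64 '=' padding survives
            current[key] = value
    return conf

def _is_key(value):  # private, public and preshared keys: 32 bytes, base64
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                                      # incl. binascii.Error
        return False

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def validate(conf):  # raise ValueError on the first problem, else return True
    _require(_is_key(conf["Interface"].get("PrivateKey", "")), "bad PrivateKey")
    for n, peer in enumerate(conf["Peers"], 1):
        _require(_is_key(peer.get("PublicKey", "")), f"Peer {n}: bad PublicKey")
        _require("PresharedKey" not in peer or _is_key(peer["PresharedKey"]), f"Peer {n}: bad PSK")
        for net in peer.get("AllowedIPs", "").split(","):
            ipaddress.ip_network(net.strip())               # ValueError unless CIDR
    return True
```

A config that passes these checks is not necessarily correct (the checker does not verify that the public key matches the peer), but a truncated key, a host address where a network is expected, or a duplicated setting that silently overrides an earlier one will surface here before the tunnel is brought up.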
Does WireGuard work against censorship/DPI?
WireGuard doesn’t support a traffic obfuscation layer by design, and it works over UDP only. For this reason it is relatively easy to block in restricted networks and in countries that censor the Internet, like China or the UAE. To bypass censorship and DPI filtering, OpenVPN is a better option, since it supports multiple obfuscation types/plug-ins and can be stealthier by working over common TCP ports (443, 80, 25, etc.).
Does WireGuard work in China?
At the time of writing, it isn’t blocked entirely. VPN blocking in China is imposed by ISPs using the so-called “Great Firewall of China” (or “GFW”), based on traffic patterns and protocol signatures. The restrictions differ depending on various factors such as location/town and time of year (e.g. tighter restrictions during key political events). Basically, the blocking measures may vary from one user to another.
What port does WireGuard use?
By default, WireGuard uses UDP port 51820. The port can be changed to any other UDP port on both the server and the client side. As already mentioned, WireGuard doesn’t support the TCP protocol.
What routers are compatible with WireGuard?
Currently there aren’t many routers supporting WireGuard out of the box, and most require flashing a third-party firmware. The following options are available to run WireGuard on a router:
– routers running OpenWrt or DD-WRT
– MikroTik routers running the latest beta firmware v7
– firewalls running the OPNsense platform
Enterprise-grade routers from Cisco, Juniper, Huawei and others are not compatible.
Does WireGuard work well on mobiles?
Yes, it works very well. Since it doesn’t need to re-establish a key exchange periodically, it is less resource-intensive than other VPN protocols, which may reduce battery consumption significantly and improve reliability.
Does WireGuard work with user & pass authentication?
No, WireGuard doesn’t support username/password authentication. It uses key-based authentication exclusively: each endpoint’s public key has to be shared with the other.
More questions and answers may be added later.
To find out more about WireGuard, visit the official project site at wireguard.com.