WireGuard is a still very young technology to realize secure and powerful virtual private networks (VPNs) with little effort. It is an open-source protocol and software that is intended to provide an alternative to established VPN solutions such as OpenVPN or IPsec.
WireGuard was developed with the goal of making VPNs easier and providing an alternative to existing VPN solutions. The open-source software and protocol compete with VPN technologies such as IPsec or OpenVPN. Compared to existing solutions, the configuration of VPN connections is said to be easier and faster.
What is WireGuard?
WireGuard operates with high performance on layer 3 of the OSI layer model and supports both IPv4 and IPv6. The software is deliberately kept simple and straightforward. It consists of only about 4,000 lines of programming code. Other VPN solutions sometimes have several hundred thousand lines of source code.
The new VPN alternative was developed by Jason A. Donenfeld. The solution, which is still very young, is not yet completely mature and is still partly in experimental status. It is available for different platforms such as various Linux distributions, macOS, Android, or iOS. On Linux systems, the code runs as a module in the kernel and achieves high performance.
Since 2018, VPN providers such as Mullvad and AzireVPN have been offering initial services based on the new VPN solution.
Design principles of WireGuard
The following goals were pursued in the design of the VPN alternative:
- Ease of use
- High performance
- High security through the use of current cryptographic methods
- Manageable code with minimal attack surface
- Carefully thought-out overall concept
WireGuard is characterized by its simplicity compared to existing VPN solutions, which are usually very complex. The software offers fewer configuration options and is limited to the bare essentials. This makes the solution easy to use and its security easy to check. Possible vulnerabilities are easy to find in the manageable code.
To achieve a high level of security when encrypting data, WireGuard uses modern cryptographic methods. Identities of VPN participants are linked to their public keys. Connections are established similarly to SSH by exchanging the public keys. The architecture is based on the peer-to-peer model.
Protocols used
WireGuard makes use of various protocols to establish VPN connections and exchange data. The most important protocols are:
- Curve25519 (ECDHE) for the exchange of keys.
- ChaCha20 and Poly1305 for the exchange and encryption of data
- BLAKE2s for hashing
- Ed25519 for the public key authentication procedure
The VPN solution is deliberately limited to the three basic functions for encrypted connections. The key exchange takes place in the handshake via Curve25519 with Elliptic Curve Diffie-Hellman (ECDHE). BLAKE2s serves as a universal hash function and generates, for example, Keyed-Hash Message Authentication Codes (HMAC) or derives keys with HMAC-based Key Derivation Function (HKDF).
ChaCha20 and Poly1305 are responsible for symmetric encryption of the exchanged data. In addition to native support for IPv4 and IPv6, it is possible to encapsulate IPv4 in IPv6 and vice versa.
Information Security Asia is the go-to website for the latest cybersecurity and tech news in various sectors. Our expert writers provide insights and analysis that you can trust, so you can stay ahead of the curve and protect your business. Whether you are a small business, an enterprise or even a government agency, we have the latest updates and advice for all aspects of cybersecurity.
