WireGuard VPN/Protocol: What Is It & How to Use It? WireGuard vs OpenVPN Comparison
Many consider WireGuard the next standard VPN protocol. If you are not yet familiar with it, this short article covers everything you need to know.
VPNs have become hugely popular in recent years, especially in areas where increasingly heavy internet censorship limits or even bans access to the worldwide internet. Also, with the growing number of data leaks and cybercrimes exposed in recent years, general users have started to pay much closer attention to internet privacy and security. So they tend to get quality VPNs to conceal their web identity, to shield their behavior and data from ISPs, governments, ad agencies, hackers, etc. (especially on public Wi-Fi), and to get around bandwidth throttling and geo-blocking without hassle.
Why is a VPN so reliable for so many kinds of tasks? It mainly comes down to its workflow. First, when you use a VPN, the web request is routed through the VPN provider’s private server and then directed to its internet destination. Second, the VPN builds an encrypted tunnel based on a VPN protocol for the whole routing process, so that the data transmitted is untraceable and unbreakable.
Obviously, the VPN protocol plays a vital role here because it decides not only how the data is routed but also how safely the data is locked. Previously, we rounded up the top 10 VPN protocols you may come across when using a VPN. Now it is time for an in-depth review of the protocol that has made the biggest splash in the most recent two years – WireGuard.
A Brief Introduction of WireGuard
Since the birth of VPN technology in 1996, when Microsoft developed the very first VPN protocol, called PPTP, a dozen VPN protocols have come out over the following two decades, such as L2TP, IPSec, IKEv2, OpenVPN, and WireGuard: easy or sophisticated, less or more secure, slower or faster, open source or closed source.
Among these protocols, the open-source OpenVPN stands out and has earned its fame thanks to its reliability and good balance between speed, encryption, and stability. It has often been regarded as the “gold standard” of VPN protocols, until the advent of WireGuard, another free and open-source VPN software and protocol created by Jason A. Donenfeld, whose first code base snapshots were taken and seen by the public in June 2016. To some degree, WireGuard is now better known than OpenVPN by virtue of its extreme simplicity (less than 4,000 lines of code), state-of-the-art cryptography (e.g. Curve25519, ChaCha20, Poly1305, SipHash, BLAKE2s etc.), and blazing-fast speed. Therefore, although it’s still under development, many take it as the next standard, or the future, of VPN technology.
WireGuard aims to be a “Fast, Modern, Secure VPN Tunnel”. Actually, compared to the widely used IPsec, it’s truly “faster, simpler, leaner, and more useful”, and compared to OpenVPN, it tends to be more performant too. As for platform compatibility, WireGuard was originally available only on Linux. It has since become cross-platform, moving to Android, iOS, OpenBSD, Windows, Mac, and so on one by one. That makes it quite a powerful competitor to OpenVPN. The WireGuard project is a non-profit open-source project, and it has received donations from many companies and individuals including Private Internet Access, IVPN, NordVPN, and many more.
To gain the benefit of WireGuard VPN or protocol, you have two ways to go:
1. Setting up a WireGuard VPN yourself → suitable for techie users
2. Employing WireGuard-capable VPN software developed by a VPN provider → suitable for beginners
How Do I Set Up a WireGuard VPN on My Machine?
If you are a tech nerd, comfortable with basic Linux command lines, and willing to try something new, such as setting up a WireGuard VPN, try the steps below.
Step 1. Prepare a new local or cloud-based server/VPS
Most users prefer a cloud server, such as one from Digital Ocean, Cloudways, Vultr or Microsoft Azure, for simplicity and convenience. When you pay for such a VPS, you will usually need to choose a target server location, a plan (with fixed CPU, RAM and disk space), operating system, configuration, SSH key, server hostname and description, and then deploy. When this part is done successfully, go ahead to the next step.
Step 2. Download and install the WireGuard client
Go to WireGuard’s install page to find the right download link, either a direct download or an app store, and install the most recent WireGuard on your device. Also, please make sure your system is up to date, in case of any unexpected errors. Windows users are strongly recommended to download the WireGuard package from the official site and nowhere else, because there are too many downloads containing viruses or malware.
Step 3. Enable IP forwarding & have firewall rules configured well
Next, you need to enable packet/IP forwarding on the WireGuard server. Then, to keep unwanted connections out and protect the server, you’d better install a firewall on the server and configure its rules properly, for instance the popular pfSense or OPNsense. If you have no idea how to do it, the simplest way is to import a set of ready-made rules that meets your use case.
Step 4. Generate the public and private keys, finish server config, etc.
To have the server and client connected through a safeguarded tunnel, cryptographic keys are essential. So the server and the client each generate their own key pair and then exchange the public & private keys accordingly. Yep, each key pair is only responsible for one-way messaging. That said, if multiple devices need to be connected, each one generates its own key pair.
Step 5. Do WireGuard server & client configuration
What comes next is the server configuration. You need to create a new “wg0.conf” configuration file (another custom name is also OK) and place it in the right folder – /etc/wireguard/ – with parameters like PrivateKey, Address, AllowedIPs and ListenPort all set correctly. After that, you can start the WireGuard server, check its configuration and enable it at system boot.
Similarly, create another wg0 file on the device on which you’d like to connect to and use the WireGuard VPN, fill in the necessary content, like PrivateKey and the DNS address in the Interface section and PublicKey/Endpoint/AllowedIPs in the Peer section, and place it in the same /etc/wireguard/ directory for it to take effect. If AllowedIPs is set to 0.0.0.0/0, ::/0, then all traffic will be routed through the homemade WireGuard VPN.
Step 6. Test and use the WireGuard VPN
Since all the preparation work is done, you can now start up or disconnect the VPN connection with the related system commands.
External resource: [WireGuard’s OFFICIAL] QuickStart Guide
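Steps 3 to 6 as one script, added here as an example; it is not from the original article or the WireGuard project. It makes the key handling in step 4 concrete: each machine keeps its private key in its own wg0.conf, and only the public key goes into the other side's [Peer] section. The 10.8.0.x tunnel addresses, port 51820, the 203.0.113.10 endpoint and a DNS resolver on the server's tunnel address are assumptions, as are the function names gen_keypair and write_pair.

```shell
#!/bin/sh
# Added example: steps 4-5 as a script that writes a matching server/client
# wg0.conf pair. Tunnel addresses, port, DNS and endpoint are constructed samples.
set -eu

# Print "PRIVATE PUBLIC" for a fresh key pair (requires wireguard-tools).
gen_keypair() (
    priv=$(wg genkey)
    printf '%s %s\n' "$priv" "$(printf '%s\n' "$priv" | wg pubkey)"
)

# write_pair DIR SRV_PRIV SRV_PUB CLI_PRIV CLI_PUB ENDPOINT
# Each file holds its own side's private key and only the peer's public key.
write_pair() (
    umask 077    # configs contain private keys: owner-only permissions
    mkdir -p "$1/server" "$1/client"
    printf '%s\n' \
        "[Interface]" \
        "PrivateKey = $2" \
        "Address = 10.8.0.1/24" \
        "ListenPort = 51820" \
        "" \
        "[Peer]" \
        "PublicKey = $5" \
        "AllowedIPs = 10.8.0.2/32" > "$1/server/wg0.conf"
    printf '%s\n' \
        "[Interface]" \
        "PrivateKey = $4" \
        "Address = 10.8.0.2/32" \
        "DNS = 10.8.0.1" \
        "" \
        "[Peer]" \
        "PublicKey = $3" \
        "Endpoint = $6" \
        "AllowedIPs = 0.0.0.0/0, ::/0" > "$1/client/wg0.conf"
)

# Generate real keys only when wireguard-tools is installed.
if command -v wg >/dev/null 2>&1; then
    srv=$(gen_keypair); cli=$(gen_keypair); out=$(mktemp -d)
    write_pair "$out" "${srv% *}" "${srv#* }" "${cli% *}" "${cli#* }" \
        "203.0.113.10:51820"
    echo "configs written under $out"
fi
# Then, as root, after copying each wg0.conf to /etc/wireguard/ on its machine:
#   sysctl -w net.ipv4.ip_forward=1                (server, step 3)
#   wg-quick up wg0; wg show; wg-quick down wg0    (step 6)
#   systemctl enable wg-quick@wg0                  (start at boot, systemd)
```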
What VPNs Have Support for WireGuard Protocol?
If you just knit your brows when going through the brief setup tutorial above, maybe it’s not the appropriate time to try this method. Instead of spending so much time learning many new and challenging things, using an off-the-rack WireGuard VPN seems to be a wiser choice.
Let’s begin with some VPN names that have already added, or plan to add, WireGuard to their VPN protocol library.
• PIA/Private Internet Access
• Hotspot Shield
• PandaVPN (will support WireGuard soon)
It’s a little bit disappointing that some big VPN providers like ExpressVPN and NordVPN don’t embrace this new efficient and safe VPN protocol, right? Actually, from their official posts we can learn that ExpressVPN considers WireGuard unsuitable for its large VPN network, hence it worked out its own Lightway protocol for “a superior VPN experience”, while NordVPN also produced a new protocol called NordLynx since it’s not confident in WireGuard, a protocol that’s still under development.
Is WireGuard safe to use? This consideration sounds reasonable. However, the truth is that, until now, there’s no evidence showing that WireGuard is unsafe. WireGuard is light, with about 4,000 lines of code, which makes it easy to audit for security vulnerabilities, and we also found a WireGuard security analysis report (from courses.csail.mit.edu) online, which concludes: “Overall, we found that WireGuard generally functions as it should… We did not identify any critical bugs…” Hopefully, in the near future, more audits will be carried out to prove the reliability of WireGuard.
WireGuard vs. OpenVPN (Protocol), Who’s Better?
WireGuard and OpenVPN take many top spots in numerous “best VPN protocol lists”, and the discussion about which one is superior never stops.
In short, WireGuard’s main goal is to be an easier, faster and more secure protocol, and to replace IPsec and OpenVPN “in most use cases” (quoted verbatim from the WireGuard whitepaper).
Firstly, we have to admit that, at 4,000 vs. 70,000 lines of code, WireGuard is really lighter than OpenVPN, which surely lays the foundation for its better performance, ease of deployment and wide platform support. How fast is a WireGuard-based connection compared to OpenVPN on the same or similar hardware, server location, and internet environment? Although there’s no official data, many people have tested it and reported figures like 50% faster, 58(.8)% faster, 3X faster, and so forth. That being said, it’s commonly acknowledged that WireGuard delivers much faster speed than OpenVPN. Below is a screenshot, again from the whitepaper.
WireGuard only encapsulates IP packets over UDP, whereas OpenVPN supports both UDP and TCP. This helps OpenVPN outperform WireGuard at bypassing content censorship in TCP mode.
How about the security comparison? It looks like WireGuard has adopted many encryption methods to accomplish all-around data encryption and decryption. The more, the better? The answer is NO. Even though OpenVPN doesn’t include BLAKE2, in the view of some tech geeks it’s not a big deal, because the HMAC a VPN uses can guarantee data integrity perfectly. Anyway, both of them are highly safe protocols, and you can trust them equally.
It’s no exaggeration to say that WireGuard has had a shining birth and has a bright future. But it’s still under development, and many improvements could be made to make it even more practical, like adding dynamic IP address management, pushing routes and DHCP options to clients from the server, etc. Then again, none of this will greatly affect individual usage, and the best-in-class open source VPN solution and protocol should be a standby choice for all VPN users, because other “competitors” will always have chances to disappoint you.
PandaVPN will soon join the crowd and offer users the WireGuard VPN protocol option for faster speed and other use cases. Now if you are seeking a WireGuard VPN, you can download and install PandaVPN to enjoy its already-accelerated internet connection, with no bandwidth limit at all. 3000+ servers, 80 countries, 170+ locations, and the number is still growing.
Supported Platforms: Windows, Mac, Linux, iOS, Android, and Android TV