Why WireGuard? (2024)

This article answers some typical questions we receive about why we use and recommend WireGuard®.

But first, what is WireGuard?

In short, WireGuard® is a new VPN protocol that utilizes state-of-the-art cryptography. It aims to be simpler than IPsec and OpenVPN. In fact, it even performs better. Here's why we love WireGuard.

I already use Mullvad. Can I use WireGuard too?

You bet. Depending on your operating system, WireGuard might already be enabled:

  • Windows users, you can easily turn on WireGuard in the Mullvad app.
  • Android and iOS users, WireGuard is always used so you don’t need to do anything.
  • macOS and Linux users, WireGuard is the default protocol.

How many devices can I use WireGuard on?

You can have up to 5 WireGuard keys at a time, each one for a different device, so 5 devices.

What is the development status of WireGuard?

WireGuard is considered stable by its own team and many security experts (including us). This was the case well before its initial implementation into Linux kernel 5.6 in March 2020.

We believe that the security of WireGuard as a protocol and its Linux kernel implementation are superior to all alternatives. Code audits and the project age function as signals for decision makers, but if you look deeper, there are other, stronger signals. The simplicity of the protocol state machine; the fact that it can be implemented without dynamic memory allocation; and the cryptographic primitives used are all arguably equally or more useful.

Even the attack surface is much smaller: WireGuard is written with fewer than 7,000 lines of code, whereas IPsec contains 400,000 lines (OpenVPN is of similar complexity). The more code used, the greater the chance of a vulnerability being present in those lines. With a background in kernel exploit development, we don't expect the creator of WireGuard to have written code that contains 100 times more vulnerabilities than IPsec or OpenVPN.

Is it true that a user's public IP must be logged in order for WireGuard to work?

No. When using WireGuard, your public WireGuard IP address is temporarily left in memory (RAM) during connection. By default, WireGuard deletes this information if the server has been rebooted or if the WireGuard interface has restarted.

For us this wasn't enough, so we added our own solution: if no handshake has occurred within 600 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
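One way a server operator could implement the 600-second rule described above, as an added example that is not Mullvad's own code: it parses the tab-separated output of `wg show <interface> dump` and builds the `wg set` commands that remove a stale peer and add it back. The interface name `wg0`, the function names and the sample dump are assumptions made for illustration.

```python
import subprocess
import time

MAX_IDLE = 600  # seconds without a handshake, the figure given in the article

def stale_peers(dump, now, max_idle=MAX_IDLE):
    """Parse `wg show <iface> dump` text; return peers whose runtime state should be scrubbed."""
    stale = []
    for line in dump.strip().splitlines()[1:]:    # first line describes the interface itself
        pub, psk, endpoint, allowed, handshake, _rx, _tx, keepalive = line.split("\t")
        if endpoint == "(none)" and handshake == "0":
            continue                              # no endpoint or handshake time is stored
        if now - int(handshake) > max_idle:
            stale.append({"pub": pub, "psk": psk, "allowed": allowed, "keepalive": keepalive})
    return stale

def reapply_commands(iface, peer):
    """Return two argv lists: remove the peer, then add it back with its static config only."""
    add = ["wg", "set", iface, "peer", peer["pub"]]
    if peer["allowed"] != "(none)":
        add += ["allowed-ips", peer["allowed"]]
    if peer["keepalive"] != "off":
        add += ["persistent-keepalive", peer["keepalive"]]
    if peer["psk"] != "(none)":
        add += ["preshared-key", "/dev/stdin"]    # key is piped in, never placed in argv
    return [["wg", "set", iface, "peer", peer["pub"], "remove"], add]

def scrub(iface):
    """Run as root on the server: remove and reapply every stale peer on iface."""
    dump = subprocess.run(["wg", "show", iface, "dump"], check=True,
                          capture_output=True, text=True).stdout
    for peer in stale_peers(dump, int(time.time())):
        remove, add = reapply_commands(iface, peer)
        subprocess.run(remove, check=True)
        psk = peer["psk"] + "\n" if peer["psk"] != "(none)" else None
        subprocess.run(add, check=True, input=psk, text=True)

# Constructed sample dump: placeholder keys and documentation-range addresses.
SAMPLE = (
    "PRIV_PLACEHOLDER\tPUB_SERVER\t51820\toff\n"
    "PUB_A\t(none)\t198.51.100.7:40001\t10.64.0.2/32\t1700000000\t1024\t2048\toff\n"
    "PUB_B\t(none)\t203.0.113.9:40002\t10.64.0.3/32\t1700000900\t10\t20\t25\n"
    "PUB_C\t(none)\t(none)\t10.64.0.4/32\t0\t0\t0\toff\n"
)
```

The re-added peer carries only its key, allowed IPs and keepalive setting, so the endpoint and latest-handshake fields start out empty again until the client next connects.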

If you want to hide your public IP even more, use multihopping.

Is logging of any user activity required in order for WireGuard to work?

No. There is never a need to log user activity no matter if you're using OpenVPN or WireGuard.

Does using WireGuard put me at greater risk for leaks?

No, not more than if you're not using WireGuard. Whatever protocol you use for connecting to Mullvad, you should perform a leak test. If you're not safe from WebRTC, take necessary action.

What are your thoughts on the internal WireGuard IP address being static?

We acknowledge that keeping a static IP for each device, even internally, is not ideal.

Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you've installed software that is malicious, it can also leak that information.

And theoretically, a static internal IP that is leaked, together with obtaining a payment record, could help to identify a user. (Dive into the payment info we handle for a fascinating read.)

Having said that, we still believe that WireGuard overall is in a better state than OpenVPN.

Solutions to the problem

You as a user can mitigate this issue in two ways:

The Mullvad VPN app automatically replaces the WireGuard keys once every other week.

We also want to see the WireGuard protocol itself improved, which is why we're taking part in the development of WG-dynamic. This implementation will give the ability to dynamically assign a new internal IP every time a connection is made.

Which cryptography is used in WireGuard?

WireGuard utilizes the following protocols and primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539's AEAD construction
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing, as described in RFC7693
  • SipHash24 for hashtable keys
  • HKDF for key derivation, as described in RFC5869
  • Noise_IK handshake from Noise, building on the work of CurveCP, NaCl, KEA+, SIGMA, FHMQV, and HOMQV

With WireGuard, all packets are sent over UDP.

The WireGuard website goes into detail on protocol and cryptography.

"WireGuard" is a registered trademark of Jason A. Donenfeld.

Article information

Author: Trent Wehner
