WireGuard is the latest VPN protocol, a game-changer that offers numerous advantages, is easy to use, and is faster than the previously available connection protocols. Its primary goals are security and connection speed, and it employs several technologies to achieve them.
However, it is still not an ideal protocol because some intrinsic limitations undermine its ability to protect users’ privacy. Thankfully, the top-notch VPNs have incorporated the WireGuard protocol with some adaptations that minimize its privacy issues.
This article provides a comprehensive review, examining the updated information about WireGuard to assess whether it’s a good option for VPN users.
Top 3 VPNs offering WireGuard protocol – Quick list
Want to test the WireGuard protocol yourself right now? Feel free to pick any of the three best VPNs listed here and experiment with WireGuard.
- NordVPN: The best WireGuard VPN, offering fast speeds, tremendous anonymity with server obfuscation, a huge server network spanning over 113 countries, and a 30-day money-back guarantee.
- Surfshark: An industry disruptor that quickly adopted WireGuard to offer fast speeds to its customers. It also has a widespread network offering servers in 100+ countries, and a 30-day money-back guarantee.
- VyprVPN: A privacy-oriented Swiss VPN service that has recently introduced WireGuard support to serve its customers with swift performance.
The WireGuard protocol’s pros and cons at a glance
WireGuard is a modern VPN protocol bearing numerous impressive features. But is it a better option than the time-tested alternatives such as OpenVPN? Let’s look at the best and the worst it has to offer.
Pros
- Agility. WireGuard is quick to connect and reconnect even when you’re roaming around. It keeps connections online that other protocols would lose. So it’s light yet robust.
- Security. WireGuard comprises modern, secure, efficient, and carefully-picked components. Its minimal code size makes it easy to audit while enabling the protocol to ensure security with a relatively small effort.
- Speed. The mathematical code in WireGuard is very fast and efficient. Besides, some of its lowest-level technology is already within the Linux kernel. This combination of advantages will always keep it faster than any competitor.
- Deployment. Installing the client or the server software for WireGuard is easy. The difficulty level is like installing and configuring SSH, which any admin in the world can do.
Cons
- Baked-in support. WireGuard works out-of-the-box only in some Linux distros. If you want WireGuard’s speeds, you’ll need an app that brings it to your device or service. Otherwise, you’ll have to go with OpenVPN or another protocol.
- Obfuscation. The obfuscation technique is critical in evading censorship, the Great Firewall of China, and other internet problems. However, it’s not easy to bring obfuscation and WireGuard together because you have to build obfuscation layers on top of WireGuard.
WireGuard’s benefits
Improved encryption
WireGuard is the brainchild of Jason Donenfeld, a 33-year-old hacker, security consultant, and software developer, whose concern with a more secure internet became manifest as a new VPN protocol.
In several interviews, Donenfeld explains his problems with the OpenVPN and IPSec protocols, which he considers outdated. WireGuard’s idea is to come up with a more modern VPN tunnel by adopting advanced protocols and primitives as building blocks:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using the RFC 7539 AEAD construction.
- ECDH through Curve25519.
- BLAKE2s is in charge of hashing and keyed hashes.
- SipHash24 for hashtable keys.
- HKDF for key derivation.
If you don’t follow the meaning of these terms, don’t worry. Those are some fairly advanced cryptographic concepts that even specialists can find challenging. The gist is that WireGuard is choosing a set of building blocks for its more modern protocol, supposedly more robust than those previously found in any VPN protocol.
Minimal code base
The full WireGuard implementation is fewer than four thousand lines of code. That is a fantastic expression of efficiency compared with OpenVPN and OpenSSL, which are longer than half a million lines of code. IPSec is slightly shorter, at 400,000 lines.
But as long as things work, why care about the number of lines in a project? We hear you ask.
A shorter source code makes the program more transparent and easier to understand for those not involved in the developing process. It makes audits much easier, faster, and more conclusive.
Auditing OpenVPN is a daunting task that requires numerous experts’ combined efforts for several days. So, the auditing process itself is bulky and full of friction points. In contrast, WireGuard’s code is so short that you can have a full audit done by a single competent expert in a day. This audit-friendly trait makes it much easier to detect and fix vulnerabilities in WireGuard and to improve the protocol’s security.
Another significant advantage of shorter pieces of code is diversified compatibility; any computer or device can run it quickly with fewer resources.
Improved performance
Using a VPN always costs something in terms of performance. The encryption layer and the traffic routing through the VPN network will always slow things down a bit — even if the best VPNs make this loss negligible. Since speeds can become a limiting factor for VPN users, WireGuard has improved its new protocol to ensure the highest possible speeds.
And how are those improvements achieved? By making some smart choices.
For instance, the basic cryptographic building blocks chosen for the new protocol (“primitives” in geek slang) are extremely fast. But then, the WireGuard protocol works from inside the very Linux kernel (which is the thing that runs the VPN’s network servers, Linux desktop computers, some routers, and Android devices). So WireGuard is part of the machinery in Linux systems, making it faster because it runs within the operating system instead of “over” the operating system.
The improved performance in WireGuard should supposedly bring the following benefits for users:
- Better, faster speeds.
- Increased battery life because of improved energy efficiency.
- Better roaming support for mobile devices.
- Increased reliability.
- Faster authentications.
So, evidently, mobile VPN users will benefit the most from the new protocol’s features. This is crucial because public WiFi connections are the most dangerous regarding security, their popularity notwithstanding.
The fastest protocol we’ve seen so far in the year 2024
WireGuard is still not the standard protocol in commercial VPNs. This isn’t surprising since even OpenVPN is not available in every service. However, NordVPN does support WireGuard, and because it’s our favorite VPN, we’ve tested it thoroughly. Besides, some other VPNs also include WireGuard as an option, and we used them too.
NordVPN calls its implementation of the WireGuard protocol NordLynx, and it’s the fastest option on offer.
As we tested NordLynx, we noticed our VPN speeds were as high as 93% of our ISP’s theoretical speeds. These high speeds show that WireGuard is the fastest VPN protocol, even faster than OpenVPN.
Cross-platform convenience
WireGuard’s full implementation across platforms wasn’t quick, but it’s completed as we write this. It’s available for deployment in Linux, iOS, Android, macOS, and Windows. So, the option is there and works in every primary operating system.
Unlike OpenVPN, which uses certificates for the same tasks, WireGuard uses public keys to identify and encrypt. However, using public keys complicates the VPN client, requiring it to generate and manage keys.
So far, Mullvad, Surfshark, and NordVPN have included WireGuard in their service with full integration.
Kernel integration in Windows and Linux
The WireGuard code has been an integral part of the Linux kernel since version 5.6, as we learned on March 29, 2020, from Linus Torvalds. It was big news regarding endorsement and adoption for the WireGuard team and privacy enthusiasts. Then, in August 2021, it also became part of the Windows kernel.
Inclusion has since kept advancing to the point that every major operating system’s beta versions will incorporate WireGuard v 1.0+. The WireGuard official website includes the complete list of the operating systems integrated under the hood.
When trying to establish a new industry standard, adoption is everything. WireGuard has made enough progress regarding adoption to consider it stable and ready for widespread distribution. Until last year, its website displayed a warning sign about WireGuard being “not yet complete.” But that warning isn’t there anymore.
So WireGuard is faster than any other tunneling option out there. It’s ultra-modern and is available in every meaningful operating system, at least optionally.
WireGuard vs. OpenVPN – How the two protocols serve users
The privacy problems in WireGuard are not deal-breakers. Competent implementation of the protocol can prevent its problems from becoming a threat. NordVPN is a good example. Its VPN apps use WireGuard out-of-the-box in tandem with a Double NAT system. Both technologies combine to ensure no identifiable user data gets stored on any network server.
OpenVPN is an open-source project that has been providing the best VPN protocol to the industry for years. Because of its open-source nature, the code is there for everybody to examine and test. As a result, OpenVPN is tested and audited all the time thoroughly as the developing community keeps updating it. So far, OpenVPN has passed every test successfully, thus becoming the industry’s highest standard in VPN protocols, warranting a near 100% guarantee regarding data security.
So, WireGuard has to beat OpenVPN substantially to make a difference in the VPN market.
Does it, though? Our tests found WireGuard 58% faster than OpenVPN on an average server and even quicker with nearby servers. So, the new protocol gets an extra point here.
Caution:
The current WireGuard protocol suffers from some intrinsic limitations. These problems do not enhance the protocol’s ability to protect user privacy. In fact, they can undermine it. So before choosing WireGuard as your default VPN protocol, please find out your VPN provider’s implementation of the protocol and the privacy policies it holds. Remember that privacy (unlike anonymity or security) is not a simple matter of technology but also of good practices and company policies — in other words, the human component matters too.
Privacy problems in WireGuard
Despite all the pros, not everything is perfect in WireGuard. For example, the protocol’s design looks deficient regarding privacy, drawing concerns from many VPN providers.
IVPN comments that WireGuard’s design wasn’t tailored to commercial VPN vendors with privacy concerns. NordVPN had similar issues, explaining that adopting WireGuard out-of-the-box would be a privacy hazard for users. And so, the protocol is there, but in an optional capacity.
Fortunately, things have moved forward, and these privacy problems have been met with reasonable solutions. In 2024, WireGuard is already a stable protocol, and many VPNs are deploying it without endangering user privacy.
Privacy and security are not the same things at all. The differences can be subtle, but it is crucial to understand why privacy is an issue with WireGuard.
A protocol’s security is about protecting the data within your encryption tunnel from adversarial access. Privacy, by contrast, is not about acquiring the data but about what you do with it. So a privacy problem arises if somebody can tell, for example, with whom you’re communicating online, even if they can’t decrypt the messages. So, ultimately, privacy is about protecting your metadata as much as the data itself.
That means you can have perfect security and still have your privacy breached. Using the same example, if somebody finds out you’re exchanging emails with your brother, your privacy is off, even if that external observer doesn’t know the subject of your exchanges. Of course, privacy becomes even harder to preserve if security is weak. So, undeniably, both are interrelated but still not the same.
Now that those basic notions are clarified, let’s see the privacy problems with WireGuard.
IP address storage in WireGuard
There are reasons why WireGuard isn’t the ideal protocol for privacy protection. One specific reason is that privacy wasn’t a goal for the developing team. Instead, the focus was on increased speeds and security.
The first problem with WireGuard is that it saves a list of the connected IP addresses on the server. The list stays saved on the server until it’s rebooted, which means it can remain there indefinitely.
Unfortunately, since IP addresses are personally identifiable pieces of user data, and WireGuard creates a log of them, this means that any VPN using WireGuard out-of-the-box can’t comply with a zero-log keeping policy.
So how can any VPN adopt WireGuard and still protect user privacy? First, let’s see how some VPNs are solving this issue.
NordVPN: double NAT system with WireGuard
NordVPN’s approach to the WireGuard privacy problem is unique. Their implementation, called NordLynx, deploys something they call a “double NAT.”
Here’s how it works:
- A VPN tunnel comes online.
- The second network interface comes online. It uses a dynamic NAT system.
- The system gives an IP number to each tunnel. This allows the traffic between users and their target sites to flow uniquely.
- Double NAT establishes a VPN connection using dynamic local IP addresses that are alive only while the session is online. This is how they manage to avoid the storage of any IP addresses on the server.
OVPN and Mullvad: Delete IP logs after each VPN session
If the problem with a log is that it exists, why can’t you just delete it and be done with it? This logical and straightforward approach is the solution for VPNs like OVPN and Mullvad. They simply configure their servers so that the data logs go away after the end of each session.
So, for example, OVPN removes any user who hasn’t had a key exchange within the last three minutes from the log. Mullvad does the same when no handshake happens within 180 seconds.
This solution is nowhere near as technologically sophisticated as NordVPN’s approach. And that is a good thing! Every VPN could imitate one of those server configurations and adopt WireGuard without privacy issues.
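One way a server operator could implement the three-minute / 180-second rule described above, as an added example and not OVPN’s or Mullvad’s own code. It assumes a Linux server with the standard `wg` tool, an interface named wg0, and that removing and re-adding a peer is an acceptable way to clear its stored endpoint; the sample peer table is constructed.

```python
"""Reset WireGuard peers whose last handshake is older than 180 seconds."""
import subprocess
import time
from dataclasses import dataclass

STALE_AFTER = 180  # seconds; the three-minute / 180-second figure quoted above
NONE = "(none)"    # how `wg` prints an empty endpoint, key or allowed-IPs list


@dataclass(frozen=True)
class Peer:
    public_key: str
    preshared_key: str
    endpoint: str          # last remote IP:port the server saw for this peer
    allowed_ips: str
    latest_handshake: int  # Unix time of the last handshake, 0 if never
    keepalive: str         # seconds, or "off"


def parse_dump(text):
    """Parse `wg show <iface> dump`: line 1 is the interface, the rest are peers.

    Peer columns (tab separated): public key, preshared key, endpoint,
    allowed IPs, latest handshake, rx bytes, tx bytes, persistent keepalive.
    """
    peers = []
    for line in text.strip("\n").split("\n")[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"expected 8 peer fields, got {len(f)}")
        peers.append(Peer(f[0], f[1], f[2], f[3], int(f[4]), f[7]))
    return peers


def stale_peers(peers, now, max_age=STALE_AFTER):
    """Peers that still hold an endpoint but have not handshaken for > max_age s."""
    return [p for p in peers
            if p.endpoint != NONE and now - p.latest_handshake > max_age]


def reset_commands(iface, peer):
    """Return (argv, stdin) pairs that remove the peer and add it back.

    The key and allowed IPs survive, so the client can reconnect, but the
    interface forgets the endpoint, handshake time and transfer counters.
    """
    base = ["wg", "set", iface, "peer", peer.public_key]
    add, stdin = list(base), None
    if peer.allowed_ips != NONE:
        add += ["allowed-ips", peer.allowed_ips]
    if peer.keepalive != "off":
        add += ["persistent-keepalive", peer.keepalive]
    if peer.preshared_key != NONE:
        # Pass the preshared key on stdin so it never appears in the process list.
        add += ["preshared-key", "/dev/stdin"]
        stdin = peer.preshared_key + "\n"
    return [(base + ["remove"], None), (add, stdin)]


def prune(iface, now=None, run=subprocess.run):
    """Read the live peer table and reset every stale peer (needs root and wg)."""
    now = int(time.time()) if now is None else now
    dump = run(["wg", "show", iface, "dump"], check=True,
               capture_output=True, text=True).stdout
    stale = stale_peers(parse_dump(dump), now)
    for peer in stale:
        for argv, stdin in reset_commands(iface, peer):
            run(argv, input=stdin, text=True, check=True)
    return [p.public_key for p in stale]


# Constructed sample: placeholder keys and documentation address ranges.
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY", "51820", "off"],
    ["PEER_A_KEY", NONE, "203.0.113.7:51820", "10.0.0.2/32",
     str(SAMPLE_NOW - 30), "1024", "2048", "off"],       # active client
    ["PEER_B_KEY", "PEER_B_PSK", "198.51.100.9:40000", "10.0.0.3/32",
     str(SAMPLE_NOW - 600), "4096", "8192", "off"],      # gone for 10 minutes
    ["PEER_C_KEY", NONE, NONE, "10.0.0.4/32", "0", "0", "0", "off"],  # never seen
    ["PEER_D_KEY", NONE, "192.0.2.44:51820", "10.0.0.5/32",
     str(SAMPLE_NOW - 180), "10", "20", "25"],           # exactly at the limit
])

if __name__ == "__main__":
    for peer in stale_peers(parse_dump(SAMPLE_DUMP), SAMPLE_NOW):
        for argv, _ in reset_commands("wg0", peer):
            print(" ".join(argv))
```

Run from a timer every minute or so, `prune("wg0")` keeps endpoint addresses on the server only for clients that are connected or left within the last few minutes. A tunnel that is carrying traffic re-handshakes about every two minutes, so active sessions stay under the 180-second limit.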
No dynamic IP address assignment in WireGuard
IP address assignment is another concern for VPN providers since, besides traffic encryption, it’s a core service of every VPN.
We’ll try to explain this problem quickly here. First, static IP addresses for each device are not the best policy, even internally. Internal WebRTC leaks can become external because of the static assignment. That is just one example, but any app running on a device that can figure out your internal IP address can leak it to the exterior if it’s malicious.
Some VPNs out there also share concerns about this feature in WireGuard for a different reason: static address assignment is efficient in small networks, but it gets exponentially complicated when you have thousands of users, as you do in a commercial VPN. Development is underway for “wg-dynamic,” a new model meant to solve this issue, but it’s not ready for deployment.
Solutions
IP address rotation. Some VPNs have managed to generate keys securely to manage IP addresses. OVPN and Mullvad are two fine examples of such providers. The capability to regenerate keys allows users to rotate IP addresses in each network. The IP address rotation helps minimize the problem with the static assignments.
Blocking or disabling WebRTC. WebRTC is a nightmare when it comes to IP leaks. And it’s worse in a network with statically assigned IP addresses. In the standard scenario, the web browser can leak your IP address through WebRTC. The following measures are helpful here:
- Disable or block WebRTC.
- If you’re using Mozilla Firefox, disable WebRTC for the browser.
- Choose a web browser with good security and privacy features.
The best VPNs with WireGuard
So the promise of high speeds is too much for you to resist, and you want to try a VPN with WireGuard? First, you’ll need to know which of the best VPN vendors can give it to you. And that’s what we will tell you in this section.
Remember that WireGuard is a relatively new protocol undergoing gradual adoption. So, while this list will tell you the best VPNs using WireGuard, the number of VPNs adopting the new protocol keeps growing.
1. NordVPN
The best VPN service supporting WireGuard. It has a better version of WireGuard, “NordLynx,” that makes it a faster VPN.
Pros
- Vast number of servers
- User-friendly interface
- Great customer support
Cons
- Outdated desktop app
NordVPN is the best VPN with WireGuard in 2024, handling any activities you wish to do using a VPN. Its way of adopting WireGuard is called NordLynx, which solves the protocol’s privacy problems with a double NAT system.
NordVPN is also one of the best VPNs for OpenVPN connections, offering the highest speeds. Still, we consistently found our transfer speeds much higher with NordLynx.
This VPN is based in Panama, a very privacy-friendly jurisdiction. In addition, NordVPN combines excellent performance with equally fantastic privacy and security features. One of the best things about NordVPN is that two independent audits have confirmed that it doesn’t keep any logs of user activity.
The security audits on this VPN have also been successful (in cooperation with Versprite). As a result, the network is good against penetration and other attacks.
An additional feature in NordVPN is that, since 2020, every server in the network has run in RAM disk mode. That means the servers have no hard drives and can’t store data. Therefore, all the data stored in each computer is volatile and disappears when the system restarts.
Using NordLynx in the NordVPN network is as simple as selecting your preferred protocol in the app before connecting to a server. The app manages IP addresses and key generation, so you don’t need to consider it.
Full WireGuard support in the NordVPN apps is seamlessly integrated into the user experience and is available in every operating system.
Further, besides supporting WireGuard, this market leader has more to offer:
- Double server connection. Redirects traffic through two servers in the network to add an extra encryption layer.
- Tor over VPN servers. Some selected servers in the VPN go directly to the Tor network for browsing anonymity.
- CyberSec. It is an ad blocker that also protects you from trackers and malware.
- Obfuscated traffic. Some servers provide obfuscation, making all your traffic look like HTTPS to get around VPN blocks and censorship.
2. Surfshark
The best cost-effective VPN, which works perfectly well with WireGuard.
Pros
- Affordable long-term packages
- Strong security
- User-friendly
Cons
- Speed lags with distant servers
Surfshark is a relatively new VPN. However, it’s earned an excellent reputation quickly by offering top-notch service at low prices. In addition, the policy in Surfshark emphasizes privacy — and it’s based in the British Virgin Islands, which is a privacy-friendly jurisdiction. It keeps no logs of user activity, and the most relevant factor for this list: it adopted WireGuard in 2020.
While Surfshark hasn’t developed its own flavor of WireGuard, as NordVPN has, it’s still straightforward to choose. All you need to do is to enable it in the app’s settings area, and that’s it. The apps are available for every major operating system (except Linux), and they will deal with the keys and certificates for you.
Surfshark also deals with the privacy loopholes in WireGuard with a double NAT system so that user IP addresses do not remain stored on the network’s servers.
As expected, using WireGuard increases speeds significantly, up to 79% of your ISP’s capability, which is high for the VPN average.
Other excellent features of Surfshark include:
- Multi-hop connections add extra encryption layers.
- NoBorders to help you bypass geolocation blocks.
- Camouflage mode is the same as traffic obfuscation. It disguises all the traffic as HTTPS to get around blocks, censorship, and other traffic limitations.
- CleanWeb is an ad and tracking blocker.
A use case for VPNs that’s exploded recently is in the video streaming niche. Good VPNs allow you to unblock the most popular video streaming platforms and see content otherwise blocked for your country. Surfshark excels at this task.
Last, but not least, Surfshark is the most accessible top-notch VPN because of its price: you can enjoy its services on an unlimited number of devices simultaneously for as low as 2.49 USD monthly.
3. VyprVPN
A decent VPN service that is highly popular these days. It has WireGuard in all apps.
Pros
- Great at bypassing geo-restrictions
- Owns its servers
- Highly responsive and well-trained customer agents
Cons
- Mediocre Speeds
VyprVPN comes next in our list of WireGuard-enabled VPNs. Its no-logs policy is beyond any doubt (there are audits), and it is based in Switzerland, which is probably the most privacy-friendly country in Western Europe.
The VyprVPN apps have included support for WireGuard since 2020, and the speeds we found are impressive indeed. Incorporating the new protocol into the network is seamless, and speed rates can reach 310 Mbps.
The business model in VyprVPN is unique in that the company owns every server in the network. It means that VyprVPN has complete control over every piece of hardware in the network. That means no third-party interference is possible, which adds to the network’s security. In addition, Leviathan Security certified this VPN’s no-logs policy with an audit.
The VPN’s software includes WireGuard for every operating system except Linux, which happens with Surfshark too. So picking WireGuard as your default VPN tunneling protocol is straightforward, anyway.
VyprVPN also had to tinker around a little with WireGuard to make it fit into its zero-logs policy. The company is transparent about this: their implementation comes up with a WireGuard configuration on demand for each user in the network. As a result, the servers record nothing because there is no static configuration to log.
Like our previous two VPNs, VyprVPN excels at unlocking video streaming platforms, which interests many prospective VPN users.
Then there’s the small matter of the price. Switzerland is legendary among tourists for being an expensive destination, and VyprVPN has decided to go with the flow. The prices increased significantly as the new year began, and the cheapest plan will cost you 8.33 USD monthly.
4. Mullvad
Probably the best VPN service for the WireGuard protocol. WireGuard is enabled by default for Android users.
Pros
- Good speed
- Affordable pricing
- Strong security and privacy features
Cons
- Customer service isn’t good at all
Mullvad is a big name in VPNs and was one of the first to incorporate WireGuard into its technology. This VPN promotes security and privacy, keeps no logs, and every app on the platform supports WireGuard.
Mullvad keeps transitory IP address logs (unlike NordVPN), but those records go away when each VPN session finishes. Also, the network replaces the protocol’s keys weekly and automatically in the VPN’s apps. But if you like to control things closely, you can regenerate your WireGuard keys manually in the user settings area.
Selecting WireGuard from the Mullvad apps is easy. It’s the default protocol on the VPN’s mobile apps, so you don’t need to choose it.
5. AzireVPN
A Swedish VPN service that supports WireGuard and prioritizes privacy.
Pros
- Strong no-logs policy
- Works in China
- Good for torrenting
Cons
- Leaks DNS on macOS
This Swedish VPN is also secure and doesn’t keep any logs.
AzireVPN was a pioneer in WireGuard adoption. It started supporting the protocol in 2017, three years earlier than anybody else!
The server network in AzireVPN is much smaller than the others on our list. But the size enables it to keep closer control on stricter standards. In addition, every server is premium and has the highest-capacity bandwidth.
AzireVPN doesn’t directly support the WireGuard protocol. As it happens with OVPN, you’ll need to install the WireGuard client on your device and then download, import, and install all the configuration files.
6. OVPN
Another secure Swedish VPN service. It is currently working on implementing WireGuard on VPN clients.
Pros
- Strong encryption
- Easy to install
- Very transparent
Cons
- No 24/7 live chat
It’s another WireGuard option for expert users.
The Swedish OVPN network is a secure VPN that keeps a no-logs policy. It adopted WireGuard in the second half of 2020.
WireGuard support on the VPN’s network is official. Yet, not every client includes it. Therefore, taking advantage of the WireGuard protocol’s high transfer speeds is not as easy in OVPN as with the previous providers. You need to get the official WireGuard client and then download, import, and install the configuration files.
As we write this, if you want automatic access to WireGuard on OVPN, your only options are the Android and iOS apps. Support for WireGuard will spread to the rest of the VPN’s software in the coming months.
Other VPN services with WireGuard support
Several other VPNs support WireGuard. The difference between the following VPNs and those already listed is that we haven’t had the time to test them thoroughly. However, you can feel free to try them and see if their service fits your needs because they all have a refund option.
- Proton VPN. This Swiss VPN added WireGuard support recently. It works great but is not for everyone because it has drawbacks like limited features and a relatively high price. And the performance wasn’t outstanding either.
- TorGuard. It’s a VPN from the US (not the best jurisdiction for a VPN) and fully supports WireGuard. You’ll need the WireGuard clients, though.
- Private Internet Access. Known as PIA, it’s based in the US and features WireGuard support in every app. However, we found PIA’s WireGuard implementation relatively slow compared to NordVPN, which is entirely beside the point of WireGuard adoption.
- CyberGhost. Another implementation that fails in the velocity department compared to our top options.
- IPVanish. Yes, it supports WireGuard. But this is still the VPN that kept user logs for the FBI’s benefit.
- IVPN. The provider has a good reputation in the VPN market. This option from Gibraltar hasn’t got the biggest name in the industry, but it’s still well respected. Its VPN clients have the WireGuard protocol integrated in full, like Mullvad or NordVPN. This is probably one of the most expensive VPNs with WireGuard support, but its extraordinary focus on privacy could make the price worth it for the most jealous users.
- VPN.ac. This is a Romanian VPN with full WireGuard support using WireGuard clients.
- TrustZone. Hails from Seychelles, and it’s focused on privacy. Their VPN apps are rather basic, so they don’t support WireGuard directly. However, some third-party clients will work with TrustZone.
Why is ExpressVPN missing from the list?
If you know the basics about the VPN market, you’re probably wondering why we didn’t mention ExpressVPN so far. It’s a fair question, as ExpressVPN is one of the best VPNs of today.
The thing about ExpressVPN is that it’s consistently rejected WireGuard in favor of Lightway, a homemade protocol that looks very much like a WireGuard imitation.
There are several problems with Lightway. First, it’s a proprietary protocol, making audits and external analysis hard. For the same reason, it’s unlikely for many other VPNs to adopt it. If those two reasons weren’t bad enough, Lightway can’t match WireGuard’s speeds, so it’s already lost that battle.
Configuring WireGuard VPN clients quickly
Configuring a WireGuard client is unbelievably easy.
Forget about copying and pasting certificates. You won’t need to type any detail. It’s much simpler than that; just follow these steps:
- Your VPN vendor provides you with a QR code to scan.
- Open the WireGuard app and hit the plus sign.
- Choose “Create from QR code.”
It’s that simple.
WireGuard and the future
OpenVPN is the dominant protocol in the VPN industry, followed by IPSec. Both are secure, relatively efficient, and versatile, and both supported the VPN industry’s initial growth. Time has tested them both, and they’ve aced the test.
However, both protocols now look dated, with bulky code, inefficient math, and traditional cryptographic elements, and keeping them secure takes a bit of work.
That is the opportunity that WireGuard is seizing to disrupt the VPN protocol world. WireGuard is a young protocol, but its future already looks bright.
Many VPN networks already incorporate WireGuard into their core software and functionality, and the list includes some of the industry leaders. VPN users love the high speeds, stability, and advanced encryption. Hence, it seems WireGuard’s adoption will only grow more in the future.
Nonetheless, the protocol itself still needs attention. The privacy issues are still there, potentially becoming deal-breakers for other VPN services, as correcting them requires much extra work in the implementation. However, some of the best VPNs have found ways around those privacy flaws to offer WireGuard’s advantages to their users without suffering from its problems.
And let’s not forget that WireGuard is now an integral part of both the Windows and the Linux kernels. This fact alone gives it a privileged place in the race for mainstream adoption. It’s just a matter of time.
Today, WireGuard is the cutting edge of VPN technology — too advanced for the regular user, still something of a geeky toy. It’s the protocol for the next generation, but that next generation is not too far away from the present. And you could join it right now.