A hand touching a lock that has a ribbon wrapped around it and WireGuard written on the ribbon.

WireGuard® is a fast and modern VPN protocol that uses advanced cryptography. It’s simpler and more versatile than IPsec and OpenVPN, making it suitable for a wide range of uses. As the newest addition to the VPN protocol roster, does it change what a VPN can do? And how does it impact you, the user? Let’s take a look.

Table of contents

    Stay safe online
    Crush viruses, data leaks, and online threats with a single subscription
    Get Surfshark One
    Feature Element
    Secure your device with malware, spyware & virus protection
    Feature Element
    Get real-time email, credit card, & ID breach alerts
    Feature Element
    Change your IP address & stay safe online with a VPN
    Get Surfshark One

    What is WireGuard?

    A hand holding a lock that has a ribbon with WireGuard written on it and a question mark placed next to it.

    WireGuard is an extremely fast yet secure VPN protocol that can also be used as a standalone VPN. In fact, it’s considered the fastest VPN protocol available today, making it a better option than IPsec/IKEv2 or OpenVPN when you’re looking for speed and performance.

    Wireguard was built as a lean tunneling protocol, operating in under 4,000 lines of code compared to OpenVPN’s 100,000, but more on that later. The shorter code base makes WireGuard easier to use, provides better speeds and performance, and a low attack surface.

    WireGuard aims to replace IKEv2/IPSec and OpenVPN as a more efficient solution for VPNs. It tries to incorporate the best bits used by other protocols.

    What does WireGuard use?

    The working parts and fundamental elements that make up software are generally called primitives, which simply mean operations.

    The protocols and primitives used by WireGuard are:

    Mini glossary:

    • ChaCha20 — a stream cipher and a refined version of the Salsa20 algorithm that uses a 256-bit key;
    • Poly1305-AES — a secret-key message-authentication code;
    • AEAD — Authenticated Encryption with Associated Data;
    • Curve25519 — an elliptic curve used in elliptic-curve cryptography (ECC);
    • ECDH — Elliptic-curve Diffie–Hellman key agreement protocol;
    • Hashing — verifying that the sender of the data is who they say they are;
    • BLAKE2 — a cryptographic hash function;
    • SipHash24 — a block cipher that’s an ARX (add–rotate–XOR) algorithm;
    • HKDF — HMAC-based Key Derivation Function;
    • HMAC — Hash-Based Message Authentication Code.

    WireGuard pros and cons

    Pros
    Cons
    It’s light: 4000 lines of code (vs. OpenVPN’s 100,000) makes it easy to test and work with, including covering up any weaknesses it has.
    It doesn't obfuscate: the protocol is prone to deep packet inspection and often relies on the VPN provider to have obfuscated servers.
    It has a smaller attack surface: fewer lines of code — fewer places for security vulnerabilities.
    It doesn’t offer a dynamic IP: WireGuard currently uses static addresses everywhere, and those seeking dynamic configuration have to look at other options (e.g., DNS servers).
    It’s fast: WireGuard uses predefined configurations and fewer resources when receiving data. This should allow it to perform faster than other protocols.
    It’s not used by every VPN: if you want to use the protocol and stay private, you'll have to use a provider that supports it.

    To read in finer detail, visit WireGuard’s piece on the protocol’s Known Limitations.

    How does the WireGuard protocol work?

    WireGuard uses a combination of advanced cryptographic operations to encrypt exchanged data. The protocol utilizes state-of-the-art cryptography called cryptokey routing, which works by associating public keys with a list of IP addresses used explicitly for tunneling.

    Public keys are used by peers to authenticate each other. The key can be passed around by any method outside of the primary communication channel. Similar to how one might send their secure shell (SSH) public key to a friend for access to a shell server.

    When using WireGuard, security configurations between your client and the server come predefined. This makes it faster because you don’t need to connect or reconnect to the server. That’s why the WireGuard connection is connectionless.

    All you need to have is your and the server’s keys. The key exchange in the WireGuard protocol is based on NoiseIK — a single round-trip key exchange. The protocols do that automatically under the hood. You just choose the server you want, and the app handles the rest.

    Try the WireGuard protocol
    Simple, fast, and secure
    Surfshark

    WireGuard and manual configuration

    Since the WireGuard protocol is relatively new to the VPN market, not all VPN providers have it. But we do, and we’re really happy that we can offer it to you. And even more so, we offer app AND manual configuration.

    Manual WireGuard setup is great news for anyone who:

    • Is located in a country where VPN usage is restricted;
    • Wants to use their VPN via their router;
    • Has devices not compatible with our app that would benefit from encryption;
    • Wishes to protect many devices without experiencing drops in speed.

    Is WireGuard better than OpenVPN and IKEv2?

    Three locks standing on podiums with WireGuard written on each of them.

    WireGuard is built to be more efficient than OpenVPN and IKEv2. But that doesn’t necessarily mean it will perform better than other VPN protocols.

    Since people love to compare VPN protocols, they often put WireGuard against OpenVPN and IKEv2. And so did we.

    Before we begin, we’d like to acknowledge that we know some like to compare the protocols’ battery usage. We’ve asked our experts, and they said the difference is so minimal it’s almost pointless to compare.

    WireGuard vs. OpenVPN

    WireGuard
    OpenVPN
    Speed
    Faster
    Slower
    Reliability
    Great, but not as reliable on unstable networks
    Good, better on unstable networks
    Open-source
    Yes
    Yes
    Accessibility
    Offered by fewer VPN providers
    Offered by most VPN providers

    OpenVPN claims its protocol has around 70,000 lines of code. Since OpenVPN is an open-sourced service, it’s easy to check if that’s true by looking at the GitHub repository (it’s a place where you can store your code). We took a look and counted that their code consists of 112k lines of code.

    Two reasons why lines of code matter: 1) the more lines of code there are, the bigger the chance of error, and 2) the fewer lines of code you need to achieve the same result, the better.

    Methodology: We downloaded OpenVPN’s code in Zip format from their GitHub repository. The original file includes lines of documentation, tests, and other files. There are 112k lines in the source code.

    WireGuard vs. IKEv2

    WireGuard
    IKEv2
    Speed
    Faster
    Slower, but not by much
    Reliability
    Better reliability on unstable networks
    Not as reliable
    Open-source
    Yes
    No
    Accessibility
    Offered by fewer VPN providers
    Offered by more VPN providers

    However, as convenient as the tables above are, protocol comparisons aren’t extremely accurate. See, the performance of VPN protocols depends on too many factors:

    • How fast your internet connection is;
    • How occupied the VPN servers are;
    • How VPN-compatible your device is;
    • How close you are to the VPN server.

    In theory, the WireGuard protocol does certain things better than OpenVPN and IKEv2. Does it mean it will work better for you? There is no solid answer here. Try each protocol and use the one that gives you the smoothest experience.

    Is WireGuard VPN secure?

    WireGuard is considered one of today’s safest and most secure VPN protocols. Simplified protocol architecture with less code translate into fewer bugs and fewer security vulnerabilities. WireGuard also boasts faster and safer cryptography, called cryptokey routing.

    As the creators stated themselves, there are some trade-offs that come in the form of voiced concerns during WireGuard’s initial hype phase. Let’s address them:

    • WireGuard stores connected IP (Internet Protocol) addresses; 
    • WireGuard doesn’t obfuscate the user’s connection;
    • WireGuard doesn’t assign dynamic IP addresses.

    These issues aren’t relevant to most VPN service providers because they configure the protocol themselves.

    At Surfshark, we don’t store your connected IP address. At the same time, we assign dynamic IP addresses to all our users and obfuscate their connection as a layer on top.

    So whatever issues WireGuard has as a VPN protocol, as a VPN provider, we fix them on our end.

    What platforms can you use WireGuard on?

    As a standalone, WireGuard is available on many different platforms — Windows, macOS, Ubuntu, Android, and iOS platforms.

    The full list of software that can run WireGuard or integrate it: Debian, Fedora, Mageia, Arch, OpenSUSE/SLE, Slackware, Alpine, Gentoo, Exherbo, NixOS, Nix on Darwin, OpenWRT, Oracle Linux 8, Red Hat Enterprise Linux 8, CentOS 8, Oracle Linux 7, Red Hat Enterprise Linux 7, CentOS 7, FreeBSD, OpenBSD, Termux, Void, Adélie Linux, Source Mage, Buildroot, EdgeOS, AstLinux, Milis, and macOS Homebrew and MacPorts.

    To find the finer details on installation, follow WireGuard’s install page.

    Connections leading from WireGuard to Android, macOS, iOS, Windows, and Linux.

    Whether WireGuard is supported or not as a VPN protocol depends on what devices your provider configures it on.

    The Surfshark VPN app currently supports WireGuard on these operating systems: Windows, Android, macOS, iOS, and Linux.

    Try out Wireguard at your own speed

    Overall, WireGuard is great — it’s fast, lightweight, secure, and easy to scale. And it only gets better as a VPN protocol.

    If you want to experience it in action — try Surfshark. Our service runs amazingly with WireGuard!

    “WireGuard” is a registered trademark of Jason A. Donenfeld

    Experience prime protocol protection
    With WireGuard
    Surfshark

    FAQ

    Is WireGuard a VPN?

    Since it’s designed as a general-purpose VPN, Wireguard can be used as a protocol (part of a VPN) and a VPN, especially for those who want to build a private network themselves using state-of-the-art cryptography.

    Is WireGuard free?

    Yes, WireGuard is free and open-source. It’s been designed with the intention to be freely implemented and used by VPN developers or tech-savvy privacy enthusiasts.

    Does WireGuard mask your IP?

    For those setting up their own home VPNs using WireGuard (WireGuard VPN server), it doesn’t mask your IP — it displays your public IP address and location. WireGuard also logs user data and assigns the same IP address each time.

    If you want to hide your public IP, route your outgoing WireGuard VPN traffic through another VPN to hide your home public IP. Just to be clear, this is not an issue for those with a subscription to a premium VPN provider.

    Can WireGuard be hacked? 

    VPN services can be hacked, but it’s exceptionally challenging. WireGuard protocol combined with AES or ChaCha encryption is almost impossible to decrypt using the most common hacking technique — brute force attacks.

    In the current state, a hacker would need to spend hundreds of years trying to crack WireGuard to get anywhere. 

    Is WireGuard a good VPN protocol?

    WireGuard is one of today’s safest, most secure VPN protocol options. Simplified design, modern cryptography, and superior default security settings make WireGuard stand out.

    What port does WireGuard use?

    WireGuard’s default port is 51820. If you wish to use additional tunnels, you must use a different port. The GUI (Graphical User Interface) will automatically suggest the next highest available port.

    Does Surfshark work with WireGuard?

    Yes! Surfshark has implemented WireGuard on all apps and platforms.

    Why is WireGuard important?

    WireGuard is simpler to configure, debug, and deploy, thanks to fewer lines of code, which is around 4000 lines. Other protocols like IPSec and OpenVPN have larger codebases, which may pose a risk of security vulnerabilities lurking below the larger attack surface area.

    It’s built to provide the same level (if not better) of security with less hassle. WireGuard was created to simplify complex and not-so-efficient VPN protocol architecture. It aimed to provide a streamlined and secure VPN protocol that outperforms its competitors.