Defining the WireGuard protocol

WireGuard is a relatively new, open-source VPN protocol that was first launched for the Linux kernel. Since then, it has been adapted for widely used platforms: Android, Windows, iOS, and macOS. Its strength lies in easily auditable, lightweight code and strong cryptographic primitives.

WireGuard presents an extremely basic yet powerful interface.

How WireGuard differs from other popular tunneling protocols

Getting rid of enormous code bases. Where OpenVPN utilizes about 400,000 lines of code, WireGuard has under 4,000. A code base of this size is less susceptible to security vulnerabilities, as it's easier to manage and configure properly.

Using high-speed cryptographic primitives. In the hope of outperforming established VPN protocols, WireGuard encrypts your data using thoroughly tested, modern protocols and primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing
  • SipHash24 for hashtable keys
  • HKDF for key derivation

Connection handshakes taking place every few minutes. These handshakes rotate the keys to provide perfect forward secrecy. The so-called connectionless protocol minimizes packet loss during handshakes while providing users with smooth performance.

Simply put, WireGuard stands out in the over-engineered landscape of VPN protocols. And while it's still in the development stage, the speed, ease of use, and state-of-the-art cryptography make for an appealing security solution.

By launching WireGuard, we're further improving the speed and overall performance of our VPN, which has already been rated as top 3 by download speed in the AV-Comparatives VPN Report.

Additional privacy safeguards: using double NAT

We give a dynamic IP to all WireGuard users, rather than a static one, so that every time you connect to a VPN server using WireGuard, your IP address is different.

As you're given a different IP address each time, there's no incentive to save any identifiable data on a server. This is possible thanks to WireGuard's extremely modular and easy-to-deploy architecture, which allows for all manner of IP provisioning schemes.

With the double NAT method in place, Surfshark can offer you WireGuard with excellent privacy-preserving traits. It perfectly complements our RAM-only server network, which we finished implementing earlier this year in pursuit of more private and transparent practices across the field.

“WireGuard” is a registered trademark of Jason A. Donenfeld