VPN technologies are rarely the subject of much scrutiny: yes and no. Wireguard creator Jason A. Donenfeld turned out to be lucky after Linus Torvalds' harshly laudatory assessment of the code quality.
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.
Shortly thereafter, Wireguard ended up in the upstream of the stable Linux kernel. What makes Wireguard so great and different from other VPNs?
Encryption: Differences between Wireguard and OpenVPN
Wireguard takes a minimalist and no-nonsense approach to encryption, deliberately eliminating the flexibility and protocol choices that are too expensive. If there is no choice of protocols, there is no negotiation process in which security holes are traditionally found. In addition, SSL / TLS vulnerabilities, coming in an even stream, also do not favor the wealth of choice.
Wireguard
- — 4000 Wireguard.
- :
- ChaCha20 AEAD RFC7539;
- Poly1305 , AEAD RFC7539;
- Curve25519 — Diffie-Hellman;
- Blake2 — RFC7693 -;
- SipHash2-4 — ;
- HKDF — ;
- UDP - as a transport layer protocol;
- Perfect forward secrecy is the principle of preventing compromise of session keys.
Unlike OpenVPN, Wireguard does not use X.509 certificates and has no associated issues . Instead, Wireguard uses asymmetric public and private key encryption.
OpenVPN encryption protocols
OpenVPN supports many cryptographic algorithms using the OpenSSL library . More specifically, the following algorithms are used for encryption and authentication. Such functions are available for hash sums. OpenVPN in conjunction with OpenSSL supports PKI standards RSA, DSA and ECDSA, but not all of them are suitable for all user scenarios. For example, ECDSA keys have not yet received widespread support from root CAs.
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 rc5 rc5-cbc
rc5-cfb rc5-ecb rc5-ofb seed
seed-cbc seed-cfb seed-ecb seed-ofb
sm4-cbc sm4-cfb sm4-ctr sm4-ecb
(1:701)$ openssl dgst --list
Supported digests:
-blake2b512 -blake2s256 -md4
-md5 -md5-sha1 -mdc2
-ripemd -ripemd160 -rmd160
-sha1 -sha224 -sha256
-sha3-224 -sha3-256 -sha3-384
-sha3-512 -sha384 -sha512
-sha512-224 -sha512-256 -shake128
-shake256 -sm3 -ssl3-md5
-ssl3-sha1 -whirlpool
- UDP / TCP - as a transport layer protocol;
- Perfect forward secrecy is the principle of preventing compromise of session keys.
Conclusions on encryption and security standards
Wireguard is architecturally more secure due to the fact that the attack surface is much smaller compared to OpenVPN. Nevertheless, OpenVPN is considered to be very secure and reliable, having undergone independent code audits many times. Due to this, OpenVPN benefits from a conservative approach to choosing a VPN solution.
At the same time, the lack of flexibility and choice of encryption method creates significant obstacles for the use of Wireguard in the corporate segment of VPN users. Imagine a typical situation for our employees in which employees connect to a work network via VPN from various devices. In such a situation, lack of flexibility and choice will create many more problems than it can eliminate them.
Performance comparison
Since Wireguard is implemented in kernel space and OpenVPN is in user space, the former should have a speed advantage. This is due to the fact that packages are constantly copied from one space to another, and in addition, a constant background OpenVPN service is required.
All this needs to be checked in practice, fortunately there are many speed measurements for VPN tunnels. To get started, you can take a look at the VPN derby results from the author of Wireguard himself. Here are some details and measurement results.
- Technologies - IPSEC, OpenVPN and Wireguard;
- Processors IntelCore i7-3820QM and Intel Core i7-5200U;
- Network cards - Intel 82579LM and Intel I218LM gigabit Ethernet;
Comparison of VPN performance by Jason A. Donenfeld
In both throughput and ping response tests, Wireguard significantly outperformed OpenVPN, as well as the two IPSec variations. In addition, during the throughput test using OpenVPN and IPSec, CPU utilization reached 100% . At the same time, the use of Wireguard did not load the central processor so much, thereby making it possible to completely utilize the resources of the Gigabit Ethernet network card.
It is natural to assume that the author of Wireguard may be biased in scripting and interpreting the results of measuring the performance of VPN technologies. Therefore, it makes sense to look at other speed tests of different VPNs. Fortunately, all that is needed for this is a VPS server, VPN and iperf3 package.
But other similar tests show Wireguard's superiority in performance tests.
Comparison of Wireguard and OpenVPN Performance
An unexpected fact is that openvpn-tcp is faster than openvpn-udp, but upon closer inspection, everything falls into place. TCP stream has fewer completed tests than UDP. In any case, Wireguard shows the best performance results here too.
In the same series of tests, it is interesting to compare the speed of a VPN connection depending on the number of open sockets. With an increase in their number, Wireguard performance drops abruptly, although it continues to be higher than openvpn-tcp and openvpn-udp.
Comparison of Wireguard and OpenVPN performance depending on the number of open sockets. TestID 0-600 corresponds to openvpn-udp, 700-1200 to openvpn-tcp and 1300-1800 to Wireguard
Conclusions on VPN connection speed
Synthetic speed tests from various authors using the iperf3 package suggest Wireguard is faster than OpenVPN.
Data privacy
VPN protocols place much more emphasis on connection security than on privacy. However, the possibility of maintaining anonymity also matters - who wants to write explanatory notes on the fact of downloading an Oracle textbook, or a Cisco topology emulator? Nothing betrays a violation as well as the user's IP address.
Wireguard settings explicitly contain the IP addresses of users and this circumstance will not allow them to go unnoticed after the server is interested in law enforcement agencies. Of course, you won't be able to read the network traffic, but you can identify the participants in the secure connection.
Setting up a Wireguard secure connection itself is pretty straightforward. Installation first.
(1:530)$ sudo emerge -av wireguard-modules wireguard-tools
These are the packages that would be merged, in order:
Calculating dependencies... done!
[binary N ] net-dns/openresolv-3.11.0 USE="(-selinux)"
[binary N ] virtual/resolvconf-1
[ebuild N ] net-vpn/wireguard-modules-1.0.20201221 USE="module -debug -module-src"
[binary N ] net-vpn/wireguard-tools-1.0.20200827 USE="wg-quick"
Would you like to merge these packages? [Yes/No]
We create public and private keys.
(1:531)$ wg genkey | tee privatekey | wg pubkey > publickey
Next, you need to configure the /etc/wireguard/wg0.conf file.
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24, fdc9:1f28:04d7:9ee9::1/64
SaveConfig = true
ListenPort = 51820
PrivateKey = 2JtKAUFzecmgIVzbscQh3iUZrZanxIzvbejcIkvC5Hk= #PEER_A_PRIVATE_KEY
[Peer]
PublicKey = rgqd1cHKgRWX3IkYYSlrKA/SW3qZUhSJMqwTq4+3eFs= #PEER_B_PUBLIC_KEY
PresharedKey = PEER_A-PEER_B-PRESHARED_KEY
AllowedIPs = 10.0.0.2/32, fdc9:1f28:04d7:9ee9::2/128
Endpoint = pb.example.com:51280
The second participant of the connection must configure the same file at himself, indicating his private key and the public key of participant A. To establish a connection, each party performs.It
wg-quick up interface_name.
can be seen that when configuring Wireguard, the IP address or the host name is set explicitly and will be visible in system log files and SNMP tables until the server is rebooted.
OpenVPN better protects the confidentiality of client connections, since it does not require the IP addresses or network names of client computers to be entered before establishing a secure connection.
Conclusions on data privacy
In this nomination, OpenVPN has a definite advantage due to the fact that only Wireguard assumes storing users' IP addresses on a VPN server for a long time.
Bottom Line: Which VPN to Choose?
There are a myriad of custom VPN use cases out there, and the same recommendation is unlikely to be good for everyone. Accordingly, for different scenarios, two groups can be distinguished with the most suitable VPN solution.
- If you are a regular user;
- You need a VPN to bypass any ridiculous RKN restrictions;
- speed matters to you, for example, for file sharing, or the operation of your application;
Use Wireguard.
- Business users of medium and large companies using VPN for remote access to the internal network;
- business users who provide remote access via VPN to IT resources containing confidential data or trade secrets;
- anyone who needs a reliable and time-tested VPN solution;
Better use OpenVPN.
Well, you already know which VPS to take for VPN.