Why are so many people switching to VPN services that support the WireGuard protocol? The answer is simple: WireGuard offers numerous benefits over legacy protocols like OpenVPN.
This article covers everything you might want to know about the WireGuard VPN protocol and the best VPNs that support it. We also answer some frequently asked questions about WireGuard and share some tips and tricks to better optimize performance.
For those who are short on time, here are the best VPNs that support WireGuard in 2022:
- NordVPN – Full WireGuard support in all apps, extremely fast speeds, and tons of privacy and security features
- Surfshark – A fast and affordable VPN with WireGuard support in all apps (except Linux)
- OVPN – This Swedish VPN supports WireGuard directly in desktop and mobile apps, with solid speeds
- VyprVPN – A Switzerland VPN with WireGuard support for Windows, Mac OS, Android, and iOS apps
Why we like the WireGuard VPN protocol
Aside from being fans of the shiny new thing, here's a list of substantial reasons why we like WireGuard so much:
- Modern cryptography
- Tiny code base
- Better performance
- Cross-platform support
- Raw speed
Jason Donenfeld, the creator of WireGuard, has said that while implementing WireGuard he wanted to upgrade “outdated” protocols like OpenVPN and IPSec. According to his WireGuard.com website, “WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.”
If you really want to dig into the cryptography used to implement WireGuard, you can get the hardcore info in the technical white paper [PDF].
Tiny code base
The more capabilities you build into a VPN protocol, the greater the amount of computer code you need to implement it. For example, OpenVPN along with OpenSSL (which provides encryption and authentication) comprise approximately 600,000 lines of code.
Mr. Donenfeld didn't try to replicate all the features of OpenVPN, instead opting to build a fast and secure, but limited protocol. As a result, the WireGuard VPN protocol only requires about 4,000 lines of code. Reducing the number of lines of code in the WireGuard protocol yields a number of benefits. They include:
- Easier auditing – Not surprisingly, 4,000 lines of code are easier to audit than 600,000 lines of code. The easier the code is to audit, the more likely it is that the auditors will find any vulnerabilities. Over time, this can make WireGuard a more secure protocol than those with hundreds of thousands of lines of code.
- Smaller attack surface – The attack surface of software is the number of places where a hacker could try to break into the software. Fewer lines of code means fewer locations for a hacker to attack that code, reducing the attack surface. All other things being equal, a smaller attack surface means more secure software.
WireGuard delivers several performance benefits when compared to other VPN protocols. The relatively small size of the code base helps the protocol to be faster than the competition. So does the fact that WireGuard is built with extremely high-speed cryptographic primitives.
In addition, the Linux kernel supports WireGuard. This makes WireGuard even faster on systems that use the Linux kernel, including Android, which is based on Linux.
While the actual performance of a VPN that uses WireGuard will depend on many factors beyond WireGuard, that VPN should display better performance in the following areas:
- Higher speed data transfers means less time spent actively transmitting and receiving data
- Greater battery life on mobile devices thanks to faster data transfers and less computational overhead
- Built-in roaming support
- Faster handshaking when connecting to networks
Looking at this list, it is clear that WireGuard has many characteristics that are ideal for use on mobile devices. Even though I am using an “ancient” Samsung s9+ on slow 3G networks, I never notice problems with data transfers or transitions from one cell tower coverage zone to the next.
The WireGuard protocol is now supported on all the major platforms: Windows, Mac OS, and Linux, plus Android and iOS apps. As we pointed out earlier, the Linux support is particularly interesting. That is because the Linux developers decided to support WireGuard by integrating it into the Linux kernel.
The kernel is the core of the operating system. Among other things, it has direct access to the hardware of the system. Most programs on Linux systems run in User Mode (a.k.a. User Mode Linux, or UML). Programs running in User Mode do not have direct access to the system hardware. They must send requests to the kernel which passes along commands to the hardware.
This means that software running in the Linux kernel can be faster than programs running in UML. And that should lead to WireGuard VPNs running on Linux being particularly fast. We've got our eyes open for any definitive reporting on this subject.
I know I (and everyone else) keep talking about how fast WireGuard is. While we are not set up to do tests of the protocols themselves without the VPNs they run on, we do have results of our own testing. We've found that switching VPN protocols from OpenVPN to WireGuard without changing anything else results in around a 40% speed increase.
We also found that NordVPN running with its WireGuard app turned in the fastest result we ever saw. Running on a 500 Mbps fiber optic internet connection and connecting to a nearby server, our speed test showed a download speed of almost 456 Mbps.
This is by far the fastest test result we have ever recorded. We've seen impressive speed increases for every VPN that supports WireGuard so far. The rumors of WireGuard's impressive speed are definitely true.
The WireGuard protocol and privacy
To reiterate, the WireGuard protocol was designed to be fast and secure. It was not designed to be private. Any VPN provider that supports WireGuard needs to address the privacy issue. In this section you'll see what the problem is, and how leading VPN providers are addressing it.
The default WireGuard protocol stores user IP addresses indefinitely
As I mentioned earlier, the WireGuard VPN protocol was designed for maximum speed and security, not for privacy. Those design goals resulted in WireGuard saving connected IP addresses on the server. Those user IP addresses remain on the server until it is rebooted.
Keeping user IP addresses on the server is effectively logging the identity of users. In other words, the default WireGuard design is not suitable for use in no-logs VPN services.
VPN providers have had to come up with solutions to this problem in order to gain the benefits WireGuard offers. Here are two of the solutions that are being used by no-logs VPNs with WireGuard.
A double NAT system: NordVPN and Surfshark
NordVPN developed the double NAT (Network Address Translation) system and combined that system with WireGuard in their NordLynx VPN protocol. Surfshark also uses a double NAT system in conjunction with WireGuard.
Explaining how a double NAT system works can be difficult, so we'll let the good folks at NordVPN take a stab at it. From the NordVPN website:
To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
Only the dynamically-assigned IP address remains on the VPN server, and that is only until the user session ends. Your actual IP address is known to a separate, secure authentication server but is never saved on a VPN server.
You can find more info about how WireGuard and the NordLynx protocol work on the NordVPN website.
Erasing IP addresses as soon as a session ends: OVPN and VyprVPN
While the default WireGuard implementation keeps a log of IP addresses until the server is rebooted, this information is only needed as long as a VPN connection is active. OVPN and VyprVPN resolve this log problem by deleting the logged addresses as soon as the session ends. As the VyprVPN team explains it:
The VyprVPN implementation provisions a WireGuard configuration on-demand for every connection and nothing is left behind on the server after you disconnect. There is simply no static configuration left behind.
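One way an operator could apply the "delete it when the session ends" approach described above, shown as an added example (it is not OVPN's or VyprVPN's code): it parses `wg show <interface> dump` output and lists peers that still have a stored endpoint but have not completed a handshake recently, so they can be dropped with `wg set <interface> peer <key> remove`. The 180-second threshold, the function names and the sample dump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find WireGuard peers whose session has ended so the
# operator can remove them, along with the endpoint IP the interface
# still remembers for them.
#
# `wg show <iface> dump` prints tab-separated lines. Line 1 describes the
# interface; every later line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive

# Assumption: a peer with no handshake for this many seconds has disconnected.
STALE_AFTER=${STALE_AFTER:-180}

# stale_peers NOW < dump
# Prints the public key of every peer that has a stored endpoint and whose
# latest handshake is older than STALE_AFTER seconds (0 means "never").
stale_peers() {
    awk -F '\t' -v now="$1" -v max="$STALE_AFTER" '
        NR == 1        { next }   # interface line, not a peer
        NF < 8         { next }   # malformed or truncated line
        $3 == "(none)" { next }   # no endpoint stored, nothing to erase
        $5 == 0 || now - $5 > max { print $1 }
    '
}

# prune_commands IFACE NOW < dump
# Prints (does not run) the wg command that would drop each stale peer.
prune_commands() {
    iface=$1
    stale_peers "$2" | while IFS= read -r key; do
        printf 'wg set %s peer %s remove\n' "$iface" "$key"
    done
}

# Constructed sample of dump output. Keys are placeholders, addresses come
# from documentation ranges, and "now" is taken to be 1700000000.
sample_dump() {
    printf 'iface-private-key=\tiface-public-key=\t51820\toff\n'
    # handshake 30 s ago: session still active, keep
    printf 'peerA-constructed-key=\t(none)\t198.51.100.7:40001\t10.0.0.2/32\t1699999970\t1024\t2048\toff\n'
    # handshake 1 h ago: session over, endpoint still stored
    printf 'peerB-constructed-key=\t(none)\t203.0.113.9:40002\t10.0.0.3/32\t1699996400\t4096\t8192\toff\n'
    # provisioned but never connected: no endpoint on record
    printf 'peerC-constructed-key=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n'
}

# Demo on the constructed sample. Against a live interface the input would be:
#   wg show wg0 dump | prune_commands wg0 "$(date +%s)"
sample_dump | prune_commands wg0 1700000000
```

A removed peer cannot reconnect until it is added again, so this only fits a service that provisions the peer entry on demand at login, as the VyprVPN quote describes.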
A double NAT system vs erasing the logs as soon as possible: Which is better?
There are pros and cons to each of these approaches. With the double NAT system, user data is never stored on the VPN server. With the “erase the logs” approach, user data is stored on the server while the network connection is active. Theoretically, an attacker could break into a server while sessions are active and capture user addresses.
At the same time, a double NAT system is much more complicated than the “erase the logs” approach. This theoretically results in a larger attack surface for a hacker to target. A double NAT system also requires a separate authentication server which an attacker could theoretically target.
Only time will tell if either (or both) approach can ever be exploited in practice.
The problem of static IP addresses in WireGuard
Any WireGuard VPN provider that chooses to use the protocol's static IP address approach has a second consideration to deal with. Keeping a static IP address on the server for any length of time poses a few risks. One is WebRTC leaks. Such a leak would pass the real IP address of a user to connected websites. Malicious software running on your device might also be able to see the real addresses of users.
OVPN has also voiced concerns that using static internal addresses could become a problem when tens of thousands of users are connecting at the same time.
OVPN and other WireGuard VPN services have come up with solutions for this problem as well. They allow you to regenerate keys, which causes the system to rotate IP addresses, mitigating potential privacy problems.
The OVPN website has more information on this topic and how they implement WireGuard.
You can also help to mitigate the static IP address problem by blocking or disabling WebRTC in your web browser. How this is done varies depending on which web browser you are using. You'll need to check the documentation for your particular browser version to find the correct steps.
…you could switch to a secure web browser that disables WebRTC for you. See our guide to secure browsers for several options.
Now that we’ve got all that behind us, are you ready to learn about the best WireGuard VPN providers?
WireGuard VPN providers
Here are short reviews of our top 4 picks for the best VPNs for WireGuard.
NordVPN – The best WireGuard VPN for 2022
| Logs | No logs (audited) |
| Support | 24/7 chat; email |
If you've been coming to Security Tech for any length of time, you know that NordVPN is one of our favorite VPNs. Once again, this Panama-based VPN provider takes the top spot in another category. Among all its other sterling attributes, NordVPN has full WireGuard support built into their NordLynx VPN protocol.
The NordLynx protocol resolves WireGuard privacy concerns using a double NAT system. During our VPN tests, we found that NordLynx didn't display any leaks, while at the same time being super fast. As I mentioned before, on one test, NordVPN with NordLynx active delivered a download speed of just under 446 Mbps.
Note: To see how NordVPN's speed compares to that of Surfshark, the next fastest VPN around, check out our NordVPN vs Surfshark writeup.
NordVPN excels at privacy and security. They have had their no-logs status audited twice by independent auditors. They also completed a full security audit and penetration testing, again conducted by outside auditors. Not many VPN providers have done anywhere near this much to ensure your privacy and security.
Not an organization to rest on its laurels, NordVPN now has all servers in the network running in RAM-disk mode (diskless mode) making it impossible to store any user data or malware on the VPN server. Now they are deploying self-owned (co-located) servers throughout their network, putting all VPN servers under their control. Last but not least, they are installing 100 Gbps routers at key points to ensure that data keeps moving smoothly and quickly through their network.
Using WireGuard with NordVPN is easy. Simply open the VPN app and select the NordLynx protocol. Then connect to a VPN server and you are done. The VPN client (app) handles all the details of key generation and address management for you.
Full WireGuard support is built into the NordVPN apps for Windows, Mac OS, and Linux, as well as the iOS and Android apps.
More noteworthy NordVPN features
Whether you use NordLynx (WireGuard) or one of the other VPN protocols supported by NordVPN, you have access to an array of advanced security and privacy features. They include:
- Double-VPN servers – Passing your traffic through two different encrypted tunnels as it flows between two different VPN servers located in two different locations. This makes it extremely difficult for hostile forces to track where you go and what you do online.
- Onion-over-VPN servers – Get the security and privacy of NordVPN as well as the anonymity of the Onion (Tor) network for additional anonymity. NordVPN encrypts your data and hides your real IP address before passing your data through the Onion network. Your data is secure even if it passes through a corrupted onion server, entry node, or exit node.
- Obfuscated servers – By making your VPN traffic look like HTTPS (HTTP Secure) web traffic, it becomes effectively invisible to internet censors and other snoops. Very helpful if you need to work around various internet blocks.
- CyberSec – This NordVPN feature protects you from, “ads, unsafe connections, and malicious sites.” Not surprisingly, Google does not allow NordVPN to post an app with ad blocking in the Google Play store. You can download an Android VPN app that can block ads directly from the NordVPN website.
NordVPN is ranked as our best VPN for Netflix. It can give you access to many Netflix regional libraries, and stream the content extremely fast, without the jitter and delays and degraded video quality that lesser competitors provide.
If you would like to give this great VPN a try you can get a great price using the coupon below. The company offers a 30 day money back guarantee so you have plenty of time to put it through its paces before making a long-term commitment.
To learn more about the leading WireGuard VPN, check out our complete NordVPN review.
Surfshark VPN – A high-quality, low-cost WireGuard VPN provider
| Support | 24/7 chat; email |
Surfshark, based in the British Virgin Islands (BVI), gives you a very interesting proposition: It is a high-quality no logs VPN provider that works great, has strong WireGuard support, is extremely fast, and allows for unlimited simultaneous connections. Yet it is priced with the budget VPN providers. Want to know more? Keep reading.
Surfshark is only a few years old but has blasted past VPN services that have been around much longer. It is a strong general-purpose VPN service that supports WireGuard on most major operating systems (Linux support is still under development). When you activate WireGuard, Surfshark becomes the second-fastest VPN that we have ever seen.
Like NordVPN, Surfshark uses a double NAT system to compensate for WireGuard's inherent privacy weaknesses. Your address will never appear on a server for some creepy hacker to steal.
To get started with WireGuard on Surfshark just open your Surfshark app and go to Settings. Enable WireGuard and get ready to experience a major speed increase. Surfshark is pretty slow when using the default OpenVPN protocol, so it is definitely worth the minimal hassle of activating WireGuard.
When we tested Surfshark with WireGuard selected, we saw major speed increases relative to OpenVPN. In fact, we clocked one test with a speed of 397 Mbps on our 500 Mbps test connection.
This result makes Surfshark the second fastest VPN we have ever tested. The benefits of WireGuard are clear, even when compared against ExpressVPN and its new Lightway protocol. You can see how this head to head speed testing worked out in our ExpressVPN vs Surfshark comparison.
More noteworthy Surfshark VPN features
Like NordVPN, Surfshark also has several advanced security and privacy features you should know about:
- MultiHop (double-VPN) servers – route your VPN traffic through two servers located in different countries. Use this feature when you are seriously concerned that your online activities are being tracked.
- NoBorders mode – Switches you to specialized servers when you are connected to a restricted network. Designed to get you around these restrictions.
- Camouflage mode – Obfuscates your VPN traffic by making it look like regular HTTPS encrypted traffic. Automatically activated when you are using OpenVPN.
- CleanWeb – This Surfshark feature blocks ads, trackers, and malware domains. Your web pages may even load faster because CleanWeb blocks so much useless or harmful junk from ever reaching your device.
Surfshark is one of the best VPNs for streaming video that you will find. It works with a huge variety of streaming services and can defeat the geo-blocking software many services use to control who can view their content in any particular region of the world.
You can get yourself a Surfshark VPN subscription at a great price using the discount below. And while you are testing, don't forget that Surfshark supports an unlimited number of simultaneous connections so you never have to worry about running out of usable connections. Take advantage of the 30 day money back guarantee to assure yourself that of all the VPN services on the market, Surfshark is the one for you.
If this VPN service sounds appealing to you, you'll learn more in our full Surfshark VPN review.
OVPN – A niche VPN with growing WireGuard support
OVPN, a Swedish VPN service, takes the quality over quantity approach to business. They have a small network of colocated, high-end servers, and concentrate on the core functions of a VPN: security and privacy.
OVPN has had some level of WireGuard support since the end of 2020, with WireGuard integrated into their mobile apps for some time. Earlier this year the company announced that the WireGuard protocol is finally integrated into their desktop apps.
Note: We have not yet had an opportunity to test OVPN's new WireGuard-enabled desktop apps. We'll update this section once we have test results, particularly speed test results.
OVPN gives you quite a few advanced options for configuring exactly how the VPN functions.
What OVPN doesn't give you is strong streaming options. While it does have some limited streaming capabilities, the other VPNs we cover here are all better options if streaming is a top priority for you.
But if great security and privacy in a small, high-quality WireGuard VPN is what you seek, OVPN could be your answer. Just beware that unlike services such as NordVPN with their 30-day guarantees, OVPN offers a 10 day money back guarantee.
For more information on this quality WireGuard VPN service, see our full OVPN review.
VyprVPN – Strong WireGuard performance at a premium price
VyprVPN has been around for several years, doing okay but nothing spectacular. But in 2021, VyprVPN made numerous strides that moved it into the top rank of VPNs. Based in Switzerland, it is an audited no-logs VPN provider that has included WireGuard in most of their VPN apps since 2020.
Note: The VyprVPN team doesn't have WireGuard working in their Linux app yet, as we also saw with Surfshark.
Their WireGuard implementation is reliable. They deal with the WireGuard privacy issue by maintaining address information while a connection is active, then immediately deleting it.
VyprVPN is fast too. We've seen speed test results hitting over 300 Mbps, clearly making it one of the fastest VPN services around.
Like OVPN, VyprVPN owns every server in their network, which lets them ensure that their hardware is secure and well maintained.
Unlike OVPN, VyprVPN does a good job connecting to and unblocking streaming services. This includes several Netflix regional libraries and streaming services like Disney Plus, Hulu, Amazon Prime, and more. Still, if streaming media is a top priority for you, you can do better than VyprVPN. See our NordVPN vs VyprVPN review for a comparison.
Note: VyprVPN recently increased their prices, going from one of the cheapest VPNs that implemented WireGuard to one of the most expensive. Their current lowest price is now $8.33 per month. They do still offer a 30 day money-back guarantee so you have plenty of time to test everything and see if it's worth the price.
To get the full story on this WireGuard VPN provider, click through to our full VyprVPN review.
WireGuard VPN FAQ
Here are answers to some of the most common questions about VPNs and VPN providers that implement WireGuard.
Here at SecurityTech, we believe that, properly integrated into a no logs VPN, the WireGuard VPN protocol is superior to OpenVPN and other existing VPN protocols. Even though it is a relatively new VPN protocol, it is faster and more secure than older protocols. It should use less battery power and mobile data than older protocols, while also switching between mobile networks so fast that you will probably not even notice the switch.
For the vast majority of our readers, WireGuard is superior to other VPN protocols.
WireGuard is extremely secure. It uses modern encryption algorithms, and the code is less vulnerable to attack than that of protocols like OpenVPN. So from that perspective, WireGuard is definitely safe.
But WireGuard itself is not a private protocol. So if your definition of a “safe VPN” includes privacy, WireGuard by itself is not safe. A VPN that uses WireGuard needs to address the privacy issue to be considered safe in this case.
The WireGuard protocol works similarly to other VPN protocols. It uses modern encryption and networking code to create a secure (encrypted) tunnel through the internet. When used in a VPN service, the tunnel connects your device to a VPN server. The VPN server then connects to the website you are browsing.
The design of WireGuard makes it extremely fast, both to transfer data and to reconnect when moving between wireless hotspots. It has great potential for both desktop and mobile use.
It is hard for us to give an exact value for the speed of WireGuard. We test VPNs that implement WireGuard, not the WireGuard protocol itself. That means our test results are influenced by which WireGuard VPN providers we are testing, and the specific VPN servers we are connecting to for each test.
There are two things I can say about the speed of WireGuard. First, we have found that VPNs with WireGuard support download data faster when they are using WireGuard than when they are using OpenVPN. Second, so far we have found that VPNs using WireGuard are always faster than VPNs that don't use WireGuard.
This depends on your definition of better. WireGuard is faster, both connecting and reconnecting, as well as in transferring data. WireGuard appears to be more secure than OpenVPN and is lighter on battery use in mobile devices. However, OpenVPN is more private than WireGuard.
To use WireGuard in a no-logs VPN, the VPN provider must do something to address the privacy issue. Our top two current picks for the best WireGuard VPN, NordVPN and Surfshark, both use a double NAT system to address WireGuard's lack of privacy.
NordVPN does support the WireGuard protocol, although it doesn't surprise me that you didn't realize it. This is because NordVPN has incorporated WireGuard into their NordLynx VPN protocol. NordLynx combines WireGuard with a double NAT system, resulting in a protocol that has the speed and security of WireGuard, as well as privacy sufficient for use in a no-logs VPN like NordVPN.
Yes, WireGuard does work on Android. It is actually a great option to use on an Android device. WireGuard has much less code and needs to transfer less data than competing protocols, making it more energy efficient. It also reconnects much faster than OpenVPN when your connection moves from one mobile hotspot to the next.
The WireGuard protocol itself only supports UDP tunneling. According to the Known Limitations page on the WireGuard website, this is because of the, “classically terrible network performance of tunneling TCP-over-TCP”. Refer to the WireGuard site for more information on how WireGuard handles TCP.
Conclusion: Use a good WireGuard VPN service in 2022
The WireGuard VPN protocol is here to stay. It is fast and secure, and VPN services have figured out how to address its privacy issues. VPN companies are taking advantage of this new protocol to deliver new levels of performance without sacrificing your security or privacy.
It is time to take the leap and test drive some of the best VPNs that support the WireGuard protocol. Here are our current recommended services, along with discount-price links you can use to get the best deal possible.
This WireGuard VPN guide was last updated on March 28, 2022.