The WireGuard VPN revolution is in full swing. Why are so many people switching to VPN services that support the WireGuard protocol? The answer is simple: WireGuard offers numerous benefits over legacy protocols like OpenVPN.
In this article, we've covered all the basics you need to know about the WireGuard VPN protocol. We've also given you quick overviews of the best WireGuard VPN services available today. And we've wrapped up the article with some frequently asked questions about the WireGuard protocol, as well as some tips and tricks to optimize performance.
For those who are short on time, here are the best VPNs that support WireGuard in 2023:
- NordVPN – Full WireGuard support in all apps, extremely fast speeds, and tons of privacy and security features [63% Off Coupon]
- Surfshark – A fast and affordable VPN with WireGuard support in all apps (except Linux)
- OVPN – This Swedish VPN supports WireGuard directly in desktop and mobile apps, with solid speeds
- VyprVPN – A Swiss VPN with WireGuard support for Windows, Mac OS, Android, and iOS apps
Other WireGuard VPNs that didn't make the cut
There are certainly many other VPN services that support WireGuard, but they also come with limitations and drawbacks, based on our tests. For example, Mullvad is a great VPN that supports WireGuard, but we found it to not work well for streaming. Similarly, there are also VPNs like CyberGhost that support WireGuard, but we also found it to be very slow in our speed tests.
The best VPNs for WireGuard that we recommend in this guide have passed all of our VPN tests and are also the best well-rounded VPNs for all types of users. In short, our recommended VPNs perform well in all categories, not just a select few.
Why we like the WireGuard VPN protocol
Aside from being fans of the shiny new thing, here's a list of substantial reasons why we like WireGuard so much:
- Modern cryptography
- Tiny code base
- Better performance
- Cross-platform support
- Raw speed
Jason Donenfeld, the creator of WireGuard has said that while implementing WireGuard he wanted to upgrade “outdated” protocols like OpenVPN and IPSec. According to his WireGuard.com website,
WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.
Note: If you really want to dig into the cryptography used to implement WireGuard, you can get the hardcore info in the technical white paper [PDF].
A tiny code base
The more capabilities you build into a VPN protocol, the greater the amount of computer code you need to implement it. For example, OpenVPN along with OpenSSL (which provides encryption and authentication) comprises approximately 600,000 lines of code.
Mr. Donenfeld didn't try to replicate all the features of OpenVPN, instead opting to build a fast and secure, but limited protocol. As a result, the WireGuard VPN protocol only requires about 4,000 lines of code. Reducing the number of lines of code in the WireGuard protocol yields several benefits. They include:
- Easier auditing – Not surprisingly, 4,000 lines of code are easier to audit than 600,000 lines of code. The easier the code is to audit, the more likely it is that the auditors will find any vulnerabilities. Over time, this can make WireGuard a more secure protocol than those with hundreds of thousands of lines of code.
- Smaller attack surface – The attack surface of software is the number of places where a hacker could try to break into the software. Fewer lines of code mean fewer locations for a hacker to attack that code, reducing the attack surface. All other things being equal, a smaller attack surface means more secure software.
WireGuard delivers several performance benefits when compared to other VPN protocols. The relatively small size of the code base helps the protocol to be faster than the competition. So does the fact that WireGuard is built with extremely high-speed cryptographic primitives.
In addition, WireGuard is extra fast on systems that use the Linux kernel, including Android, which is based on Linux.
While the actual performance of a VPN that uses WireGuard will depend on many factors beyond WireGuard, that VPN should display better performance in the following areas:
- Higher-speed data transfers mean less time spent actively transmitting and receiving data
- Greater battery life on mobile devices thanks to faster data transfers and less computational overhead
- Built-in roaming support
- Faster handshaking when connecting to networks
Looking at this list, it is clear that WireGuard has many characteristics that are ideal for use on mobile devices. Even when I was using an “ancient” Samsung S9+ on slow 3G networks, I never noticed problems with data transfers or transitions from one cell tower coverage zone to the next.
The WireGuard protocol is now supported on all the major platforms: Windows, Mac OS, and Linux, plus Android and iOS apps. As we pointed out earlier, the Linux support is particularly interesting. That is because the Linux developers decided to support WireGuard by integrating it into the Linux kernel.
The kernel is the core of the operating system. Among other things, it has direct access to the hardware of the system. Most programs on Linux systems run in User Mode (a.k.a. User Mode Linux, or UML). Programs running in User Mode do not have direct access to the system hardware. They must send requests to the kernel which passes along commands to the hardware.
This means that software running in the Linux kernel can be faster than programs running in UML. And that should lead to WireGuard VPNs running on Linux being particularly fast. We've got our eyes open for any definitive reporting on this subject.
I know I (and everyone else) keep talking about how fast WireGuard is. While we are not set up to do tests of the protocols themselves without the VPNs they run on, we do have results of our own testing. We've found that switching VPN protocols from OpenVPN to WireGuard without changing anything else results in around a 40% speed increase.
We also found that NordVPN running with its WireGuard app turned in the fastest result we ever saw. Running on a 500 Mbps fiber optic internet connection and connecting to a relatively nearby server, our speed test showed a download speed of almost 456 Mbps.
This is by far the fastest test result we have ever recorded. We've seen impressive speed increases for every VPN that supports WireGuard so far. The rumors of WireGuard's great speed are definitely true.
About the WireGuard protocol and privacy
To reiterate, the WireGuard protocol was designed to be fast and secure. It was not designed to be private. Any VPN service that supports WireGuard needs to address the privacy issue. In this section, I'll explain what the problem is, and how leading VPN services are addressing it.
The default WireGuard protocol stores user IP addresses indefinitely
As I mentioned earlier, the WireGuard VPN protocol was designed for maximum speed and security, not for privacy. Those design goals resulted in WireGuard saving connected IP addresses on the server. Those user IP addresses remain on the server until it is rebooted.
Keeping user IP addresses on the server is effectively logging the identity of VPN users. In other words, the default WireGuard design is not suitable for use in no-logs VPN services.
VPN companies have had to come up with solutions to this problem in order to gain the benefits WireGuard offers. Here are two of the solutions that are being used by the best VPNs with WireGuard to maintain their no-logs status.
A double NAT system: NordVPN and Surfshark
NordVPN developed the double NAT (Network Address Translation) system and combined that system with WireGuard in their NordLynx VPN protocol. Surfshark also uses a double NAT system in conjunction with WireGuard.
Explaining how a double NAT system works can be difficult, so we'll let the good folks at NordVPN take a stab at it. From the NordVPN website:
To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same address.
Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.
The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active.
Only the dynamically-assigned IP address remains on the VPN server, and that is only until the user session ends. Your actual IP address is known to a separate, secure authentication server (see the image below) but is never saved on a VPN server.
You can find more info about how WireGuard and the NordLynx protocol work on the NordVPN website.
Erasing IP addresses as soon as a session ends: OVPN and VyprVPN
While the default WireGuard implementation keeps a log of IP addresses until the server is rebooted, this information is only needed as long as the connection to a VPN server is active. OVPN and VyprVPN resolve this log problem by deleting the logged addresses as soon as the session ends. As the VyprVPN team explains it:
The VyprVPN implementation provisions a WireGuard configuration on-demand for every connection and nothing is left behind on the server after you disconnect. There is simply no static configuration left behind.
A double NAT system vs erasing the logs as soon as possible: Which is better?
There are pros and cons to each of these approaches. With the double NAT system, user data is never stored on the VPN server. With the “erase the logs” approach, user data is stored on the server while the network connection is active. Theoretically, an attacker could break into a server while sessions are active and capture user addresses.
At the same time, a double NAT system is much more complicated than the “erase the logs” approach. This theoretically results in a larger attack surface for a hacker to target. A double NAT system also requires a separate authentication server which an attacker could theoretically target.
Only time will tell if either (or both) approach can ever be exploited in practice.
The problem of static IP addresses in WireGuard
Any WireGuard VPN service that chooses to use the protocol's static IP address approach has a second consideration to deal with. Keeping a static IP address on the server for any length of time poses a few risks. One is WebRTC leaks. Such a leak would pass the real IP address of a user to connected websites. Malicious software running on your device might also be able to see the real addresses of VPN users.
OVPN has also voiced concerns that using static internal addresses could become a problem when tens of thousands of users are connecting at the same time.
OVPN and other WireGuard VPN services have come up with solutions for this problem as well. They allow you to regenerate keys, which causes the system to rotate IP addresses, mitigating potential online privacy problems.
The OVPN website has more information on this topic and how they implement WireGuard.
You can also help to mitigate the static IP address problem by blocking or disabling WebRTC in your web browser. How this is done varies depending on which web browser you are using. You'll need to check the documentation for your particular browser version to find the correct steps.
…you could switch to a secure web browser that disables WebRTC for you. See our guide to secure browsers for several options.
Now that we’ve got all that behind us, are you ready to learn about the best WireGuard VPN providers?
The best WireGuard VPN providers
Here are short reviews of our top 4 picks for the best VPNs for WireGuard.
NordVPN – The best WireGuard VPN for 2023
|Logs||No logs (audited)|
|Support||24/7 chat; email|
If you've been coming to Security Tech for any length of time, you know that NordVPN is one of our favorite VPNs. Once again, this Panama-based VPN provider takes the top spot in another category. Among all its other sterling attributes, NordVPN has full WireGuard support built into its NordLynx VPN protocol.
The NordLynx VPN protocol resolves WireGuard privacy concerns using a double NAT system. During our VPN tests, we found that NordLynx didn't display any leaks, while at the same time being super fast. As I mentioned before, on one test, NordVPN with NordLynx active delivered a download speed of just under 446 Mbps.
Note: To see how NordVPN's speed compares to that of Surfshark, the next fastest VPN around, check out our NordVPN vs Surfshark writeup.
All of NordVPN's major apps have full WireGuard support. This means that if you use their Windows, macOS, Linux, Android, and iOS apps, all the benefits of WireGuard are only a few clicks away. NordVPN apps are also attractive and easy to use, like this Windows desktop app:
NordVPN excels at privacy and security. They have had their no-logs status audited multiple times by independent auditors. They also completed a full security audit and penetration testing, again conducted by outside auditors. Not many VPN providers have done anywhere near this much to ensure your privacy and security.
Not an organization to rest on its laurels, NordVPN now has all servers in the network running in RAM-disk mode (diskless mode) making it impossible to store any user data or malware on the VPN server. Now they are deploying self-owned (co-located) servers throughout their network, putting all VPN servers under their control. Last but not least, they are installing 100 Gbps routers at key points to ensure that data keeps moving smoothly and quickly through their network.
Using WireGuard with NordVPN is easy. Simply open the VPN app and select the NordLynx protocol. Then connect to a VPN server and you are done. The VPN client (app) handles all the details of key generation and address management for you.
Full WireGuard support is built into the NordVPN apps for Windows, Mac OS, and Linux, as well as the iOS, and Android apps.
More noteworthy NordVPN features
Whether you use NordLynx (WireGuard) or one of the other VPN protocols supported by NordVPN, you have access to an array of advanced security and privacy features. They include:
- Double-VPN servers – Pass your traffic through two different encrypted tunnels as it flows between two different VPN servers located in two different locations. This makes it extremely difficult for hostile forces to track where you go and what you do online.
- Onion-over-VPN servers – Get the security and privacy of NordVPN as well as the anonymity of the Onion (Tor) network for additional anonymity. NordVPN encrypts your data and hides your real IP address before passing your data through the Onion network. Your data is secure even if it passes through a corrupted onion server, entry node, or exit node.
- Obfuscated servers – By making your VPN traffic look like HTTPS (HTTP Secure) web traffic, it becomes effectively invisible to internet censors and other snoops. Very helpful if you need to work around various internet blocks.
- Threat Protection – This NordVPN feature is an ad blocker and much more. It protects you from, “ads, unsafe connections, and malicious sites.” Not surprisingly, Google does not allow NordVPN to post an app with ad blocking in the Google Play store. You can download an Android VPN app that can block ads directly from the NordVPN website.
NordVPN is ranked as our best VPN for Netflix. It can give you access to many Netflix regional libraries, and stream the content extremely fast, without the jitter and delays, and degraded video quality that lesser competitors provide. It likewise can stream all the other major services, including Amazon Prime Video, HBO Max, Hulu, and many others.
If you would like to give this great VPN a try you can get a great price using the coupon below. The company offers a 30-day money back guarantee so you have plenty of time to put it through its paces before making a long-term commitment.
The NordVPN Cyber Deal is live:
Get 63% Off NordVPN plus an additional 3 months FREE:
(Coupon applied automatically.)
To learn more about the leading WireGuard VPN, check out our complete NordVPN review.
Surfshark – A high-quality, low-cost WireGuard VPN provider
|Support||24/7 chat; email|
Surfshark, based in the British Virgin Islands (BVI), gives you a very interesting proposition: It is a high-quality no logs VPN provider that works great, has strong WireGuard support, is extremely fast, and allows for unlimited simultaneous connections. Yet it is priced with the budget VPN providers. Want to know more? Keep reading.
Surfshark is only a few years old but has blasted past VPN services that have been around much longer. It is a strong general-purpose VPN service that supports WireGuard on most major operating systems (Linux support is still under development). When you activate WireGuard, Surfshark becomes the second-fastest VPN that we have ever seen.
Like NordVPN, Surfshark uses a double NAT system to compensate for WireGuard's inherent privacy weaknesses. Your address will never appear on a server for some creepy hacker to steal.
To get started with WireGuard on Surfshark just open your Surfshark app and go to Settings. Enable WireGuard and get ready to experience a major speed increase. Surfshark is pretty slow when using the default OpenVPN protocol, so it is definitely worth the minimal hassle of activating WireGuard.
When we tested Surfshark with WireGuard selected, we saw major speed increases relative to OpenVPN. In fact, we clocked one test with a speed of 397 Mbps on our 500 Mbps test connection:
This result makes Surfshark the second-fastest VPN we have ever tested. The benefits of WireGuard are clear, even when compared against ExpressVPN and its new Lightway protocol. You can see how this head-to-head speed testing worked out in our ExpressVPN vs Surfshark comparison.
More noteworthy Surfshark features
Like NordVPN, Surfshark also has several advanced security and privacy features you should know about:
- MultiHop (double-VPN) servers – route your VPN traffic through two servers located in different countries. Use this feature when you are seriously concerned that your online activities are being tracked.
- NoBorders mode – Switches you to specialized servers when are connected to a restricted network. It is designed to get you around these restrictions.
- Camouflage mode – Obfuscates your VPN traffic to avoid internet censorship by making it look like regular HTTPS encrypted traffic. Automatically activated when you are using OpenVPN.
- CleanWeb – This Surfshark feature is an ad blocker that also prevents connections to trackers and malware domains. Your web pages may even load faster because CleanWeb blocks so much useless or harmful junk from ever reaching your device.
Surfshark is one of the best VPNs for streaming video that you will find. It works with a huge variety of streaming services and can defeat the geo-blocking software many services use to control who can view their content in any particular region of the world.
You can get yourself a Surfshark VPN subscription at a great price using the discount below. And while you are testing, don't forget that Surfshark supports an unlimited number of simultaneous connections so you never have to worry about running out of usable connections. Take advantage of the 30-day money back guarantee to assure yourself that of all the VPN services on the market, Surfshark is the one for you.
Surfshark VPN Coupon
Get 82% off Surfshark VPN plus an additional 2 months FREE.
(Coupon applied automatically.)
If this VPN service sounds appealing to you, you can learn more in our full Surfshark review.
OVPN – A niche VPN with growing WireGuard support
OVPN, a Swedish VPN service, takes the quality over quantity approach to business. They have a small network of colocated, high-end servers, and concentrate on the core functions of a VPN: security and privacy.
OVPN has had some level of WireGuard support since the end of 2020, with WireGuard integrated into their mobile apps for some time. Last year the company announced that the WireGuard protocol is fully integrated into their desktop apps. This includes their GUI (graphical user interface) Ubuntu (Linux) client. Few VPNs offer either a Linux GUI, or Linux WireGuard support. Kudos to OVPN for supporting the Linux community.
Note: We have not yet had an opportunity to test OVPN's new WireGuard-enabled desktop apps. We'll update this section once we have test results, particularly speed test results.
OVPN gives you quite a few advanced options for configuring exactly how the VPN functions, as you can see here:
What OVPN doesn't give you is strong streaming options. While it does have some limited streaming capabilities, the other VPNs we cover here are all better options if streaming is a top priority for you.
But if great security and privacy in a small, high-quality VPN with WireGuard support is what you seek, OVPN could be your answer. Just be aware that unlike services such as NordVPN with their 30-day guarantees, OVPN offers a 10-day money back guarantee.
For more information on this quality WireGuard-capable VPN service, see our full OVPN review.
VyprVPN – Strong WireGuard performance, but an above-average price
VyprVPN has been around for several years, doing okay but nothing spectacular. But in 2021, VyprVPN made numerous strides that moved it into the top rank of VPNs. Based in Switzerland, it is an audited no-logs VPN provider that has included WireGuard in most of their VPN apps since 2020.
Note: The VyprVPN team doesn't have WireGuard working in their Linux app yet, as we also saw with Surfshark.
Their WireGuard implementation is reliable. They deal with the WireGuard privacy issue by maintaining address information while a connection is active, then immediately delete it.
VyprVPN is fast too. We've seen speed test results hitting over 300 Mbps, clearly making it one of the fastest VPN services around.
Like OVPN, VyprVPN owns every server in their network, which lets them ensure that their hardware is secure and well maintained.
Unlike OVPN, VyprVPN does a good job of connecting to, and unblocking streaming services. This includes several Netflix regional libraries and streaming services like Disney Plus, HBO Max, Hulu, Amazon Prime video, and more. Still, if streaming media is a top priority for you, you can do better than VyprVPN. See our NordVPN vs VyprVPN review for a comparison.
With our discount coupon, you can get the 12-month VyprVPN plan for a price of $5.00 per month ($60.00 billed every 12 months). They also offer a 30-day money-back guarantee, so you can try their service risk-free.
To get the full story on this WireGuard VPN provider, click through to our full VyprVPN review.
Now we will examine some WireGuard Frequently Asked Questions (FAQs).
WireGuard VPN FAQs
Here are answers to some of the most common questions about VPNs and VPN providers that implement WireGuard.
Here at SecurityTech, we believe that properly integrated into a no logs VPN, the WireGuard protocol is superior to OpenVPN and other existing VPN protocols. Even though it is a relatively new VPN protocol, it is faster and more secure than older protocols. It should use less battery power and mobile data than older protocols, while also switching between mobile networks so fast that you will probably not even notice the switch.
For the vast majority of our readers, WireGuard is superior to other VPN protocols.
WireGuard is extremely secure. It uses modern encryption algorithms, and the code is less vulnerable to attack than the code of protocols like OpenVPN. So from that perspective, WireGuard is definitely safe.
But WireGuard itself is not a private protocol. So if your definition of a “safe VPN” includes privacy, WireGuard by itself is not safe. A VPN that uses WireGuard needs to address the privacy issue to be considered safe in this case. All the VPNs we cover in this article have done the work to ensure the privacy of your WireGuard connection.
The WireGuard protocol works similarly to other VPN protocols. It uses modern encryption and networking code to create a secure (encrypted) tunnel through the internet. When used in a VPN service, the tunnel connects your device to a VPN server. The VPN server then connects to the website you are browsing.
The design of WireGuard makes it extremely fast, both to transfer data and when switching wireless hotspots while moving about in the world. It has great potential for both desktop and mobile use.
It is hard for us to give an exact value for the speed of WireGuard. We test VPNs that implement WireGuard, not the WireGuard protocol itself. That means our test results are influenced by which WireGuard VPN providers we are testing, and the specific VPN servers we are connecting to for each test.
There are two things I can say about the speed of WireGuard. First, we have found that VPNs with WireGuard support download data faster when they are using WireGuard than when they are using OpenVPN. Second, so far we have found that each WireGuard VPN featured in this article is faster than VPNs that don't use WireGuard.
This depends on your definition of better. WireGuard is faster, both connecting and reconnecting, as well as in transferring data. WireGuard appears to be more secure than OpenVPN and is lighter on battery use in your smartphone or other devices. However, OpenVPN is more private than WireGuard.
To use WireGuard in a no-logs VPN, the VPN provider must do something to address the privacy issue. Our top two current picks for the best WireGuard VPN, NordVPN and Surfshark, both use a double NAT system to address WireGuard's lack of privacy.
NordVPN does support the WireGuard protocol, although it doesn't surprise me that you didn't realize it. This is because NordVPN has incorporated WireGuard into their NordLynx VPN protocol. NordLynx combines WireGuard with a double NAT system, resulting in a protocol that has the speed and security of WireGuard, as well as privacy sufficient for use in a no-logs VPN like NordVPN.
Yes, WireGuard does work on Android. It is actually a great option to use on an Android device. WireGuard has much less code and needs to transfer less data than competing protocols, making it more energy efficient. It also reconnects much faster than OpenVPN when your connection moves from one mobile hotspot to the next.
The WireGuard protocol itself only supports UDP tunneling. According to the Known Limitations page on the WireGuard website, this is because of the, “classically terrible network performance of tunneling TCP-over-TCP”. Refer to the WireGuard site for more information on how WireGuard handles TCP.
As of now, most routers do not support the WireGuard protocol. One that does is the Vilfo VPN Router. Out of this list of the best WireGuard VPNs, Vilfo has built-in support for NordVPN, Surfshark, and OVPN. You can get all the benefits of WireGuard speed and security while protecting any or all of the devices connected to the router.
Vilfo claims that the router can support speeds of up to 1 Gbps while running WireGuard (assuming of course that your internet connection can run that fast).
Conclusion: Use a good WireGuard VPN service in 2023
The WireGuard VPN protocol is here to stay. Most of the leading VPNs have addressed the WireGuard VPN protocol's privacy issues and added WireGuard support. As a result, they are reaping the rewards of higher speeds and better all-around performance. Over the next few years we expect WireGuard to displace OpenVPN as the industry standard VPN protocol.
But you don't have to wait that long. You can take the leap with one of the four best WireGuard VPNs right now. Here are our current recommended services, along with discount-price links you can use to get the best deal possible.
63% Off NordVPN Coupon >>
Visit Site >>
Visit Site >>
Visit Site >>
This WireGuard VPN guide was last updated on March 10, 2023.
which of these provide options for residential static ip addresses ?
NordVPN and a few others, see the static IP VPN guide here.
Does NordVPN support a VPN connection directly from router supporting Wireguard? Based on your reporting, its not clear if they support Wireguard or only support their closed source version of Wireguard – ie Nordlynx.
I think you could do this with a Vilfo router, but with most routers, no, because they do not support WireGuard.