📚 Should businesses consider WireGuard?
Kernel-level support for WireGuard, the next-generation protocol for virtual private networks (VPNs), expanded to Windows last year. This news raises the question of whether WireGuard VPN is ready to replace IPsec and OpenVPN. Naturally, it depends. We will introduce WireGuard VPN, discuss its advantages, and explain where certain businesses can benefit from using WireGuard VPN to secure their remote traffic.
WireGuard is a modern VPN protocol designed to avoid the complexity and performance compromises of established protocols like OpenVPN and IPsec. As a general-purpose VPN, WireGuard’s code is light enough to run on embedded systems and performant enough for supercomputing applications. The WireGuard project set out to deliver three core benefits: performance, modern cryptography, and simplicity.
WireGuard can outperform other protocols across several metrics. Its cryptographic primitives, notably the ChaCha20-Poly1305 cipher, are fast in software, so WireGuard encrypts and forwards packets with less CPU work than comparable configurations of other protocols.
Kernel-level support further improves performance by keeping packets inside the kernel’s network stack. OpenVPN, by contrast, runs in userspace: every packet crosses the kernel boundary through a TUN device, is encrypted or decrypted by the OpenVPN process, and crosses back, which adds copies and context switches on every packet.
The user experience also improves because WireGuard identifies peers by public key rather than by IP address, so a tunnel can roam across IP addresses. When a device switches from a mobile network to a WiFi network, the other side simply learns the new endpoint from the next authenticated packet, and the tunnel remains in place for a seamless transition.
VPN protocols like OpenVPN and IPsec appeared decades ago, and cryptography has advanced considerably since then. WireGuard builds on these newer designs and ships a single, fixed set of primitives instead of negotiable cipher suites:
- Noise protocol framework for the authenticated key exchange
- Curve25519 for key agreement
- ChaCha20 for encryption and Poly1305 for authentication (the ChaCha20-Poly1305 AEAD)
- BLAKE2s for hashing and HKDF for key derivation
Legacy VPN protocols like OpenVPN and IPsec have evolved to meet many use cases. IPsec, in particular, is very flexible. Developers and network administrators can configure the protocol for their unique requirements. That flexibility, however, creates problems. One misconfigured setting in a complex implementation can create vulnerabilities that attackers can exploit.
In addition, these older protocols have massive codebases. IPsec and OpenVPN implementations extend to several hundred thousand lines of code, and the more code there is, the more opportunities for error. The Internet Engineering Task Force (IETF) standardizes IPsec, while OpenVPN is an open-source project maintained by its own community. Each model has its strengths, but neither can thoroughly vet protocols this large and complex.
WireGuard, on the other hand, was written in roughly 4,000 lines of code for the original Linux kernel implementation, all of it open source. A codebase this small can be audited in full, so security experts can find and address vulnerabilities more easily, and developers spend less time and effort reviewing their WireGuard deployments. This small footprint is another reason for WireGuard’s performance advantages and its ability to run on embedded systems.
WireGuard has business-friendly capabilities as well. A WireGuard interface can be created in one network namespace and moved into another, so network administrators can make it the only network interface inside a Docker container’s namespace. Any traffic leaving the container then has no path except the encrypted tunnel.
WireGuard also simplifies firewalling because each peer’s public key is bound to the set of IP addresses that peer may use inside the tunnel (its AllowedIPs). This cryptokey routing table works in both directions: on the way out, a packet’s destination address selects which peer’s key encrypts it; on the way in, a decrypted packet is dropped unless its source address belongs to the peer whose key authenticated it. Inside the tunnel, a packet’s source IP therefore proves which key sent it, so access-control rules can match on tunnel addresses without further authentication.
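To make the cryptokey routing and endpoint-roaming behaviour concrete, here is a small Python model written for this article. It is illustrative example code, not WireGuard’s own implementation: it performs no cryptography (a packet is assumed to have already been authenticated under the named peer’s key), and the peer names, tunnel addresses and endpoints are constructed for the example.

```python
"""Toy model of WireGuard's cryptokey routing table (illustrative, not WireGuard code).

It models two behaviours described in the text:
* Outbound: the destination IP of a plaintext packet selects the peer (and so the
  key) by longest-prefix match over every peer's AllowedIPs.
* Inbound: once a packet has been decrypted and authenticated under a peer's key,
  its inner source IP must fall inside that peer's AllowedIPs or it is dropped.
  The peer's endpoint is refreshed from the outer UDP source of any
  authenticated packet, which is what lets a peer roam between networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Peer:
    public_key: str                      # base64 in real WireGuard; an opaque label here
    allowed_ips: List[ipaddress._BaseNetwork]
    endpoint: Optional[Endpoint] = None  # last seen (host, port); None until first contact


class CryptokeyRouter:
    def __init__(self) -> None:
        self._peers: Dict[str, Peer] = {}

    def add_peer(self, public_key: str, allowed_ips: List[str],
                 endpoint: Optional[Endpoint] = None) -> None:
        nets = [ipaddress.ip_network(n) for n in allowed_ips]
        # An allowed-IP range belongs to exactly one peer: assigning it to a new
        # peer removes it from the previous owner, as `wg set` does.
        for other in self._peers.values():
            other.allowed_ips = [n for n in other.allowed_ips if n not in nets]
        self._peers[public_key] = Peer(public_key, nets, endpoint)

    def route_outbound(self, dst: str) -> Optional[str]:
        """Public key of the peer whose AllowedIPs best match dst, or None (drop)."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Peer] = None
        best_len = -1
        for peer in self._peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best.public_key if best else None

    def accept_inbound(self, public_key: str, inner_src: str,
                       outer_endpoint: Endpoint) -> bool:
        """Admit or drop a packet already authenticated under `public_key`.

        `inner_src` is the source IP inside the decrypted packet; `outer_endpoint`
        is the UDP (host, port) it arrived from.
        """
        peer = self._peers.get(public_key)
        if peer is None:
            return False
        # The packet authenticated, so learn the new endpoint first (roaming);
        # the inner-source check below is a separate decision.
        peer.endpoint = outer_endpoint
        addr = ipaddress.ip_address(inner_src)
        return any(addr in net for net in peer.allowed_ips)

    def endpoint_of(self, public_key: str) -> Optional[Endpoint]:
        return self._peers[public_key].endpoint

    def to_wg_conf(self) -> str:
        """Render the table as wg-quick style [Peer] sections for the server side."""
        lines: List[str] = []
        for peer in self._peers.values():
            lines.append("[Peer]")
            lines.append(f"PublicKey = {peer.public_key}")
            lines.append("AllowedIPs = " + ", ".join(str(n) for n in peer.allowed_ips))
            if peer.endpoint:
                lines.append(f"Endpoint = {peer.endpoint[0]}:{peer.endpoint[1]}")
            lines.append("")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample topology: two road-warrior peers and a default-route gateway.
    r = CryptokeyRouter()
    r.add_peer("peerA", ["10.0.0.2/32"], ("203.0.113.5", 51820))
    r.add_peer("peerB", ["10.0.0.3/32", "192.168.50.0/24"])
    r.add_peer("gateway", ["0.0.0.0/0"])
    print("8.8.8.8 ->", r.route_outbound("8.8.8.8"))
    # peerA roams to a new network, then tries to spoof peerB's tunnel address.
    print("roam ok:", r.accept_inbound("peerA", "10.0.0.2", ("198.51.100.9", 40000)))
    print("spoof dropped:", not r.accept_inbound("peerA", "10.0.0.3", ("198.51.100.9", 40000)))
    print(r.to_wg_conf())
```

The spoofing case is the security point: even though the packet authenticated under peerA’s key, a source address of 10.0.0.3 is rejected because that address is bound to peerB. Any firewall rule written against 10.0.0.3 therefore only ever sees traffic that peerB’s key produced.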
WireGuard’s creator, Jason Donenfeld, had grown frustrated with Linux’s bloated, inefficient VPN capabilities. He felt a modern protocol would significantly enhance the open-source operating system. Although he met initial resistance from the community, he eventually won over Linus Torvalds, who said in 2018:
“Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”
After several years as an out-of-tree module, WireGuard was merged into the mainline Linux kernel in version 5.6, released in March 2020.
Through much of its development, WireGuard was available on Windows only as a userspace implementation. In 2021 the project released WireGuardNT, a kernel device driver for Windows 7 through 11, with support extended to Windows Server 2008R2 and later. The driver is still labeled experimental, however, with more testing and development ahead of it.
Even without kernel-level support, you can run WireGuard in userspace on every major desktop and mobile platform.
While WireGuard was still in development, personal VPN services began letting consumers replace OpenVPN and IPsec with the new protocol. NordVPN, Mullvad, Surfshark, and others were early adopters of WireGuard VPN. The protocol is gradually expanding its presence among other third-party VPN providers. However, you are less likely to find WireGuard in enterprise VPN solutions.
For many business use cases, WireGuard’s design has unacceptable tradeoffs. Government agencies, as well as some regulated industries, cannot use WireGuard where approved cryptography is mandated. Yet many businesses may find WireGuard’s performance and simplicity worth considering.
WireGuard does not assign tunnel IP addresses dynamically: each peer’s tunnel address is statically configured on the VPN server as part of that peer’s AllowedIPs. The server also keeps each peer’s most recent real-world endpoint (source IP address and port) in memory, with no built-in expiry. A VPN service that wants to avoid retaining this data must either accept it or add its own logic to clear stale endpoints.
Another privacy concern arises when users travel to countries that regulate internet access. WireGuard runs only over UDP and has no built-in obfuscation or TCP fallback, so national firewalls can spot and block it more easily than, say, OpenVPN over TCP port 443, which blends in with HTTPS traffic.
U.S. government agencies, their contractors, and certain regulated industries must follow specific guidelines for using VPNs. WireGuard’s fixed cipher suite (ChaCha20-Poly1305, Curve25519, BLAKE2s) is not on the National Institute of Standards and Technology’s FIPS-approved algorithm list, nor is it approved by the Committee on National Security Systems. That makes it off-limits for federal agencies and many enterprises.
As mentioned earlier, Windows kernel-level support for WireGuard requires installing an experimental driver, so most organizations will be reluctant to deploy WireGuard into production on Windows. Instead, now may be a good time to experiment with WireGuard to understand how it may help network performance and security.
Although WireGuard has kernel-level support in Linux, the decision may not be any easier. Linux distributions treat WireGuard differently. For example, Red Hat Enterprise Linux 9 includes WireGuard as a “technology preview” and does not recommend the protocol for production use. In addition, companies that use Red Hat must disable the operating system’s Federal Information Processing Standard (FIPS) mode to run WireGuard, since it does not use FIPS-approved encryption algorithms.
Legacy VPN protocols, especially IPsec, are widely used by enterprises because they are feature rich. They give developers room to customize VPN implementations. The WireGuard project’s decision to make simplicity a core philosophy offers many benefits, but it shifts complexity into the surrounding deployment. Capabilities that IPsec provides through configuration must be built around WireGuard with additional development work.
Small or mid-sized organizations that use consumer and commercial VPN providers can use WireGuard today. These businesses have already decided the benefits these services offer outweigh the loss of control. The provider handles any issues with implementation and privacy. Switching their VPN protocols to WireGuard gives these businesses a more seamless, performant experience.
Larger organizations with specific use cases may consider using WireGuard when they can balance the development effort with the performance benefits. As mentioned earlier, WireGuard’s lightweight codebase and container compatibility make it an option for secure communications in cloud environments. However, any decision to implement WireGuard requires a careful evaluation of the risks and capabilities relative to IPsec or OpenVPN.
Another question many organizations are asking is whether they should keep using VPN at all, regardless of the protocols powering it. VPN is a legacy technology designed for an age when most information resources, networks, and users sat within a secure perimeter. Things look quite different today:
- Resources are scattered across the cloud.
- Many applications are provided by X-as-a-Service third parties.
- Most users work remotely.
- Many more users are not company employees.
- Outsourcing and bring-your-own-device policies multiply device populations.
- Cybercriminals are increasingly sophisticated.
As a result of these changes, VPN has made managing network access expensive and difficult. VPN gateways concentrate traffic, reducing bandwidth and increasing latency. And vulnerabilities inherent to VPN’s architecture make the technology a common vector for security breaches. WireGuard does little to mitigate VPN’s weaknesses.
Twingate offers a more secure and performant alternative to WireGuard VPN. Based on a Zero Trust framework, Twingate shifts the focus of secure access away from networks to protect encrypted, direct connections between each user and the resources they access.
Replacing VPN’s hub-and-spoke topology and routing user/resource traffic directly improves network performance and the user experience. Private networks no longer backhaul traffic between users and cloud resources. Low-latency connections give users more responsive access to their work.
Twingate is simple to deploy, simple to manage, and easy to use. DevSecOps teams can deploy our lightweight proxy apps through their existing CI/CD pipelines. Administrator consoles can onboard and off-board users at the click of a button. Users no longer need to switch gateways to access the resources they need.
Companies worldwide rely on Twingate to provide their users with a seamless, secure access experience. Try Twingate yourself by signing up for our free Starter plan. Or contact us to learn how Twingate can solve your secure access challenges today.