The quantum-resistant tunnels feature is finally stabilized and can easily be enabled for all WireGuard tunnels in our desktop app.
Back in November we blogged about Post-quantum safe VPN tunnels being an experimental feature available on all our WireGuard servers. The protocol has since then been stabilized. The setting for enabling the feature is available from version 2023.3 of our desktop app.
How to enable
In the app, go to Settings → VPN settings → WireGuard settings → Quantum-resistant tunnel and set the setting to On.
When the VPN is connected, the app should now say QUANTUM SECURE CONNECTION in green text in the main view of the app.
This feature is currently only available in our desktop app (Windows, macOS and Linux). We plan on incorporating this feature on Android and iOS as well.
If it turns out to work as well as we hope it will, we will enable this by default in a future release of the app. There is no reason to not have every tunnel be quantum-resistant.
What is this?
The encryption used by WireGuard has no known vulnerabilities. However, the current establishment of a shared secret to use for the encryption is known to be crackable with a strong enough quantum computer.
Although strong enough quantum computers have yet to be demonstrated, having post-quantum secure tunnels today protect against attackers that record encrypted traffic with the hope of decrypting it with a future quantum computer.
A WireGuard tunnel is established, and is used to share a secret in such a way that a quantum computer can’t figure out the secret even if it had access to the network traffic. We then disconnect and start a new WireGuard tunnel specifying the new shared secret with WireGuard’s pre-shared key option.
The Post-Quantum secure algorithms used here are Classic McEliece and Kyber.