Why WireGuard?

Last updated: 30 March 2020


This article answers some typical questions we receive about why we use and recommend WireGuard®.

But first, what is WireGuard?

In short, WireGuard® is a new VPN protocol that uses state-of-the-art cryptography. It aims to be simpler than IPsec and OpenVPN, and it performs better than both as well. Here's why we love WireGuard.

I already use Mullvad. Can I use WireGuard too?

You bet. Follow one of our WireGuard guides.

Desktop users, you can easily turn on WireGuard in the Mullvad app.

Android users, the Mullvad app automatically uses WireGuard so you don’t need to do anything extra!

WireGuard will become the default protocol in the Mullvad VPN app, but not until we've implemented internal IPs and keys that rotate regularly and automatically.

How many devices can I use WireGuard on?

You can have up to 5 WireGuard keys at a time, one per device, so 5 devices.

What is the development status of WireGuard?

WireGuard is considered stable by its own team and by many security experts (including us). This was the case well before its inclusion in Linux kernel 5.6 in March 2020.

We believe that the security of WireGuard, both as a protocol and in its Linux kernel implementation, is superior to all alternatives. Code audits and project age are the signals decision makers usually look at, but if you look deeper there are other, stronger ones: the simplicity of the protocol state machine, the fact that it can be implemented without dynamic memory allocation, and the choice of cryptographic primitives are all arguably at least as useful.

Even the attack surface is much smaller: WireGuard is written in less than 7,000 lines of code, whereas IPsec contains around 400,000 (OpenVPN is of similar complexity). The more code there is, the greater the chance that a vulnerability is present somewhere in it. Given our background in kernel exploit development, we don't expect the creator of WireGuard to have written code with 100 times more vulnerabilities per line than IPsec or OpenVPN, which is what it would take for WireGuard to be as exposed as they are.

Is it true that a user's public IP must be logged in order for WireGuard to work?

No. While you are connected with WireGuard, the server keeps your public IP address and port (the peer's endpoint, where it sends packets back to) and the time of the last handshake only in memory (RAM). WireGuard itself forgets this information if the server reboots or the WireGuard interface is restarted.

For us this wasn't enough, so we added our own solution: if no handshake has occurred within 180 seconds, the peer is removed and immediately re-added. Doing so wipes the public IP address and the record of when the peer last performed a handshake.

If you want to hide your public IP even further, use multihop.
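As an added illustration of that 180-second rule (example code, not Mullvad's own tooling), here is a small reaper that parses the output of wg show wg0 dump, picks out peers whose endpoint is still held in memory but whose last handshake is older than 180 seconds, and emits the wg set commands that remove and re-add each one. The interface name wg0, the sample dump, the peer keys and the addresses are all constructed for the example.

```python
"""Recycle WireGuard peers that have gone quiet.

Added illustration of the 180-second rule, not Mullvad's own tooling.  It
parses `wg show <iface> dump`, finds peers that still hold an endpoint (the
client's public IP:port) in kernel memory but have not completed a handshake
within REAP_AFTER seconds, and emits the `wg set` commands that remove and
immediately re-add each such peer.  Removing the peer clears its endpoint and
latest-handshake fields; re-adding it with the same allowed-ips keeps the
configuration ready for the client's next connection.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import List

REAP_AFTER = 180  # seconds without a handshake before a peer is recycled


@dataclass
class Peer:
    public_key: str
    preshared_key: str         # "(none)" when unset
    endpoint: str              # "(none)" until a packet has arrived
    allowed_ips: str           # comma-separated CIDRs
    latest_handshake: int      # unix time; 0 if no handshake has completed
    persistent_keepalive: str  # seconds, or "off"


def parse_dump(dump: str) -> List[Peer]:
    """Parse `wg show <iface> dump`: the first line is the interface (private
    key, public key, listen port, fwmark); each later line is one peer with
    8 tab-separated fields."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append(Peer(f[0], f[1], f[2], f[3], int(f[4]), f[7]))
    return peers


def stale_peers(peers: List[Peer], now: int) -> List[Peer]:
    """Peers whose endpoint is in memory but whose last handshake is older
    than REAP_AFTER (or never completed).  A peer without an endpoint holds
    no public IP, so there is nothing to wipe."""
    return [p for p in peers
            if p.endpoint != "(none)" and now - p.latest_handshake > REAP_AFTER]


def reap_commands(iface: str, peers: List[Peer], now: int) -> List[List[str]]:
    """Build the remove / re-add command pairs.  Only static configuration is
    restored; endpoint and latest-handshake start out empty again.  A
    preshared key would have to be re-supplied from a file with
    `preshared-key <file>`, which this illustration does not handle."""
    cmds = []
    for p in stale_peers(peers, now):
        cmds.append(["wg", "set", iface, "peer", p.public_key, "remove"])
        readd = ["wg", "set", iface, "peer", p.public_key,
                 "allowed-ips", p.allowed_ips]
        if p.persistent_keepalive != "off":
            readd += ["persistent-keepalive", p.persistent_keepalive]
        cmds.append(readd)
    return cmds


def reap(iface: str) -> int:
    """Run the reaper once against a live interface (needs root); returns the
    number of peers recycled."""
    dump = subprocess.run(["wg", "show", iface, "dump"], check=True,
                          capture_output=True, text=True).stdout
    cmds = reap_commands(iface, parse_dump(dump), int(time.time()))
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return len(cmds) // 2


# Constructed sample output of `wg show wg0 dump` (fake keys, documentation
# address ranges), taken as of NOW.
NOW = 1585570000
KEY_A, KEY_B, KEY_C, KEY_D = ("A" * 43 + "=", "B" * 43 + "=",
                              "C" * 43 + "=", "D" * 43 + "=")
SAMPLE_DUMP = "\n".join([
    "\t".join(["S" * 43 + "=", "P" * 43 + "=", "51820", "off"]),
    # handshake 30 s ago -> keep
    "\t".join([KEY_A, "(none)", "203.0.113.10:51234", "10.64.0.2/32",
               str(NOW - 30), "8192", "4096", "off"]),
    # silent for 10 minutes -> recycle
    "\t".join([KEY_B, "(none)", "198.51.100.7:40001", "10.64.0.3/32",
               str(NOW - 600), "1024", "512", "25"]),
    # never connected: no endpoint, nothing to wipe -> skip
    "\t".join([KEY_C, "(none)", "(none)", "10.64.0.4/32", "0", "0", "0", "off"]),
    # endpoint recorded from an initiation that never completed -> recycle
    "\t".join([KEY_D, "(none)", "192.0.2.55:12345", "10.64.0.5/32",
               "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    for cmd in reap_commands("wg0", parse_dump(SAMPLE_DUMP), NOW):
        print(" ".join(cmd))
```

Run as a script it only prints the commands for the constructed sample; reap("wg0") applies them to a real interface and would be called from a timer (cron or a systemd timer) every minute or so. The threshold is compared with a strict "older than 180 s", so a peer that handshaked exactly 180 seconds ago is left alone until the next run.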

Is logging of any user activity required in order for WireGuard to work?

No. There is never a need to log user activity no matter if you're using OpenVPN or WireGuard.

Does using WireGuard put me at greater risk for leaks?

No, no more than without WireGuard. Whatever protocol you use to connect to Mullvad, you should perform a leak test. If you're not safe from WebRTC leaks, take the necessary action.

What are your thoughts on the internal WireGuard IP address being static?

We acknowledge that keeping a static IP for each device, even internally, is not ideal.

Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. Also, applications running on your device can find out your internal IP, and if you've installed malicious software, it can leak that information too.

And theoretically, a leaked static internal IP, combined with a payment record, could help to identify a user. (Dive into the payment info we handle for a fascinating read.)

Having said that, we still believe that WireGuard overall is in a better state than OpenVPN.

Solutions to the problem

You as a user can mitigate this issue in two ways:

  • When connected to Mullvad, perform a leak test. If you're not safe from WebRTC leaks, take the necessary action.
  • Never download and install applications that you don't trust.

These concerns will no longer be an issue once we've implemented our own solution of internal IPs and keys that rotate regularly and automatically, which we are currently working on. In the meantime, the current Mullvad app lets you rotate your key and static IP address manually: go to Settings, Advanced, WireGuard key and press Regenerate key or Replace key. The rotation takes a few seconds.

We also want to see the WireGuard protocol itself improved, which is why we're taking part in the development of WG-dynamic. It will make it possible to assign a new internal IP dynamically every time a connection is made.

Which cryptography is used in WireGuard?

WireGuard utilizes the following protocols and primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305, using the AEAD construction from RFC 7539
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing, as described in RFC 7693
  • SipHash24 for hashtable keys
  • HKDF for key derivation, as described in RFC 5869
  • The Noise_IK handshake from the Noise Protocol Framework, building on the work of CurveCP, NaCl, KEA+, SIGMA, FHMQV, and HOMQV
  • All packets are sent over UDP.

The WireGuard website goes into detail on the protocol and its cryptography.
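Two of the primitives in that list can be shown end to end in a few dozen lines. The added example below (pure Python written for this page, not WireGuard's own code) implements X25519 key agreement as specified in RFC 7748, derives a key pair in the base64 form that wg genkey and wg pubkey print, and feeds the shared secret through the HKDF-with-BLAKE2s derivation from RFC 5869 that the WireGuard paper writes as Kdf1/Kdf2/Kdf3. The function names (x25519, kdf, mix_dh, generate_keypair) are this example's own, and the ladder is not constant time, so it is for reading, not for protecting real keys.

```python
"""Curve25519 key agreement and HKDF-with-BLAKE2s, as used by WireGuard.

Added illustration written for this page; not WireGuard's own code.  The
Montgomery ladder below is not constant time and must not be used with
real keys.  The HKDF follows RFC 5869 with BLAKE2s as the HMAC hash and an
empty "info", which is exactly the Kdf1/Kdf2/Kdf3 of the WireGuard paper.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Tuple

P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")
# WireGuard's initial chaining key is HASH(CONSTRUCTION) per its paper.
INITIAL_CHAINING_KEY = hashlib.blake2s(
    b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s").digest()


def _clamp(scalar: bytes) -> int:
    """RFC 7748 clamping: clear the 3 low bits, clear bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519(k, u) via the Montgomery ladder of RFC 7748 section 5."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the high bit
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; branch-based, hence not constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def generate_keypair() -> Tuple[str, str]:
    """A key pair in the form `wg genkey` / `wg pubkey` print: 32 random
    bytes, and public = X25519(private, 9)."""
    private = os.urandom(32)
    return b64(private), b64(x25519(private, BASEPOINT))


def kdf(chaining_key: bytes, ikm: bytes, n: int) -> List[bytes]:
    """HKDF with HMAC-BLAKE2s: Extract with the chaining key as salt, then
    Expand with empty info into n 32-byte outputs T1..Tn.  The first output
    becomes the next chaining key, as in the WireGuard paper."""
    prk = hmac.new(chaining_key, ikm, "blake2s").digest()
    out, t = [], b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + bytes([i]), "blake2s").digest()
        out.append(t)
    return out


def mix_dh(chaining_key: bytes, private_b64: str,
           peer_public_b64: str) -> Tuple[bytes, bytes]:
    """One DH step of the Noise handshake: the shared secret is fed through
    kdf to produce the next chaining key and a temporary key.  Both peers
    compute the same pair from their own private key and the other's public."""
    shared = x25519(base64.b64decode(private_b64),
                    base64.b64decode(peer_public_b64))
    ck, key = kdf(chaining_key, shared, 2)
    return ck, key


if __name__ == "__main__":
    client_priv, client_pub = generate_keypair()
    server_priv, server_pub = generate_keypair()
    ck_c, k_c = mix_dh(INITIAL_CHAINING_KEY, client_priv, server_pub)
    ck_s, k_s = mix_dh(INITIAL_CHAINING_KEY, server_priv, client_pub)
    print("client public key:", client_pub)
    print("same chaining key on both sides:", ck_c == ck_s and k_c == k_s)
```

The point of the chaining-key pattern is that every DH result is mixed into a running key with the same kdf, so the final session keys depend on all preceding steps; the real handshake also mixes in the ephemeral keys and the optional preshared key, which this example leaves out.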

"WireGuard" is a registered trademark of Jason A. Donenfeld.