Why WireGuard?

WIREGUARD

Last updated: 20 September 2019


This article answers some typical questions we receive about why we use and recommend WireGuard.

But first, what is WireGuard?

In short, WireGuard® is a new VPN protocol that utilizes state-of-the-art cryptography. It aims to be simpler than IPsec and OpenVPN. In fact, it even performs better. Here's why we love WireGuard.

I already use Mullvad. Can I use WireGuard too?

You bet. Follow one of our WireGuard guides.

How many devices can I use WireGuard on?

You can have up to 5 WireGuard keys at a time, each one for a different device, so 5 devices.

Do you recommend WireGuard even though it's still a work in progress?

Yes, we do. And we did, even when this statement existed on the WireGuard project's homepage: "WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change."

That notice was removed in mid-2019, and by then we had been offering the opportunity to test WireGuard with Mullvad for over two years, since March 2017. However, the WireGuard team still considers the protocol a "work in progress" and says it won't be ready until it has been merged into the Linux kernel and properly audited.

So why have we been so keen on using WireGuard anyway? Well, it's because most security experts (including us) strongly believe that WireGuard, even as a work in progress, is superior to the OpenVPN protocol.

Both the security of WireGuard as a protocol and its Linux kernel implementation are most likely superior to all alternatives. Code audits and project age function as signals for decision makers, but if you look deeper, there are other, stronger signals: the simplicity of the protocol state machine, the fact that it can be implemented without dynamic memory allocation, and the choice of cryptographic primitives are all arguably as useful as those signals, or more so.

Even the attack surface is much smaller: WireGuard is written in less than 7,000 lines of code, whereas IPSec contains 400,000 lines (OpenVPN is of similar complexity). The more code there is, the greater the chance of a vulnerability being present in those lines. With a background in kernel exploit development, we don't expect the creator of WireGuard to have written code that contains 100 times more vulnerabilities than IPSec and OpenVPN.

I don't trust WireGuard since it's a work in progress. Can I still use Mullvad VPN?

Yes! By default, our Mullvad Desktop App uses the OpenVPN protocol. Our WireGuard implementations run on entirely separate servers. If you want to use WireGuard, you need to choose it manually. WireGuard will become the default protocol in the Mullvad VPN app, but not until we've implemented internal IPs and keys that rotate regularly and automatically.

Our Android app uses WireGuard only. The current Android and Desktop betas have a button that replaces the WireGuard key with a new one. This allows manual key rotation.

Is it true that a user's public IP must be logged in order for WireGuard to work?

No. When using WireGuard, your public IP address is temporarily held in memory (RAM) for the duration of the connection, as the endpoint of your WireGuard peer. By default, WireGuard discards this information if the server has been rebooted or if the WireGuard interface has been restarted.

For us this wasn't enough, so we added our own solution: if a peer has not completed a handshake within 180 seconds, it is removed and re-added. Doing so discards the public IP address and any record of when the peer last performed a handshake.
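The following is an added illustration of that 180-second rule, not Mullvad's production code. It parses output in the format of `wg show <iface> dump` (a constructed sample is embedded), selects peers that still hold an endpoint but have not handshaked within the limit, and produces the `wg set` commands that remove and re-add each one. The interface name `wg0`, the peer keys and the addresses are all assumptions.

```python
"""Forget idle WireGuard peers: a peer whose last handshake is older than
MAX_AGE seconds is removed and re-added, which discards its remembered
endpoint (the client's public IP) and its last-handshake time.
Added illustration, not Mullvad's code; interface and peers are constructed."""

IFACE = "wg0"    # assumption: the interface being policed
MAX_AGE = 180    # seconds without a handshake before the peer is forgotten

# Constructed output in the format of `wg show <iface> dump`: one line for the
# interface, then one tab-separated line per peer with the fields
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix
# time, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
NOW = 1_600_000_000
SAMPLE_DUMP = "\n".join([
    "PRIVKEY_REDACTED\tSERVER_PUBKEY\t51820\toff",
    f"PEER_A_PUBKEY\t(none)\t203.0.113.7:41641\t10.64.0.2/32\t{NOW - 20}\t1234\t5678\toff",
    f"PEER_B_PUBKEY\t(none)\t198.51.100.9:51820\t10.64.0.3/32\t{NOW - 600}\t999\t111\toff",
    "PEER_C_PUBKEY\t(none)\t(none)\t10.64.0.4/32\t0\t0\t0\toff",
])


def parse_peers(dump_text):
    """Return one dict per peer line of a `wg show ... dump`."""
    peers = []
    for line in dump_text.splitlines()[1:]:        # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            continue                               # malformed line: skip, never crash the cleaner
        pub, psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = fields
        peers.append({
            "public_key": pub,
            "preshared": None if psk == "(none)" else psk,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed,
            "latest_handshake": int(handshake),
        })
    return peers


def stale_peers(dump_text, now, max_age=MAX_AGE):
    """Peers that still hold an endpoint but have not handshaked within max_age.
    A peer with no endpoint has nothing to forget and is left alone."""
    return [
        p for p in parse_peers(dump_text)
        if p["endpoint"] is not None and now - p["latest_handshake"] > max_age
    ]


def rotation_commands(dump_text, now, iface=IFACE, max_age=MAX_AGE):
    """The `wg set` invocations that remove and re-add each stale peer.
    Re-adding with only its allowed-ips restores the peer without an endpoint,
    so the kernel no longer remembers where that client last connected from.
    (A peer with a preshared key would also need `preshared-key <file>` here.)"""
    cmds = []
    for p in stale_peers(dump_text, now, max_age):
        cmds.append(["wg", "set", iface, "peer", p["public_key"], "remove"])
        cmds.append(["wg", "set", iface, "peer", p["public_key"],
                     "allowed-ips", p["allowed_ips"]])
    return cmds


if __name__ == "__main__":
    # In production the dump would come from subprocess.run(["wg", "show", IFACE, "dump"]).
    for cmd in rotation_commands(SAMPLE_DUMP, NOW):
        print(" ".join(cmd))
```

On the sample, only the peer whose handshake is 600 seconds old is rotated; the one 20 seconds old is kept, and the peer that never handshaked (no endpoint) is ignored.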

If you want to hide your public IP even more, use multihopping.

Is logging of any user activity required in order for WireGuard to work?

No. There is never a need to log user activity no matter if you're using OpenVPN or WireGuard.

Does using WireGuard put me at greater risk for leaks?

No, not more than if you're not using WireGuard. Whatever protocol you use for connecting to Mullvad, you should perform a leak test. If you're not safe from WebRTC, take necessary action.

What are your thoughts on the internal WireGuard IP address being static?

We acknowledge that keeping a static IP for each device, even internally, is not ideal.

Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you've installed software that is malicious, it can also leak that information.

And theoretically, a static internal IP that is leaked, together with obtaining a payment record, could help to identify a user. (Dive into the payment info we handle for a fascinating read.)

Having said that, we still believe that WireGuard overall is in a better state than OpenVPN.

Solutions to the problem

You as a user can mitigate this issue in two ways:

  • When connected to Mullvad, perform a leak test. If you're not safe from WebRTC leaks, take necessary action.
  • Never download and install applications that you don't trust.

These concerns will no longer be an issue once we've implemented our very own solution of internal IPs and keys that rotate regularly and automatically. This is something we are currently working on. In the meantime, in the current Mullvad App you can manually rotate keys and static IP addresses: go to Settings (Advanced), then WireGuard key, and press Regenerate key/Replace key. The rotation can take up to two minutes.

We also want to see the WireGuard protocol itself improved, which is why we're taking part in the development of WG-dynamic. This implementation will give the ability to dynamically assign a new internal IP every time a connection is made.

Which cryptography is used in WireGuard?

WireGuard utilizes the following protocols and primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC 7539's AEAD construction
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing, as described in RFC 7693
  • SipHash24 for hashtable keys
  • HKDF for key derivation, as described in RFC 5869
  • Noise_IK handshake from Noise, building on the work of CurveCP, NaCl, KEA+, SIGMA, FHMQV, and HOMQV
  • All packets are sent over UDP.
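As an added example (not WireGuard's source code), two of the primitives above can be exercised with nothing but Python's standard library: HKDF (RFC 5869) built from HMAC and instantiated with BLAKE2s, which is how WireGuard's handshake derives its chaining keys, and keyed BLAKE2s truncated to 16 bytes, which is the MAC used for the handshake's mac1/mac2 fields. ChaCha20-Poly1305 and Curve25519 are not in the standard library and are left out. The HKDF core is self-checked against RFC 5869 test case 1; the sample key material fed to the KDF is constructed.

```python
"""HKDF-BLAKE2s and keyed BLAKE2s as used in the WireGuard handshake.
Added illustration built on hashlib/hmac; not the WireGuard implementation."""
import hashlib
import hmac


def hkdf(hash_name, salt, ikm, info, length):
    """RFC 5869 extract-then-expand over any hashlib algorithm."""
    if not salt:                       # RFC 5869: absent salt = HashLen zero bytes
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    prk = hmac.new(salt, ikm, hash_name).digest()             # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def wg_kdf(key, data, n):
    """WireGuard's Kdf_n(key, input): HKDF-BLAKE2s with the current chaining
    key as salt, the new secret as IKM and empty info; yields n 32-byte keys."""
    okm = hkdf("blake2s", key, data, b"", 32 * n)
    return [okm[i * 32:(i + 1) * 32] for i in range(n)]


def wg_hash(data):
    """HASH(input): plain BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data).digest()


def wg_mac(key, data):
    """MAC(key, input): keyed BLAKE2s truncated to 16 bytes (mac1/mac2)."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


# The handshake's initial chaining key and hash, from the protocol's constants.
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
IDENTIFIER = b"WireGuard v1 zx2c4 Jason@zx2c4.com"


def initial_state():
    """C_i = HASH(CONSTRUCTION); H_i = HASH(C_i || IDENTIFIER)."""
    ck = wg_hash(CONSTRUCTION)
    h = wg_hash(ck + IDENTIFIER)
    return ck, h


# RFC 5869 test case 1 (SHA-256), a known-answer check for the HKDF core.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"),
}


if __name__ == "__main__":
    tc = RFC5869_TC1
    assert hkdf("sha256", tc["salt"], tc["ikm"], tc["info"], 42) == tc["okm"]
    ck, h = initial_state()
    # Constructed stand-in for a DH output that would be mixed into the chain.
    ck2, k = wg_kdf(ck, b"constructed ephemeral shared secret", 2)
    print("chaining key:", ck2.hex())
    print("mac1 over a dummy message:", wg_mac(h, b"constructed handshake bytes").hex())
```

The point the code makes is that nothing exotic is needed to reproduce the key-derivation chain: HMAC over BLAKE2s is enough for the KDF, and BLAKE2s's native keyed mode replaces HMAC for the cheap MACs on handshake messages.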

The WireGuard website goes into detail on protocol and cryptography.