This article answers some typical questions we receive about why we use and recommend WireGuard®.
But first, what is WireGuard?
In short, WireGuard® is a new VPN protocol that utilizes state-of-the-art cryptography. It aims to be simpler than IPsec and OpenVPN. In fact, it even performs better. Here's why we love WireGuard.
I already use Mullvad. Can I use WireGuard too?
You bet. Depending on your operating system, WireGuard might already be enabled:
- Windows users, you can easily turn on WireGuard in the Mullvad app.
- Android and iOS users, WireGuard is always used so you don’t need to do anything.
- macOS and Linux users, WireGuard is the default protocol.
How many devices can I use WireGuard on?
You can have up to 5 WireGuard keys at a time, each one for a different device, so 5 devices.
What is the development status of WireGuard?
WireGuard is considered stable by its own team and many security experts (including us). This was the case well before its initial implementation into Linux kernel 5.6 in March 2020.
We believe that the security of WireGuard as a protocol and its Linux kernel implementation are superior to all alternatives. Code audits and the project age function as signals for decision makers, but if you look deeper, there are other, stronger signals. The simplicity of the protocol state machine; the fact that it can be implemented without dynamic memory allocation; and the cryptographic primitives used are all arguably equally or more useful.
Even the attack surface is much smaller: WireGuard is written with less than 7,000 lines of code whereas IPSec contains 400,000 lines (OpenVPN is of similar complexity). The more code used, the greater the chance of a vulnerability being present in those lines. With a background in kernel exploit development, we don't expect the creator of WireGuard to have written code that contains 100 times more vulnerabilities than IPSec or OpenVPN.
Is it true that a user's public IP must be logged in order for WireGuard to work?
No. When using WireGuard, your public WireGuard IP address is temporarily left in memory (RAM) during connection. By default, WireGuard deletes this information if this server has been rebooted or if the WireGuard interface has restarted.
For us this wasn't enough, so we added our own solution in that if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.
If you want to hide your public IP even more, use multihopping.
Is logging of any user activity required in order for WireGuard to work?
No. There is never a need to log user activity no matter if you're using OpenVPN or WireGuard.
Does using WireGuard put me at greater risk for leaks?
No, not more than if you're not using WireGuard. Whatever protocol you use for connecting to Mullvad, you should perform a leak test. If you're not safe from WebRTC, take necessary action.
What are your thoughts on the internal WireGuard IP address being static?
We acknowledge that keeping a static IP for each device, even internally, is not ideal.
Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you've installed software that is malicious, it can also leak that information.
And theoretically, a static internal IP that is leaked, together with obtaining a payment record, could help to identify a user. (Dive into the payment info we handle for a fascinating read.)
Having said that, we still believe that WireGuard overall is in a better state than OpenVPN.
Solutions to the problem
You as a user can mitigate this issue in two ways:
- When connected to Mullvad, perform a leak test. If you're not safe from WebRTC leaks, take necessary action.
- Never download and install applications that you don't trust.
The Mullvad VPN app automatically replaces the WireGuard keys once a week (except for the iOS version).
To manually rotate keys and static IP addresses whenever you like, click on the gear icon > Advanced > WireGuard key, then click on Regenerate key. The rotation takes a few seconds.
We also want to see the WireGuard protocol itself improved, which is why we're taking part in the development of WG-dynamic. This implementation will give the ability to dynamically assign a new internal IP every time a connection is made.
Which cryptography is used in WireGuard?
WireGuard utilizes the following protocols and primitives:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539's AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, as described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
- Noise_IK handshake from Noise, building on the work of CurveCP, NaCL, KEA+, SIGMA, FHMQV, and HOMQV.
With WireGuard, all packets are sent over UDP.
The WireGuard website goes into detail on protocol and cryptography.
"WireGuard" is a registered trademark of Jason A. Donenfeld.