In 2015, a new competitor took the stage among VPN protocols: WireGuard®. WireGuard set out to do everything better than the competition by being simple, secure, fast and open. To achieve this goal, WireGuard had to clearly differentiate itself from other protocols.
Alongside the clear benefits WireGuard provides, it also comes with some major drawbacks. In this post, we take a deep dive into the main pros and cons of WireGuard VPN, as well as how it fares against other VPN protocols.
3 main advantages of WireGuard VPN
1. Simplicity
As one of the most popular choices for VPN admins, IPsec is a fairly simple protocol in principle: ESP itself just encrypts and authenticates packets. Its real complexity lies in negotiating the connection details (identities, authentication methods, cipher suites, traffic selectors) via IKEv1 or IKEv2.
In comparison, WireGuard needs nowhere near this level of complexity. It knows exactly one method for exchanging keys (Curve25519 in a Noise-based handshake), one method for authenticating endpoints (each peer's static public key), and one AEAD for encrypting and integrity-protecting data (ChaCha20-Poly1305), so there is nothing to negotiate. Should one of these primitives ever be broken, the fix is a new protocol version that all endpoints must update to, not a new cipher suite option.
The only cryptographic option in the configuration is an optional pre-shared symmetric key that is mixed into the handshake, so that the tunnel stays secure even if the Curve25519 exchange is one day broken by a quantum computer. This too is not negotiated: both sides either use the same pre-shared key or neither uses one, and they must agree on this in advance. A mismatch does not produce an error; the handshake simply never completes.
2. Protocol speed
What about speed? Well, WireGuard is fast. Since there is nothing to negotiate, establishing a WireGuard tunnel means one handshake message each way (a single round trip), after which both sides hold session keys and can send data. Note that there is no explicit "connected" state: the handshake is triggered by the first outgoing packet (or a persistent keepalive), and the interface looks up whether or not the other side has ever answered.
WireGuard runs over UDP and uses a fixed, modern cipher suite (ChaCha20-Poly1305 for packets, BLAKE2s for hashing) that is fast in software even on CPUs without AES hardware acceleration, while still being considered state of the art.
Interestingly, the encryption (ChaCha20) and integrity protection (Poly1305) used by WireGuard are also available to IPsec as an extension (RFC 7634). However, even when IPsec uses the same algorithms, WireGuard typically comes out ahead, as the protocol has less per-packet and handshake overhead and is simpler for CPUs and network stacks to process.
3. Fast setup
All network configuration in WireGuard is static. The client gets the VPN gateway's address and port (Endpoint), its own tunnel IP address (Address), the list of remote networks it should reach through the tunnel (AllowedIPs), and optional DNS settings (DNS), all inside a simple, text-based config file.
This config file also contains the client's own private key (PrivateKey), the public key of the server (PublicKey) and the optional pre-shared key (PresharedKey). Because the private key is in the file, the file, and any QR-code made from it, has to be treated as a secret.
The config file is in fact so small that it fits into a QR-code. This means instead of transferring the VPN configuration by copying a file, it can be transferred by scanning: you install a client, the gateway shows you a QR-code, you scan it, and you are all set. What could be easier than that?
P.S. Want to try it out? Check out our WireGuard VPN configuration guide →
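The whole provisioning step above, as an added example (this is not code from the original post or from the WireGuard project): it generates a device's key pair and pre-shared key, writes the client file and the matching [Peer] stanza for the gateway. WireGuard keys are plain Curve25519 keys, so a small pure-Python X25519 (RFC 7748) stands in for `wg genkey | wg pubkey` and lets the example run offline. The endpoint, addresses and DNS server are assumptions, and the gateway's private key is the RFC 7748 test key, not a real one.

```python
# Added example, not code from the original post or the WireGuard project: build the
# static client config and the matching gateway [Peer] stanza. Endpoint, addresses and
# DNS server are assumed values; SERVER_PRIV is the RFC 7748 test key (Bob's key).
import base64
import os
from typing import Dict, List, Optional

P = 2**255 - 19                      # field prime of Curve25519
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def clamp(k: bytes) -> bytes:
    """Scalar clamping from RFC 7748; `wg genkey` clamps the same way before printing."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return bytes(kb)


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Demonstration only: Python ints are not constant-time."""
    kk = int.from_bytes(clamp(k), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)          # what `wg pubkey` computes


def genkey() -> bytes:
    return clamp(os.urandom(32))               # what `wg genkey` / `wg genpsk` produce


def b64(key: bytes) -> str:
    return base64.b64encode(key).decode()      # the 44-character form used in config files


def client_config(priv: bytes, server_pub: bytes, psk: bytes, address: str,
                  endpoint: str, allowed_ips: List[str], dns: str) -> str:
    """wg-quick style client file: everything is static, nothing is negotiated."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {b64(priv)}",
        f"Address = {address}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {b64(server_pub)}",
        f"PresharedKey = {b64(psk)}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",   # on the client: what is routed into the tunnel
        "PersistentKeepalive = 25",                 # keeps NAT mappings open
    ]) + "\n"


def server_peer(client_pub: bytes, psk: bytes, client_address: str) -> str:
    """The gateway never sees the client's private key. Its AllowedIPs for this peer is the
    client's tunnel address only: packets from this key with any other source are dropped."""
    host = client_address.split("/")[0]
    return "\n".join([
        "[Peer]",
        f"PublicKey = {b64(client_pub)}",
        f"PresharedKey = {b64(psk)}",
        f"AllowedIPs = {host}/32",
    ]) + "\n"


# Assumed deployment values, constructed for this example.
SERVER_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
ENDPOINT = "vpn.example.com:51820"
REMOTE_NETS = ["10.8.0.0/24", "192.168.50.0/24"]


def provision(client_address: str = "10.8.0.2/24", client_priv: Optional[bytes] = None,
              psk: Optional[bytes] = None) -> Dict[str, object]:
    """One new device: fresh key pair and PSK (unless supplied), client file plus gateway stanza."""
    client_priv = client_priv or genkey()
    psk = psk or genkey()
    return {
        "client_priv": client_priv,
        "client_conf": client_config(client_priv, public_key(SERVER_PRIV), psk,
                                     client_address, ENDPOINT, REMOTE_NETS, "10.8.0.1"),
        "server_peer": server_peer(public_key(client_priv), psk, client_address),
    }


if __name__ == "__main__":
    out = provision()
    print(out["client_conf"])      # pipe into `qrencode -t ansiutf8` to get the QR-code
    print(out["server_peer"])      # append to the gateway's wg0.conf, then `wg syncconf`
```

In practice the keys come from `wg genkey | tee client.key | wg pubkey` and the QR-code from `qrencode -t ansiutf8 < client.conf`; the point of the example is what ends up where. The client file holds its private key and the gateway's public key, the gateway only ever receives the client's public key, and the same AllowedIPs keyword means "routes into the tunnel" on the client and "accepted source addresses" on the gateway.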
3 downsides to WireGuard VPN
On first impressions, WireGuard appears to be the perfect VPN protocol in every regard. It does, however, have three practical drawbacks, all of which stem from two features that are standard in other modern VPN protocols but deliberately absent from WireGuard: client provisioning and verification of network parameters.
1. Large scale rollout
Scanning a QR-code to provision the config sounds pretty cool… unless you are an enterprise with 1,000 or more employees and need to deploy a unique VPN configuration, including a unique key pair, to each of their multiple devices, and later revoke it on the gateway when a device is lost or an employee leaves.
With other VPN protocols, all you need to tell users is the address of the VPN gateway. They enter that address into the VPN client, click connect, and are prompted for a username and password, i.e. the same login credentials they already use for pretty much everything else in their company.
Once authenticated, all further VPN configuration is pushed to them by the gateway. The entire process uses user databases that already exist (a directory such as LDAP or Active Directory, or a RADIUS server) and can be based on the network groups that already control network access.
I hear you ask: can't something similar be built for WireGuard? Only by developing some kind of enterprise deployment system that integrates with your existing directory and hands out per-device keys and configs.
However, for this to work, you first have to invest the time and resources into building it, which requires coding skills or programmers to build it for you. Furthermore, if every company developed its own method, we would quickly have countless isolated solutions that are all different and cannot work together, so any interoperability is out the window. And whenever a central company service is replaced, you will need to start from scratch and develop a new solution.
In contrast, other protocols offer you this functionality right out of the box. You don't have to build anything for them and their servers have pre-made plugin interfaces and either ship with plugins for common enterprise solutions, or the vendors of these enterprise solutions will provide plugins for you.
On its own, this pretty much makes WireGuard a no-go for large organizations.
2. Managing configuration updates
The other problem is that WireGuard's network configuration is static. That is not an issue if the configuration never changes, but in the long run that is an unrealistic assumption: a new subnet behind the gateway, a new DNS server or a changed gateway address each means a new AllowedIPs, DNS or Endpoint line. Every time, all employees need to update their VPN config by hand by re-downloading a config file or re-scanning a QR-code.
With client provisioning, the VPN config is managed in a central place and updating all clients is a no-brainer: users do not have to do anything after a config change, as the next time they connect, the updated config is pushed to them automatically.
3. Network configuration
This brings us directly to the final issue with WireGuard: because network parameters are never negotiated or validated, users will not notice that their configuration is outdated.
Other VPN protocols check your configuration and report problems. Even where the configuration cannot be updated automatically, the connection at least fails with an error that tells the user what is wrong, so they can fix it themselves or inform their admin.
In comparison, if you use the wrong tunnel IP address with WireGuard, your client will complete its handshake and look connected, but the gateway silently drops every packet whose source address is not in the AllowedIPs it has for your key, so you cannot reach anything and get no hint why. If the remote networks have changed, the connection comes up just fine but the wrong traffic is routed over the tunnel (or the right traffic is not), and again nothing tells you. If the DNS settings have changed, DNS stops working, and many users cannot distinguish a DNS problem from a routing problem, so they will not suspect the DNS setting.
The WireGuard project does not view this as a priority, as the idea was never to duplicate existing functionality. Routing is controlled by the routing table on the gateway, access restrictions are enforced by the gateway's firewall, and DNS is optional anyway. The only access control WireGuard itself performs is cryptokey routing: each peer's public key is bound to its AllowedIPs, and packets that do not match are dropped without any notification.
With every modern VPN gateway having a routing table and a firewall, there is no need for WireGuard to manage any of this, hence the static configuration. The problem? Neither the routing table nor the firewall will let you know on connect that your VPN settings are wrong; they will just not forward your traffic, forward it incorrectly, or drop it on the spot.
This often results in users contacting the admin with the phrase "My VPN connects but then nothing works", leaving the admin to figure out the problem without any error message beyond the handshake timestamp and byte counters that `wg show` reports.
This again makes WireGuard, on its own, a poor choice in enterprise environments.
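The "my VPN connects but nothing works" triage, as an added example (not code from the original post or the WireGuard project): it reads the tab-separated output of `wg show <interface> dump`, the only diagnostics WireGuard offers, classifies each peer by handshake age and byte counters, and checks the two static-config mistakes described above, a tunnel address the gateway's AllowedIPs does not cover and a destination the client's AllowedIPs does not route. The sample dump, key names, addresses and the "current time" are constructed for the example.

```python
# Added example, not from the original post or the WireGuard project: triage the few
# signals WireGuard gives when "the VPN connects but nothing works". Input is the output
# of `wg show <interface> dump` (tab-separated columns as documented in wg(8)): one
# interface line, then one line per peer. Sample data below is constructed.
import ipaddress
from typing import Dict, List

REJECT_AFTER_TIME = 180   # seconds; WireGuard stops using a session older than this

HINTS = {
    "NO_HANDSHAKE": "no handshake ever: wrong keys or PSK, wrong Endpoint, or UDP blocked by firewall/NAT",
    "STALE_HANDSHAKE": "last handshake is old: peer stopped answering (only a problem if traffic was sent since)",
    "ONE_WAY": "we send, nothing comes back: wrong tunnel IP, gateway AllowedIPs, remote routing or firewall",
    "OK": "tunnel carries traffic both ways: if something still fails, suspect DNS or AllowedIPs",
}


def parse_dump(text: str) -> Dict[str, object]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), lines[0].split("\t")))
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "preshared": f[1] != "(none)",
            "endpoint": f[2],
            "allowed_ips": [n for n in f[3].split(",") if n and n != "(none)"],
            "latest_handshake": int(f[4]),   # unix time, 0 = never
            "rx": int(f[5]),                 # bytes received from this peer
            "tx": int(f[6]),                 # bytes sent to this peer
            "keepalive": f[7],               # "off" or seconds
        })
    return {"interface": iface, "peers": peers}


def triage_peer(peer: Dict[str, object], now: int) -> str:
    """Order matters: a missing handshake is a key/endpoint problem, a completed handshake
    with zero bytes received is a routing/AllowedIPs problem (the keys are fine)."""
    if peer["latest_handshake"] == 0:
        return "NO_HANDSHAKE"
    if now - peer["latest_handshake"] > REJECT_AFTER_TIME:
        return "STALE_HANDSHAKE"
    if peer["tx"] > 0 and peer["rx"] == 0:
        return "ONE_WAY"
    return "OK"


def report(dump: str, now: int) -> List[Dict[str, str]]:
    out = []
    for p in parse_dump(dump)["peers"]:
        status = triage_peer(p, now)
        out.append({"peer": p["public_key"], "status": status, "hint": HINTS[status]})
    return out


def source_allowed(gateway_allowed_ips: List[str], client_address: str) -> bool:
    """Cryptokey routing on the gateway: a decrypted packet is accepted only if its source
    lies inside the AllowedIPs configured for the sending key; otherwise it is dropped
    silently, which is exactly the 'wrong tunnel IP' failure described in the text."""
    ip = ipaddress.ip_interface(client_address).ip
    return any(ip in ipaddress.ip_network(n, strict=False) for n in gateway_allowed_ips)


def routed_via_tunnel(client_allowed_ips: List[str], destination: str) -> bool:
    """On the client, AllowedIPs doubles as the list of routes sent into the tunnel."""
    ip = ipaddress.ip_address(destination)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in client_allowed_ips)


NOW = 1_700_000_000   # constructed "current time" so the sample is reproducible
SAMPLE_DUMP = "\n".join([
    "\t".join(["CLIENT_PRIVATE_KEY", "CLIENT_PUBLIC_KEY", "51821", "off"]),
    # gateway peer: handshake 30 s ago, 8372 bytes sent, nothing received
    "\t".join(["GATEWAY_PUBLIC_KEY", "(none)", "203.0.113.10:51820",
               "10.8.0.0/24,192.168.50.0/24", str(NOW - 30), "0", "8372", "25"]),
])

if __name__ == "__main__":
    for r in report(SAMPLE_DUMP, NOW):
        print(f"{r['peer']}: {r['status']} - {r['hint']}")
    # e.g. the client was handed 10.8.0.7 but the gateway only allows 10.8.0.2/32 for its key
    print("gateway would accept our source:", source_allowed(["10.8.0.2/32"], "10.8.0.7/24"))
    print("192.168.50.20 goes through the tunnel:",
          routed_via_tunnel(["10.8.0.0/24", "192.168.50.0/24"], "192.168.50.20"))
```

A recent handshake with a non-zero tx counter and rx stuck at zero is the signature of the failures the text describes: the keys and endpoint are right (otherwise there would be no handshake at all), but nothing the gateway receives is accepted or routed back. Note that `wg show <interface> dump` prints the interface's private key, so its output is itself sensitive.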
WireGuard: "Triple-F: Fast, Furious, and Feature Incomplete"
So how successful is WireGuard VPN? As mentioned above, there is no doubt that WireGuard VPN has its plus points, particularly for individual users looking for a fast and easy way to connect to their home network. For this reason, you can find WireGuard as a VPN option on many popular consumer devices, including ASUS routers.
In spite of this, some vendors have already decided not to use WireGuard directly but instead to embed it in a proprietary protocol that provides the missing features, client provisioning and verification of connection parameters. In this case, WireGuard is merely the tunnel that carries the traffic: it plays the role that ESP plays in IPsec, while the proprietary protocol plays the role of IKE.
However, this again leads to isolated, vendor-specific protocols that are incompatible with each other and, above all, no longer open. In fact, these protocols are usually not documented in any form, making it impossible to integrate them into third-party solutions, so customers may end up in vendor lock-in, which defeats one of the fundamental goals of the WireGuard protocol.
The goal of WireGuard was never to help vendors develop their own easier, faster VPN protocols, but that's exactly where it might end up in the long run.
In this regard, it could be argued that IPsec and OpenVPN are both better solutions for this use case: IPsec is a truly open, standardized protocol, and OpenVPN, despite its own flaws, has in the meantime received enough features that there is no need to embed it in another protocol. It remains the same open source protocol.
Why VPN Tracker?
VPN Tracker is the best secure remote access solution for Mac, iPhone and iPad and, as well as support for WireGuard VPN, also offers compatibility with all major VPN protocols, including IPsec (IKEv1 + IKEv2), OpenVPN, PPTP, L2TP, and more.
Your VPN Tracker benefits
- Securely connect with your home and office networks
- Use your own gateway
- Preconfigured profiles for 300+ VPN devices
- Expert productivity features for teams
- For Mac, iPhone, iPad
- Explore all features