Sep 1, 2018

WireGuard - the new VPN kid on the block

Having tried my hand with OpenVPN to provide a secure Internet connection for my gadgets while travelling, I was less than impressed by the throughput on the Raspberry Pi. At a measly 3 Mbps, it was simply not good enough.

I had heard about WireGuard almost a year back, but last week's Ars Technica article rekindled my interest. Many others have also tried their hands, and it looks like it's all set to take over the VPN landscape. Major benefits include a much simplified setup (compared to the maze that is OpenVPN), superior performance (throughput much greater than others), and a much smaller codebase (only 4,000 lines of code, compared to 600,000 for OpenVPN and 400,000 for IPsec), which theoretically translates into a reduced attack surface, among others.

I spun up a VPS instance and installed WireGuard. From install to setup on both server and client, it literally took less than 10 minutes and I had a working connection on my Android phone. A quick test indicates almost 4-5 times faster speeds than OpenVPN, and a nearly instantaneous connection against the roughly 8-10 seconds for OpenVPN. Another major benefit seems to be that the protocol is not chatty, and packets need not be sent regularly to keep the connection alive - a major concern for mobile devices with batteries that drain quickly. It also promises full IP roaming on both peers (the term WireGuard uses for both 'server' and 'client'), which is again significant when switching between WiFi and cellular connections, where each transition would otherwise have initiated a full renegotiation of the session.

WireGuard is still under heavy development, and I couldn't find a package for the Raspberry Pi yet, although it can be compiled. The Android release is very basic and experimental. However, WireGuard could soon be integrated into the Linux kernel itself, giving it much needed code review and mainstream acceptance. Even Linus himself seems to be a fan.