The personal blog of Arthur Khessin

Why Not WireGuard

With the increasing share of remote work, the question of the right VPN protocol comes up more frequently. The “new” kid on the block is WireGuard.

Benchmark values speak clearly: compared to OpenVPN, there is a factor-of-4 improvement in bandwidth. Now we're talking!

Yes… but, says Michael Tremer from the IPFire blog (a network security guru).

It is not very hard for me to conclude that WireGuard is not ready – yet. It has been drafted as a lightweight and fast solution to some problems of the existing solutions. Unfortunately it has sacrificed many features that will be relevant for many users and therefore will not be able to replace IPsec and OpenVPN. For that we need to add at least IP address assignment, pushing configuration like DNS servers and routes. Obviously this needs cipher negotiation, too. Security is my top priority and I have currently no reason to believe that IKE or TLS are intrinsically broken. Modern ciphers are supported in both of them and they have all been audited over decades. Just because something is newer, does not mean that it is better. Interoperability is important when you connect with third parties that you do not control. IPsec is established as the de-facto standard and is supported virtually everywhere. It works. As it looks, WireGuard might not even be compatible with itself in the future. Cryptography breaks and things need to be replaced and updated. Denying any of this and still wanting to use WireGuard to connect your iPhone to your home is a masterclass of putting your head in the sand.

Source: (highly recommended read)
