Page 58 - Cyber Defense Magazine for August 2020

on the security track, with WireGuard being a more recent addition compared to the likes of OpenVPN, it
            has benefitted from being built from the ground up to support more modern encryption methods and hash
            functions.


            Telling it straight
            Taking all of these benefits into account, recent media coverage and some claims have certainly been a
            cause to raise eyebrows. Let’s take a look at just a few of the myths that have been circulating in recent
            weeks and months so that you can better understand exactly what WireGuard can deliver.

            Fixed IP address

            So does WireGuard insist that each device on the network get a fixed IP address? No, not really. In fact,
            it doesn’t really demand anything and largely performs in a similar fashion to any other protocol, operating
            as a versatile cryptographic piece of a larger puzzle called a VPN tunnel. It's more useful to think about
            how you manage it. If you use a simple or rigid setup, this requires static IPs on the servers. However, it
            can be managed in a more dynamic fashion. WireGuard is able to perform just like any other VPN protocol
            by adding IPs when they're needed and getting rid of them as soon as the VPN session is concluded.
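The dynamic management described above can be sketched as a small lease manager. This is an added example, not code from the article or from the WireGuard project: it only builds the `wg set` command lines a server-side session handler would run, and the interface name, subnet and peer keys are constructed placeholders.

```python
import ipaddress
from collections import deque


class DynamicPeerPool:
    """Lease a tunnel address per VPN session and build the matching wg(8) argv."""

    def __init__(self, interface, cidr):
        hosts = list(ipaddress.ip_network(cidr).hosts())  # fine for small pools
        self.interface = interface
        self.server_ip = hosts[0]      # first host address stays with the server
        self.free = deque(hosts[1:])   # addresses available to clients
        self.leases = {}               # public key -> leased address

    def connect(self, pubkey):
        """Session start: lease an address, return the command that adds the peer."""
        if pubkey not in self.leases:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            self.leases[pubkey] = self.free.popleft()
        ip = self.leases[pubkey]
        return ["wg", "set", self.interface, "peer", pubkey,
                "allowed-ips", f"{ip}/32"]

    def disconnect(self, pubkey):
        """Session end: drop the key-to-address mapping and remove the peer."""
        ip = self.leases.pop(pubkey, None)
        if ip is None:
            return None                # unknown or already-closed session
        self.free.append(ip)           # back of the queue, so it is reissued last
        return ["wg", "set", self.interface, "peer", pubkey, "remove"]


def demo():
    # Constructed sample values: interface, subnet and keys are placeholders.
    pool = DynamicPeerPool("wg0", "10.8.0.0/29")
    commands = [pool.connect("PEER_KEY_A_PLACEHOLDER"),
                pool.connect("PEER_KEY_B_PLACEHOLDER"),
                pool.disconnect("PEER_KEY_A_PLACEHOLDER"),
                pool.connect("PEER_KEY_C_PLACEHOLDER")]
    return commands, {k: str(v) for k, v in pool.leases.items()}


if __name__ == "__main__":
    commands, active = demo()
    for argv in commands:
        print(" ".join(argv))
    print("active leases:", active)
```

After a session ends, the server holds no record tying that public key to a tunnel address, and the released address goes to the back of the queue so it is not handed straight to the next client.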



            Server Communication and data exchange
            Can WireGuard offer a considerable change to the way servers communicate with each other?
            Again, not really; it operates in a similar fashion to all the other protocols. What about the exchange and
            verification of data? Is it the case that WireGuard sticks to strong but simple ways of exchanging and
            verifying data? In fact, WireGuard only supports one method of key exchange, and there is only support for
            one AEAD. Other protocols support a profusion of cryptosystems but tend to settle on AES. AES is not
            flawed; no exploit has been found yet. Also, the AES256 cipher is cryptographically stronger than ChaCha20,
            which is used by WireGuard. However, it is computationally expensive when compared to ChaCha20.
            ChaCha20 offers the best bang for the buck. One could argue that the Poly1305 MAC is stronger than
            GHASH, but then again we come to the point of the whole AES-GCM construct being supported in Intel’s
            hardware.

            Internet Speed

            When we talk about who is quick and who is slow, are other protocols more sluggish than WireGuard?
            Would you see a dramatic increase in speed by adopting WireGuard? Essentially, some VPN protocols
            are slower, but this is almost entirely down to circumstances and not really related to crypto. If you are
            connecting through a dialup modem, for example, then speedy crypto becomes a moot point. Additionally,
            if you are a provider that supports much faster protocols then WireGuard isn't going to be able to deliver
            on impressive speed promises.


            Our measurements show that OpenVPN usually outperforms WireGuard by at least 10 percent (on the
            Windows platform when the WinTUN driver is used and when the OS is running on an Intel CPU). On Linux,
            again on an Intel CPU, WireGuard outperforms OpenVPN significantly (by more than 40 percent), but it is still
            significantly slower than IPSec (by more than 10 percent). These measurements were performed on a
            1 Gigabit LAN since such a speed is commercially available for our customers. On 10 Gigabit Ethernet,
            OpenVPN pales in comparison with WireGuard as it is about 10 times slower. IPSec, on the other hand,
            outperforms WireGuard by more than 30 percent when AES is used as a symmetric algorithm.





            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.