What is WireGuard?

Reading: 3 mins
Category: Proton VPN Features

WireGuard® is a new VPN protocol used to secure the connection between your device and a VPN server.

Learn more about how VPNs work(new window)

WireGuard uses state-of-the-art cryptography to keep your connection secure and, at just a few thousand lines of code, it is extremely lightweight. This makes it faster than traditional VPN protocols such as OpenVPN and IKEv2, especially on lower-end hardware

Originally developed for Linux, WireGuard was officially integrated into the Linux kernel (versions 5.6+) in March 2020, marking it as a secure, stable, and fast VPN protocol suitable for daily use. The main benefits of WireGuard are:

Fast
Instant connection
Lightweight

Proton VPN now supports WireGuard on the following platforms:

Windows
macOS
Android
iOS/iPadOS

Learn how to change VPN protocols or select Smart Protocol(new window)

Secure

Although itself new, WireGuard uses proven state-of-the-art cryptographic primitives to secure your VPN connection.

ChaCha20(new window) — A symmetric key cipher(new window). Much like AES on OpenVPN and IKEv2, ChaCha20 secures your actual data.
Poly1305(new window) — A message authentication code(new window) (MAC) used to authenticate WireGuard connections.
Curve25519(new window) — An elliptic curve(new window) used by the Elliptic-curve Diffie–Hellman(new window) (ECDH) protocol to secure the TLS key exchange. This ensures your connection to our VPN servers is secure.
SipHash(new window) — An XOR(new window)-based pseudorandom hash function used to securely map hash table(new window) keys.
BLAKE2(new window) – A cryptographic hashing function used to verify data.

Private

Proton VPN’s implementation of the protocol uses double-NAT to dynamically provision sessions. This ensures the same level of privacy when using WireGuard as when using OpenVPN or IKEv2. We do not store your IP address and our strict no-logs policy(new window), which has been verified by external experts(new window), fully applies.

Learn more about how Proton VPN protects your privacy with WireGuard(new window)

Fast

Unlike the AES encryption usually used by OpenVPN, where hardware support is often built into processors, WireGuard currently enjoys no hardware support. Despite this, WireGuard performance is comparable(new window) to hardware-accelerated AES(new window) (AES-NI).

As with all VPN protocols supported by Proton VPN, WireGuard fully benefits from our unique VPN Accelerator(new window) technology that can dramatically improve connection speeds over long distances or when there is high packet loss.

Efficient

Low CPU usage translates into better battery life for users running our apps on mobile devices and laptops.

Instant connection

On Android and iOS devices, WireGuard takes less than 1 second to establish a VPN connection.

Open source and audited

Much like all Proton VPN’s apps, WireGuard is open-source software(new window) that can be audited by anyone to ensure it is secure. Indeed, the fact that the protocol consists of under 4000 lines of code (compared to over 300,000 for OpenVPN) makes it very easy to audit.

WireGuard has undergone various formal verifications, and to be incorporated in the Linux kernel, the WireGuard Linux codebase was independently audited(new window) by a third party.

Unlike some of our competition, our open-source implementation of WireGuard is 100% compatible with the official version.

FAQ

Can WireGuard hide the fact that I’m using a VPN?

WireGuard uses UDP(new window), and does not support use over TCP. This makes it less effective at obfuscation than OpenVPN. Although occasionally useful for defeating censorship, the WireGuard developers opted not to support tunneling through TCP because running TCP-over-TCP is hugely inefficient.(new window)

However, it is possible to add obfuscation techniques on top of WireGuard for greater resistance to censorship.

Does WireGuad support cost extra?

No. WireGuard is available for free to all Proton VPN users in our Windows, macOS, Android, and iOS./iPadOS apps.

Are all features available with WireGuard?

Yes. WireGuard is fully integrated into our apps and can be used with all features supported by them. This includes Secure Core(new window), Adblocker(new window) (NetShield), DNS leak protection(new window), IPv6 leak protection(new window), kill switch(new window), permanent kill switch(new window) (Windows), alternative routing(new window), and VPN Accelerator(new window).

How do I use WireGuard?

WireGuard support is also fully integrated into our Smart Protocol(new window) feature which automatically switches your connection to the best protocol for your situation. Smart Protocol is enabled by default, so you don’t need to do anything to automatically use the best protocol (including WireGuard) for your needs.

You can also manually select WireGuard if you prefer.