WireGuard® is a new VPN protocol used to secure the connection between your device and a VPN server.
WireGuard uses state-of-the-art cryptography to keep your connection secure and, at just a few thousand of code, it is extremely lightweight. This makes it faster than traditional VPN protocols such as OpenVPN and IKEv2, especially on lower-end hardware
Originally developed for Linux, WireGuard was officially integrated into the Linux kernel (versions 5.6+) in March 2020, marking it as a secure, stable, and fast VPN protocol suitable for daily use. The main benefits of WireGuard are:
- Instant connection
ProtonVPN now supports WireGuard on the following platforms:
Although itself new, WireGuard uses proven state-of-the-art cryptographic primitives to secure your VPN connection.
- ChaCha20 — A symmetric key cipher. Much like AES on OpenVPN and IKEv2, ChaCha20 secures your actual data.
- Poly1305 — A message authentication code (MAC) used to authenticate WireGuard connections.
- Curve2551 — An elliptic curve used by the Elliptic-curve Diffie–Hellman (ECDH) protocol to secure the TLS key exchange. This ensures your connection to our VPN servers is secure.
- SipHash — An XOR-based pseudorandom hash function used to securely map hash table keys.
- BLAKE2 – A cryptographic hashing function used to verify data.
ProtonVPN’s implementation of the protocol uses double-NAT to dynamically provision sessions. This ensures the same level of privacy when using WireGuard as when using OpenVPN or IKEv2. We do not store your IP address and our strict no-logs policy fully applies.
Unlike the AES encryption usually used by OpenVPN, where hardware support is often built into processors, WireGuard currently enjoys no hardware support. Despite this, WireGuard performance is comparable to hardware-accelerated AES (AES-NI).
As with all VPN protocols supported by ProtonVPN, WireGuard fully benefits from our unique VPN Accelerator technology that can dramatically improve connection speeds over long distances or when there is high packet loss.
Low CPU usage translates into better battery life for users running our apps on mobile devices and laptops.
On Android and iOS devices, WireGuard takes less than 1 second to establish a VPN connection.
Open source and audited
Much like all ProtonVPN’s apps, WireGuard is open-source software that can be audited by anyone to ensure it is secure. Indeed, the fact that the protocol consists of under 4000 lines of code (compared to over 300,000 for OpenVPN) makes it very easy to audit.
WireGuard has undergone various formal verifications, and to be incorporated in the Linux kernel, the WireGuard Linux codebase was independently audited by a third party.
Unlike some of our competition, our open-source implementation of WireGuard is 100% compatible with the official version.
Can WireGuard hide the fact that I’m using a VPN?
WireGuard uses UDP, and does not support use over TCP. This makes it less effective at obfuscation than OpenVPN. Although occasionally useful for defeating censorship, the WireGuard developers opted not to support tunneling through TCP because running TCP-over-TCP is hugely inefficient.
However, it is possible to add obfuscation techniques on top of WireGuard for greater resistance to censorship.
Does WireGuad support cost extra?
No. WireGuard is available for free to all ProtonVPN users in our Windows, macOS, Android, and iOS./iPadOS apps.
Are all features available with WireGuard?
Yes. WireGuard is fully integrated into our apps and can be used with all features supported by them. This includes Secure Core, Adblocker (NetShield), DNS leak protection, IPv6 leak protection, kill switch, permanent kill switch (Windows), alternative routing, and VPN Accelerator.
How do I use WireGuard?
WireGuard support is also fully integrated into our Smart Protocol feature which automatically switches your connection to the best protocol for your situation. Smart Protocol is enabled by default, so you don’t need to do anything to automatically use the best protocol (including WireGuard) for your needs.
You can also manually select WireGuard if you prefer.