How private is WireGuard?


WireGuard® is a new VPN protocol that is lightweight, fast, and secure. By default, there are some potential privacy issues with WireGuard, but Proton VPN’s implementation of the protocol uses unique technical solutions to safeguard your privacy.

Which implementation of WireGuard does Proton VPN use?

Proton VPN uses a specially modified version of the WireGuard implementation built into the Linux kernel. Our modifications are designed to enhance performance and privacy while maintaining full compatibility.

Do you store the IP addresses of users on your servers?

No matter which VPN protocol you use, we do not store your IP address. Our WireGuard implementation follows our strict no-logs policy, which has been verified by independent experts.

Do you keep logs of WireGuard sessions?

No. Despite claims made by other VPN providers, WireGuard does not necessarily create logs, and we do not store any IP addresses on our servers.

The misconception that WireGuard inevitably generates logs is probably based on the fact that, by default, it requires a static (and therefore identifiable) connection between the VPN app and the VPN server. To get around this, we hardcoded our apps to begin every WireGuard VPN connection using the same internal IP address (10.2.0.2).

To allow more than two people to be connected to the same VPN server at the same time on WireGuard, we use double network address translation (NAT) to dynamically provision sessions.

This means when your app connects to one of our VPN servers via WireGuard, the first NAT will rewrite the 10.2.0.2 IP address to a random but unique internal IP address that is assigned to your session. From this point on, WireGuard works like any other VPN: The second NAT rewrites your session IP address again to the VPN server’s public IP address before it connects to your desired website.

Diagram explaining double-NAT
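
The double-NAT flow described above, modeled in Python as an added example; it is not Proton VPN's code. The session pool 10.64.0.0/24, the public address 203.0.113.10, the port numbering and the peer labels are assumptions made for the illustration.

```python
import ipaddress
import secrets

CLIENT_IP = "10.2.0.2"      # fixed address every app starts with (from the article)
PUBLIC_IP = "203.0.113.10"  # assumed: documentation-range stand-in for the server's public IP
POOL = ipaddress.ip_network("10.64.0.0/24")  # assumed pool of per-session addresses


class DoubleNat:
    """Toy model of one VPN server; 'peer' stands for an authenticated WireGuard peer."""

    def __init__(self):
        self.free = [str(h) for h in POOL.hosts()]
        self.session_ip = {}    # first NAT: peer -> random, unique session address
        self.flows = {}         # second NAT: public port -> (peer, client port)
        self.next_port = 40000  # assumed starting port for outbound flows

    def connect(self, peer):
        # Pick an unused session address at random; the model keeps it only in memory.
        self.session_ip[peer] = self.free.pop(secrets.randbelow(len(self.free)))
        return self.session_ip[peer]

    def outbound(self, peer, src_ip, src_port):
        if src_ip != CLIENT_IP:
            raise ValueError("clients always send from 10.2.0.2")
        inner = self.session_ip[peer]         # first NAT: 10.2.0.2 -> session IP
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[port] = (peer, src_port)   # second NAT: session IP -> public IP
        return inner, (PUBLIC_IP, port)

    def inbound(self, public_port):
        # Replies are mapped back through both NATs to the right tunnel.
        peer, client_port = self.flows[public_port]
        return peer, (CLIENT_IP, client_port)

    def disconnect(self, peer):
        # Ending the session frees the address and drops every mapping for it.
        self.free.append(self.session_ip.pop(peer))
        self.flows = {p: f for p, f in self.flows.items() if f[0] != peer}


if __name__ == "__main__":
    nat = DoubleNat()
    for peer in ("peer-A", "peer-B"):  # constructed peers, same source address
        nat.connect(peer)
        print(peer, nat.outbound(peer, CLIENT_IP, 51000))
```

Both constructed peers send from 10.2.0.2 and the same source port, yet each gets a distinct session address, and the destination only ever sees the public address with a different port per flow.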

This technological innovation is how we are uniquely able to provide the publicly audited security and performance of WireGuard, without privacy trade-offs.

TL;DR

When you connect to our VPN server via WireGuard, your device can only see the IP address 10.2.0.2, and the website you visit can only see the public IP address of our VPN server. Your true IP address remains secure and private, just as it would with OpenVPN.

Does WireGuard benefit from Proton VPN’s VPN Accelerator technology?

Yes. Our unique VPN Accelerator technology can improve speeds by over 400% and is particularly effective over large distances. It is free to all Proton VPN users, available in all Proton VPN apps, and works with all supported VPN protocols, including WireGuard.