Editor’s note: This article was originally published in March 2019. ExpressVPN has since developed Lightway, a VPN protocol that we built from the ground up to meet the privacy, security, and performance needs of our users. While we have a lot of respect for WireGuard, we felt it wasn’t really designed for a large VPN network with privacy and security as the first principle, and we won’t be adding it to our protocol selections. Find out more about Lightway. Also check out this short video in which we answer the question: Why not WireGuard?
WireGuard® is a free and open-source VPN protocol originally written by Jason A. Donenfeld (you can support WireGuard in its efforts here) and currently developed by Edge Security LLC. WireGuard works directly at the kernel level of a device’s operating system, making it possible to encrypt and decrypt data more quickly and securely, and with fewer risks of leaks, than other VPN protocols.
The hope is that WireGuard can establish itself as a widespread protocol that makes VPN connections ubiquitous (including on mobile phones and the Internet of Things) without the risk of arbitrary disconnects or high battery usage.
It’s exciting to see such significant improvements, and, understandably, many are excited about seeing this protocol deployed commercially. We at ExpressVPN are frequently asked about our immediate plans and opinions on WireGuard, and we’d like to take the opportunity to clarify our position.
WireGuard: A great idea in development
WireGuard is easier to set up and handle than other VPN protocols, although more development is required before it’s ready for a large production environment with countless users.
This is an opinion shared by the developers of WireGuard, who state on their website:
One of the challenges WireGuard faces is to ensure anonymity for VPNs. No single user should be statically allocated a single IP address, either on a public or on a virtual network. A user’s internal IP address might be discovered by an adversary (through WebRTC, for example), who might then be able to match it with records acquired from a VPN provider (through theft, sale, or legal seizure). A good VPN must be unable to match such an identifier to a single user. Currently, this setup is not easily achieved with WireGuard.
ExpressVPN will be supporting efforts to review and audit the WireGuard code, as we have done in the past with OpenVPN. We will contribute code and report bugs whenever we can and raise security and privacy concerns directly with the development team. And, due to WireGuard’s reduced complexity, any public audit will be more comprehensive and provide a higher level of assurance.
On Android, Linux, Mac, and routers, WireGuard performs very well. ExpressVPN puts the security and privacy of its users first, though, so we will await further testing before we roll out WireGuard to our large customer base.
WireGuard is a registered trademark of Jason A. Donenfeld.