Testing WireGuard with an early-adopter VPN service
By Jim Salter
Following our earlier WireGuard coverage, commercial VPN provider IVPN's chief marketing officer reached out to me to let me know his company was adding WireGuard support to its offering and asked if I'd be interested in covering the launch. Honestly, I planned to brush him off—there are a million VPN providers out there, and at least 999,000 of them are pretty shady—so I answered with a quick, dirty trick question: what are you doing on the Windows side?
Viktor surprised me with a picture-perfect answer that ruined my plans to get rid of him fast:
Since there is no official support for Windows by WireGuard and they advise against any non-official implementation as per https://www.wireguard.com/install/, we are launching this beta without Windows support [...] We are in contact with the author however and aim to integrate it first thing as they release a package for Windows (they are working on it).
The official Ars stance on VPN recommendations is that we can't recommend anyone whose policies we can't independently verify and whose log retention we can't audit ourselves. This sounds like a cop-out from having to make a recommendation, but this is a service that readers will likely be putting a significant amount of trust in, and it would be irresponsible to give a recommendation that important without being able to provide assurances.
And to be very clear, we are still not recommending either IVPN or any other commercial VPN provider directly—but knowing and respecting the WireGuard project's official guidelines, even when that meant minimizing the impact of its own product launch, made me a lot more interested in taking a look at what IVPN is doing.
Fantastic tunnels and where you can find them
IVPN isn't the first commercial VPN provider to offer WireGuard connectivity. To the best of my knowledge, that would be a widely respected and unusually tech-friendly Swedish provider, Mullvad, which began offering WireGuard support almost a year ago. What makes IVPN's WireGuard support launch news despite being a year behind Mullvad? Simplicity. While Mullvad (and another Swedish provider, AzireVPN) will offer you a working key that you can use with your own WireGuard client and config files, IVPN is offering you a dead-simple, user-friendly, tap-it-and-it-works application requiring no personal technical ability from the end user.
The sharper-eyed among you might notice something else IVPN is bringing to the table, and it's a doozy: the first widely available iOS implementation of WireGuard. WireGuard's Jason Donenfeld has had iOS client code in his Git repo for some time now, but for most of us, that's been a purely academic curiosity—getting a non-Apple-approved app running on iOS is a non-trivial task, much more difficult than side-loading APKs on an Android device. Donenfeld made a TestFlight release for the stock WireGuard iOS app available in November. The release cut down the difficulty of getting the code working on an iPhone or iPad considerably, but IVPN's effort is still the only WG client available in the App Store itself.
This brings the list of WireGuard-supported platforms out to, effectively, "everything but Windows." IVPN itself offers support in its easy-mode app for macOS, Android, and iOS (all of which I directly tested). It also offers basic "here's your key" support for Linux, BSD, or any other platform that you've got your own working WireGuard client running on.
I also tested IVPN's WireGuard functionality on a Linux workstation—it worked fine, which wasn't a surprise; what was a mild surprise was that IVPN's framework still made the process a touch quicker and easier than rolling my own. In your own "clientarea" on IVPN's website, you can feed it a public key you generated locally, and it'll automatically set up everything necessary on the back end for you to connect to. The site will also provide you with a boilerplate WireGuard config file into which you can paste your private key and the IP address the site has given you.
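The "bring your own key" flow described above is easy to script. The following is an added example, not IVPN's or the WireGuard project's own tooling: it generates a keypair with the real wg(8) tool, sanity-checks the key format, and emits the kind of boilerplate config the site hands back, with your private key and assigned tunnel address pasted in. The endpoint `vpn.example.net:51820`, the tunnel address `10.0.0.2/32` and the server public key used in the demo are constructed placeholders; the real values come from your provider's client area.

```shell
#!/bin/sh
# Added example: build a WireGuard client config from a locally generated key.
# Endpoint, server public key and tunnel address are constructed placeholders.
set -eu

# Generate a keypair with wg(8). The private key never leaves this machine;
# only publickey is pasted into the provider's web form.
gen_keypair() {          # gen_keypair <dir>
  umask 077              # private key file must not be readable by others
  wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
}

# Format check for a WireGuard key: 32 bytes, base64-encoded = 43 chars + '='.
# This catches paste errors (truncation, stray whitespace), not weak keys.
valid_wg_key() {         # valid_wg_key <key>
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Emit a wg-quick style client config on stdout.
# Arguments: private key, tunnel address (as assigned by the provider),
# server public key, server endpoint host:port.
make_wg_config() {
  priv=$1; addr=$2; peer=$3; endpoint=$4
  valid_wg_key "$priv" || { echo "bad private key" >&2; return 1; }
  valid_wg_key "$peer" || { echo "bad peer public key" >&2; return 1; }
  cat <<EOF
[Interface]
PrivateKey = $priv
Address = $addr

[Peer]
PublicKey = $peer
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}

# Stand-alone demo: ./wgcfg.sh demo > wg0.conf
if [ "${1:-}" = "demo" ]; then
  if command -v wg >/dev/null 2>&1; then
    dir=$(mktemp -d)
    gen_keypair "$dir"
    priv=$(cat "$dir/privatekey")
  else
    # wg not installed: use a constructed all-zero key purely for illustration
    priv=$(head -c 32 /dev/zero | base64)
  fi
  # Constructed placeholder server key; a real one comes from the provider.
  server_pub=$(head -c 32 /dev/zero | base64)
  make_wg_config "$priv" 10.0.0.2/32 "$server_pub" vpn.example.net:51820
fi
```

`AllowedIPs = 0.0.0.0/0, ::/0` routes all traffic through the tunnel, matching the "all traffic routed over a WireGuard tunnel" setup tested in the article; narrow it to the provider's subnet if you only want split tunnelling. Keep the resulting file mode 600, since it contains the private key.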
Is it fast?
WireGuard itself has the potential to be faster than IPSec or OpenVPN, especially on slower devices. But in my experience, it isn't really there yet. To realize the full potential, it'll need to run in kernel mode instead of user mode. That isn't the case so far on either of the major mobile platforms, whether you're using Donenfeld's stock WireGuard app or IVPN's new easy-mode app.
However, as a pretty heavy VPN user, I'm happy to report that I am already seeing a significant decrease in battery usage. My Huawei Mediapad M5 Android tablet still likes to warn me that WireGuard wakes up the tablet more frequently than it prefers, but I don't see any significant difference in experienced battery life whether the app is running or not. By contrast, with an OpenVPN tunnel active and significant Web-browsing use, battery life would go down from a couple of days to no more than four or five hours on either the MediaPad M5 or my Pixel 2XL.
WireGuard also still offers near-magical connection times for those who have to make and break their VPN connections frequently. In my experience, OpenVPN and IPSec tunnels generally require somewhere between eight seconds and 30+ seconds to establish a tunnel, during which time the user must twiddle his or her thumbs and stare uncertainly at a very techy-looking dialog. WireGuard, by contrast, connects in 0.2 seconds or less, every time. No scary dialog talking about key exchanges and whether or not the perfect forward secrecy is perfect enough; just tap—connected—done.
But we're not just talking about WireGuard now—we're talking about IVPN's service as well. The fastest VPN protocol in the world won't help if your provider has slow or crappy servers. Again, Ars Technica as a matter of policy does not recommend this or any other commercial VPN provider—but with that said, IVPN looked good in my testing.
Running tests on a wired connection from my Linux workstation, there wasn't enough difference to easily spot which one was the VPN and which one was the bare connection—the IVPN test had slightly lower download throughput but slightly higher upload throughput. Both tests demonstrated excellent latency and no bufferbloat issues.
Running speed tests again on a mobile device over Wi-Fi, there still wasn't much to see—which is a positive thing. Over a 2.4GHz Wi-Fi connection 20 feet, a wall, and some furniture away from the AP, my Huawei Mediapad M5 managed a little more than 35Mbps over bare Wi-Fi. With all traffic routed over a WireGuard tunnel, it got a little less than 30Mbps. That's not enough of a throughput difference to notice if you're not staring obsessively at a speed test; and more importantly, there wasn't much change in latency. This is a thoroughly usable VPN session, with no real impact on browsing quality.
The only problem I had while testing the IVPN connection happened while literally writing this article: Ars Technica's CMS correctly recognized IVPN's back-end IP address as something inside a data center and immediately kicked me out of the system as a suspected interloper.
This isn't really a black mark against IVPN; modern Internet services are, on the whole, extremely effective at identifying the difference between automated data centers and residential or business IP blocks that are expected to have actual humans operating Web browsers behind them. Services that are suspicious of attacks and shenanigans are quick to block "browsing" traffic coming from a data center; I had the same issue with my own personal WireGuard and OpenVPN tunnels, with an exit point in a Linode data center. (This is also likely to bite you if you try to use a VPN provider to "region shift" in order to acquire video content that isn't available in your home country.)
Is it secure?
There are two major questions you must ask about a VPN's security and privacy: one about the technology in question and one about the provider. Trusting WireGuard itself right now is a bit of a mixed bag—we know that it was carefully designed with the primary goal of maximum security no matter what, using the algorithms that cryptography experts broadly agree are the best available:
WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical white paper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.
But we also know that WireGuard is a relatively new project by comparison to its elders, and it comes with a warning label:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing, and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.
IVPN seems to be following a long tradition of Unix-like applications that shout, "I'm beta, don't use me!" for long periods of time despite successful, widespread use. (The dovecot IMAP server, which much of the world used in wide production for years before its official 1.0 release, is a great example.) I've been impressed with WireGuard's stability and lack of apparent bugs compared to existing technologies in my evaluation of it so far, but you buy your ticket and you take your chances. No warranty, express or implied—it says "beta" on the tin, and any poor outcomes are all on you.
Is it private?
Have we mentioned yet that Ars Technica does not endorse any commercial VPN provider? Oh, we have? Well, good then. We still don't. We tend to trust general-purpose VM providers like Linode or Digital Ocean more than we trust VPN providers, for myriad reasons we've laid out in our roll-your-own OpenVPN guide earlier. No matter what you do, at absolute best a VPN doesn't solve your (in)security problems. It just kicks the can down the road a bit. So instead of being insecure across your local coffee shop Wi-Fi or across your sketchy local ISP's backbone, now you're insecure on the way out of somebody's data center.
Although we don't, can't, and won't recommend a commercial VPN provider, in my opinion IVPN is at the very least making the right noises. When I asked Viktor about things like warrant canaries, logging policies, and more, he pointed me to an already-existing trust document, which very clearly and directly lays out everything from company ownership information, to marketing practices, to legal compliance policies, and more. The document was produced specifically to comply with the Center for Democracy and Technology's guidelines to demonstrate a commitment to consumer privacy and trustworthiness for VPN providers.
The company also has a transparency report online offering some minimal, barebones information about how many government or law enforcement requests it has received, how many were valid, and how many resulted in providing the agency with data (two, none, and none so far). IVPN has not had an open third-party audit done yet; the company says it has plans for one and has tentatively scheduled publishable results in February.
Without that audit, of course, there's nothing to say that IVPN is not all a clever fake. All we can really say for now is that the company clearly at least understands and takes seriously the issues at hand.
The real story here is probably not about IVPN itself as much as it's about the continuing evolution and spread of the WireGuard protocol. WireGuard still needs an official Windows port, and it's still waiting to be formally merged into the Linux kernel; it missed the deadline for 4.20 and may or may not get merged for 4.21. But IVPN's integration marks a significant milestone in terms of actual consumer adoption whose importance shouldn't be understated—there's a difference between "easy for a VPN" and "easy for end users." IVPN's offering makes the latter a reality for WireGuard for the first time.
I'm in the process of migrating a fairly substantial 24/7/365 monitoring network from OpenVPN to WireGuard, and so far, so good—I'm seeing significantly more reliable connectivity and a lot of niggling problems solved. That project is still in its early days, but it's looking great so far. I'll circle back to the topic for a full report here at Ars Technica on my own WireGuard use in Q1 2019.