WireGuard for the masses

Testing WireGuard with an early-adopter VPN service

Veteran VPN provider IVPN launches in-app WireGuard support.

We don't recommend specific VPN solutions, but we sure like analyzing them.

Following our earlier WireGuard coverage, commercial VPN provider IVPN's chief marketing officer reached out to me to let me know his company was adding WireGuard support to its offering and asked if I'd be interested in covering the launch. Honestly, I planned to brush him off—there are a million VPN providers out there, and at least 999,000 of them are pretty shady—so I answered with a quick, dirty trick question: what are you doing on the Windows side?

Viktor surprised me with a picture-perfect answer that ruined my plans to get rid of him fast:

Since there is no official support for Windows by WireGuard and they advise against any non-official implementation as per https://www.wireguard.com/install/, we are launching this beta without Windows support [...] We are in contact with the author however and aim to integrate it first thing as they release a package for Windows (they are working on it).
Viktor Vecsei, IVPN CMO

The official Ars stance on VPN recommendations is that we can't recommend anyone whose policies we can't independently verify and whose log retention we can't audit ourselves. This sounds like a cop-out from having to make a recommendation, but this is a service that readers will likely be putting a significant amount of trust in, and it would be irresponsible to give a recommendation that important without being able to provide assurances.

And to be very clear, we are still not recommending either IVPN or any other commercial VPN provider directly—but knowing and respecting the WireGuard project's official guidelines, even when that meant minimizing the impact of its own product launch, made me a lot more interested in taking a look at what IVPN is doing.

Fantastic tunnels and where you can find them

IVPN isn't the first commercial VPN provider to offer WireGuard connectivity. To the best of my knowledge, that would be a widely respected and unusually tech-friendly Swedish provider, Mullvad, which began offering WireGuard support almost a year ago. What makes IVPN's WireGuard support launch news despite being a year behind Mullvad? Simplicity. While Mullvad (and another Swedish provider, AzireVPN) will offer you a working key that you can use with your own WireGuard client and config files, IVPN is offering you a dead-simple, user-friendly, tap-it-and-it-works application requiring no personal technical ability from the end user.

The sharper-eyed among you might notice something else IVPN is bringing to the table, and it's a doozy: the first widely available iOS implementation of WireGuard. WireGuard's Jason Donenfeld has had iOS client code in his Git repo for some time now, but for most of us, that's been a purely academic curiosity—getting a non-Apple-approved app running on iOS is a non-trivial task, much more difficult than side-loading APKs on an Android device. Donenfeld made a TestFlight release for the stock WireGuard iOS app available in November. The release cut down the difficulty of getting the code working on an iPhone or iPad considerably, but IVPN's effort is still the only WG client available in the App Store itself.

This brings the list of WireGuard-supported platforms out to, effectively, "everything but Windows." IVPN itself offers support in its easy-mode app for macOS, Android, and iOS (all of which I directly tested). It also offers basic "here's your key" support for Linux, BSD, or any other platform that you've got your own working WireGuard client running on.

I also tested IVPN's WireGuard functionality on a Linux workstation—it worked fine, which wasn't a surprise; what was a mild surprise was that IVPN's framework still made the process a touch quicker and easier than rolling my own. In your own "clientarea" on IVPN's website, you can feed it a public key you generated locally, and it'll automatically set up everything necessary on the back end for you to connect to. The site will also provide you with a boilerplate WireGuard config file into which you can paste your private key and the IP address the site has given you.
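The local half of that workflow, as an added example (not from the original article, and not IVPN's or the WireGuard project's code): a WireGuard key pair is a Curve25519 key pair encoded in base64, so the private key is created on your machine, only the derived public key is handed to the provider, and the private key is pasted into the config afterwards. The function names, the tunnel address, the server key and the endpoint below are placeholders chosen for illustration; in practice `wg genkey` and `wg pubkey` do the key step.

```python
import base64
import os

P = 2**255 - 19  # Curve25519 field prime

def clamp(k: bytes) -> bytes:
    """Clamp 32 random bytes into a valid Curve25519 scalar (RFC 7748)."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)

def x25519_base(priv: bytes) -> bytes:
    """Public key = priv * base point (u=9), RFC 7748 Montgomery ladder.
    Illustration only: this pure-Python version is not constant-time."""
    k = int.from_bytes(clamp(priv), "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_keypair() -> tuple[str, str]:
    """Return (private, public) as base64 strings; only the public one is uploaded."""
    priv = clamp(os.urandom(32))
    return (base64.b64encode(priv).decode(),
            base64.b64encode(x25519_base(priv)).decode())

def render_config(private_key: str, address: str, server_key: str, endpoint: str) -> str:
    """Fill a wg-quick style config; every argument here is a placeholder value."""
    return (f"[Interface]\nPrivateKey = {private_key}\nAddress = {address}\n\n"
            f"[Peer]\nPublicKey = {server_key}\nEndpoint = {endpoint}\n"
            "AllowedIPs = 0.0.0.0/0\n")

if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("upload to provider:", pub)
    # Constructed sample values: documentation address, reused key, example.net host.
    print(render_config(priv, "192.0.2.10/32", pub, "vpn.example.net:51820"))
```

The resulting file holds the private key in clear text, so it should be readable only by its owner (for example mode 0600).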

Is it fast?

WireGuard itself has the potential to be faster than IPSec or OpenVPN, especially on slower devices. But in my experience, it isn't really there yet. To realize the full potential, it'll need to run in kernel mode instead of user mode. That isn't the case so far on either of the major mobile platforms, whether you're using Donenfeld's stock WireGuard app or IVPN's new easy-mode app.

However, as a pretty heavy VPN user, I'm happy to report that I am already seeing a significant decrease in battery usage. My Huawei MediaPad M5 Android tablet still likes to warn me that WireGuard wakes up the tablet more frequently than it prefers, but I don't see any significant difference in experienced battery life whether the app is running or not. By contrast, with an OpenVPN tunnel active and significant Web-browsing use, battery life would go down from a couple of days to no more than four or five hours on either the MediaPad M5 or my Pixel 2XL.

Cutting connect times down from 8+ seconds to a tenth of a second feels downright amazing.

WireGuard also still offers near-magical connection times for those who have to make and break their VPN connections frequently. In my experience, OpenVPN and IPSec tunnels generally require somewhere between eight seconds and 30+ seconds to establish a tunnel, during which time the user must twiddle his or her thumbs and stare uncertainly at a very techy-looking dialog. WireGuard, by contrast, connects in 0.2 seconds or less, every time. No scary dialog talking about key exchanges and whether or not the perfect forward secrecy is perfect enough; just tap—connected—done.
