WireGuard® VPN

WireGuard is a revolutionary VPN protocol using state-of-the-art cryptography that promises better security and faster speeds compared to existing solutions. See the WireGuard protocol page for a quick overview of the protocol and cryptography. For an in-depth discussion review the technical white paper.

IVPN + WireGuard

Since its merge into Linux Kernel v5.6, the release of WireGuard 1.0 and a 3rd party security audit, we consider the protocol to be ready for wide-scale use. We consider WireGuard to be the best protocol for most customers due to its exceptional performance, security properties, ability to roam between IP addresses without packet loss or disconnections and instantly connect/disconnect.

However, WireGuard® was not designed with privacy VPN providers in mind. In addition, it leaves certain aspects (e.g. IP address assignment, key distribution etc.) to the responsibility of the implementer. As a result some privacy issues exist which all responsible VPN providers must resolve. These issues do not in any way represent a weakness of the WireGuard protocol itself, they are simply aspects which the protocol designers intentionally left out. We have identified and implemented the following solutions on the IVPN network.

Issue

Public IP address of peer is stored in memory indefinitely

We have implemented a key management daemon on all servers which scans the list of peers where the latest handshake time > 180 seconds and deletes/reinstates their configuration.

Issue

No mechanism for tunnel IP address allocation or rotation

IVPN apps automatically and transparently call backend every 24 hours to generate new random IP address and distribute to all servers.

Issue

No identity-hiding forward secrecy

IVPN apps automatically and transparently regenerates new key pair every 24 hours and upload public key to backend to distribute to all servers.

WireGuard FAQ

How can I use WireGuard?

  • Set up your own WireGuard server and connect using one of the official client apps.
  • Subscribe to a VPN provider that supports WireGuard. While IVPN is not the only service to offer WireGuard, we were early adopters and have significant experience in supporting it.

Which operating systems does WireGuard support?

WireGuard supports all major operating systems. Support for WireGuard is built in to IVPN’s Windows, macOS, Linux, Android and iOS apps.

What cryptography is used in WireGuard?

WireGuard utilizes the following protocols and primitives:

Where do you have WireGuard servers?

We offer WireGuard servers in 45 locations in 32 countries. Review the full list of servers on our server status page.

I’m an IVPN subscriber. Do I need to register for WireGuard?

WireGuard is available and ready for use for all existing IVPN customers. You do not need to sign up separately.

Do you offer all features of IVPN for WireGuard?

We support the same security and privacy features as with OpenVPN e.g. firewall, trusted networks and AntiTracker. However, we do not offer multi-hop and port forwarding with WireGuard at this time.

Do you offer IPv6 support for WireGuard?

Not yet.

What ports do you use for WireGuard?

UDP ports 2049, 2050, 53, 30587, 41893, 48574, 58237.

Do I need to manually create and add a public key in the IVPN Client Area when adding a new device?

No, when using the IVPN app keys are automatically generated and the public key uploaded to our server the moment you select the WireGuard protocol in the app.

If you are not using an IVPN app you may also manually add a new public key via the WireGuard tab of the Client Area.

What happens if I delete a public key?

If you purposefully or accidentally deleted public keys from the Client Area, new keys will be automatically generated upon selecting the WireGuard protocol in the IVPN app.

In case the public key was deleted while your device was connected to one of the WireGuard servers, the IVPN app will stay connected, however, you will have no internet access. You will need to disconnect and either login again to the IVPN app or click on the ‘Re-generate Keys’ button under the ‘WireGuard’ details/configuration area.

What DNS server is used when connecting with WireGuard?

We host our own log-less DNS servers which are pushed and applied automatically to your device when you connect. When connected the IP address of the DNS server is 172.16.0.1