The Rise of WireGuard
IPSec has been around since the late 90s and carries a ton of baggage. Is there something new? WireGuard! Take a few minutes to learn why WireGuard could be the next protocol powering remote access.
John Spiegel
5/4/2025
5 min read
If you’ve not read the CyberSecurity Insiders SSE Adoption report, now is a good time to do so. The document is packed with insights on the state of security from a practitioner’s point of view. It also provides insight into how companies are looking to secure their workforce. Over 700 network and security leaders were interviewed. The report details concerns about how companies are struggling with traditional security solutions, and why and how companies are making the move to SSE solutions. As you peel back the data, two themes emerge: Old vs. New, Complex vs. Simple. From a technical perspective, it brings up a question: how can we move forward to “New and Simple” for the underlying transport for SSE? Let’s dive in.
Traditional VPNs, based on pizza box style devices, leverage the IPSec suite of protocols for authentication and encryption. The same is true for several of the SSE vendors in the marketplace today. IPSec operates at the network layer, making it versatile for various applications, including site-to-site VPNs and remote access scenarios. IPSec comprises several components:
· Internet Key Exchange (IKE): Handles security associations and key management.
· Encapsulating Security Payload (ESP): Provides encryption for data confidentiality.
· Authentication Header (AH): Ensures data integrity and authenticity but does not encrypt the payload.
Despite its utility and widespread adoption, IPSec's complexity is also its weakness. Its origins extend back into the 90s, and as a result its extensive code base often exceeds 400,000 lines of code built up over three decades. Let’s be honest, the technical debt has piled up. This leads to challenges in configuration and maintenance. More importantly, it makes auditing and vulnerability assessments challenging.
Is there another option you should be considering? There is: WireGuard. It is a relatively recent addition to the VPN landscape, emerging around 2015. Looking back on two decades of IPSec, its designers targeted a simpler, faster, and more secure alternative to existing VPN protocols. For speed, WireGuard operates at the kernel level, integrating directly into the operating system's core for enhanced performance. Its minimalist design philosophy results in a codebase of approximately 4,000 lines, significantly reducing the attack surface and making auditing more manageable.
Let’s get into the technical details. WireGuard utilizes state-of-the-art cryptographic primitives:
· ChaCha20: For symmetric encryption, offering comparable security to AES but with better performance on certain hardware.
· Curve25519: For key exchange, ensuring secure and efficient session establishment.
· BLAKE2s: For hashing, providing fast and secure message digests.
· Poly1305: For message authentication, ensuring data integrity and authenticity.
The result? A modern and more efficient set of cryptographic techniques that enhance both security and performance.
Why should you be looking at WireGuard for SSE?
Performance – WireGuard operates inside kernel space and runs its cryptographic algorithms efficiently. How much faster is it? Measured against IPSec, WireGuard achieves lower latency and higher throughput compared to traditional VPN protocols. Performance tests have demonstrated 13% higher throughput than IPSec using AES-GCM encryption and a 75% improvement over OpenVPN. Additionally, WireGuard exhibited 77.5% lower ping response times than IPSec and a 74% reduction in latency compared to OpenVPN.
Simplicity - WireGuard's slim design translates to straightforward configuration and deployment. IPSec, on the other hand, can be complex to set up due to its numerous configuration options and modes. With WireGuard you gain simplicity, which reduces the likelihood of misconfiguration, a common source of security vulnerabilities. Furthermore, WireGuard's lean codebase facilitates easier auditing and maintenance.
Security - WireGuard provides a fixed set of modern cryptographic protocols. It does not support the legacy cryptographic suites of decades past. The result: only the most secure and efficient algorithms are used. This greatly reduces the attack surface and enhances overall security. Another advantage is that WireGuard is easily upgraded to quantum-resistant algorithms such as Kyber. When thinking about the future, this will become a critical item for companies as we enter the next decade.
Mobility and Roaming – Where WireGuard stands out is in remote access scenarios, especially with mobile clients. Why? Maintaining a stable VPN connection across changing networks is a challenge for heritage solutions. This is where WireGuard excels. In modern networks, devices and users are highly mobile and constantly roaming between different IP addresses. Keep in mind, this was not the case in the late 90s when IPSec was designed. Devices were static and wireless was still in its infancy. Today, users and devices move between networks (from Wi-Fi to cellular and back). WireGuard was designed with this in mind. It can maintain the VPN session without requiring re-establishment, providing a smoother and more reliable user experience.
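As an added illustration (not code from the original post or from the WireGuard project), the following Python simulates the two ideas behind the simplicity and roaming points above: each peer is identified by its key and a list of AllowedIPs (WireGuard's cryptokey routing table), and a peer's endpoint is simply updated to the source address of the last packet that authenticates under that peer's key, so a client that moves from Wi-Fi to cellular keeps its session. Keyed BLAKE2s stands in for the real ChaCha20-Poly1305 transport encryption and Noise handshake, and the peer names, keys and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample peer table. In real WireGuard a peer is identified by its
# Curve25519 public key and the session keys come from the handshake; here a
# shared symmetric key per peer is enough to show the routing and roaming logic.
PEERS = {
    "laptop": {"key": b"laptop-session-key", "allowed_ips": ["10.0.0.2/32"], "endpoint": None},
    "phone": {"key": b"phone-session-key", "allowed_ips": ["10.0.0.3/32", "192.168.50.0/24"], "endpoint": None},
}


def mac(key, payload):
    """Keyed BLAKE2s tag (stand-in for the AEAD tag on a transport packet)."""
    return hashlib.blake2s(payload, key=key, digest_size=16).digest()


def make_packet(peer_name, payload):
    """What a peer puts on the wire: its identifier, the payload and the tag."""
    return (peer_name, payload, mac(PEERS[peer_name]["key"], payload))


def receive(packet, src_addr):
    """Authenticate an inbound packet; only then learn the sender's endpoint.

    Because the endpoint moves only after a successful authentication, an
    unauthenticated packet from some other address cannot hijack the session.
    """
    peer_name, payload, tag = packet
    peer = PEERS.get(peer_name)
    if peer is None or not hmac.compare_digest(mac(peer["key"], payload), tag):
        return False  # unknown peer or bad tag: drop, endpoint unchanged
    peer["endpoint"] = src_addr  # roaming: follow the last authenticated source
    return True


def route_outbound(dst_ip):
    """Cryptokey routing: choose the peer whose AllowedIPs cover dst_ip.

    Returns (peer_name, endpoint); (None, None) if no peer is allowed that IP.
    """
    dst = ipaddress.ip_address(dst_ip)
    for name, peer in PEERS.items():
        if any(dst in ipaddress.ip_network(n) for n in peer["allowed_ips"]):
            return name, peer["endpoint"]
    return None, None
```

Real WireGuard additionally carries a per-session receiver index and an anti-replay counter in each transport packet; those are omitted here to keep the roaming rule visible.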
Resource Efficiency - WireGuard's efficient design results in lower CPU usage and power consumption, which is particularly beneficial for devices with limited resources, such as smartphones and IoT systems. Again, recall that in the 90s, 90% of devices were plugged into power. This efficiency does not come at the expense of security or performance. This makes WireGuard an attractive option for the wide range of devices we leverage in the modern workplace.
Real World Use
So, how is WireGuard being used in networking and security solutions? Many networking vendors and open-source projects now use WireGuard as a base on which to build more complex networking features, including mesh networking, dynamic peer discovery, and automated key rotation. Where we are seeing the most integrations is in solutions targeting developers who need to create backend peer-to-peer (P2P) connections. The main reasons are that they benefit from WireGuard’s kernel-level support in Linux and from its user-space implementations for cross-platform compatibility, enabling low-latency, high-throughput secure communication channels in embedded systems, mobile applications, and cloud-native services. A good example of this is Tailscale’s use of the protocol. Additionally, the team at Tailscale has added several features which enhance its ability to provide Zero Trust access to applications and systems.
In the context of Security Service Edge (SSE), WireGuard plays a key role in enabling secure and high-performance connectivity from remote users to cloud-delivered security services. Some SSE platforms use WireGuard as the underlying VPN technology to establish secure tunnels between user devices and the SSE PoPs (Points of Presence), ensuring fast, encrypted traffic routing without the performance overhead of legacy VPN protocols. Its low attack surface and fast reconnection capabilities make it well-suited for Zero Trust Network Access (ZTNA) scenarios, especially for mobile or roaming users. By leveraging WireGuard under the hood, SSE solutions can offer seamless, resilient user experiences while maintaining strict access controls and traffic inspection—key pillars of Zero Trust security models. Of the major well-known vendors, HPE is currently the only one in the SSE space utilizing WireGuard.
Conclusion
If you are starting your evaluation of backend application connectivity or SSE, experiencing the pain of legacy solutions, or still supporting traditional remote access VPNs, start looking into WireGuard. It represents a significant advancement in VPN technology, offering superior performance, security, and ease of use compared to traditional protocols like IPSec. Don’t accept traditional solutions that carry legacy technical debt and thus impact performance and security. Rather, seek a modern approach. Ask the questions, do your research, and then take WireGuard on a test drive.