NordVPN Unveils First Mainstream WireGuard Virtual Private Network (zdnet.com) 51

One of the largest VPN companies, NordVPN, is rolling out NordLynx -- its first mainstream WireGuard virtual private network for its Windows, Mac, Android and iOS client-software applications. ZDNet reports: NordVPN's own tests have shown NordLynx easily outperforms the other protocols, IKEv2/IPsec and OpenVPN. How much faster? According to NordVPN's 256,886 speed tests, "When a user connects to a nearby VPN server and downloads content that's served from a content delivery network (CDN) within a few thousand miles/kilometers, they can expect up to twice higher download and upload speed." While speed is what customers will notice, security experts like WireGuard for its code's simplicity. With only about 4,000 lines of code, WireGuard's code can be comprehensively reviewed by a single individual.

Besides WireGuard, NordVPN adds in its double Network Address Translation (NAT) system to protect users' privacy. This enables users to establish a secure VPN connection while storing no identifiable user data on a server. You're assigned a dynamic local IP address that remains assigned only while the session is active. User authentication is done with the help of a secure external database. To switch to NordLynx, users need to update their NordVPN app to the latest version. The NordLynx protocol can be chosen manually from the Settings menu.

This discussion has been archived. No new comments can be posted.

  • by MikeDataLink ( 536925 ) on Wednesday April 22, 2020 @09:32PM (#59978300) Homepage Journal

    And you should wait until it's been fully tested and all security attack vectors have been identified or tested and therefore should not be relied on...

    https://www.wireguard.com/#abo... [wireguard.com]

    • People think the fact their VPN is encrypted saves you? Fact time.
      - your traffic leaves the VPN to go to your destination the same as from your home
      - you still have cookies and browser fingerprinting
      - your home computer is still fully fucked from the last anime porn Trojan you downloaded
      - please get out of our basement and stop using my credit card on anime
      - NAT protects the outside in, which our cheap ass router already does
      - VPN companies talking about double NAT as impressive are dumb
      • by AK Marc ( 707885 )
        So then you want a proxy. When some other machine makes the request, it can't fingerprint you.
      • by guruevi ( 827432 )

        VPN does help in some cases. First of all, it prevents prying eyes from seeing where you're going. With a regular router you're basically telling your ISP and in some cases (public WiFi, shared and bad ISPs) everyone around you where you're going. Second, it may increase your security if you have a decent VPN provider that is providing e.g. DNS filtering.

        With a VPN you tunnel securely through any compromised routers directly onto the Internet. This also avoids any censoring that is happening at your ISP or c

        • by skids ( 119237 )

          With a VPN you tunnel securely through any compromised routers directly onto the Internet.

          ...Most critically, your home router, which these days you really cannot trust unless you happen to be among those few of us who can roll their own.

          And, given that WireGuard is a pre-shared-public-key system really it is only half a VPN (more intended as an L2L VPN rather than an RA VPN). Which is why NordVPN has to add an AAA layer to their app, and if the code in that AAA layer does not receive the same level of scrutiny as wireguard, then you really have no idea whose WireGuard server you are attaching t

    • by Xenx ( 2211586 )
      While I'm not trying to take away from your point in general, I cannot find much on that page that says they claim it's not ready. At best, I saw this bit.

      It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

      Nothing else stood out as any kind of claim on their part that it wasn't ready for use.

    • by grep -v '.*' * ( 780312 ) on Wednesday April 22, 2020 @09:58PM (#59978366)

      And you should wait until it's been fully tested and all security attack vectors ... Not Ready for Prime Time [wireguard.com]

      Old [archive.org] - WireGuard is not yet complete. You should not rely on this code. ... We're working toward a stable 1.0 release, but that time has not yet come.

      New [zx2c4.com] - #define WIREGUARD_VERSION "1.0.0"
      Straight from the project page. [wireguard.com]

      So it's obviously production-ready now, and just as good as BTRFS in RAID5 mode [kernel.org]. It works in test and we can put it in a thing we can charge for, so what more do you want?

      Still: THEY think it's ready for release so it's at least worth looking at, even waiting for v1.1. Heck, ensure that your data's completely secure by double ROT-13ing it.

      • So it's obviously production-ready now, and just as good as BTRFS in RAID5 mode [kernel.org].

        Given that the official status page [kernel.org] lists it as unstable....

        Heck, ensure that your data's completely secure by double ROT-13ing it.

        :-D

      • by AmiMoJo ( 196126 )

        Chances are it's secure for most general purposes unless you are at risk of state level actors attacking you.

        I use Wireguard because there are some useful benefits over OpenVPN. It's much lighter on resource usage so runs well on older systems is the primary one. It also recovers from dropped connections much better than OpenVPN, often not even killing TCP streams.

    • by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Wednesday April 22, 2020 @10:33PM (#59978450) Journal

      Furthermore I'd never support NordVPN after they've spent so many years misinforming people about how the Internet really works for the purpose of selling VPN accounts:

      https://www.theregister.co.uk/... [theregister.co.uk]

      They're still running ads like this in many other countries.

      • The claim of a massive speedup is also totally bogus.
        Once you're connected to the VPN, encryption doesn't make a major difference in speed. Your speed will be whatever your internet speed is (and your VPN provider's connection) with a pretty small overhead, and roughly the SAME overhead whether you're using IKE with IPsec or Wireguard.

        Where Wireguard *is* faster is in the initial connection to the VPN. For enterprise-grade services (and new browser updates) we update the cipher and mac algorithms annually

        • It's not bogus. PIA also enabled WireGuard since April 1, and I switched. I was getting 100Mbps with OpenVPN, and now I'm getting 250Mbps with Wireguard.

          I have this installed on a low-power HTPC, and with openVPN I see the CPU capped at 100% - this is the cause of the speed limit. With WireGuard, CPU usage is much lower so speed is higher.

          Wireguard encryption protocols are perhaps more suitable for hardware acceleration, hence the difference. OR, they're just better optimized.

          • It's actually the other way around - Intel processors since Westmere in 2010 do hardware AES. They don't do hardware Chacha. (Though some mobile processors do). AES is used by Openvpn and IPSec.

            If you set Openvpn to use tcp rather than the default udp that can definitely wreck things. Check your OpenVPN config. If you accidentally set it to TCP then yeah, crappy connections absolutely make sense. Openvpn's page tells you not to do that:
            https://openvpn.net/faq/what-i... [openvpn.net]

            TCP is offered as an option for when you

            • > It's actually the other way around - Intel processors since Westmere in 2010 do hardware AES. They don't do hardware Chacha. (Though some mobile processors do). AES is used by Openvpn and IPSec.

              Yeah, it's CPU heavy, which I didn't expect. Xeon-to-Ryzen (3.6GHz-ish) testing on my gigabit iSCSI VLAN showed a drop from 80MB/s to 50MB/s over a WireGuard interface, using iperf to measure.

              I thought CHACHA20 was small enough to fit in L1 so I don't have an answer for why, but as of the version in Debian10 ba

            • Thanks, but it's UDP. I've run many tests on this box to make sure it was using HW Accel with openVPN, and it does seem to be enabled. Even so, I get 100% CPU with PIA+OpenVPN (UDP), but not with Wireguard. Could be the OpenVPN build that is shipped with PIA, perhaps.

          • Thanks for letting me know about that. I use PIA but wasn't aware that they pushed out WireGuard. I changed to that and noticed a significant speed increase. Cheers!

        • The speedup thing _can_ be true. If you are on Comcast and their interconnect to Netflix is congested, then using a VPN can change your route to Netflix to one which is not congested.

        • by skids ( 119237 )

          A standard IKE/IPsec VPN has two stages - when the connection is made IKE is used to pick strong algorithms, then the connection runs on IPsec using whichever ciphers that IKE picked.

          Be aware that if you are advertising multiple suites, an MITM can downgrade to the weakest one both sides offer. But your point still stands... if one side only offers one parameter set, no downgrade is possible, and it can be changed to a more modern configuration once your clients all support it.

          From what I read about WireGuard's IK and session key behavior it readily renegotiates keys during packet loss. Were I a cryptographer I'd be heavily analyzing whether that offers an MITM which can selectively dr

          • Right, and there is a middle-ground that offers both security and compatibility. Far too often I see systems using protocols and cipher suites that have been deprecated for 10-15 years because "compatibility". That's not necessary.

            For easier reading, let's label our cipher suites 2020, 2019, 2018, 2017, etc according to the year they became the recommended standard. A machine can support 2016-2020, so it's compatible with any peer that has been updated in the last four years. Or the last three years or whatev
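
The downgrade point from the two comments above, as an added sketch that is not part of the original thread: suites carry the year labels the last comment proposes, and the offer is modelled as unauthenticated. The function names and the 2005 legacy start year are assumptions made for the illustration.

```python
"""Added illustration: suite negotiation with year-labelled suites.

Each suite is identified by the year it became the recommended standard,
the labelling proposed in the comment above. Everything here is a
constructed model, not any real VPN's handshake code.
"""

def window(newest, years):
    """Suites a peer accepts: the `years` most recent labels up to `newest`."""
    return list(range(newest - years + 1, newest + 1))

def negotiate(offer, supported):
    """Responder picks the newest suite present in both lists, or None."""
    common = set(offer) & set(supported)
    return max(common) if common else None

def tampered(offer, keep):
    """Model an unauthenticated offer edited in transit: only `keep` survives."""
    return [s for s in offer if s == keep]

def downgrade_floor(a_supported, b_supported):
    """Worst outcome tampering can force: the oldest suite both sides accept."""
    common = set(a_supported) & set(b_supported)
    return min(common) if common else None

# Constructed sample policies (the 2005 start year is an assumption).
LEGACY = window(2020, 16)      # 2005..2020, kept "for compatibility"
WINDOWED = window(2020, 5)     # 2016..2020, as in the comment
SINGLE = [2020]                # one parameter set only

def summary():
    return {
        "honest_legacy": negotiate(LEGACY, LEGACY),
        "tampered_legacy": negotiate(tampered(LEGACY, 2005), LEGACY),
        "tampered_vs_window": negotiate(tampered(LEGACY, 2005), WINDOWED),
        "floor_legacy": downgrade_floor(LEGACY, LEGACY),
        "floor_windowed": downgrade_floor(LEGACY, WINDOWED),
        "floor_single": downgrade_floor(LEGACY, SINGLE),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:20} {value}")
```

A `None` result is the safe outcome in this model: the connection fails to come up instead of silently running on the oldest shared suite.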

      • Even today it's not completely safe to connect through public wifi.
      • by AmiMoJo ( 196126 )

        They are lying about being first too. Mullvad has had Wireguard support for a while now. I've been using it with them for a couple of years already.

      • by guruevi ( 827432 )

        Public WiFi is insecure, the fact the UK government disagrees and tries to ban VPN ads is more telling about the UK government than anything else. Unlike what people like to believe, until TLS1.3 and probably even TLS1.4 before the change is mandatory, HTTPS still has unencrypted host headers, everyone can know where you are going.

        I do agree that all VPN providers often make grandiose claims about their security or lack of security in not having their products, but the ads about public WiFi are relatively a

      • FYI: WPA2-PSK, which is the most widely used Wifi encryption mode, lets anyone who knows the PSK read everything that's transmitted by the access point and all the clients. This is a completely passive attack, so there is no way to detect if someone is reading everything you're receiving and transmitting via public wifi, even if it's WPA2-PSK encrypted. WPA2-PSK with a public PSK is less secure than having an Ethernet socket outside your house that anybody can use to connect directly into your ethernet swit
        • Yes this is correct, however these days any sensitive information submitted to websites is (or certainly should be) also protected by HTTPS/SSL, probably with additional protections like HSTS and key pinning, so without the wifi encryption credit card numbers, SSNs etc. wouldn't be exposed to any sort of "hackers" as NordVPN's ads claim - at least without a remote MITM attack on HTTPS which is a whole different issue and wouldn't be possible on PCI-DSS-legal forms of SSL.

          Even if the Wifi encryption were non

    • WireGuard has had quite a bit of analysis by cryptographers. It's a pretty good design, and unlike horrors like IPsec hasn't got a million incomprehensible facilities inserted into it during a lengthy design-by-committee evolution, leading to an endless line of vulns both in IPsec itself and in specific implementations who couldn't figure out the confused mess that's the IPsec standards. WireGuard in contrast is a do-one-thing-and-do-it-well design. The note on the web site is just a general, and sensibl
  • Comment removed based on user account deletion
  • The purpose of a VPN is to get around the restrictions, insecurities and spying of your local MAN, into the restrictions, spying and insecurities of a distant WAN. Sigh...
    • by Ceaus ( 4779691 )

      The purpose of a VPN is to get around the restrictions, insecurities and spying of your local MAN, into the restrictions, spying and insecurities of a distant WAN. Sigh...

      No, not even that. (And please drop the "Sigh..."). People think a VPN is about security. But a VPN really is about location: where am I? A lot of problems from understanding what a VPN does is people don't know the historic context. You need to go back to the time when remote offices had to pay top dollar for a leased line to connect two sites. That all changed when cheap internet made it possible to securely connect two sites over insecure lines. Once you understand this, everything else falls into place.

  • Otherwise I can offer you Rot13VPN and NopVPN, which are even faster!

  • Private Internet Access enabled Wireguard on April 1.

    I've been using it and I can confirm more than doubling of speeds. I use PIA on a low-power Celeron J4105 HTPC box, and with OpenVPN it will top out at around 100Mbps with CPU pegged at 100%. With WireGuard, I'm getting 250Mbps and it's no longer CPU-limited, it fluctuates between 50 and 90% at that speed. I'm VERY pleased :)

  • I'm curious to know what the rest of the community think of the value of the VPN providers?

    They claim you're so much more secure, when technically unless you don't trust your ISP all that you are really doing is moving your egress point out to the VPN provider where your unencrypted traffic will again traverse the internet and could be eavesdropped on.

    If you're that concerned about your traffic then make sure all your applications and sites you use are encrypted else you're living on a false sense of security.

    IMHO

    • I'm curious to know what the rest of the community think of the value of the VPN providers?

      I'm more trusting of NordVPN who is based in Panama where they have basically no internet laws so no need to retain logs than I am about VPN providers based in countries like the USA.

    • As a general thing, they're probably not much use at all.

      Over insecure wifi though, probably makes a bit of sense, but that assumes you might connect using non-encrypted traffic. If you do, then the VPN doesn't add much.

      But it does stop your ISP snooping, so if you're doing something like bittorrent downloads, then a VPN is probably essential.

      If you want to change location to access content that is geo-locked, then a VPN is useful.

      But as a one-stop automatic security system, it might give you peace of mind,

    • I don't trust my ISP. In fact, I fucking hate them and wish I had any other option for broadband. They can take their packet sniffing extortionist bullshit and fuck right off. I'll pay the $2/mo so that they don't get usage data out of me, and just see encrypted frames.

      Oh, and I hate geoblocking as well. If you make content available for free on the Internet, you are an idiot if you think you can only make it free for some and not for others. VPNs allow me to route around damage caused by greedy whores

    • They claim you're so much more secure, when technically unless you don't trust your ISP

      Well ISPs have categorically proven to not be trustworthy, so that's not a hurdle to pass. I mean they actively say right on their box that they will collect your data, monitor you, and sell your information to 3rd parties. They don't even have the decency to lie or try and hide it.

      I'm curious to know what the rest of the community think of the value of the VPN providers?

      But the value of VPNs is not just trust, it's also about bypassing geoblocks, bypassing IP locks, bypassing connection limits, and all the other shit that is annoying. I signed up for a VPN back when I had to work in China. Since

  • "There's NordVPN [theregister.co.uk] odd about this, right? Infosec types concerned over strange app traffic"
  • This makes it sound like NordVPN is the first major VPN provider to roll out WireGuard support, but Mullvad has offered WireGuard connectivity for many months now.
