WireGuard support added!

WireGuard support added!

What is WireGuard®?

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Linus Torvalds had this to say about WireGuard:

Can I just once again state my love for it and hope it gets merged soon?
Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Information about the inner-workings of WireGuard are available on their website.

Connecting

Go here for instructions on connecting.

Normally, WireGuard operates on a single UDP port defined by the server-side config.
Thanks to our port striping v2 feature, you can connect to WireGuard using any of our OpenVPN hosts on any UDP port (from 1-29999).
There's only one IP per server that WireGuard will use, but that's only for the "exit IP".
That means you can connect to any of the OpenVPN IPs, but the IP the internet will see you as having might be different.

Device limits

Similar to our OpenVPN setup, our WireGuard setup will limit the number of WireGuard keys allowed per cryptostorm token, based on the token's duration. The chart below lists the limits for each token type:

Token type Number of WireGuard keys allowed
one week or one month 1
three months 2
six months 3
one year 4
two years 5
lifetime 6

These limits are independent from our OpenVPN setup.
So if you have a one month (or one week) cryptostorm access token, you can connect one device using OpenVPN, and you can connect a device using WireGuard.

WireGuard was designed with roaming in mind, so connecting two devices at the same time using the same WireGuard keys/configs wouldn't work.

If you need to delete any WireGuard keys tied to your token, use this page.

Expired tokens

If your token expires, any WireGuard keys associated with that token will be removed from the network.
So if you've got a weekly or monthly PayPal subscription where you get a new token every week/month, each time that new token comes in you will have to revisit https://cryptostorm.is/wireguard and generate new WireGuard keys/configs.

If you don't want to do that so often, buy a token with a higher duration :-P

Speeds

Our free WireGuard server works the same as our "Cryptofree" service: bandwidth is throttled to roughly 160kbps down, 130kbps up. Not fast enough to watch any HD videos, but plenty of bandwidth for sending an email, browsing a website, IRC, etc.

On our paid servers, our tests verify WireGuard is indeed much faster than OpenVPN.
We've seen increased speeds anywhere from 25% to 60% compared to OpenVPN, depending on a variety of factors (client CPU/RAM/ISP, load/location of node, etc.).

Cryptofree

We can't impose limits on keys per token with our free WireGuard server since they aren't tied to tokens.
Instead, we've setup the server to automatically delete WireGuard keys if either of the following occurs:

  • A new key was added, but no connection was made within 24 hours
  • A used key hasn't had a handshake in a week

So if you plan on using our free WireGuard service, you need to connect within 24 hours or your key will be deleted. You also need to keep using the service at least once a week.
The reason for this is because our Cryptofree WireGuard setup uses 10.10.0.0/16 (65,534 IPs) for the internal networking. If we let people add keys without anything in place to delete unused keys, that 65,5354 max would be reached sooner or later.

WireGuard is a registered trademark of Jason A. Donenfeld.
Posted on