3 Pros and Cons of WireGuard VPN – VPN Tracker Blog (2024)

3 downsides to WireGuard VPN

On first impressions, WireGuard looks like the perfect VPN protocol in every regard. It does, however, have three major drawbacks in enterprise use, and all of them stem from two features it deliberately leaves out that established enterprise VPN protocols treat as standard: client provisioning (the gateway pushing configuration to an authenticated client) and verification of network parameters.

1. Large scale rollout

Scanning a QR code to provision the config sounds pretty cool… unless you are a large enterprise with 1,000 or more employees and need to deploy a unique VPN configuration (its own key pair, tunnel address and peer entry on the gateway) to each of their multiple devices.

With other VPN protocols, all you need to tell the users is the address of the VPN gateway. They can then enter that address into the VPN client, click on connect, and get prompted for a username and password – i.e. the same login credentials they already use for pretty much everything else in their company.

Once authenticated, all further VPN configuration is pushed to them by the gateway. This entire process uses the user directory that already exists and can be based on the user groups that already control network access.

I hear you ask: but can't something similar be built for WireGuard? It can, but the only option is developing your own enterprise deployment system: something that generates a key pair and config per device, registers each device's public key as a peer on the gateway, and integrates with your existing identity systems.

However, for this to work you first have to invest the time and resources into building it, which requires coding skills or programmers to build it for you. Furthermore, if every company developed its own method, we would quickly have countless isolated solutions that are all different and can't work together, so any interoperability is out the window. And whenever a central company service is replaced, you will need to start again from scratch and develop a new solution.

In contrast, other protocols offer this functionality right out of the box. You don't have to build anything: their servers have pre-made plugin interfaces and either ship with plugins for common enterprise systems, or the vendors of those systems provide the plugins for you.

This pretty much makes WireGuard a no-go for large organizations.

2. Managing configuration updates

The other problem is that WireGuard's network configuration is static: the tunnel address, the peer's AllowedIPs and the DNS server are all written into the client's config file and never refreshed by the gateway. Of course, this is not an issue if the configuration never has to change, but that is a very unrealistic scenario in the long run. Every time the configuration needs to change, all employees will need to manually update their VPN config by re-downloading a config file or re-scanning a QR code.

With client provisioning, the VPN config is managed in one central place and updating all clients is trivial: users don't have to do anything after a config change, because the next time they connect they automatically get the updated config pushed to them.

3. Network configuration

This brings us directly to the final issue with WireGuard: as the network configuration is not negotiated, users won't notice when their network configuration is outdated.

Other VPN protocols will check your configuration and inform you of any issues. For example, if the configuration cannot be updated automatically, the connection will at least fail with an error that tells the user what is wrong with that configuration, so they can fix it themselves or inform their admin.

In comparison, if you use the wrong private IP address (the Address= line) with WireGuard, your client will connect, but you will not be able to reach anything remotely and will have no idea what the problem is. If the remote networks have changed, your connection will come up just fine, but the wrong traffic will be routed over the VPN tunnel according to the stale AllowedIPs= list, and again you won't notice. If the DNS= settings have changed, DNS will stop working for you, and many users cannot distinguish a DNS problem from a routing problem, so they won't know that bad DNS settings might be the issue.

WireGuard does not view this as a priority, as the idea was never to duplicate existing functionality. Apart from the per-peer AllowedIPs list (WireGuard's own "cryptokey routing"), routing is left to the gateway's routing table, access restrictions are enforced by the gateway's firewall, and DNS is optional anyway.

With every modern VPN gateway having a routing table and a firewall, there is no need for WireGuard to manage any of this, hence the static configuration. The problem? Neither the routing table nor the firewall will tell you on connect that your VPN settings are wrong; they will just not forward your traffic, forward it incorrectly, or drop it on the spot. WireGuard's own cryptokey routing is just as silent: a packet arriving from a peer with a source address outside that peer's AllowedIPs is dropped without any error reaching the user, so a client with an outdated tunnel address completes its handshake and then hears nothing.

This often results in users contacting the admin with the phrase "My VPN connects but then nothing works", leaving them to figure out what the problem is without any detailed error message or information.
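As an added example (not code from the original post or from VPN Tracker), here is a small offline check that does for a WireGuard client config what sections 2 and 3 say the protocol itself will not: it parses the wg-quick file and compares Address=, AllowedIPs=, DNS= and Endpoint= against the parameters the admin currently publishes, reporting each "connects but nothing works" case by name. The expected values and both configs are constructed, the key strings are placeholders, it assumes IPv4 and a single [Peer], and it only reads the file, never touching the interface.

```python
"""Offline sanity check of a wg-quick client config against the network
parameters an admin currently expects.  WireGuard negotiates none of these,
so a stale config brings the tunnel up with no error; this catches it first."""
import ipaddress

# Assumed-current parameters, as an admin would publish them after a change.
# Constructed example values; not from any real deployment.
EXPECTED = {
    "tunnel_subnet": "10.9.0.0/24",                                  # where Address= must live
    "allowed_ips": ["10.9.0.0/24", "10.10.0.0/16", "10.20.0.0/16"],  # what the gateway serves
    "dns": ["10.10.0.53"],
    "endpoint": "vpn.example.com:51820",
}

# Constructed stale client config: old tunnel subnet, old (far too wide)
# AllowedIPs and old DNS server.  Keys are placeholders, not real keys.
STALE_CONFIG = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.23/24
DNS = 10.0.0.53

[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.0/8
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""

# The same client after the published parameters were applied.
FIXED_CONFIG = (STALE_CONFIG.replace("10.8.0.23/24", "10.9.0.23/24")
                .replace("DNS = 10.0.0.53", "DNS = 10.10.0.53")
                .replace("AllowedIPs = 10.0.0.0/8",
                         "AllowedIPs = 10.9.0.0/24, 10.10.0.0/16, 10.20.0.0/16"))


def parse_wg_config(text):
    """Parse wg-quick INI text into {"Interface": {key: [values]}, "Peer": [{...}, ...]}.
    Repeated keys and comma-separated values are both flattened into lists."""
    conf = {"Interface": {}, "Peer": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                conf["Peer"].append({})
                section = conf["Peer"][-1]
            elif name == "Interface":
                section = conf["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))   # keys end in '=' too
        section.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    return conf


def check_config(conf, expected):
    """Return human-readable findings; an empty list means the config is current."""
    findings = []
    iface = conf["Interface"]
    tunnel = ipaddress.ip_network(expected["tunnel_subnet"])
    wanted = [ipaddress.ip_network(n) for n in expected["allowed_ips"]]

    if "PrivateKey" not in iface:
        findings.append("Interface: PrivateKey missing")
    addrs = iface.get("Address", [])
    if not addrs:
        findings.append("Interface: no Address, tunnel comes up with no usable IP")
    for a in addrs:
        if ipaddress.ip_interface(a).ip not in tunnel:
            findings.append(f"Address {a} is outside tunnel subnet {tunnel}: the handshake "
                            "succeeds but the gateway's AllowedIPs drop every packet from it")
    if sorted(iface.get("DNS", [])) != sorted(expected["dns"]):
        findings.append(f"DNS {iface.get('DNS', [])} differs from expected {expected['dns']}: "
                        "name resolution over the tunnel fails silently")

    if len(conf["Peer"]) != 1:
        findings.append(f"expected exactly one [Peer], found {len(conf['Peer'])}")
    for peer in conf["Peer"]:
        if peer.get("Endpoint", [None])[0] != expected["endpoint"]:
            findings.append(f"Endpoint {peer.get('Endpoint')} is not {expected['endpoint']}")
        allowed = [ipaddress.ip_network(n) for n in peer.get("AllowedIPs", [])]
        for net in wanted:                     # every served network must be routed
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(f"{net} is not in AllowedIPs: traffic for it bypasses the tunnel")
        for a in allowed:                      # nothing wider than what is served
            if not any(a.subnet_of(net) for net in wanted):
                findings.append(f"AllowedIPs {a} is wider than anything the gateway serves: "
                                "unrelated traffic is pulled into the tunnel and dropped")
    return findings


def findings_for(text, expected=EXPECTED):
    return check_config(parse_wg_config(text), expected)


if __name__ == "__main__":
    for name, text in (("stale", STALE_CONFIG), ("fixed", FIXED_CONFIG)):
        found = findings_for(text)
        print(f"{name} config: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against the stale config it reports three findings (wrong tunnel address, AllowedIPs far wider than the served networks, stale DNS) and none against the fixed one. The point of the example is that every one of those three would otherwise surface only as "my VPN connects but then nothing works"; a check like this, run by a wrapper before `wg-quick up` or shipped with the config, is the kind of parameter verification a practitioner has to add themselves because the protocol does not do it.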

This again makes WireGuard a poor choice in enterprise environments.

Article information

Author: Tuan Roob DDS