NordVPN is becoming much faster thanks to WireGuard

The new fast and lightweight WireGuard VPN protocol is now available to all users of NordVPN, which today (April 22) began rolling out NordLynx, its implementation of WireGuard, for its Windows, Mac, Android, and iOS client applications.

NordVPN's Linux software will include NordLynx as an option starting in July 2019. NordVPN uses OpenVPN, the primary VPN protocol used by it and most other VPN service providers, and IKEv2/IPsec, and says that the new protocol "significantly outperformed" IKEv2/IPsec in its own internal testing.

NordVPN users must first update their client software and wait for the NordLynx option to appear in the configuration menu. Not all users will have immediate access to NordLynx, but NordVPN plans a full rollout by April 24.

OpenVPN will remain NordVPN's default protocol for the time being, so those who want to use WireGuard will have to manually select NordLynx. Users who prefer to set up their NordVPN connections manually through their operating system, rather than using client software, cannot use WireGuard for now.

However, NordVPN states that WireGuard has a small problem, which has been resolved with NordLynx.

"It doesn't dynamically assign IP addresses to everyone connecting to the server," said NordVPN privacy expert Daniel Markuson, referring to WireGuard. "Thus, at least some user data has to be stored on the server, which compromises privacy."

To put this plainly, when you connect to most remote servers, whether they are VPN servers or not, the remote server assigns your computer a random Internet Protocol (IP) address and uses that address for the duration of the connection session.

This process is part of the Dynamic Host Configuration Protocol (DHCP). Your home Wi-Fi router probably uses DHCP to assign an IP address to each device on your Wi-Fi network.

However, the next time you connect to the same server, your computer may be assigned a completely different IP address. In that case, someone looking at the connections may not know that the same computer connected both times.

Most VPN servers work this way, but not WireGuard's servers. Instead, WireGuard now requires each device on the network to get a fixed, or "static" IP address. The encryption key for each device is associated with that IP address.

This procedure greatly reduces complexity and processing time. However, it makes it much easier to track down a particular device, since a returning device will likely have the same IP address next time.

WireGuard's static IP problem also plagued Mullvad, another VPN service that deployed WireGuard for Linux, Mac, Windows, and iOS client applications. (The Android version is in beta testing.)

"Even internally, keeping a static IP on each device is not ideal," Mullvad said in a blog post. That static internal IP address "could leak to the outside world" in the event of a WebRTC leak or if information-stealing malware is present on the client device.

For now, Mullvad allows users to manually regenerate WireGuard encryption keys, and thus static IP addresses, by pressing a button in the application settings. NordVPN takes a more dynamic approach. Its solution, NordLynx, creates a sandwich of two Network Address Translation (NAT) implementations, hiding many internal IP addresses behind a single public-facing IP address.

A home Wi-Fi router does something similar, using NAT to present a single IP address to the outside world while assigning dozens of internal IP addresses to devices on the home network.

However, because NordLynx uses NAT twice, NordVPN claims it can handle WireGuard's static IP addresses without logging them.

"The dual NAT system allows us to establish secure VPN connections without storing identifiable data on the server," says NordVPN. "A dynamic local IP address remains assigned only while the session is active."
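The difference between a static key-to-IP binding and a session-scoped address, as an added example that is not NordVPN's or WireGuard's code: it models only what the server still holds after a client disconnects, not NordLynx's actual double-NAT implementation. The class names, the 10.5.0.0/24 subnet and the key string are assumptions made for illustration.

```python
import ipaddress
import secrets


class StaticPeerTable:
    """Plain WireGuard model: each public key is bound to one fixed tunnel IP."""

    def __init__(self, subnet):
        self._free = list(ipaddress.ip_network(subnet).hosts())
        self.table = {}  # public key -> tunnel IP, kept across sessions

    def connect(self, pubkey):
        if pubkey not in self.table:
            self.table[pubkey] = self._free.pop(0)
        return self.table[pubkey]

    def disconnect(self, pubkey):
        pass  # the key-to-IP binding stays configured on the server


class SessionNat:
    """Session-scoped model: an address is leased per session, then forgotten."""

    def __init__(self, subnet):
        self._free = list(ipaddress.ip_network(subnet).hosts())
        self.table = {}  # public key -> leased IP, only while connected

    def connect(self, pubkey):
        # Random pick from the free pool, so the lease is not derived from the key.
        ip = self._free.pop(secrets.randbelow(len(self._free)))
        self.table[pubkey] = ip
        return ip

    def disconnect(self, pubkey):
        # Return the address to the pool and drop the mapping.
        self._free.append(self.table.pop(pubkey))


def stored_after_sessions(server, pubkey, sessions=3):
    """Run connect/disconnect cycles; return (IPs seen, state left on server)."""
    seen = []
    for _ in range(sessions):
        seen.append(server.connect(pubkey))
        server.disconnect(pubkey)
    return seen, dict(server.table)
```
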
