Published on March 24, 2019
Today I am going to test the WireGuard VPN protocol in China. WireGuard is a fairly new protocol, which is not yet offered by many VPN providers. I managed to find 3 VPN providers offering WireGuard that work in China. I will be comparing the performance of WireGuard in China using 12VPN, VPN.ac, and TorGuard.
Before I even begin my testing of the WireGuard protocol, there is already a controversial issue which I need to address.
As of yet, there is no official Windows client released by the WireGuard team.
I am going to be using the Tunsafe client for Windows, which is made by a third party.
On the official WireGuard website, there is a warning about using this client.
A Windows client is coming soon. In the meantime, you are strongly advised to stay away from Windows clients that are not released from this site, as they may be dangerous to use, despite marketing efforts.
Here is an interesting thread on Reddit, where the author of WireGuard warns people not to use Tunsafe because it's closed-source.
As the author of WireGuard, I'd STRONGLY advise against using this closed-source implementation, which likely has interoperability and security issues.
We'll have an official Windows client coming out shortly, which won't have these same security concerns.
I should note that despite this thread being a year old and the author stating "We'll have an official Windows client coming out shortly", there is still no official Windows client released at this time.
In this same thread, the author of the Tunsafe client responds.
As the author of TunSafe and µTorrent, I wonder if you base that statement on facts or is it just an attempt at spreading FUD and general dislike against non open-source applications?
The official Windows client you mention is far from complete and nothing but an unsupported research project right now.
Your Go repo says: "There is no group of users that should be using the code in this repository here under any circumstances at the moment, not even beta testers or dare devils. It simply isn't complete."
Fast forward to 5 months later, in another Reddit thread, it was announced that the Tunsafe client was made open source.
The author of WireGuard responds to this thread.
I too would have loved to work together, but he seemed pretty adamant about going off in the hostile direction. Bummer.
To which the Tunsafe author responded.
I still don't understand your viewpoint that everything that's not under your umbrella is hostile. Never at any point was I hostile in discussions with you. You should be happy that people embrace your fantastic protocol instead of having a negative attitude.
It seems like there are some personal issues between the WireGuard author and the Tunsafe client author. Despite the fact that Tunsafe was made open source, the warning against using it remains on the WireGuard website.
Please do your own research and decide whether you think the Tunsafe Windows client is safe to use or not. Personally, I am using it and I don't have any concern about it.
If you are not using Windows, here are the official WireGuard clients that you can use.
#1 WireGuard provider - 12VPN
I'm not surprised to see that WireGuard is available with 12VPN. They are always offering the latest alternative protocols such as Shadowsocks, Outline, Openconnect, v2Ray, etc.
The only problem I had setting up WireGuard with 12VPN is that they don't offer any setup instructions for Windows.
As you can see, they are only offering their VPNGUI app, Chrome and Firefox proxy extensions, or SoftEther for Windows users.
I did manage to setup WireGuard on Windows by getting the configurations from the Android instructions, but I had to make some small modifications to the config files to get it working on Windows.
In the interface section, I had to add /32 to the end of the IPv4 address, and add /128 to the end of the IPv6 address. Then I had to delete the second DNS server (Tunsafe Windows client only allows 1 DNS server).
Here is what the config file looks like after I modified it (changes shown in red color).
PrivateKey = xxxxxxxxxxxxx
Address = x.x.x.x/32, z:z:z::z/128
DNS = 10.255.0.1
Here are my speed test results using the 3 best 12VPN WireGuard servers I can find.
Following the instructions for Android, I generated the config files. I was able to import the files directly into the Tunsafe client, no modification was necessary.
Here are my speed test results using the 3 best VPN.ac WireGuard servers that I could find.
Although I couldn't find any instructions for WireGuard on the TorGuard website, the setup was quite simple. Under the Tools menu, there is a page called Enable WireGuard Access. From there, just choose which server location to enable and then download the config file.
I was able to import the config files directly into the Tunsafe client without any modification.
Here are the speed test results for the 3 best TorGuard WireGuard servers that I could find (actually, they only offer 3 locations for WireGuard).
Now I want to compare WireGuard with other protocols on the same servers.
VPN.ac offers OpenVPN XOR on their Windows app with the exact same Taiwan server as the WireGuard one.
VPN.ac Taiwan OpenVPN XOR (5pm test)
VPN.ac Taiwan WireGuard (5pm test)
There doesn't seem to be much difference in speed. At this time of day, this Taiwan server seems to slow down compared to the day time speeds. The speed is likely limited by the available bandwidth between China Telecom and the host of this Taiwan server (Hi-Net), and not by the VPN protocol.
12VPN also offers the Shadowsocks protocol on the exact same server as the CN Optimized 2 (Hong Kong) WireGuard server. Although Shadowsocks is not a VPN protocol (it is a proxy), I still thought it would be interesting to compare.
12VPN CN Optimized 2 (Hong Kong) Shadowsocks (5:30pm test)
12VPN CN Optimized 2 (Hong Kong) WireGuard (5:30pm test)
Unlike the case with the VPN.ac Taiwan server, where the speed was limited by the available bandwidth, with 12VPN the speed seems to be limited by the protocol. While WireGuard tops out around 50Mbps, Shadowsocks can reach around 80Mbps on this server.
Note about Shadowsocks in China: My top recommended Shadowsocks provider is WannaFlix. However, they don't offer WireGuard or any other VPN protocols, so they are not included in this article. If you want to use Shadowsocks in China, Wannaflix is offering a 30 day money back guarantee and a generous 30% off coupon code for Tips for China readers.
All of the speed tests were done from my home WiFi network, which is powered by a residential Guangdong China Telecom 100/20 Fibre connection. The server performance depends on the international routes set up by the different ISPs in China, so you may get different results depending on your location in China and which ISP you are using.
To answer the question of whether WireGuard works in China: Yes, it definitely works.
The clear winner in terms of speed and latency is the 12VPN CN Optimized (Hong Kong) server. That is to be expected, because this server has China Telecom CN2 routing. In generally, I'm not a big fan of the 12VPN service, but this one server does make it worth subscribing to.
The VPN.ac Taiwan server has good latency, but unstable download speed. In my experience, the best VPN.ac server to use with China Telecom is the Hong Kong Kowloon location, which can be used with OpenVPN XOR through the VPN.ac app. WireGuard is not available on this server.
The TorGuard servers performance is quite poor. Actually, their WireGuard servers all seem to be hosted on Digital Ocean VPS, which is not really a good option for high performance in China. In general, I don't recommend TorGuard as a good VPN service to use in China. Their regular servers are all blocked in China, so you can only use the WireGuard servers or the Cisco Anyconnect servers, none of which perform very well.
In order of preference from best to worst options for WireGuard in China, I rate these 3 providers in this order.
#1 - 12VPN
#2 - VPN.ac
#3 - TorGuard
What I like the most about WireGuard is the fast connection time. As soon as you press connect, the connection is done in less than 1 second. You can also switch servers very quickly without disconnecting and reconnecting.
As for speed, I don't see any big advantage. In fact, the speeds that I typically get using the ExpressVPN Hong Kong 5 server with OpenVPN are faster than all of these (except for the 12VPN Hong Kong server).
For comparison purposes, I also tested the ExpressVPN Hong Kong 5 server during the last round of tests at 11pm.
ExpressVPN Hong Kong 5 - OpenVPN protocol with ExpressVPN Windows app (11pm test)
Besides the 12VPN CN Optimized (Hong Kong server), none of the other WireGuard tests come close to this at 11pm.
However, it does take up to a full minute to make a connection with ExpressVPN these days, so if the time to connect is important to you, then WireGuard clearly has a big advantage here.
Have you tried WireGuard in China yet? Leave your comments below.
March 25, 2019 Update
I tested the VPN.ac Taiwan WireGuard server again this morning, and the speed is much faster than any of the tests yesterday.
The performance of this server can be quite unstable. It can be really fast or really slow.
This result made me think about the 12VPN CN Optimized (Hong Kong) server and how it tops out around 50Mpbs on WireGuard, while using Shadowsocks on the same server can reach 80Mbps.
I think the reason for this is that 12VPN is hosting their server on a VPS, while VPN.ac is hosting on a dedicated server. The speed on the 12VPN server is likely limited by the CPU power on their VPS server, while the dedicated VPN.ac server probably has more CPU power.
So it's not the WireGuard protocol itself that tops out at 50Mpbs, but rather the CPU speed of the host server that is the limiting factor here.
March 27, 2019 Update
Here is a speed test result from my friend in Dongguan with a 300M China Telecom connection.
The test was done using the VPN.ac Canada 3 WireGuard server on his Mac. The time of the test was at 7:40am (non peak bandwidth time).
It's pretty rare to get this kind of speed in China due to international bandwidth congestion, but I thought it would be interesting to post this result just to show what is possible with the WireGuard protocol.
April 7, 2019 Update
Since publishing this article, 12VPN has now throttled down the speed on the CN Optimized (Hong Kong) server to almost nothing. Literally less than 1Mbps.
You can read more details about this on the April 7, 2018 entry of the 2019 VPN in China blog page.