WireGuard

WireGuard is a simple and lightweight VPN protocol. Unlike IKEv2/IPSec, WireGuard focuses on simplicity, speed, and ease of use. It is also a protocol with a very compact code base and functionality, making it ideal for use on IoT and embedded devices.

IKEv2 is an IETF-standardized protocol offering many extensions and high flexibility, but also significant complexity. While IKEv2, for example, supports crypto agility—meaning encryption algorithms can be exchanged or negotiated between endpoints—WireGuard uses a fixed key exchange (Curve25519) and a fixed encryption protocol (ChaCha20/Poly1305). In WireGuard, authentication is only possible via public/private keys, whereas IKEv2 allows flexible authentication methods such as PSK, certificates, or EAP. IKEv2 also supports many extensions, such as RADIUS or two-factor authentication, which are not available in WireGuard. Furthermore, WireGuard only supports transmission over UDP but includes built-in roaming functionality similar to MOBIKE in IKEv2.

IKEv2/IPSec continues to be the recommended standard protocol for branch connectivity and SD-WAN due to its wide range of configuration and deployment scenarios in LCOS. WireGuard on LANCOM router platforms does not provide hardware acceleration for ChaCha20/Poly1305, meaning encryption is handled entirely in software. For scenarios requiring high VPN throughput, IKEv2/IPSec therefore remains the preferred option.

Within LCOS, IKEv2/IPSec is based on many years of practical use in VPN site connectivity and numerous protocol and feature extensions for medium, large, and complex VPN or SD-WAN scenarios. WireGuard in LCOS is therefore an ideal addition for simpler use cases where only basic encrypted connections are needed. Another scenario for WireGuard use is when the VPN protocol is specified by a service provider or VPN vendor.

Conceptually, WireGuard is a "silent" protocol—no control or negotiation packets are exchanged until user data needs to be transmitted. In contrast, IKE tunnels can be configured to initiate immediately. For this reason, there is no hold time or related configuration for WireGuard in LCOS. WireGuard supports both IPv4 and IPv6, both as the transport protocol for the tunnel itself and for the data transmitted within the tunnel.

For IPv6, the inbound UDP ports used for the tunnel must be configured manually in the IPv6 firewall inbound table, since the ports in WireGuard are freely configurable.

WireGuard tunnels in LCOS can be defined as either "Unnumbered"—i.e., without a configured IP address—or with assigned IP addresses under Communication > Protocols > IP parameters.

In LCOS, WireGuard is classified as an interface type "VPN". This classification is relevant, for example, in connection with the access list for management protocols to the device itself under Management > Admin > Access settings.

If WireGuard is used to connect to a VPN provider that, for example, routes public IP addresses or subnets to the router via WireGuard, the classification as a secure interface type "VPN" applies.

In this case, the ports of management protocols or the Voice Call Manager (VCM) that allow access "only via VPN" will be open and reachable via the public IP address of the WireGuard tunnel. If this is not desired, additional rules must be configured for access stations (for management protocols) or the setting must be changed to "from WAN denied".

This behavior also applies when an IPSec / IKE / IKEv2 interface has a public IP address.
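The exposure rule described in the preceding paragraphs, as an added illustration that is not LCOS code: a simplified model in which any tunnel of interface type "VPN" that carries a public IP routed in by a provider makes every management service set to "only via VPN" reachable from the Internet, unless an access-station rule restricts the source or the service is set to "from WAN denied". The setting values, field names, and sample addresses are constructed assumptions for the model.

```python
# Added model (not LCOS code) of the exposure rule described above. Access
# setting strings, field names and sample addresses are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Both tunnel kinds are classified as interface type "VPN" in LCOS.
VPN_INTERFACE_KINDS = {"wireguard", "ipsec"}

@dataclass
class Tunnel:
    name: str
    kind: str                        # "wireguard" or "ipsec"
    public_ip: str | None = None     # public address routed to the router via the tunnel

@dataclass
class Service:
    name: str
    access: str                      # "only via VPN", "from WAN denied" or "allowed"
    access_stations: list[str] = field(default_factory=list)  # permitted source networks

def reachable_via(tunnel: Tunnel, service: Service, source_ip: str) -> bool:
    """Can an Internet host at source_ip reach the service on the tunnel's public IP?"""
    if tunnel.public_ip is None or tunnel.kind not in VPN_INTERFACE_KINDS:
        return False                 # no public address exposed through a VPN-type interface
    if service.access == "from WAN denied":
        return False                 # second remedy from the text
    if service.access == "only via VPN":
        if not service.access_stations:
            return True              # the pitfall: a VPN-type interface satisfies "only via VPN"
        src = ip_address(source_ip)  # first remedy: access stations restrict the source
        return any(src in ip_network(n) for n in service.access_stations)
    return service.access == "allowed"

def exposure_report(tunnels, services, source_ip="203.0.113.7"):
    """Map each service name to the tunnels through which an Internet host could reach it."""
    return {s.name: [t.name for t in tunnels if reachable_via(t, s, source_ip)] for s in services}

if __name__ == "__main__":
    # Constructed sample: a provider WireGuard tunnel routes a public address to the router;
    # the IPSec branch tunnel is unnumbered and exposes nothing.
    tunnels = [Tunnel("WG-PROVIDER", "wireguard", "198.51.100.10"),
               Tunnel("IKE-BRANCH", "ipsec")]
    services = [Service("SSH", "only via VPN"),
                Service("HTTPS", "only via VPN", ["10.0.0.0/8"]),
                Service("SNMP", "from WAN denied")]
    for name, via in exposure_report(tunnels, services).items():
        print(f"{name}: {'EXPOSED via ' + ', '.join(via) if via else 'not reachable'}")
```

Running the sample shows SSH exposed through the provider tunnel, while the access-station rule on HTTPS and the "from WAN denied" setting on SNMP close the hole.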

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
