Comparison of VPN Protocols at Network Layer Focusing on Wire Guard Protocol

The key point of this paper is to assess and review the leading network-layer VPN (Virtual Private Network) protocols, because data-link-layer VPNs are hardly ever found in use in organizations owing to their exceedingly high cost. VPNs are commonly used in business settings to provide secure communication channels over public infrastructure such as the Internet. They provide secure, encrypted communication between remote networks worldwide by using Internet Protocol (IP) tunnels over a shared medium like the Internet. The paper follows and sets out standards for the different types of protocols and techniques. The VPN architecture is made to deliver a dependable and safe network that, unlike regular networks, provides a higher level of trust and a more secure channel between user and organization. The current study summarises the usage of existing VPN protocols and shows the strengths of each VPN through studies made by other researchers, with extra focus on the state-of-the-art protocol, WireGuard. It is also worth mentioning that WireGuard is compared with other protocols such as IPsec and GRE. The studies show WireGuard to be a better choice than other well-known procedures for establishing a secure and trusted


Introduction
The reason for a VPN is to offer an organization the same capabilities as leased lines at a much lower cost by means of the shared infrastructure.

Literature Review and Problem Statement
In this section, a review of VPN protocols is presented. As mentioned above, much work has aimed to find the best VPN protocol, since the choice is of great importance in terms of performance. VPN is a mature, long-established method that is still a widely used technology. Recent studies appear to be scarce; however, the existing ones are still informative [3]. Some research discusses the security methods of a VPN [13], while many others focus on the performance of VPNs [15][16][17]. However, no academic research appears to compare IPsec [8,10] with a more recent VPN protocol such as WireGuard [18,19] and GRE [20]. One reason the VPN came into existence was to give organizations the capability offered by private leased lines at affordable rates by taking advantage of the shared infrastructure. Network capabilities and how the VPN protocols compare on both wired and wireless networks are shown in [21]. The authors of [18,22,23,24,25] give a thorough overview of the Next Generation Kernel Network Tunnel (WireGuard); they present the formal verification of the protocol and its architecture, in addition to its attributes, strengths, weaknesses and promising future challenges. The comparison between the SSL protocol in the data link layer (layer 2) and the IPsec protocol in the network layer (layer 3) is described in [26]. Problems that may occur in IPsec policy specification are hard to analyze for three different reasons. First, encapsulation in IPsec makes it hard to show specific errors. Second, undesired errors can occur due to overlapping policies. Third, there is an unclear relation between the objective policies and the specific policies.
To solve these problems, a security policy is first defined at two levels: a requirement-level security policy and an implementation-level security policy. Requirement-level policies state security objectives and are implementation independent [27].

The Aim of the Paper
The main target of this work is to present a review of VPN tunnels and to compare the three network-layer protocols mentioned above (IPsec, GRE, and WireGuard) regarding their features and underlying technologies, so as to identify their strengths and weaknesses. A broader purpose of our study is to show which of the three protocols is the best according to some of the remarks (characteristics) mentioned in our paper and based on previous reviews. This is of great importance for researchers in this field, who can effortlessly find and compare the above points to select the appropriate protocol for each purpose.
To achieve this aim, the following objectives are accomplished:
• A study of the three protocols, based on the latest papers.
• Performance evaluation of the three VPN protocols according to standard metrics.
• Highlighting the main advantages and disadvantages of each protocol.

Types of a Virtual Private Network (VPN)
A VPN gives users the opportunity to connect to a private network over the Internet in a safe and secure way. The VPN encodes data so that it cannot be intercepted, creating what is known as a VPN tunnel, and all Internet traffic and communication is carried through this secure tunnel [13,28]. VPNs come in two main kinds:
• Remote Access VPN: Remote Access VPN allows a user to connect to a private network and access all of its services and resources remotely [29]. The connection between the user and the private network is made over the Internet, and it is secure and private. Remote Access VPN is beneficial for home users as well as for business [30].
• Site-to-Site VPN: A Site-to-Site VPN is also known as Router-to-Router VPN and is typically adopted by large companies. Companies or organizations with more than one office in different areas use Site-to-Site VPN to connect the network of one office location to the network of another office location [4,31,32].
• Intranet-based VPN: When several offices of the same company are connected using the Site-to-Site VPN type, this is known as an Intranet-based VPN [4].
• Extranet-based VPN: When companies use the Site-to-Site VPN type to connect their office to the office of another company, this is known as an Extranet-based VPN [4].
• VPN Architecture (Framework): A VPN works by routing the device's Internet connection through a private VPN server of the user's choosing instead of through the Internet service provider (ISP); as a result, the data transmitted to the Internet appears to come from the VPN rather than from the computer [27]. The VPN thus plays a significant role as an intermediary.
So keep in mind that, to the Internet, the result is the hiding of your IP address (the series of numbers your ISP gives your device) and the protection of your identity [33,34,35]. Furthermore, if your data is somehow intercepted, it will be illegible until it reaches its final destination. A VPN creates a secure "tunnel" from your device to the Internet and hides your vital data through what is known as encryption [27,36]; see Fig. 1. VPN devices are of three kinds: hardware, usually a VPN router; a firewall, which is safer; and software, ideal for two endpoints that are not in the same organization.

VPN Protocol Types Based on OSI Layer Three
A VPN depends on tunneling methods for carrying data. The tunneling protocols work at the OSI network layer. The most popular protocols associated with VPN tunnels are Internet Protocol Security (IPsec) [36,37], GRE tunneling and the WireGuard tunneling protocol [29]. These VPN tunnels provide security, authentication, confidentiality, integrity, and encryption mechanisms [3,38,40].
Internet Protocol Security (IPsec): IPsec provides authentication of the parties that use it, encryption of data, and data integrity during transmission between sender and receiver. It uses three main protocols: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE) [41,42]. They are used when establishing the connection and when transmitting data securely [31,41]. IPsec can operate in two encryption modes:
• Transport mode
• Tunnel mode
Transport mode encrypts only the data part (payload) of packets. Tunnel mode is safer, as it encrypts both the header and the payload [13,43]. For a better understanding, Table 1 below gives more details on the performance of IPsec VPN tunnels.
IPsec protocol suite: IKE, AH and ESP: IPsec specifies the procedures for obtaining secure IP communication on a point-to-point basis, including the security protocols AH and ESP, the algorithms for authentication and encryption, and the key exchange mechanisms. AH and ESP do not themselves handle the key exchange; they assume that the two nodes have already established a Security Association (SA). An SA is a "contract" between the two IPsec endpoints that defines the protection mechanisms and the keys to be used in the subsequent data transfer. For this purpose, the IPsec standard specifies both the Pre-Shared Key (PSK) mechanism and the Internet Key Exchange (IKE) protocol. However, the latter uses asymmetric cryptography, which is presumed to be a substantial burden for small sensor nodes [3,17].
Both the AH and ESP protocols support connectionless integrity, anti-replay protection, and data origin authentication. AH authenticates the entire IP packet, with the exception of the variable fields of the IP header, which are altered by intermediate nodes and therefore cannot be authenticated. Unlike AH, ESP also supports confidentiality. ESP encrypts the payload of an IP packet but, unlike AH, does not protect the IP header [46]. Fig. 3 shows the IPsec architecture.
The AH and ESP protocols offer two working modes: transport mode and tunnel mode. In the former, as mentioned before, only the payload is protected and the original IP header is retained. In tunnel mode, a new IP header is placed in front of the original IP packet, and the security functions are applied to the encapsulated IP packet [16].

Table 1. Performance of IPsec VPN tunnels. The metrics control the quality and characteristics of each protocol; they were taken from a set of recognized researchers.

Generic Routing Encapsulation (GRE):
GRE was originally designed as an encapsulation protocol wrapping a higher-level protocol. Chiefly, this tunnel is used to convey IP or non-IP packets end to end across public IP networks. The tunnel can likewise be used for the encapsulation of any OSI layer three protocol. The original data packets are merely enclosed inside a GRE header, which shields them from numerous Internet attacks [11,27,47]. Fig. 4 shows the GRE encapsulation packet format.

Fig. 4. GRE Packet Format
GRE creates an end-to-end remote connection that provides a reliable and safe communication path. However, the communication path is not as secure as IPsec, because GRE does not offer heavy-duty security features like encryption, authentication, and sequencing. It is a very simple but also powerful tunneling technique [20,26]. Fig. 5 shows the general architecture of GRE.

Fig. 5. GRE VPN Tunnel
The GRE tunnel can be used to implement a quick, dependable, and more relaxed communication within the open network. At the transmitter end of the tunnel, the data packet is received by the GRE endpoint in the router, and the packet is then enclosed with the GRE header plus the target address of the tunnel. At the receiver end of the tunnel, the receiving router decapsulates the encapsulated packet, which is finally delivered to the intended destination [20,33,48]. For more detail, Table 2 describes the general performance of the GRE protocol according to properties such as which port is used and its cost, in addition to the other characteristics described above.
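To make the transmitter-side encapsulation and receiver-side decapsulation concrete, the following Python code is an added example and not part of the original paper. It builds and parses the GRE header of RFC 2784 together with the optional key and sequence-number fields of RFC 2890 over a constructed inner IPv4 packet, verifies the optional checksum, and shows why the tunnel offers no confidentiality: the inner packet is carried verbatim inside the GRE packet. The addresses, key, sequence number and payload are constructed sample inputs.

```python
import struct

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_C = 0x8000       # checksum present
GRE_FLAG_K = 0x2000       # key present
GRE_FLAG_S = 0x1000       # sequence number present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800   # protocol type of the packet carried inside the tunnel


def internet_checksum(data):
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_ipv4(src, dst, payload, ttl=64, proto=17):
    """Constructed inner IPv4 packet (IP header checksum left at zero for brevity)."""
    def ip_bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return header + payload


def gre_encapsulate(inner, proto=ETHERTYPE_IPV4, key=None, seq=None, checksum=False):
    """Transmitter side: wrap `inner` in a GRE header with the requested options."""
    flags = 0
    options = b""
    if key is not None:
        flags |= GRE_FLAG_K
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        options += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + options + inner
    flags |= GRE_FLAG_C
    # The checksum covers the whole GRE header (checksum field zeroed) plus payload.
    fixed = struct.pack("!HH", flags, proto)
    csum = internet_checksum(fixed + struct.pack("!HH", 0, 0) + options + inner)
    return fixed + struct.pack("!HH", csum, 0) + options + inner


def gre_decapsulate(packet):
    """Receiver side: validate the header and return protocol, options and inner packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    offset = 4
    info = {"protocol": proto, "key": None, "seq": None}
    if flags & GRE_FLAG_C:
        # Summing the packet with its checksum in place must yield zero.
        if internet_checksum(packet) != 0:
            raise ValueError("bad GRE checksum")
        offset += 4
    if flags & GRE_FLAG_K:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["inner"] = packet[offset:]
    return info


def inner_is_exposed(packet, inner):
    """True when the inner packet appears unmodified inside the tunnel packet,
    i.e. any observer on the path can read it: GRE adds no confidentiality."""
    return inner in packet


if __name__ == "__main__":
    inner = build_inner_ipv4("10.0.0.1", "10.0.0.2", b"constructed payload")
    tunnelled = gre_encapsulate(inner, key=42, seq=7, checksum=True)
    print(gre_decapsulate(tunnelled))
    print("inner packet readable in clear:", inner_is_exposed(tunnelled, inner))
```

The checksum and sequence number give a receiver a way to notice corruption and reordering, but nothing in the header hides or authenticates the inner packet, which is the gap the paper attributes to GRE relative to IPsec and WireGuard.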
WireGuard: WireGuard is a new open-source VPN protocol that aims to offer a faster, simpler, and more secure online experience for Internet users. The protocol is claimed to offer better performance than OpenVPN and to be generally more useful and better designed than IPsec [18,46]. WireGuard was created by Jason Donenfeld, the founder of Edge Security. In spite of how "young" the WireGuard protocol is (it formally appeared in 2018, but was in development before that date), it has been rapidly adopted by online users and even managed to catch the attention of the main Linux developer Linus Torvalds, who called it a "work of art" [18,22,50]; see Fig. 6, which describes WireGuard.
The WireGuard Virtual Private Network Protocol: The WireGuard VPN allows two parties to establish a secure channel by performing a Diffie-Hellman based key exchange protocol. It operates at layer 3 and runs over UDP at the transport layer. WireGuard employs a new "cryptokey routing" method to construct routes to endpoints, and offers new identity-hiding and DDoS-resistance features, the latter based on a cookie reply system. The handshake uses both long-term and ephemeral elliptic-curve keys [19,47]. Security can be strengthened in another way, by an optional pre-shared symmetric key. If the handshake does not succeed as it should, the procedure needs to be performed again, as UDP does not allow the detection of packet loss. After the handshake, the protocol running over the secure WireGuard channel, for example TCP, can execute all its own packet loss detection techniques. WireGuard alone cannot detect packet loss but only uses a sliding window method to reorder packets [48]. A new handshake is performed every two minutes or after a number of sent packets defined in the specification, to avoid the possibility of collision attacks on the stream cipher [18,23,51].
The Noise Protocol Framework (IKpsk2): WireGuard has adopted a protocol taken from the Noise Protocol Framework as the main framework for its key exchange protocol. The Noise Protocol Framework specifies many kinds of cryptographic two-party key exchange protocols based on Diffie-Hellman key exchange [50], independent of the particular exchange adopted. It is stated as a concise language for describing protocols, using symbols such as 'e', which means an ephemeral key, 's', which means the static long-term key, and PSK, which stands for pre-shared key; a two-letter combination of 'e' and 's' represents a Diffie-Hellman operation between the two keys: ee, es, se, ss, where the first letter indicates the participating key of the initiator and the second letter the participating key of the responder [19,52,53].
The name IKpsk2 can be separated into the two parts IK and psk2. The letters IK mean that the initiator immediately sends its static key to the responder in the first protocol message (I for immediately), and that the initiator already knows the responder's static key beforehand (K for known) [54,55]. The number 2 at the end of psk2 means that the pre-shared key is used at the end of the second protocol message. The parameters (s, rs) define the values that are needed to execute the protocol. In this case, these are both static keys: s for the initiator's own static key, and rs for the remote static key of the responder [19,23].
Protocol Messages and Key Derivation: The initiator is the party that starts the protocol by sending the first protocol message to the other party, which is known as the responder. These roles do not necessarily correspond to the classic roles of client and server in a VPN setting, where the client is the customer and the server is a machine of a VPN provider. While the client is normally the one who starts a handshake, the roles may differ over the course of a longer VPN "session". The WireGuard protocol [24,25,56,57] consists of three protocol messages that are required so that mutual authentication between initiator and responder is guaranteed. That is why it is considered a 1.5-RTT key exchange protocol. The third message, which is sent from initiator to responder, is a transport data message and can carry real data [56,57,58,60,61]. The valid encryption of this third message allows the responder to authenticate the initiator. After these three messages, transport data messages can be exchanged in either direction between the parties [25,48,59]. Table 3 below shows the evaluation according to many factors that have been tested by other researchers. From Tables 1-3, Table 4 summarizes the remarks on all protocols against each other. WireGuard uses the UDP transport protocol on port 51820. Table 4 shows the final result of the characteristics and properties of the WireGuard, IPsec and GRE protocols that have been obtained from Table 1 to Table 3.
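The three passages above on the Noise notation, the IKpsk2 pattern and the 1.5-RTT message flow can be followed step by step in code. The following Python block is an added, simplified illustration written for this review; it is not WireGuard's or the Noise framework's own code. It walks the IKpsk2 token sequence (e, es, s, ss in message 1; e, ee, se, psk in message 2) from both the initiator's and the responder's viewpoint and shows that both sides derive the same transport keys, and that a mismatched pre-shared key makes them diverge. Everything cryptographic is a stand-in: a small, insecure modular Diffie-Hellman group replaces Curve25519, HMAC-SHA256 replaces BLAKE2s, and the encryption of the static key and payloads, the timestamps, MACs and cookies of the real messages are omitted.

```python
"""Toy walk-through of the Noise IKpsk2 pattern used by the WireGuard handshake.

Constructed for illustration only: insecure toy DH group, HMAC-SHA256 in place of
BLAKE2s, no payload encryption, no MixHash transcript binding.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: a 127-bit Mersenne prime with an arbitrary generator.
# Not a secure choice; it only makes the DH tokens computable by both parties.
P = (1 << 127) - 1
G = 5
KEYLEN = 16  # bytes needed to encode one element of the toy group


def keygen():
    """Return a (private, public) pair for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret between our private key and the peer's public key, as bytes."""
    return pow(pub, priv, P).to_bytes(KEYLEN, "big")


def pub_bytes(pub):
    return pub.to_bytes(KEYLEN, "big")


def mix_key(ck, material):
    """Noise-style MixKey: fold new material into the chaining key ck and output
    a temporary key k (a two-output HKDF built from HMAC-SHA256)."""
    prk = hmac.new(ck, material, hashlib.sha256).digest()
    new_ck = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    k = hmac.new(prk, new_ck + b"\x02", hashlib.sha256).digest()
    return new_ck, k


def split(ck):
    """Noise Split(): derive one transport key per direction from the final ck.
    By convention the initiator sends with the first key and the responder
    sends with the second."""
    prk = hmac.new(ck, b"", hashlib.sha256).digest()
    k_init_to_resp = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    k_resp_to_init = hmac.new(prk, k_init_to_resp + b"\x02", hashlib.sha256).digest()
    return k_init_to_resp, k_resp_to_init


def run_ikpsk2(psk_initiator, psk_responder):
    """Run the IKpsk2 token sequence from both viewpoints and return the transport
    keys each side derives as (initiator_keys, responder_keys).

    Pattern in Noise notation (first letter = initiator's key):
        <- s               pre-message: the initiator already Knows rs
        -> e, es, s, ss    message 1, the initiator's s sent Immediately
        <- e, ee, se, psk  message 2, psk mixed at its end (psk2)
    """
    ck0 = hashlib.sha256(b"Noise_IKpsk2_toy_example").digest()
    si_priv, si_pub = keygen()   # initiator's static key s
    sr_priv, sr_pub = keygen()   # responder's static key, known to the initiator as rs

    # --- Message 1: initiator -> responder (e, es, s, ss) ---
    ei_priv, ei_pub = keygen()
    ck_i, _ = mix_key(ck0, pub_bytes(ei_pub))          # e
    ck_i, _ = mix_key(ck_i, dh(ei_priv, sr_pub))       # es
    ck_i, _ = mix_key(ck_i, pub_bytes(si_pub))         # s (encrypted in the real protocol)
    ck_i, _ = mix_key(ck_i, dh(si_priv, sr_pub))       # ss
    # Responder processes the same tokens with its own private key.
    ck_r, _ = mix_key(ck0, pub_bytes(ei_pub))          # e
    ck_r, _ = mix_key(ck_r, dh(sr_priv, ei_pub))       # es
    ck_r, _ = mix_key(ck_r, pub_bytes(si_pub))         # s
    ck_r, _ = mix_key(ck_r, dh(sr_priv, si_pub))       # ss

    # --- Message 2: responder -> initiator (e, ee, se, psk) ---
    er_priv, er_pub = keygen()
    ck_r, _ = mix_key(ck_r, pub_bytes(er_pub))         # e
    ck_r, _ = mix_key(ck_r, dh(er_priv, ei_pub))       # ee
    ck_r, _ = mix_key(ck_r, dh(er_priv, si_pub))       # se
    ck_r, _ = mix_key(ck_r, psk_responder)             # psk
    ck_i, _ = mix_key(ck_i, pub_bytes(er_pub))         # e
    ck_i, _ = mix_key(ck_i, dh(ei_priv, er_pub))       # ee
    ck_i, _ = mix_key(ck_i, dh(si_priv, er_pub))       # se
    ck_i, _ = mix_key(ck_i, psk_initiator)             # psk

    # After 1.5 round trips both sides Split() into transport keys; the
    # initiator's third message is already encrypted transport data.
    return split(ck_i), split(ck_r)


if __name__ == "__main__":
    psk = b"\x11" * 32  # constructed pre-shared key
    initiator_keys, responder_keys = run_ikpsk2(psk, psk)
    print("keys agree:", initiator_keys == responder_keys)
```

Each `mix_key` call corresponds to one token of the pattern, so the chaining key on each side is a function of exactly the same sequence of public values, DH results and the PSK; if any one of them differs (for example a wrong PSK or a static key that is not the one the initiator "knows"), the derived transport keys differ and the responder cannot decrypt the initiator's third message, which is the mutual-authentication property the paper describes.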

The VPN Tunneling Solutions
The necessary core of security and its purposes are the encryption and authentication of the data traffic, the security negotiation procedures between communication partners [45], well-defined security assets, and reliable transmission routes of the VPN that should not be tampered with by external third parties. The most common security attacks on VPNs are man-in-the-middle attacks, DoS attacks, and VPN hijacking [63,64,65]. The security threats and exposures arise from failing to authenticate valid users, weak authentication on the client side of a compromised system, lack of synchronization between two connecting systems of different vendors, contamination of the client side with viruses and malware, etc. [67]. The mentioned weaknesses are the reasons that should be controlled to attain the main security goals of the VPN technique [66,20,69,70]. In Tables 5-7, the advantages and disadvantages of VPN tunnels such as IPsec, GRE, and WireGuard are described.

Table 5. Advantages and Disadvantages of IPsec.

References & Authors | Advantages | References & Authors | Disadvantages
[16,21,26] | A high level of implementation in the network layer. | [20] | Issues with compatibility because of diverse standards.
[13,29] | Screens incoming and outgoing traffic. | [15,26,36] | Complex encryption, decryption, and tunneling process.
[26,31] | Easy maintenance. | [13,15] | The security algorithms used by IPsec are at risk and are split.
-- | -- | [36] | Greater processing speed is required.

Table 6. Advantages and Disadvantages of GRE.

References & Authors | Advantages | References & Authors | Disadvantages
[9,20] | GRE is a simple but powerful tunneling technique. | [20,34] | Because a GRE tunnel lacks a description, it is dangerous for important information sent over the network.
[28] | It encapsulates different types of protocol, like packets inside the IP tunnel. | [35,36] | It gives virtual connections and static IP addresses without hiding information or data on the network.
[35,39] | It is made to configure a separate tunnel for each link. | [39] | Lack of confidentiality.

Table 7. Advantages and Disadvantages of WireGuard.

References & Authors | Advantages | References & Authors | Disadvantages
[18] | WireGuard uses high-end cryptography to give a much safer online connection. | [24,25] | Security problems with WireGuard arise because the way it is automated could make VPN providers log user data.
[18,25] | The WireGuard VPN protocol has a smaller code base than OpenVPN and IPsec, which makes it easier to audit when looking for vulnerabilities. | [18,24] | Currently, WireGuard only works over UDP, which means it can possibly be blocked by a network admin. WireGuard works better with Linux distributions.
[18,19] | The WireGuard protocol shows performance enhancements that can decrease battery use and give better roaming support on mobile devices. | [18,22] | WireGuard is newer, which means not many tests have been done.
[19] | A smaller amount of code, much safer, better performance, and easy to use. | -- | --
[18] | WireGuard is designed to offer high speeds, and recent benchmarks demonstrate that it is faster than IPsec and OpenVPN. | -- | --

Tables 5-7 show the advantages and disadvantages of the three VPN protocols at the network layer (WireGuard, GRE, IPsec).

Discussion of Experimental Results
This paper provided a review of the most recent and relevant selected research on VPN protocols such as IPsec, GRE and WireGuard. It also elaborates on the objectives, problems, advantages, and disadvantages in order to select the appropriate protocol. To handle a given situation successfully, these decisions are quite crucial. However, this paper notes that there are plenty of open roads and opportunities for further enhancement, as discussed below. On the whole, we observe that many academics have put vast and very effective effort into IPsec, and a major part of organizations have put it to good use because of its security. However, comparison results on the WireGuard protocol and the GRE approach have also shown good prospects as well as performance, with only some limitations of GRE. Thus, the development or advancement of WireGuard techniques can be considered to lead to a bright future for VPNs at network layer 3, according to recent studies. In the comparison of the WireGuard VPN protocol with the two well-known, state-of-the-art protocols IPsec and GRE, the study illustrates the terms, remarks, strength, and reliability of each protocol. As shown in Tables 1-5, the study concludes that WireGuard is the simplest protocol in terms of design when compared with IPsec and GRE, and it still works well on Linux. WireGuard, according to all the research, is low cost in comparison with IPsec, which was and still is one of the most common protocols in a VPN. On the other hand, GRE is also low cost; however, it is neither as secure nor as confidential as the other VPN protocols; as a result, it is not preferred for use by organizations. The tables above show the strong points of the encryption scheme, and integrity was studied in the three protocols; both WireGuard and IPsec offer completeness and dedicated mechanisms that ensure data integrity, as opposed to GRE, which does not provide good integrity protection.
The speed analysis again shows that WireGuard has a reliably high speed across a wide diversity of devices; likewise, some researchers attribute the speed of the protocol to its number of lines of code, which does not exceed 4000 lines, which facilitates the installation process and its speed compared to IPsec, which has close to 70,000 lines of code.
Furthermore, in terms of authentication, IPsec shows stronger authentication than GRE and WireGuard because it uses AH and ESP, while WireGuard uses a handshake.
Finally, WireGuard and IPsec were competitive in terms of all remarks, but overall WireGuard is better than the other protocols; nevertheless, it has its weakness: unfortunately, it is very new and has not been tested thoroughly.

Conclusion
Because a VPN offers an organization the same capabilities as leased lines at a much lower cost by means of the shared infrastructure, VPN protocols are widely depended upon. This paper provided a detailed explanation of three main VPN protocols at the network layer in terms of design, confidentiality, cost, encryption, integrity, speed, authentication, security, and port. These metrics are taken from a set of recognized researchers, and they control the quality and characteristics of each protocol. The performance of IPsec, GRE, and WireGuard VPN tunnels has been the focus.
It can be concluded that IPsec provides good encryption, authentication, and security. On the other side, this protocol has compatibility issues, a complex encryption, decryption and tunneling process, security risks, and needs more processing speed. GRE VPN provides a simple design, low cost, good integrity, and fast speed. However, the GRE protocol is dangerous for important information sent over the network, gives virtual connections and static IP addresses without hiding information or data on the network, and lacks confidentiality. Finally, the WireGuard VPN tunnel provides a simple and usable design, acceptable confidentiality, low cost, encryption support, good integrity, and high speed. On the other hand, it suffers from security problems because VPN providers may log user data; it works only over UDP, which means it can possibly be blocked by a network admin; and it is a newer protocol, which means not many tests have been done.