WireGuard
A modern VPN tunneling protocol designed to be simpler, faster, and more auditable than OpenVPN or IPsec — around 4,000 lines of code with a fixed modern cryptographic suite.
What is WireGuard?
WireGuard is a modern VPN tunneling protocol introduced by Jason Donenfeld in 2016 and merged into the mainline Linux kernel in 2020. It runs over UDP (usually port 51820), uses a fixed set of modern cryptographic primitives (ChaCha20, Poly1305, Curve25519, BLAKE2s), and is deliberately small — the entire Linux implementation is around 4,000 lines of code, compared to hundreds of thousands for OpenVPN or IPsec. That small surface area makes WireGuard much easier to audit and much less likely to contain memory-safety bugs.
How WireGuard works
Each peer has a static Curve25519 public key, identical in concept to an SSH key. Configuration is a short list of allowed peers, their public keys, and the IP prefixes each peer is permitted to send traffic for. Unlike OpenVPN, WireGuard has no concept of a long-lived "connection state": a tunnel is stateless at the configuration level, with session keys regenerated on a fixed schedule via a Noise-framework handshake.
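The per-peer prefix list described above is used in both directions: it selects the peer for outgoing packets and filters the source address of incoming ones. The Python example below is added here and is not WireGuard's own code; it assumes a constructed wg-quick style config with placeholder keys, and the function names are illustrative.

```python
import ipaddress

# Constructed wg-quick style config; keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

[Peer]  # laptop
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]  # branch router
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
"""

def parse_peers(text):
    """Return {public_key: [ip_network, ...]} built from the [Peer] sections."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if line.startswith("["):
            current = {"allowedips": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "allowedips":   # may repeat within a peer
                current["allowedips"] += [v.strip() for v in value.split(",") if v.strip()]
            else:
                current[name.strip().lower()] = value.strip()
    return {p["publickey"]: [ipaddress.ip_network(n) for n in p["allowedips"]]
            for p in peers}

def peer_for_destination(peers, dst):
    """Outbound: the peer holding the longest matching prefix receives the packet."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, key) for key, nets in peers.items()
               for net in nets if dst in net]
    return max(matches)[1] if matches else None

def accept_inbound(peers, sender_key, src):
    """Inbound: the decrypted packet's source IP must be in the sender's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peers.get(sender_key, []))
```

A packet that authenticates under peer A's key but carries a source address from peer B's prefixes is rejected by `accept_inbound`, which is why a peer cannot spoof addresses it was not assigned.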
WireGuard in consumer VPNs
Most modern commercial VPN providers (NordVPN's NordLynx, Mullvad, Surfshark, ProtonVPN, IVPN) now offer WireGuard as their default or primary protocol. It reconnects faster on mobile network changes, runs close to line rate on modest hardware, and uses less battery on phones than OpenVPN over TCP. Because WireGuard runs over UDP and its packets look uniform, it is more easily fingerprinted and blocked by deep-packet-inspection firewalls, which is why some providers wrap it in TCP/TLS (obfuscation layers like NordWhisper or Shadowsocks) for use in restrictive networks.