Summary
WireGuard is a modern open-source VPN protocol designed for simplicity, performance, and strong cryptography. It has been built into the Linux kernel since version 5.6 and has clients for every major operating system.
What is WireGuard?
WireGuard takes a deliberately minimal approach. Where older VPN protocols (IPsec, OpenVPN) negotiate cipher suites and run on tens of thousands of lines of code, WireGuard pins a small set of modern primitives — Curve25519, ChaCha20, Poly1305, BLAKE2s — and ships in a few thousand lines. The protocol is connectionless: from the network's point of view there is no session to set up or tear down, and all traffic runs over UDP.
Each peer is identified by a static public key. Configuration is intentionally boring: a list of peer public keys, the allowed IP ranges for each peer, and an endpoint. There is no central authority, no certificate issuance, and no protocol negotiation. Higher-level products such as NetBird, Tailscale, and Headscale layer identity, policy distribution, NAT traversal, and key rotation on top of this primitive.
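The per-peer allowed IP ranges just described are WireGuard's routing table as well as its access-control list ("cryptokey routing"): an outbound packet goes to the peer whose AllowedIPs contain the destination, and an inbound packet decrypted from a peer is dropped unless its source address falls inside that peer's AllowedIPs. The following is an added example, not WireGuard's own code (which lives in the kernel): a small Python model of that rule. The wg0.conf text, the key strings (placeholders, not real Curve25519 keys) and the addresses are all constructed for the example.

```python
"""Toy model of WireGuard cryptokey routing (added example, not WireGuard code).

Assumptions: the config below is constructed for this example; the PrivateKey
and PublicKey values are placeholders rather than real base64 Curve25519 keys.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample config. Peer C has AllowedIPs = 0.0.0.0/0, the usual
# shape of an "exit node" peer; it only wins when no more specific peer matches.
SAMPLE_CONF = """\
[Interface]
PrivateKey = LOCAL_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
Endpoint = 203.0.113.10:51820

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24

[Peer]
PublicKey = PEER_C_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.5:51820
"""


@dataclass
class Peer:
    public_key: str
    allowed_ips: List[ipaddress._BaseNetwork] = field(default_factory=list)
    endpoint: Optional[str] = None


def parse_conf(text: str) -> List[Peer]:
    """Parse the [Peer] sections of a WireGuard-style config into Peer objects."""
    peers: List[Peer] = []
    current: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            current = Peer(public_key="") if section == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None:
            continue  # keys under [Interface] are not needed for routing
        key, _, value = line.partition("=")  # base64 keys may end in '=' so split once
        key, value = key.strip().lower(), value.strip()
        if key == "publickey":
            current.public_key = value
        elif key == "allowedips":
            current.allowed_ips = [
                ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip()
            ]
        elif key == "endpoint":
            current.endpoint = value
    return peers


def peer_for_destination(peers: List[Peer], dst: str) -> Optional[Peer]:
    """Outbound: choose the peer whose AllowedIPs contain dst; longest prefix wins.
    Returning None models the kernel dropping a packet that matches no peer."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer: Peer, src: str) -> bool:
    """Inbound: a packet decrypted under `peer`'s key is accepted only if its
    inner source address lies within that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peer.allowed_ips)


if __name__ == "__main__":
    table = parse_conf(SAMPLE_CONF)
    for dst in ("10.0.0.2", "192.168.50.7", "10.9.9.9"):
        chosen = peer_for_destination(table, dst)
        print(dst, "->", chosen.public_key if chosen else "dropped")
    print("peer A may send from 10.0.0.3:", accept_inbound(table[0], "10.0.0.3"))
```

The inbound check is the point worth noticing: a peer that tries to spoof another peer's address inside the tunnel is dropped by the table itself, without any separate firewall rule, which is why products layered on WireGuard distribute AllowedIPs as their policy.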
Because WireGuard sits in the kernel and uses fast cryptographic primitives, it consistently outperforms IPsec and OpenVPN in throughput and latency. Its small attack surface also makes auditing easier, which is one reason it has become the de facto standard for modern mesh VPNs.
Why is WireGuard relevant?
- Performance: Kernel implementation and modern crypto deliver near line-rate throughput
- Simplicity: Small codebase reduces attack surface and eases audits
- Cross-platform: Native clients for Linux, Windows, macOS, iOS, Android, and containers
- Foundation for modern VPNs: Underpins mesh VPNs, Zero Trust overlays, and self-hosted private networks
Related Terms
- VPN: The broader category WireGuard belongs to
- Mesh VPN: Topology where WireGuard typically delivers the data plane
- SSL VPN: Traditional alternative WireGuard increasingly replaces
- Peer-to-Peer: Communication model WireGuard implements between peers
- Zero Trust: Security model that pairs naturally with WireGuard-based overlays