What Is WireGuard?
WireGuard is a modern, open-source VPN protocol designed to be faster, simpler, and more secure than legacy protocols like OpenVPN and IPSec. Released in 2019 and merged into the Linux kernel in 2020, it has become the default protocol for most leading VPN providers.
How WireGuard Differs from Other Protocols
| Property | WireGuard | OpenVPN | IKEv2/IPSec |
|---|---|---|---|
| Lines of code | ~4,000 | ~400,000 | ~400,000 |
| Encryption | ChaCha20, Poly1305, Curve25519, BLAKE2 | AES-256-GCM, RSA, SHA-256 | AES-256, RSA, SHA-256 |
| Key exchange | Noise Protocol Framework | TLS/SSL | IKE (ISAKMP) |
| Transport | UDP only | UDP or TCP | UDP (port 500/4500) |
| Kernel integration | Linux kernel (5.6+), kernel modules elsewhere | Userspace | Kernel (most OS) |
| Mobile reconnect | Excellent (stateless sessions) | Good | Excellent (MOBIKE) |
| Speed | Fastest | Moderate | Fast |
| Audit surface | Very small | Large | Large |
WireGuard Security Model
WireGuard uses a fixed set of modern cryptographic primitives: there is no negotiation and no cipher agility. This eliminates entire classes of downgrade attacks and simplifies auditing. Key components:
- Curve25519 for Elliptic Curve Diffie-Hellman key exchange
- ChaCha20 for symmetric encryption (faster than AES on devices without hardware AES acceleration)
- Poly1305 for message authentication (AEAD construction)
- BLAKE2s for hashing
- SipHash24 for hash table keys (DoS resistance)
- HKDF for key derivation
WireGuard Privacy Considerations
WireGuard in its raw form maintains a mapping of public keys to allowed source IPs on the server, so a server could theoretically record when a specific key last connected. VPN providers address this with implementations like:
- NordVPN's NordLynx: Wraps WireGuard in a double NAT system so no persistent IP mapping is stored on servers.
- Mullvad: Rotates WireGuard key pairs periodically and does not log connection timestamps.
- ProtonVPN: Uses a NAT gateway between WireGuard clients and exit servers to prevent IP mapping persistence.
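The per-peer state described above is what `wg show <interface> dump` prints on a server. The following added example (not from the original page or from any provider) parses a constructed sample of that output and reports what ties each public key to a source address and a handshake time; the interface name `wg0`, the placeholder keys and the documentation-range addresses are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of `wg show wg0 dump` output (tab-separated).
# Keys are placeholders; addresses come from documentation ranges.
SAMPLE_DUMP = "\n".join([
    "\t".join(["(server-private-key)", "(server-public-key)", "51820", "off"]),
    "\t".join(["(peer-A-public-key)", "(none)", "198.51.100.7:40112",
               "10.0.0.2/32", "1700000000", "1048576", "4194304", "off"]),
    "\t".join(["(peer-B-public-key)", "(none)", "(none)",
               "10.0.0.3/32", "0", "0", "0", "off"]),
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "keepalive")


def parse_peers(dump: str) -> list[dict]:
    """Parse peer lines; the first line describes the interface itself."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        cols = line.split("\t")
        if len(cols) != len(PEER_FIELDS):
            raise ValueError(f"unexpected column count: {len(cols)}")
        peer = dict(zip(PEER_FIELDS, cols))
        peer["latest_handshake"] = int(peer["latest_handshake"])
        peers.append(peer)
    return peers


def retained_metadata(peers: list[dict]) -> list[dict]:
    """Report what links each public key to a source address and a time."""
    report = []
    for p in peers:
        ts = p["latest_handshake"]
        report.append({
            "public_key": p["public_key"],
            "tunnel_ips": p["allowed_ips"].split(","),
            # Last source IP:port seen for this key, if it ever connected.
            "source_endpoint": None if p["endpoint"] == "(none)" else p["endpoint"],
            # Epoch 0 means no handshake has completed yet.
            "last_handshake_utc": (datetime.fromtimestamp(ts, timezone.utc)
                                   .isoformat() if ts else None),
        })
    return report


if __name__ == "__main__":
    for row in retained_metadata(parse_peers(SAMPLE_DUMP)):
        print(row)
```

The endpoint and handshake fields are held in memory by the interface even when nothing is written to disk, which is why the provider designs listed above focus on NAT layers and key rotation rather than log settings alone.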
For a comparison of all VPN protocols, see VPN Protocols Explained. To verify WireGuard is actually protecting your traffic, run our VPN Leak Test.