WireGuard
A modern, fast, and minimal VPN protocol implemented in ~4,000 lines of code — compared to OpenVPN's ~100,000 — with state-of-the-art cryptography and kernel-level performance.
WireGuard is a VPN protocol created by Jason Donenfeld and merged into the Linux kernel in 2020. It replaces OpenVPN and IPsec for most new deployments with a dramatically simpler design: cryptokey routing, a single modern cipher suite (ChaCha20, Poly1305, Curve25519, BLAKE2s), and a stateless design that is auditable, fast, and secure by default.
The Design Philosophy
WireGuard has no negotiation phase, no algorithm selection, no configuration knobs for cipher suites. Every peer uses the same cryptography — there's nothing to misconfigure. The entire protocol fits in a few thousand lines of code; OpenVPN is 100,000+ lines. Fewer lines = smaller attack surface and easier auditing.
How It Works
- Each peer has a public/private key pair (like SSH)
- Peers are configured with each other's public keys and allowed IP ranges
- Packets within allowed IP ranges are encrypted and routed through the WireGuard tunnel
- The kernel handles the encryption directly — no userspace daemon overhead
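The following Python is an added example, not code from the original page or from the WireGuard project; it models the cryptokey-routing rule that the [Interface]/[Peer] configuration in this section expresses. The config parser, the sample peers and the placeholder key strings are all constructed here; the rule they exercise is WireGuard's: AllowedIPs selects the peer for outbound traffic by longest-prefix match and, for inbound traffic, rejects any decrypted packet whose source address is outside the sending peer's AllowedIPs.

```python
# Added example (not from the original page): a minimal model of WireGuard's cryptokey routing,
# where AllowedIPs is both the outbound routing table (longest-prefix match) and the inbound ACL.
import ipaddress

# Constructed sample modelled on the config block on this page; PublicKey values are placeholders.
SAMPLE_CONF = """
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = PEER_A_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, 192.168.50.0/24
Endpoint = peer.example.com:51820
[Peer]
PublicKey = PEER_B_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""

def parse_conf(text):
    """Return the [Peer] sections as dicts; AllowedIPs becomes a list of ip_network."""
    peers, section = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = {}
            if line == "[Peer]":
                peers.append(section)
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "AllowedIPs":
            value = [ipaddress.ip_network(n.strip()) for n in value.split(",")]
        section[key] = value
    return peers

def select_peer(peers, dst_ip):
    """Outbound: longest-prefix match of dst_ip across every peer's AllowedIPs."""
    dst, best, best_len = ipaddress.ip_address(dst_ip), None, -1
    for peer in peers:
        for net in peer.get("AllowedIPs", []):
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer["PublicKey"], net.prefixlen
    return best  # None: no peer owns the address, so the packet is dropped

def accept_inbound(peers, pubkey, src_ip):
    """Inbound: accept only if src_ip lies in the AllowedIPs of the authenticated peer."""
    src = ipaddress.ip_address(src_ip)
    for peer in peers:
        if peer.get("PublicKey") == pubkey:
            return any(src in net for net in peer.get("AllowedIPs", []))
    return False  # unknown peer key: reject
```

The inbound check is why a peer cannot spoof another peer's tunnel address even though it holds a valid key: the packet decrypts, but its source fails the AllowedIPs test and is dropped.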
[Interface]
PrivateKey = <your private key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820

WireGuard vs OpenVPN vs IPsec
- OpenVPN — mature, widely supported, but complex, slow handshakes, large codebase
- IPsec — complex to configure, requires multiple protocols (IKEv2, ESP), but widely hardware-accelerated
- WireGuard — simple config, fast handshakes (<1ms), modern crypto, kernel performance
WireGuard in the Ecosystem
Tailscale builds its data plane on WireGuard. Most VPN providers (Mullvad, ProtonVPN, AWS Client VPN's WireGuard mode) have adopted it. Mobile clients exist for iOS and Android. For orchestrated deployments, tools like kilo integrate WireGuard with Kubernetes.
Limitations
- No built-in key management or peer discovery (handled by overlays like Tailscale or nebula)
- No dynamic routing — allowed IPs must be configured statically
- Roaming (changing IPs) works but requires reconnection in some setups
- Does not hide that you're using WireGuard from a traffic observer (unlike obfuscated protocols)
Related Terms
- Tailscale — builds a managed mesh VPN on top of WireGuard
- Cloudflare Tunnel — different approach to connectivity without port forwarding
- Traefik — often used to route traffic from WireGuard network interfaces to services