Home / Definitions / WireGuard


Webopedia Staff
Last Updated May 24, 2021 8:03 am

WireGuard is a free and open source Virtual Private Network (VPN) software application and communication protocol that uses VPN techniques to create secure point-to-point connections in routed or bridged configurations. It uses cryptography protocols and algorithms to protect data. Originally developed for the Linux kernel, it can also be used on Windows, macOS, BSD, iOS, and Android. The protocol aims for better performance, security and simplicity than IPsec and OpenVPN tunneling protocols.

How WireGuard works

WireGuard uses tested cryptographic primitives that result in strong default cryptographic choices that users don’t have the ability to change. It does not use cryptographic agility, which is the concept of offering choices among different encryption, key exchange, and hashing algorithms, sometimes resulting in insecure deployments. WireGuard uses state of the art cryptography like ChaCha 20 for symmetric encryption with Poly1305 for message authentication. It includes protection against key impersonation, denial-of-service and replay attacks, and post-quantum cryptographic resistance.

A process called cryptokey routing is used in WireGuard’s encryption. It associates public encryption keys with a list of VPN tunnel IP addresses that are allowed inside the tunnel. A unique private key and a list of peers is associated with each network interface. Each peer has a short and simple public key to authenticate it with other peers. The public keys can be distributed for use in configuration files and is similar to key-based authentication in OpenSSH.

IP addresses can be readily switched on both ends without breaking the system. Users can switch between Wi-Fi, cellular, and other connections without having to worry about the configuration. This is because the client configuration contains an initial endpoint for its definition server so it knows where to send encrypted information before it receives any. Since the clients continue to track the server, if the system changes location, the clients will discover the new server endpoint and update their configuration.