
WireGuard

A modern, fast VPN protocol and implementation.


WireGuard is a VPN protocol and implementation designed to be small, fast, and easy to configure. It uses a fixed, opinionated set of modern cryptographic primitives — Curve25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption, BLAKE2s for hashing — with no algorithm negotiation, which keeps the attack surface dramatically smaller than IPsec or OpenVPN. The codebase is around 4,000 lines of C, comparable in size to a single OpenSSL configuration file.

Jason Donenfeld started WireGuard in 2016. The protocol and Linux kernel implementation were merged into mainline kernel 5.6 in March 2020, after extensive review by the Linux networking community. Userspace implementations exist for Windows, macOS, iOS, Android, and the BSDs, and the configuration is portable: a single small INI-style file describes a peer and its allowed IP ranges.

WireGuard's simplicity has made it the basis of many consumer and corporate VPN offerings: Mullvad, IVPN, and ProtonVPN expose WireGuard tunnels; Tailscale and Headscale build a zero-config mesh on top of it; and Cloudflare's WARP client uses a custom WireGuard variant. Most modern self-hosted VPNs default to WireGuard rather than OpenVPN.

License: GPL-2.0-only (kernel) / various userspace

Category: Networking

Website: https://www.wireguard.com/

Install

Linux: included in kernel 5.6+; userspace tools:
  Debian/Ubuntu: sudo apt install wireguard
  Fedora/RHEL:   sudo dnf install wireguard-tools
  Arch:          sudo pacman -S wireguard-tools
macOS: brew install wireguard-tools

Authors

  • Jason A. Donenfeld (creator)
