WireGuard

WireGuard is a modern, open-source communication protocol designed for creating fast and secure virtual private networks (VPNs).

WireGuard is a communication protocol that implements virtual private networks (VPN) with a focus on high performance and ease of configuration. It operates at Layer 3 and uses state-of-the-art cryptography. Unlike legacy VPN protocols, WireGuard's codebase is approximately 4,000 lines, which makes it significantly easier to audit for security vulnerabilities than OpenVPN's far larger codebase.

The protocol works by exchanging public keys, similar to the SSH model. Rather than negotiating cipher suites in a complex handshake, it uses a fixed set of cryptographic primitives: Curve25519, ChaCha20, and Poly1305. WireGuard encapsulates packets in UDP and does not respond to unauthenticated packets, effectively making the server stealthy to unauthorized network scanners.

How it works

  • Cryptokey Routing: binds each peer's public key to the tunnel IP addresses that peer is allowed to use, so packets are both routed and validated by key.
  • Kernel Implementation: running in the Linux kernel space allows for direct packet processing without expensive context switching.
  • Efficiency: the protocol stays silent when not in use, significantly reducing power consumption on mobile devices.
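
The cryptokey routing rule above, modelled as an added example (not WireGuard's own code): a constructed peer table with placeholder key labels instead of real Curve25519 keys, outbound peer selection by longest-prefix match over AllowedIPs, and the inbound check that drops a decrypted packet whose inner source address does not route back to the peer whose key decrypted it.

```python
"""Model of WireGuard's cryptokey routing (added example, not WireGuard's code).

The peer table is constructed; the "keys" are placeholder labels, not real
Curve25519 public keys. Two rules are modelled, both taken from how
WireGuard treats every tunnel packet:
  outbound: the inner destination IP selects the peer by longest-prefix match
            over all AllowedIPs; no match means the packet is dropped.
  inbound:  after a packet decrypts under a peer's key, its inner source IP is
            looked up the same way and must resolve to that same peer,
            otherwise the packet is dropped.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed configuration: peer label -> AllowedIPs, in configuration order.
PEER_CONFIG: List[Tuple[str, List[str]]] = [
    ("laptop-key", ["10.0.0.2/32"]),
    ("branch-key", ["10.0.0.3/32", "192.168.50.0/24"]),
    ("gateway-key", ["0.0.0.0/0"]),  # default-route peer
]


def build_table(config=PEER_CONFIG) -> Dict[ipaddress.IPv4Network, str]:
    """Each prefix belongs to exactly one peer; a later peer claiming the
    same prefix takes it over, as WireGuard does when AllowedIPs overlap."""
    table: Dict[ipaddress.IPv4Network, str] = {}
    for peer, prefixes in config:
        for prefix in prefixes:
            table[ipaddress.ip_network(prefix)] = peer
    return table


TABLE = build_table()


def lookup(ip: str, table=TABLE) -> Optional[str]:
    """Longest-prefix match: the most specific AllowedIPs entry wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, peer) for net, peer in table.items() if addr in net]
    return max(matches)[1] if matches else None


def select_peer(dst_ip: str) -> Optional[str]:
    """Outbound: which peer's key to encrypt the packet for; None means drop."""
    return lookup(dst_ip)


def accept_inbound(decrypting_peer: str, inner_src_ip: str) -> bool:
    """Inbound: accept only if the inner source routes back to the peer whose
    key decrypted the packet, so one peer cannot spoof another's tunnel IP."""
    return lookup(inner_src_ip) == decrypting_peer
```

Because the /32 entries outrank the gateway's 0.0.0.0/0, a packet decrypted under the gateway's key but claiming 10.0.0.2 as its source is dropped, while traffic to any unlisted address is still sent through the gateway.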

WireGuard is used for building secure site-to-site tunnels and providing remote access for distributed teams. In benchmark tests, WireGuard consistently outperforms IPsec and OpenVPN, often reaching 95% of the line rate on 10Gbps links while maintaining lower CPU utilization.