The WireGuard Protocol

A lean modern VPN built on fixed cryptography.

A Smaller VPN

WireGuard is a VPN protocol designed to be simple and fast. Where older suites offer many configurable algorithms, WireGuard fixes a single modern set, which shrinks the code and the attack surface.

How Peers Know Each Other

WireGuard identifies peers by public keys, much like an SSH setup.

  • Each peer has a private key and shares its public key.
  • A peer configuration lists allowed public keys and the IP ranges each may use.
  • A packet is only accepted if it is signed by a key mapped to its source range. This mapping is called cryptokey routing.
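
The cryptokey routing decision described above, as an added example that is not part of the original lesson or of WireGuard's own code. The peer key names and addresses are constructed placeholders, and `authenticated_key` stands for the peer key a packet was already accepted under; no cryptography is modelled here.

```python
import ipaddress

# Constructed sample peers: placeholder key names, not real WireGuard keys.
PEERS = {
    "PUBKEY_LAPTOP": ["10.0.0.2/32"],
    "PUBKEY_BRANCH": ["10.0.0.3/32", "192.168.50.0/24"],
    "PUBKEY_GATEWAY": ["0.0.0.0/0"],
}


def build_table(peers):
    """Flatten peer -> allowed ranges into (network, key) pairs."""
    table, seen = [], {}
    for key, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            # Assumption of this sketch: an identical range listed for two
            # peers is treated as a configuration error.
            if net in seen:
                raise ValueError(f"{net} listed for both {seen[net]} and {key}")
            seen[net] = key
            table.append((net, key))
    return table


def lookup(table, ip):
    """Longest-prefix match: the most specific range owns the address."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, key) for net, key in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route_outbound(table, dst_ip):
    """Choose the peer key used to encrypt a packet to dst_ip (None = drop)."""
    return lookup(table, dst_ip)


def accept_inbound(table, authenticated_key, inner_src_ip):
    """Accept a packet only if its inner source IP maps back to the same
    peer key it was authenticated under; anything else is a spoofed source."""
    return lookup(table, inner_src_ip) == authenticated_key


TABLE = build_table(PEERS)
```

Note the catch-all case: a peer allowed `0.0.0.0/0` still cannot send from `10.0.0.2`, because the more specific `/32` maps that address to a different key.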

Connectionless Feel

WireGuard runs over UDP and has no heavy connection setup.

  • There is a short handshake using the Noise framework to derive session keys.
  • After that, encrypted packets simply flow.
  • If a peer goes quiet, no connection lingers, which makes roaming between networks smooth.

Why It Is Praised

The small codebase is easier to audit than large legacy stacks. Fixed algorithms remove insecure downgrade options. The tradeoff is less flexibility, since you cannot swap in a different cipher.

Key idea

WireGuard is a lean VPN that identifies peers by public keys, ties each key to allowed IP ranges through cryptokey routing, and runs over UDP with fixed modern cryptography for a small auditable codebase.

Check yourself

1. How does WireGuard identify peers?

2. What is cryptokey routing?