WireGuard is a VPN protocol that was developed with the aim of significantly reducing the complexity of VPNs. This simplification goes so far that some functions offered by other VPN protocols are deliberately omitted.
An important part of this is that only one set of cryptographic algorithms defined in the protocol is used. There is therefore no negotiation of algorithms when establishing a connection. This simplifies the connection setup and prevents downgrade attacks. X25519 ECDH is used for the key exchange, ChaCha20 for the encryption of the user data and Poly1305 for the authentication of the user data.
As X25519 ECDH could possibly be successfully attacked by quantum computers in the future, WireGuard has an additional layer of protection. For this purpose, the key negotiation is additionally symmetrically encrypted with an identical key (pre-shared key) stored on both sides. According to current knowledge, quantum computers offer no advantage over the symmetric encryption used here.
Encrypting user data using ChaCha20-Poly1305 is less computationally intensive than the AES-GCM often used with other protocols. WireGuard therefore often achieves a higher data throughput than IPSec with AES, for example. However, as many CPUs have acceleration for AES in hardware, but not for ChaCha20-Poly1305, this does not apply in all cases.
Compared to other VPN protocols, establishing a WireGuard connection is particularly lean and fast. Only one UDP packet needs to be sent to and from the other side. This is the so-called handshake. It implements the complete authentication and negotiation of session keys used for the user data.
The UDP packets for the handshake are smaller than 1259 bytes and therefore pass through the vast majority of Internet connections without fragmentation. As some routers and NAT implementations have difficulties with fragmented UDP packets, the absence of UDP fragmentation is an important advantage.
The handshake is only performed if user data actually needs to be transferred or if the so-called keepalive is activated in the configuration. The keepalive keeps the connection open in order to be able to deal with NAT routers in the connection path, for example. The handshake is performed approximately every 2 minutes if user data is constantly being transferred. This is much more frequent than is usual for establishing a connection with other VPN protocols such as IPSec.
As the connection is established so quickly, WireGuard can dispense with more complex management of the connection status. WireGuard only remembers whether the last successful handshake took place within the permitted time frame and starts a new one in good time if a data transfer is pending.
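The timer logic described above, as an added example that is not Intra2net's or WireGuard's own code: a minimal model of the two things a peer remembers (when the last handshake succeeded, and whether there is traffic or a keepalive to send). The constants are the published WireGuard protocol timers; the function and class names are this example's own.

```python
"""Model of WireGuard's handshake timing (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional

# Timer constants from the WireGuard protocol specification (seconds).
REKEY_AFTER_TIME = 120    # initiate a new handshake once the session is this old and data is pending
REJECT_AFTER_TIME = 180   # session keys are discarded after this age; nothing is sent with them


@dataclass
class PeerState:
    """The only connection state a peer keeps for a remote site."""
    last_handshake: Optional[float] = None  # time of the last completed handshake, None if never
    persistent_keepalive: int = 0           # seconds, 0 = keepalive disabled (PersistentKeepalive)


def session_usable(peer: PeerState, now: float) -> bool:
    """True while the current session keys may still carry user data."""
    return peer.last_handshake is not None and now - peer.last_handshake < REJECT_AFTER_TIME


def needs_handshake(peer: PeerState, now: float, data_pending: bool) -> bool:
    """Decide whether to send a handshake initiation right now.

    An idle peer (no data, no keepalive) never handshakes. Otherwise a handshake is
    started if there is no session yet or the session is older than REKEY_AFTER_TIME,
    which is the "roughly every 2 minutes" behaviour under constant traffic.
    """
    traffic = data_pending or peer.persistent_keepalive > 0
    if not traffic:
        return False
    if peer.last_handshake is None:
        return True
    return now - peer.last_handshake >= REKEY_AFTER_TIME


def simulate(send_times: List[float], keepalive: int = 0) -> List[float]:
    """Return the times at which handshakes are initiated when user data is sent
    at each of send_times. The handshake is a single UDP round trip, so this
    simplified model assumes it completes at the same instant it is started."""
    peer = PeerState(persistent_keepalive=keepalive)
    handshakes: List[float] = []
    for t in send_times:
        if needs_handshake(peer, t, data_pending=True):
            handshakes.append(t)
            peer.last_handshake = t
        # After the (possibly fresh) handshake the session must be usable for this packet.
        assert session_usable(peer, t)
    return handshakes


if __name__ == "__main__":
    # Constant traffic every 10 s for 10 minutes: a handshake every 120 s.
    print(simulate([float(t) for t in range(0, 600, 10)]))
```

Running the block prints `[0.0, 120.0, 240.0, 360.0, 480.0]`: with data flowing continuously, the peer re-keys every two minutes and otherwise keeps no connection state beyond the timestamp of the last handshake.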
Both the handshakes and the user data are transmitted as UDP packets, and the same UDP port is used for both. The port numbers are basically freely selectable and can differ on the two sides. Port 51820 is often used for WireGuard. However, Intra2net has observed conflicts with other routers using WireGuard and with the source ports of outgoing packets from other connections, and therefore recommends port 800 for VPN routers and firewalls and random port numbers above 1024 for VPN clients.
WireGuard does not require the connection to be set to a specific remote IP. An IP or a DNS hostname can be stored to which the connection is always re-established. However, if the remote peer with valid keys logs in from a different IP via a handshake, this is accepted and the connection continues with the other IP from this moment on. This is useful, for example, for mobile clients that switch between WLAN and mobile communications or for switching to a fallback Internet line.
The WireGuard handshake does not exchange any information about the IP networks to be connected. The configuration only stores which source addresses may be used by a specific remote site (AllowedIPs). Each side discards incoming IP packets that do not match this configuration. However, this check is independent of the handshakes: a successful handshake therefore says nothing about whether the IP networks have been configured correctly on both sides.
WireGuard has established a common file format for transferring configuration data and keys (the "wg-quick" format), which is used across vendors. The configuration can also be displayed as a QR code and photographed with the camera of a mobile device, so the VPN configuration can be transferred to mobile devices particularly easily and securely.
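The two points above (the AllowedIPs source check and the wg-quick file format) combined into one added example that is not Intra2net's or WireGuard's own code: a small parser for a wg-quick style configuration, and the "cryptokey routing" check that drops decrypted packets whose source address is not in the sending peer's AllowedIPs. The configuration text is constructed for this example and the keys are obviously labelled placeholders, not real WireGuard keys; the class and function names are this example's own.

```python
"""wg-quick parsing and AllowedIPs enforcement (added example, not project code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in wg-quick format. Keys are placeholders, not valid base64 keys.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.1/24
ListenPort = 800

[Peer]
# branch office: VPN address plus the LAN behind it
PublicKey = PLACEHOLDER_PEER_A_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32, 192.168.10.0/24
PersistentKeepalive = 25

[Peer]
# mobile client: a single VPN address only
PublicKey = PLACEHOLDER_PEER_B_PUBLIC_KEY
AllowedIPs = 10.8.0.3/32
"""

Section = Dict[str, str]


def parse_wg_quick(text: str) -> Tuple[Section, List[Section]]:
    """Return (interface, peers) from wg-quick/INI style text.

    Values are split on the first '=' only, because base64 keys end in '='.
    '#' starts a comment; base64 never contains '#', so stripping it is safe.
    """
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            if current is None:
                raise ValueError("key/value before any section header: %r" % line)
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


class CryptokeyRouter:
    """Maps IP addresses to peer public keys exactly as AllowedIPs does.

    Longest prefix wins; on equal prefixes the later-configured peer wins,
    mirroring the fact that an allowed IP can belong to only one peer.
    """

    def __init__(self, peers: List[Section]) -> None:
        entries = []
        for index, peer in enumerate(peers):
            for cidr in peer.get("AllowedIPs", "").split(","):
                cidr = cidr.strip()
                if cidr:
                    net = ipaddress.ip_network(cidr, strict=False)
                    entries.append((net.prefixlen, index, net, peer["PublicKey"]))
        entries.sort(key=lambda e: (e[0], e[1]), reverse=True)
        self.table = [(net, key) for _, _, net, key in entries]

    def lookup(self, address: str) -> Optional[str]:
        ip = ipaddress.ip_address(address)
        for net, key in self.table:
            if ip.version == net.version and ip in net:
                return key
        return None

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """A decrypted packet from from_peer is delivered only if its source
        address is routed to that same peer; anything else is silently dropped."""
        return self.lookup(src) == from_peer

    def select_outbound(self, dst: str) -> Optional[str]:
        """Which peer (if any) an outgoing packet to dst is encrypted for."""
        return self.lookup(dst)


def build_router(text: str = SAMPLE_CONFIG) -> CryptokeyRouter:
    _, peers = parse_wg_quick(text)
    return CryptokeyRouter(peers)


if __name__ == "__main__":
    router = build_router()
    print(router.accept_inbound("PLACEHOLDER_PEER_A_PUBLIC_KEY", "192.168.10.7"))  # True
    print(router.accept_inbound("PLACEHOLDER_PEER_B_PUBLIC_KEY", "192.168.10.7"))  # False: B may not claim A's LAN
```

The second call shows the practical consequence for a defender: a peer with valid keys that sends packets with a source address outside its own AllowedIPs has its packets dropped, but nothing about this is visible in the handshake, which is why a configured but mismatched network shows a healthy handshake and no traffic.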