{"id":610,"date":"2025-10-21T10:23:10","date_gmt":"2025-10-21T10:23:10","guid":{"rendered":"https:\/\/devsecopsschool.com\/blog\/?p=610"},"modified":"2025-10-21T10:58:47","modified_gmt":"2025-10-21T10:58:47","slug":"what-is-wireguard-a-lightweight-and-open-source-vpn-virtual-private-network-protocol","status":"publish","type":"post","link":"http:\/\/devsecopsschool.com\/blog\/what-is-wireguard-a-lightweight-and-open-source-vpn-virtual-private-network-protocol\/","title":{"rendered":"What is WireGuard &#8211; a lightweight, and open-source VPN (Virtual Private Network) protocol"},"content":{"rendered":"\n<p>Excellent question \u2014 since <strong>Tailscale<\/strong> is built on top of <strong>WireGuard<\/strong>, understanding WireGuard will help you see the foundation of modern secure networking.<br>Let\u2019s go step by step \ud83d\udc47<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde9 What is WireGuard?<\/h2>\n\n\n\n<p><strong>WireGuard<\/strong> is a modern, lightweight, and open-source <strong>VPN (Virtual Private Network) protocol<\/strong> and implementation.<br>It\u2019s designed to be <strong>simpler, faster, and more secure<\/strong> than traditional VPN protocols like IPSec or OpenVPN.<\/p>\n\n\n\n<p><strong>Key facts:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Created by <strong>Jason A. 
Donenfeld<\/strong> in 2015.<\/li>\n\n\n\n<li>Officially merged into the <strong>Linux kernel<\/strong> in 2020 (Linux 5.6).<\/li>\n\n\n\n<li>Available for all major platforms \u2014 Linux, macOS, Windows, Android, iOS.<\/li>\n\n\n\n<li>Licensed under the GPLv2 open source license.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2699\ufe0f How WireGuard Works (Simplified Flow)<\/h2>\n\n\n\n<p>WireGuard uses <strong>public key cryptography<\/strong> and a concept called <strong>peers<\/strong> to establish <strong>secure tunnels<\/strong> between devices.<br>Each device that connects to the network is called a <em>peer<\/em>.<\/p>\n\n\n\n<p>Here\u2019s the overall flow:<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">1. \ud83d\udd11 <strong>Key Pair Generation<\/strong><\/h3>\n\n\n\n<p>Each peer generates:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>private key<\/strong> (kept secret)<\/li>\n\n\n\n<li>A <strong>public key<\/strong> (shared with others)<\/li>\n<\/ul>\n\n\n\n<p>This works like SSH:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your private key stays on your device.<\/li>\n\n\n\n<li>Your public key identifies you to others.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
\ud83d\udcdc <strong>Configuration<\/strong><\/h3>\n\n\n\n<p>Each peer (e.g., a server or client) has a small configuration file specifying:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Its private key<\/li>\n\n\n\n<li>Its internal VPN IP (e.g., <code>10.0.0.2\/24<\/code>)<\/li>\n\n\n\n<li>The public key of the remote peer<\/li>\n\n\n\n<li>The endpoint (IP:port) of the remote peer<\/li>\n\n\n\n<li>Allowed IPs (what traffic should go through the tunnel)<\/li>\n<\/ul>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># On client\n&#91;Interface]\nPrivateKey = &lt;client-private-key&gt;\nAddress = 10.0.0.2\/24\n\n&#91;Peer]\nPublicKey = &lt;server-public-key&gt;\nEndpoint = 203.0.113.5:51820\nAllowedIPs = 0.0.0.0\/0\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">3. \ud83e\udde0 <strong>Handshake Process<\/strong><\/h3>\n\n\n\n<p>When two peers want to communicate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The client initiates a handshake using <strong>Noise Protocol Framework<\/strong>, a modern, minimal cryptographic handshake protocol.<\/li>\n\n\n\n<li>It uses <strong>Curve25519<\/strong> for key exchange, <strong>ChaCha20<\/strong> for encryption, <strong>Poly1305<\/strong> for authentication, and <strong>BLAKE2s<\/strong> for hashing.<\/li>\n\n\n\n<li>The handshake results in <strong>ephemeral session keys<\/strong> (short-lived), adding perfect forward secrecy.<\/li>\n<\/ul>\n\n\n\n<p><strong>Result:<\/strong> Both peers derive symmetric encryption keys and start a secure tunnel.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
\ud83d\udd12 <strong>Encryption &amp; Tunnel Creation<\/strong><\/h3>\n\n\n\n<p>Once the handshake is done:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All packets between peers are encrypted using <strong>ChaCha20-Poly1305<\/strong>.<\/li>\n\n\n\n<li>Only packets from authenticated peers (known public keys) are accepted.<\/li>\n\n\n\n<li>Each peer directly sends UDP packets to the other (default port <code>51820<\/code>).<\/li>\n\n\n\n<li>WireGuard sits at Layer 3 (network layer), providing an encrypted IP tunnel.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">5. \u26a1 <strong>Data Transfer<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data moves seamlessly between peers via the tunnel.<\/li>\n\n\n\n<li>WireGuard doesn\u2019t use \u201csessions\u201d \u2014 it\u2019s <em>stateless<\/em> and only keeps minimal state.<\/li>\n\n\n\n<li>If a peer disappears (e.g., changes IP), the other peer can reconnect automatically without restarting.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde0 Architectural Simplicity<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>WireGuard<\/th><th>IPSec<\/th><th>OpenVPN<\/th><\/tr><\/thead><tbody><tr><td>Codebase size<\/td><td>~4,000 lines<\/td><td>400,000+<\/td><td>600,000+<\/td><\/tr><tr><td>Speed<\/td><td>Very fast<\/td><td>Moderate<\/td><td>Slower<\/td><\/tr><tr><td>Security<\/td><td>Modern crypto<\/td><td>Older crypto, complex<\/td><td>Older crypto<\/td><\/tr><tr><td>Config<\/td><td>Simple (few lines)<\/td><td>Complex<\/td><td>Complex<\/td><\/tr><tr><td>OS Support<\/td><td>Kernel-level<\/td><td>Kernel\/user<\/td><td>User space<\/td><\/tr><tr><td>Transport<\/td><td>UDP only<\/td><td>UDP\/TCP<\/td><td>UDP\/TCP<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Because it\u2019s tiny, it\u2019s easier to 
<strong>audit<\/strong>, <strong>maintain<\/strong>, and <strong>embed<\/strong> in apps and devices.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 Key Security Principles<\/h2>\n\n\n\n<p>WireGuard uses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ChaCha20<\/strong> \u2014 for encryption<\/li>\n\n\n\n<li><strong>Poly1305<\/strong> \u2014 for message authentication<\/li>\n\n\n\n<li><strong>Curve25519<\/strong> \u2014 for key exchange<\/li>\n\n\n\n<li><strong>BLAKE2s<\/strong> \u2014 for hashing<\/li>\n\n\n\n<li><strong>SipHash24<\/strong> \u2014 for hashtable keys<\/li>\n\n\n\n<li><strong>HKDF<\/strong> \u2014 for key derivation<\/li>\n<\/ul>\n\n\n\n<p>It follows a strict \u201ccryptographic minimalism\u201d approach \u2014 no optional algorithms, no negotiation, fewer mistakes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83c\udf10 Network Topologies Supported<\/h2>\n\n\n\n<p>WireGuard supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Point-to-point<\/strong> (single client \u2194 single server)<\/li>\n\n\n\n<li><strong>Mesh<\/strong> networks (each peer talks directly to others)<\/li>\n\n\n\n<li><strong>Hub-and-spoke<\/strong> setups (many clients connect to one server)<\/li>\n\n\n\n<li><strong>Subnet routing<\/strong> (a peer acts as a gateway for a LAN)<\/li>\n\n\n\n<li><strong>Roaming clients<\/strong> (e.g., mobile devices changing IPs)<\/li>\n<\/ul>\n\n\n\n<p>This flexibility is what allows <strong>Tailscale<\/strong> to build its <em>mesh VPN<\/em> model over WireGuard.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde9 Integration with Tailscale<\/h2>\n\n\n\n<p>Tailscale uses WireGuard\u2019s core tunneling and encryption features, but adds:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automatic key 
distribution<\/strong><\/li>\n\n\n\n<li><strong>NAT traversal<\/strong><\/li>\n\n\n\n<li><strong>DNS management<\/strong><\/li>\n\n\n\n<li><strong>Access control (ACLs)<\/strong><\/li>\n\n\n\n<li><strong>Single Sign-On (SSO)<\/strong><\/li>\n\n\n\n<li><strong>DERP relay fallback<\/strong><\/li>\n<\/ul>\n\n\n\n<p>So Tailscale handles all the coordination and policy logic, while WireGuard does the packet encryption and secure transport.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\ude80 Advantages<\/h2>\n\n\n\n<p>\u2705 <strong>Blazing fast<\/strong> \u2014 minimal CPU overhead.<br>\u2705 <strong>Secure by design<\/strong> \u2014 modern cryptography only.<br>\u2705 <strong>Tiny codebase<\/strong> \u2014 easier auditing.<br>\u2705 <strong>Cross-platform<\/strong> \u2014 runs almost everywhere.<br>\u2705 <strong>Simple setup<\/strong> \u2014 just a few lines of config.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u26a0\ufe0f Limitations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No built-in user authentication (depends on key pairs).<\/li>\n\n\n\n<li>No built-in key distribution (handled manually or by tools like Tailscale).<\/li>\n\n\n\n<li>UDP-only (some networks block UDP).<\/li>\n\n\n\n<li>Kernel integration may vary by OS.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">flowchart LR\n  %% ===============\n  %% WIREGUARD ARCHITECTURE (COMPONENTS + DATA PATHS)\n  %% ===============\n\n  %% -------- Peer A --------\n  subgraph PeerA[\"Peer A\"]\n    direction TB\n    AOS[\"OS Kernel\"]\n    subgraph A_WG[\"WireGuard Kernel Module (wg)\"]\n      direction TB\n      A_wg0_iface[\"wg0 (virtual interface)\"]\n      A_Crypto[\"ChaCha20-Poly1305\\nCurve25519 key exchange\\nBLAKE2s hashing\\nHKDF 
KDF\"]\n      A_Keys[\"Key Material\\n- Private key (A)\\n- Remote Public key (B)\\n- Ephemeral session keys\"]\n      A_Route[\"AllowedIPs table\\n(what prefixes go to peer B)\"]\n    end\n    A_Net[\"NIC + UDP 51820\"]\n  end\n\n  %% -------- Peer B --------\n  subgraph PeerB[\"Peer B\"]\n    direction TB\n    BOS[\"OS Kernel\"]\n    subgraph B_WG[\"WireGuard Kernel Module (wg)\"]\n      direction TB\n      B_wg0_iface[\"wg0 (virtual interface)\"]\n      B_Crypto[\"ChaCha20-Poly1305\\nCurve25519 key exchange\\nBLAKE2s hashing\\nHKDF KDF\"]\n      B_Keys[\"Key Material\\n- Private key (B)\\n- Remote Public key (A)\\n- Ephemeral session keys\"]\n      B_Route[\"AllowedIPs table\\n(routes for Peer A)\"]\n    end\n    B_Net[\"NIC + UDP 51820\"]\n  end\n\n  %% -------- Apps --------\n  subgraph AppA[\"User Space Apps (Peer A)\"]\n    direction TB\n    A_App1[\"App (TCP\/UDP)\"]\n  end\n  subgraph AppB[\"User Space Apps (Peer B)\"]\n    direction TB\n    B_App1[\"Service (TCP\/UDP)\"]\n  end\n\n  %% -------- Data path: A -> B --------\n  A_App1 -->|\"IP dst in AllowedIPs(B)\"| AOS\n  AOS -->|\"route decision\"| A_wg0_iface\n  A_wg0_iface -->|\"encrypt packet\"| A_Crypto --> A_Net\n  A_Net -->|\"UDP\/IPv4 or v6 (outer) over Internet\"| B_Net\n  B_Net -->|\"decrypt\"| B_Crypto --> B_wg0_iface\n  B_wg0_iface -->|\"deliver inner packet\"| BOS --> B_App1\n\n  %% -------- Data path: B -> A (return) --------\n  B_App1 --> BOS --> B_wg0_iface --> B_Crypto --> B_Net --> A_Net --> A_Crypto --> A_wg0_iface --> AOS --> A_App1\n\n  %% -------- Styling --------\n  classDef box fill:#f6f6ff,stroke:#6366f1,stroke-width:1px,color:#111;\n  classDef wg fill:#eefbf4,stroke:#10b981,stroke-width:1px,color:#111;\n  classDef net fill:#fff7ed,stroke:#f59e0b,stroke-width:1px,color:#111;\n  classDef app fill:#fafafa,stroke:#9ca3af,stroke-width:1px,color:#111;\n\n  class A_WG,B_WG wg\n  class A_Net,B_Net net\n  class A_App1,B_App1 app\n  class 
A_wg0_iface,B_wg0_iface,A_Crypto,B_Crypto,A_Keys,B_Keys,A_Route,B_Route box\n<\/pre><img decoding=\"async\" src=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/merpress-1.png\" alt=\"\"\/><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">sequenceDiagram\nparticipant A as Peer_A_Initiator\nparticipant Net as Internet_UDP\nparticipant B as Peer_B_Responder\nA->>B: Initiation (Noise IK): Ae, encrypted static proof, timestamp_counter\nactivate B\nB-->>A: Response: Be, encrypted payload (identity, cookie, etc.)\ndeactivate B\nA->>B: First encrypted data packet (under session key)\nB-->>A: First encrypted data packet (reverse)\nrect rgba(255,248,220,0.5)\nA->>B: Roaming re-initiation from new IP_port tuple\nB-->>A: Validate tuple and rotate keys\nend\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">sequenceDiagram\nparticipant A as Peer_A_Initiator\nparticipant Net as Internet_UDP\nparticipant B as Peer_B_Responder\nNote over A,B: Static public keys are exchanged out of band. Peer A knows public key of B and Peer B knows public key of A. Each peer holds its own private key.\nA->>B: Initiation using Noise_IK pattern. Includes Ae ephemeral key and encrypted static proof with timestamp counter.\nactivate B\nB-->>A: Response with Be ephemeral key and encrypted payload such as identity and cookie.\ndeactivate B\nNote over A,B: Both sides derive session keys using HKDF based on static and ephemeral keys for ChaCha20 Poly1305 encryption.\nA->>B: First encrypted data packet using session key.\nB-->>A: First encrypted data packet in reverse direction.\nNote over A,B: Rekeying happens periodically or by counter timeout. PersistentKeepalive may maintain NAT bindings.\nrect rgba(255,248,220,0.5)\nNote over A,B: When IP or port changes the initiator sends new initiation from updated tuple. 
Responder validates and rotates keys seamlessly.\nend\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">flowchart TB\n  %% ==========================\n  %% DATA PLANE PACKET FLOW AND ROUTING (IN-DEPTH)\n  %% ==========================\n\n  subgraph A[\"Peer A\"]\n    A_APP[\"App generates packet\\nDst 10.0.0.2:443\"]:::app\n    A_L3[\"Kernel Routing Table\"]:::box\n    A_WG[\"wg0\"]:::wg\n    A_ENC[\"Encrypt inner IP packet -> ChaCha20 Poly1305\"]:::box\n    A_OUT[\"Outer UDP packet\\nSrc A_public_ip:51820\\nDst B_public_ip:51820\"]:::net\n  end\n\n  subgraph WAN[\"Internet \/ NATs \/ Firewalls\"]\n    NATs[\"NAT traversal aided by:\\n- UDP 51820\\n- optional PersistentKeepalive 25s\\n- stateful pinholes\"]:::note\n  end\n\n  subgraph B[\"Peer B\"]\n    B_IN[\"Receive outer UDP\"]:::net\n    B_DEC[\"Decrypt to recover inner IP packet\"]:::box\n    B_WG[\"wg0\"]:::wg\n    B_L3[\"Kernel Routing Table\"]:::box\n    B_APP[\"Service consumes packet\\n10.0.0.2:443\"]:::app\n  end\n\n  A_APP --> A_L3 -->|prefix match 10.0.0.0\/24 in AllowedIPs of B| A_WG --> A_ENC --> A_OUT --> NATs --> B_IN --> B_DEC --> B_WG --> B_L3 --> B_APP\n\n  classDef wg fill:#e8fff5,stroke:#10b981,color:#111;\n  classDef net fill:#fff7ed,stroke:#f59e0b,color:#111;\n  classDef app fill:#f4f4f5,stroke:#9ca3af,color:#111;\n  classDef box fill:#eef2ff,stroke:#6366f1,color:#111;\n  classDef note fill:#ffffff,stroke:#d1d5db,color:#111;\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">flowchart LR\n  %% ==========================\n  %% CONFIG RELATIONSHIPS (wg-quick \/ wg)\n  %% ==========================\n\n  subgraph Local[\"Peer Local Config\"]\n    IFACE[\"Interface\"]:::sec\n    IF_Pri[\"PrivateKey = A_priv\"]:::box\n    IF_Addr[\"Address = 10.0.0.1\/24\"]:::box\n    IF_Port[\"ListenPort = 51820\"]:::box\n    IF_PostUp[\"PostUp \/ PostDown actions such as iptables, routes, 
sysctl\"]:::box\n  end\n\n  subgraph PeerBConf[\"Peer Entry for B\"]\n    PB_Pub[\"PublicKey = B_pub\"]:::box\n    PB_Endp[\"Endpoint = B_public_ip:51820\"]:::box\n    PB_Allowed[\"AllowedIPs = 10.0.0.2\/32 and 10.10.0.0\/16\"]:::box\n    PB_PSK[\"Optional PresharedKey\"]:::box\n    PB_Keep[\"PersistentKeepalive = 25\"]:::box\n  end\n\n  IFACE --- IF_Pri &amp; IF_Addr &amp; IF_Port &amp; IF_PostUp\n  IFACE --- PeerBConf\n  PeerBConf --- PB_Pub &amp; PB_Endp &amp; PB_Allowed &amp; PB_PSK &amp; PB_Keep\n\n  classDef sec fill:#fef3c7,stroke:#f59e0b,color:#111;\n  classDef box fill:#eef2ff,stroke:#6366f1,color:#111;\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">stateDiagram-v2\n  %% ==========================\n  %% KEY\/TIMER LIFECYCLE (SIMPLIFIED)\n  %% ==========================\n  [*] --> NoSession: No valid session keys\n  NoSession --> Initiating: Send Handshake Initiation\n  Initiating --> Established: Receive valid Handshake Response\\n(Derive session keys)\n  Established --> Rekeying: Timer\/Counter threshold reached\\n(or peer IP\/port changed)\n  Rekeying --> Established: New keys installed (make-before-break)\n  Established --> Idle: No user data for a while\n  Idle --> Rekeying: Rekey to refresh keys on inactivity\n  Idle --> Keepalive: Send PersistentKeepalive (if set) to maintain NAT\n  Keepalive --> Established: Peer responds \/ pinhole intact\n  Established --> [*]: Interface down \/ peer removed \/ keys cleared\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">flowchart TB\n  %% ==========================\n  %% SUBNET ROUTER \/ GATEWAY PEER (HUB-AND-SPOKE EXAMPLE)\n  %% ==========================\n  subgraph Spoke1[\"Spoke Peer A\"]\n    A_IF[[wg0]]:::wg\n    A_Allowed[AllowedIPs includes 10.20.0.0\/16 via Hub]:::box\n  end\n\n  subgraph Hub[\"Hub Peer (also a Subnet Router)\"]\n    H_IF[[wg0]]:::wg\n    H_Forward[IP 
Forwarding enabled]:::box\n    H_Routes[Routes to on-prem LANs:&lt;br\/>10.20.0.0\/16, 10.21.0.0\/16]:::box\n    LAN1[(On-Prem LAN 10.20\/16)]:::net\n    LAN2[(On-Prem LAN 10.21\/16)]:::net\n  end\n\n  subgraph Spoke2[\"Spoke Peer B\"]\n    B_IF[[wg0]]:::wg\n    B_Allowed[AllowedIPs includes 10.20.0.0\/16 via Hub]:::box\n  end\n\n  A_IF -- encrypted UDP --> H_IF\n  B_IF -- encrypted UDP --> H_IF\n  H_IF --> H_Forward --> H_Routes --> LAN1\n  H_Routes --> LAN2\n\n  classDef wg fill:#e8fff5,stroke:#10b981,color:#111;\n  classDef net fill:#fff7ed,stroke:#f59e0b,color:#111;\n  classDef box fill:#eef2ff,stroke:#6366f1,color:#111;\n<\/pre><\/div>\n","protected":false},"author":1,"featured_media":611,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-610","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"]}