What is WireGuard?

WireGuard is a VPN protocol — the set of rules two computers use to build an encrypted tunnel between them. It was written by Jason Donenfeld, merged into the Linux kernel in 2020, and has since become the default choice for new VPNs because it is dramatically simpler and faster than what came before.

Why WireGuard exists

The older protocols — OpenVPN and IPsec — work, but they are large. OpenVPN is hundreds of thousands of lines of code; that is a lot of surface area for bugs and a lot to audit. WireGuard is about 4,000 lines. Small enough that a single person can read the whole thing, which is exactly why security researchers trust it more.

How it works, briefly

WireGuard uses modern, fixed cryptography (Curve25519 for key exchange, ChaCha20-Poly1305 for encryption). Each side has a key pair. You exchange public keys; the private keys never move. Once each peer knows the other's public key and endpoint, the tunnel comes up almost instantly and stays up with near-zero overhead. There is no negotiation dance like older protocols — the configuration is static and tiny.

Why we built vpn.golf on it

Two reasons that matter for your privacy. First, speed: WireGuard's low overhead means you barely feel the tunnel, so people actually leave it on. Second, and more important — the key model lets us generate your private key on your device. It never reaches our servers. We only ever store your public key to register you on an exit node. A VPN that never holds your private key simply cannot leak it.

The one trade-off to know

WireGuard assigns each device a stable tunnel IP, which is great for performance but means a naive setup could be more identifiable. Good operators handle this with dynamic address allocation and no connection logging. That's table stakes for us, not a feature.