What Is WireGuard? How the Modern VPN Protocol Works
July 2, 2026
WireGuard is a modern VPN protocol that creates fast, secure, encrypted tunnels between devices using up-to-date cryptography and a remarkably small codebase. It was designed to replace older protocols like OpenVPN and IPsec, and it is now built into the Linux and Windows kernels. If you have used Tailscale, NordVPN's NordLynx, or Mullvad, you have used WireGuard underneath.


Key facts
- WireGuard is an open-source VPN protocol first released in 2016, created by Jason Donenfeld.
- It uses a fixed, modern set of cryptography: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, and BLAKE2s for hashing.
- Its codebase is around 3,800 lines, compared with hundreds of thousands of lines for OpenVPN and IPsec, making it far easier to audit.
- It runs in kernel space and typically delivers around double the throughput of OpenVPN on the same hardware.
- WireGuard runs over UDP and establishes connections almost instantly, often in under 100 milliseconds.
- It is the protocol underneath Tailscale and several major consumer VPN services.
What is WireGuard and where did it come from?
WireGuard is an open-source VPN protocol created by Jason Donenfeld and first released in 2016, designed to be faster, simpler, and more secure than the protocols that came before it. Donenfeld's frustration was straightforward: OpenVPN and IPsec were old, bloated, and hard to configure and audit. WireGuard was his answer, a protocol stripped back to the essentials. It was merged into the Linux kernel in 2020, a rare endorsement that signalled it had arrived as a serious, trusted piece of infrastructure, and it now ships in Windows too.
How does WireGuard work?
WireGuard works by establishing an encrypted UDP tunnel between two devices, each identified by a public key, using a single fast handshake. The model is deliberately similar to SSH keys: each device has a private key and a public key, and you authorise a connection by exchanging public keys. Once that is done, the two devices can send encrypted traffic directly to each other. There is no complex negotiation of cipher options of the kind older protocols require, which removes a whole category of misconfiguration risk.
The connection is quick to establish, usually under 100 milliseconds, and because WireGuard is stateless and uses a timer-based mechanism to manage sessions, it handles moving between networks gracefully. Your laptop can switch from office Wi-Fi to a mobile hotspot and the tunnel simply continues.
Why is WireGuard faster than OpenVPN?
WireGuard is faster than OpenVPN mainly because it runs in kernel space and uses more efficient cryptography, delivering roughly double the throughput on equivalent hardware. Older protocols like OpenVPN run largely in user space, which means the operating system constantly shuffles data back and forth across the kernel boundary, and that shuffling adds latency and CPU overhead. WireGuard processes packets directly in the kernel and avoids that cost. Its ChaCha20 cipher is also efficient in software, which helps on phones and lower-powered devices. The practical result is a VPN that feels less like a tax on your connection.
Is WireGuard secure?
Yes. WireGuard uses a curated set of modern, well-regarded cryptographic algorithms and provides perfect forward secrecy, meaning past traffic stays protected even if a key is later compromised. Part of its security story is the small codebase: at around 3,800 lines, one person can audit it in an afternoon, whereas OpenVPN and its dependencies run to hundreds of thousands of lines that take a large team days to review. Less code means fewer places for bugs and vulnerabilities to hide. That auditability is a genuine security advantage, not just an engineering nicety.
What is the catch with WireGuard?
WireGuard's main limitation is that on its own it is a protocol, not a complete product, so it lacks the management features a business needs. Raw WireGuard requires you to distribute and manage keys manually, and it has no built-in identity integration, access control, or central management. For a couple of devices that is fine. For a business with staff coming and going, managing keys by hand quickly becomes a headache. This is exactly the gap that tools like Tailscale fill: they build on WireGuard and add the identity, access control, and management layer that turns the protocol into something a business can actually run. We cover that distinction in our comparison of Tailscale, WireGuard, and OpenVPN.
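The public-key peer model from "How does WireGuard work?" and the manual key management described above, as an added example (not from the original article or the WireGuard project): a Python audit of a server-side WireGuard config against a device roster. The config, keys, addresses, roster and the function names `k`, `parse_peers`, `valid_key` and `audit` are all constructed for illustration.

```python
import base64, binascii, ipaddress

def k(n):  # constructed 32-byte placeholder key in WireGuard's base64 form
    return base64.b64encode(bytes([n]) * 32).decode()

SAMPLE_CONF = f"""[Interface]  # constructed sample, not from the article
Address = 10.8.0.1/24
[Peer]  # alice-laptop
PublicKey = {k(1)}
AllowedIPs = 10.8.0.2/32
[Peer]  # contractor who has left; peer was never removed
PublicKey = {k(2)}
AllowedIPs = 10.8.0.3/32
[Peer]  # bob-phone
PublicKey = {k(3)}
AllowedIPs = 0.0.0.0/0
"""
ROSTER = {k(1): "alice-laptop", k(3): "bob-phone"}  # hypothetical inventory

def parse_peers(text):  # [Peer] repeats, which configparser rejects or merges
    peers, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.lower()
            if section == "[peer]":
                peers.append({})
        elif section == "[peer]" and "=" in line:
            name, value = line.split("=", 1)  # keys end in "=", so split once
            peers[-1][name.strip().lower()] = value.strip()
    return peers

def valid_key(s):
    try:  # a WireGuard key is exactly 32 bytes, base64-encoded
        return len(base64.b64decode(s, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def audit(text, roster):  # returns [(peer_number, finding), ...]
    findings = []
    for i, peer in enumerate(parse_peers(text), 1):
        pub = peer.get("publickey", "")
        if not valid_key(pub):
            findings.append((i, "malformed-key"))
        elif pub not in roster:  # key still authorised but owner unknown
            findings.append((i, "not-in-roster"))
        nets = [n.strip() for n in peer.get("allowedips", "").split(",") if n.strip()]
        if any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in nets):
            findings.append((i, "allowedips-unrestricted"))  # any source address accepted
    return findings
```

On the sample, `audit(SAMPLE_CONF, ROSTER)` flags peer 2 as a key nobody on the roster owns and peer 3 as allowed to source traffic from any address rather than only its own tunnel IP.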
Frequently asked questions
Is WireGuard free?
Yes. WireGuard is free and open-source software, released under the GPL. You can use the protocol at no cost. Commercial products built on top of WireGuard, such as Tailscale or consumer VPN services, may charge for the management, apps, and features they add around it, but the protocol itself is free.
What is the difference between WireGuard and Tailscale?
WireGuard is the underlying VPN protocol; Tailscale is a complete product built on top of it. Tailscale adds the parts raw WireGuard lacks: automatic key management, identity provider integration for single sign-on, access-control policies, and a management console. If WireGuard is the engine, Tailscale is the car built around it.
Does WireGuard work on Windows and Mac?
Yes. WireGuard has official clients for Windows, macOS, Linux, iOS, and Android, and the protocol is now built into the Windows and Linux kernels. It runs on every major platform a business is likely to use.
Is WireGuard good for business use?
The protocol is excellent, but businesses usually want a product built on WireGuard rather than raw WireGuard, because managing keys and access manually does not scale. Tools like Tailscale add the identity integration, access control, and central management that a business needs, while keeping WireGuard's speed and security underneath.
If you are weighing up secure remote access for your business and want to know whether WireGuard-based tools like Tailscale are the right fit, we are happy to help you work it out. Call us on 1800 367 448.


About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on networking, cybersecurity, and secure remote access, with on-site support across the Sydney metro area and remote delivery nationally.




