RFC 8855 Informational

The WireGuard Protocol

J. A. Donenfeld · 2022-01

Abstract

WireGuard is a secure network tunnel operating at layer 3, using UDP as the transport protocol. Its cryptography is based on the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2s, SipHash24, and HKDF. This document describes the WireGuard protocol and its cryptographic design decisions.

Why This RFC Matters

WireGuard was first published by Jason Donenfeld in a 2017 paper (NDSS 2017) and implemented as a Linux kernel module. Its cryptographic design is deliberately minimal: one fixed, modern cipher suite (Curve25519 ECDH, ChaCha20-Poly1305, BLAKE2s, HKDF) with no cipher negotiation, so there is no downgrade path; a handshake built on the Noise IKpsk2 pattern that completes in a single round trip; and a "stealthy" responder that never replies to a packet it cannot authenticate, so a port scanner learns nothing from a WireGuard endpoint. The kernel implementation is roughly 4,000 lines of code, against the hundreds of thousands in OpenVPN-plus-OpenSSL or IPsec stacks, which makes it tractable to audit and shrinks the attack surface. WireGuard has been in the mainline Linux kernel since 5.6, has official implementations for macOS, Windows, iOS, and Android, and is now widely chosen over OpenVPN for new deployments.
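The "stealthy responder" property rests on the mac1 field of every handshake message: mac1 is a keyed BLAKE2s MAC whose key is derived from the responder's own static public key, and a responder silently discards any message whose mac1 does not verify. Only a party that already knows the responder's public key can elicit a reply. The following is an added example, not code from the WireGuard project or the whitepaper. It uses only the Python standard library and follows the published message layout, label, KDF and hash definitions; the ephemeral key and the two encrypted fields in the constructed packet are random placeholders (no Noise handshake is run here), and the function names are this example's own.

```python
"""WireGuard mac1 gate: why an unauthenticated peer never gets a reply.

Added example, not WireGuard project code. Standard library only.
Message layout, LABEL_MAC1, HASH/MAC/HMAC/KDF follow the WireGuard
whitepaper; the packet contents below are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"                                # 8-byte label from the whitepaper
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"  # fixed suite: nothing to negotiate
IDENTIFIER = b"WireGuard v1 zx2c4 Jason@zx2c4.com"
MSG_INITIATION = 1
INITIATION_LEN = 148  # 1+3+4+32+48+28+16+16


def wg_hash(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(key, input): keyed BLAKE2s with a 16-byte digest (not HMAC)."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def wg_hmac(key: bytes, data: bytes) -> bytes:
    """HMAC(key, input): standard HMAC over BLAKE2s."""
    return hmac.new(key, data, "blake2s").digest()


def wg_kdf(chaining_key: bytes, ikm: bytes, n: int) -> list:
    """KDF_n(ck, ikm): HKDF-style extract-then-expand giving n 32-byte outputs."""
    assert 1 <= n <= 3
    tau0 = wg_hmac(chaining_key, ikm)
    outputs, prev = [], b""
    for i in range(1, n + 1):
        prev = wg_hmac(tau0, prev + bytes([i]))
        outputs.append(prev)
    return outputs


def initial_state():
    """Ci = HASH(CONSTRUCTION), Hi = HASH(Ci || IDENTIFIER): constants, never negotiated."""
    ck = wg_hash(CONSTRUCTION)
    return ck, wg_hash(ck + IDENTIFIER)


def mac1_key(responder_static_pub: bytes) -> bytes:
    """The mac1 key depends on the responder's public key, so scanners cannot forge it."""
    return wg_hash(LABEL_MAC1 + responder_static_pub)


def build_initiation(responder_static_pub: bytes, sender_index: int,
                     ephemeral_pub: bytes, enc_static: bytes, enc_timestamp: bytes) -> bytes:
    """Handshake initiation: type(1) reserved(3) sender(4) ephemeral(32)
    encrypted_static(48) encrypted_timestamp(28) mac1(16) mac2(16)."""
    assert len(ephemeral_pub) == 32 and len(enc_static) == 48 and len(enc_timestamp) == 28
    body = struct.pack("<B3xI", MSG_INITIATION, sender_index)
    body += ephemeral_pub + enc_static + enc_timestamp
    mac1 = wg_mac(mac1_key(responder_static_pub), body)   # MAC over everything before mac1
    mac2 = bytes(16)  # zero unless the responder is under load and issued a cookie
    return body + mac1 + mac2


def responder_accepts(my_static_pub: bytes, packet: bytes) -> bool:
    """The mac1 gate. False means: drop silently, allocate no state, send nothing."""
    if len(packet) != INITIATION_LEN or packet[0] != MSG_INITIATION:
        return False
    body, mac1 = packet[:116], packet[116:132]
    expected = wg_mac(mac1_key(my_static_pub), body)
    return hmac.compare_digest(expected, mac1)


def demo():
    """Constructed scenario: a real peer vs. a scanner that does not know our key."""
    responder_pub = os.urandom(32)        # stand-in for the responder's Curve25519 public key
    fields = (0x1234, os.urandom(32), os.urandom(48), os.urandom(28))
    from_peer = build_initiation(responder_pub, *fields)
    from_scanner = build_initiation(os.urandom(32), *fields)   # keyed to the wrong public key
    tampered = bytearray(from_peer)
    tampered[20] ^= 0x01                                        # flip one ephemeral-key bit
    return (responder_accepts(responder_pub, from_peer),
            responder_accepts(responder_pub, from_scanner),
            responder_accepts(responder_pub, bytes(tampered)))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The important design point is the last function: a failed mac1 check produces no response at all, not an error message, and the responder does not touch its Curve25519 keys or allocate session state before that cheap MAC passes. mac1 is not secret authentication (anyone holding the public key can compute it); it is what makes the endpoint invisible to anyone who does not.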
