In principle, WireGuard is a decentralized, peer-to-peer VPN protocol. Rather than requiring a server, WireGuard can open a tunnel directly between two computers. A WireGuard “server” is simply a machine that contains the connection configurations for multiple peers.
Establishing a connection with WireGuard works in much the same way as with Secure Shell (SSH): the users (“peers”) generate key pairs with WireGuard and exchange the public keys with one another. Using these keys, the peers mutually authenticate each other and encrypt the data packets for their intended recipient.
In addition to generating the cryptographic keys, network settings need to be configured on each peer. For more on this, see our guide on setting up WireGuard below. To exchange data, permitted IP address ranges are bound to each peer’s cryptographic key. Packets whose source address lies outside the permitted ranges are discarded. WireGuard transmits data over the User Datagram Protocol (UDP).
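The following is an added example, not code from the original article or from the WireGuard project. It models the two things the preceding paragraphs describe on the “server” side: rendering the configuration that binds each peer’s public key to its permitted address range, and the cryptokey-routing check that drops a decrypted packet whose inner source address is not in the range bound to the key it arrived under. The key strings, peer names and 10.0.0.0/24 addresses are constructed placeholders standing in for the base64 output of `wg genkey` / `wg pubkey`; only the Python standard library is used.

```python
"""Two-peer WireGuard configuration plus a cryptokey-routing check.

Added example, not code from the original article or from the WireGuard
project. Key strings and addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    public_key: str                 # base64 value `wg pubkey` prints (placeholder here)
    allowed_ips: List[str]          # CIDR ranges bound to this key
    endpoint: Optional[str] = None  # host:port, needed only when we initiate to this peer


def render_config(private_key: str, address: str, peers: List[Peer],
                  listen_port: Optional[int] = None) -> str:
    """Render a wg-quick style configuration file for one peer's machine."""
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {address}"]
    if listen_port is not None:
        lines.append(f"ListenPort = {listen_port}")
    for p in peers:
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  f"AllowedIPs = {', '.join(p.allowed_ips)}"]
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
    return "\n".join(lines) + "\n"


class CryptokeyRouter:
    """Model of WireGuard's cryptokey routing table: CIDR range -> peer (key)."""

    def __init__(self, peers: List[Peer]):
        self.table = [(ipaddress.ip_network(cidr, strict=False), p)
                      for p in peers for cidr in p.allowed_ips]

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outbound: encrypt to the peer whose AllowedIPs is the longest prefix match."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, p) for net, p in self.table if addr in net]
        if not matches:
            return None                      # no peer owns this address: packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accept_inbound(self, peer: Peer, src: str) -> bool:
        """Inbound: a packet that decrypted under `peer`'s key is delivered only if
        its inner source address lies within that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, p in self.table if p is peer)


# Constructed sample: a "server" peer holding entries for two clients.
LAPTOP = Peer("laptop", "LAPTOP_PUBLIC_KEY_PLACEHOLDER", ["10.0.0.2/32"])
PHONE = Peer("phone", "PHONE_PUBLIC_KEY_PLACEHOLDER", ["10.0.0.3/32"])
SERVER_ROUTER = CryptokeyRouter([LAPTOP, PHONE])
SERVER_CONFIG = render_config("SERVER_PRIVATE_KEY_PLACEHOLDER", "10.0.0.1/24",
                              [LAPTOP, PHONE], listen_port=51820)

if __name__ == "__main__":
    print(SERVER_CONFIG)
    # Decrypted under the laptop's key with inner source 10.0.0.2: delivered.
    print("laptop -> 10.0.0.2:", SERVER_ROUTER.accept_inbound(LAPTOP, "10.0.0.2"))
    # Same inner source, but the packet arrived under the phone's key: dropped.
    print("phone  -> 10.0.0.2:", SERVER_ROUTER.accept_inbound(PHONE, "10.0.0.2"))
```

The second check is the point of binding address ranges to keys: a peer that authenticates with its own key cannot inject packets that claim another peer’s tunnel address, because the source address is validated against the range bound to the key that decrypted the packet, not against any address the packet itself carries.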
On a peer’s machine, configuration is done with the WireGuard command line tool and the standard networking utilities that ship with Linux. Although configuring the software is considered relatively easy, WireGuard only provides the foundation. An app built on top of the protocol can guide users through the individual configuration steps and set up the connection for them. Users of commercial VPN services can therefore benefit from the modern VPN protocol without touching the command line.