What Is WireGuard?
WireGuard is an open-source VPN protocol designed for simplicity and speed. At roughly 4,000 lines of code (versus hundreds of thousands for OpenVPN/IPsec stacks), it is dramatically easier to audit, connects in milliseconds, and delivers significantly higher throughput using modern cryptography — ChaCha20 for encryption and Curve25519 for key exchange. It has been part of the Linux kernel since version 5.6 (2020).
Why WireGuard replaced OpenVPN as the default
OpenVPN, the previous standard, carries two decades of accumulated complexity: a large codebase, TLS dependency, and performance limited by user-space packet processing. WireGuard was designed from scratch by Jason A. Donenfeld with the opposite philosophy — a minimal, formally verifiable protocol with fixed, modern cryptographic choices instead of negotiable cipher suites.
The practical results: connections establish near-instantly (critical when your phone hops between Wi-Fi and cellular), throughput is typically 2-4× OpenVPN on the same hardware, and battery cost on mobile devices is significantly lower. In our reference benchmark, every top-performing VPN runs a WireGuard-family protocol.
NordLynx, Lightway, and other WireGuard derivatives
Stock WireGuard has one privacy wrinkle for consumer VPN use: by design it stores connected peers' IP addresses in server memory. Providers address this with engineering on top: NordVPN's NordLynx adds a double-NAT system so user IPs aren't tied to tunnel sessions; other providers wipe peer state aggressively.
ExpressVPN's Lightway is not WireGuard but a parallel effort with the same philosophy — a minimal modern protocol (built on wolfSSL, now open source) optimized for fast reconnection and mobile use. When this site refers to 'WireGuard-family' protocols, it means WireGuard, NordLynx, Lightway, and similar minimal modern designs.
Limitations
WireGuard is UDP-only, which means it can be blocked by networks that allow only TCP — restrictive corporate firewalls and national filtering systems detect and drop it relatively easily. That's why providers keep OpenVPN-TCP (which can masquerade on port 443 as HTTPS) and proprietary obfuscated protocols as fallbacks for hostile networks.
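Why the protocol is so easy to spot on the wire, as an added example that is not from the original page: WireGuard encrypts the payload but not its message header, and its handshake messages have fixed sizes, so a network monitor can classify a UDP payload from the type byte, the three reserved zero bytes, and the length alone. The function names, flow tuples, and filler bytes below are constructed for illustration.

```python
# Heuristic classifier for WireGuard's unencrypted message header (added example).
# Message type -> (name, exact UDP payload size in bytes) for the handshake messages.
HANDSHAKE_SIZES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_TYPE = 4
TRANSPORT_MIN = 32  # 16-byte header + 16-byte Poly1305 tag (an empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name a UDP payload matches, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # bytes 1-3 are reserved and always zero
    msg_type = payload[0]
    if msg_type in HANDSHAKE_SIZES:
        name, size = HANDSHAKE_SIZES[msg_type]
        return name if len(payload) == size else None
    if msg_type == TRANSPORT_TYPE and len(payload) >= TRANSPORT_MIN:
        return "transport_data"
    return None


def summarize_flows(packets):
    """Keep flows that show both halves of a handshake (a likely tunnel)."""
    flows = {}
    for flow, payload in packets:
        kind = classify_wireguard(payload)
        if kind:
            flows.setdefault(flow, []).append(kind)
    need = {"handshake_initiation", "handshake_response"}
    return {f: kinds for f, kinds in flows.items() if need <= set(kinds)}


# Constructed samples: (normalized flow key, UDP payload). Filler bytes stand in
# for keys and ciphertext; addresses are documentation ranges.
TUNNEL = ("10.0.0.5", "203.0.113.7", 51820)
SAMPLES = [
    (TUNNEL, bytes([1, 0, 0, 0]) + b"\xaa" * 144),   # 148-byte initiation
    (TUNNEL, bytes([2, 0, 0, 0]) + b"\xbb" * 88),    # 92-byte response
    (TUNNEL, bytes([4, 0, 0, 0]) + b"\xcc" * 28),    # 32-byte keepalive
    (("10.0.0.9", "198.51.100.2", 53), b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 23),
    (("10.0.0.9", "198.51.100.3", 443), bytes([1, 0, 0, 0]) + b"\xdd" * 60),  # wrong size
]

if __name__ == "__main__":
    for flow, kinds in summarize_flows(SAMPLES).items():
        print(flow, kinds)
```

This is a heuristic: unrelated UDP traffic can occasionally match the pattern by chance, so the flow-level check for a matching initiation and response is what keeps false positives down.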
Frequently Asked Questions
Is WireGuard safe?
Yes — its small codebase has been formally analyzed and is widely considered one of the most trustworthy VPN protocols available. Its cryptographic choices (ChaCha20-Poly1305, Curve25519, BLAKE2s) are modern and conservative. The main caveat is the peer-IP memory behavior, which serious providers mitigate with double-NAT or aggressive state clearing.
Is WireGuard faster than OpenVPN?
Substantially. On identical hardware, WireGuard typically delivers 2-4× OpenVPN's throughput and connects in milliseconds rather than seconds. In our benchmark, WireGuard-family protocols retain 75-85% of a 1 Gbps line versus 40-60% for OpenVPN.
Which VPNs use WireGuard?
Nearly all top providers: NordVPN (as NordLynx), Surfshark, Proton VPN, PIA, CyberGhost, and IPVanish all offer WireGuard. ExpressVPN uses Lightway, its own protocol with the same design goals.
When should I NOT use WireGuard?
On networks that block UDP traffic or use deep packet inspection to drop VPN protocols — some corporate networks, and national firewalls in China, Iran, and similar markets. There, OpenVPN-TCP on port 443 or a provider's obfuscated protocol works where WireGuard won't.