WireGuard: Next Generation Secure Network Tunnel

Conference: BlackHat USA 2018



The presentation discusses the design principles and implementation of the WireGuard protocol, a minimal and efficient VPN solution.
  • WireGuard is a VPN protocol that combines design principles to ensure security and efficiency
  • The key exchange is one round-trip, ensuring authentication and minimal state
  • WireGuard uses Diffie-Hellman key exchange and symmetric encryption for security
  • The protocol does not use certificates or X.509, but instead relies on short base64 public keys
  • WireGuard does not have plans to add signatures or certificates, but tooling can be built around key distribution
  • WireGuard has a versioning system and can introduce more message types if needed
The presenter explains that WireGuard is designed to be minimal and efficient: the key exchange takes only one round-trip, which provides authentication while keeping state minimal and makes it a compact solution compared to other VPN protocols. The protocol uses a Diffie-Hellman key exchange and symmetric encryption for security, and does not rely on certificates or X.509. Instead, it uses short base64 public keys for key distribution. The presenter also notes that there are no plans to add signatures or certificates to WireGuard, but tooling can be built around key distribution. Overall, the presentation emphasizes the importance of keeping the cryptographic core minimal and understandable.


The state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable.
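
The "cryptokey routing table" named in the abstract ties each peer's short base64 public key to the tunnel addresses that peer is allowed to use. The Python model below is an added example, not code from the talk or from the WireGuard project; it follows the outbound longest-prefix lookup and inbound source check described in the WireGuard whitepaper, and the class name, function names, addresses and keys are all constructed for illustration.

```python
import base64
import ipaddress


class CryptokeyRouter:
    """Toy cryptokey routing table: allowed-IP prefixes mapped to peer public keys."""

    def __init__(self):
        self._routes = []  # list of (ip_network, base64 public key)

    def add_peer(self, public_key_b64, allowed_ips):
        # A Curve25519 public key is 32 bytes, which is 44 base64 characters.
        if len(base64.b64decode(public_key_b64, validate=True)) != 32:
            raise ValueError("public key must decode to exactly 32 bytes")
        for cidr in allowed_ips:
            self._routes.append((ipaddress.ip_network(cidr), public_key_b64))

    def peer_for_outgoing(self, dst_ip):
        """Outbound: choose the peer whose most specific prefix covers dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, key) for net, key in self._routes
                   if net.version == addr.version and addr in net]
        if not matches:
            return None  # no peer owns this destination, so the packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accept_incoming(self, sender_key_b64, inner_src_ip):
        """Inbound: an authenticated packet's inner source must route back to its sender."""
        return self.peer_for_outgoing(inner_src_ip) == sender_key_b64


def constructed_key(byte):
    # Constructed sample key material (32 identical bytes), not a real key.
    return base64.b64encode(bytes([byte]) * 32).decode()


PEER_A = constructed_key(0xA1)
PEER_B = constructed_key(0xB2)


def build_demo_router():
    router = CryptokeyRouter()
    router.add_peer(PEER_A, ["10.0.0.0/24", "fd00::/64"])
    router.add_peer(PEER_B, ["10.0.0.77/32"])
    return router
```

The same table serves as routing table on send and as access control list on receive, so a peer that authenticates correctly still cannot source packets from an address assigned to another peer.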