WireGuard
Modern VPN protocol built into the Linux kernel. Fast, minimal, auditable. The cryptographic foundation under Mullvad, many commercial VPNs, and custom setups.
What should journalists know about WireGuard?
WireGuard is a VPN protocol, not a VPN service. That distinction matters. Created by Jason Donenfeld in 2015 and merged into the Linux kernel in March 2020 (Linux 5.6), it replaced the complexity of IPsec and OpenVPN with roughly 4,000 lines of code — small enough for a single security researcher to audit in an afternoon. The cryptography is modern and opinionated: Curve25519 for key exchange, ChaCha20 with Poly1305 for authenticated encryption, BLAKE2s for hashing, all via the Noise protocol framework. No cipher negotiation, no legacy algorithm support, no configuration knobs that let you accidentally weaken your security.
This simplicity is the point. OpenVPN is ~100,000 lines of code. IPsec implementations are larger. More code means more attack surface. WireGuard's minimal codebase has been formally verified by INRIA researchers using the CryptoVerif proof assistant (2019), confirming the protocol's cryptographic soundness.
It runs on Linux, Windows, macOS, iOS, and Android. On Linux, it operates in kernel space, which makes it significantly faster than OpenVPN (which runs in userspace). Benchmarks consistently show WireGuard achieving 2-4x the throughput of OpenVPN with lower latency.
For journalists, WireGuard matters in two ways. First, if you use Mullvad, IVPN, or ProtonVPN, you're likely already using WireGuard as the underlying protocol. Second, you can run your own WireGuard server on a $5/month VPS and eliminate the commercial VPN provider entirely — no account, no email, no payment trail beyond the server hosting bill.
The trade-off: WireGuard by itself doesn't provide anonymity. It's a point-to-point tunnel. IP addresses are stored in memory (cleared after handshake timeout) but there's no built-in traffic obfuscation or multi-hop routing. For anonymity, you still need Tor or a VPN service with a no-logs policy. WireGuard gives you the fastest, most auditable encrypted tunnel available. What you do with that tunnel is up to you.
Running your own VPN server for newsroom remote access. Encrypting traffic on hostile networks (airports, hotels, press centers). Journalists in countries with internet surveillance who need a fast, reliable tunnel. IT staff setting up site-to-site connections between newsroom offices. Understanding what protocol your commercial VPN actually uses.
Non-technical journalists who just want to click a button and be protected — use Mullvad or ProtonVPN instead (both use WireGuard internally). Anyone who needs traffic obfuscation to bypass VPN blocking (WireGuard traffic is identifiable). Users who need anonymity — WireGuard is a tunnel, not an anonymity tool. Use Tor for that.
Security & Privacy
Privacy policy summary
WireGuard is a protocol, not a service. There is no company collecting your data. No accounts, no telemetry, no analytics. When self-hosted, the only data that exists is what your server stores — WireGuard itself keeps peer endpoints in memory and clears them after inactivity. The software collects nothing. Commercial VPN services using WireGuard have their own privacy policies.
How to protect yourself:
If running your own WireGuard server, choose a VPS provider in a jurisdiction that aligns with your threat model. Use a provider that accepts cryptocurrency if payment anonymity matters. Generate new key pairs for each device. Keep the server's operating system and WireGuard packages updated. Don't expose the WireGuard management interface to the public internet. For additional privacy, combine WireGuard with a multi-hop setup or route traffic through Tor. Remember that WireGuard doesn't obfuscate traffic — deep packet inspection can identify it.
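One way to check the "new key pair for each device" advice on a self-hosted server, as an added example that is not part of the original page or of WireGuard itself: the script reads a server config, then flags peers that share a public key and peers whose AllowedIPs overlap another peer's tunnel address. The config, addresses and key strings are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed server config; keys are placeholders, not real WireGuard keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24
PrivateKey = <server-private-key-placeholder>
[Peer]  # reporter laptop
PublicKey = PLACEHOLDER_KEY_A=
AllowedIPs = 10.8.0.2/32
[Peer]  # reporter phone, set up by copying the laptop's key pair
PublicKey = PLACEHOLDER_KEY_A=
AllowedIPs = 10.8.0.3/32
[Peer]  # editor desktop, given the whole subnet by mistake
PublicKey = PLACEHOLDER_KEY_B=
AllowedIPs = 10.8.0.0/24
"""

def parse_peers(text):
    """Return one dict per [Peer] section ([Peer] repeats, so no configparser)."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: base64 ends in "="
            current[key.strip().lower()] = value.strip()
    return peers

def audit(text):
    """Flag shared device keys and overlapping tunnel addresses."""
    findings, key_owner, nets = [], {}, []
    for idx, peer in enumerate(parse_peers(text), start=1):
        key = peer.get("publickey", "")
        if key in key_owner:
            findings.append(f"peer {idx}: public key reused from peer {key_owner[key]}")
        key_owner.setdefault(key, idx)
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other_idx, other in nets:
                if other_idx != idx and net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {idx}: AllowedIPs {net} overlaps peer {other_idx} ({other})")
            nets.append((idx, net))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
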
Formally verified cryptographic protocol with ~4,000 lines of auditable code. Built into the Linux kernel. Uses modern, opinionated cryptography with no legacy cipher negotiation. No central infrastructure, no data collection, no accounts. The minimal attack surface and formal verification by INRIA put WireGuard in a different class than most VPN solutions. Rating reflects the protocol itself — your overall VPN security also depends on server configuration and operational practices.
Who Owns This
Known issues
WireGuard stores peer IP addresses in memory during active connections — this means a server compromise during an active session could reveal which IPs are connected. Most commercial VPN providers mitigate this with NAT and periodic key rotation.
No built-in traffic obfuscation — WireGuard connections are identifiable via deep packet inspection, which matters in countries that actively block VPN protocols.
The 'cryptokey routing' model assigns fixed internal IPs to each peer, which can make traffic analysis easier in some threat models.
No perfect forward secrecy in the traditional IPsec sense, though the Noise protocol's key rotation provides equivalent protection in practice.
The protocol is opinionated about its cipher suite — if a vulnerability is found in ChaCha20 or Curve25519, there's no fallback to an alternative algorithm (by design, to avoid downgrade attacks).
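Why WireGuard is identifiable to deep packet inspection even though the contents are encrypted, shown as an added example that is not part of the original page: every message starts with a one-byte type and three zero bytes, and the handshake messages have fixed lengths, so the outer shape alone gives the protocol away. The sizes are those given in the WireGuard whitepaper; the payloads are constructed with zero filler, and the function names are hypothetical.

```python
import struct

# Sizes of the fixed-length messages, as given in the WireGuard whitepaper.
FIXED = {1: ("handshake initiation", 148),
         2: ("handshake response", 92),
         3: ("cookie reply", 64)}

def classify(payload: bytes):
    """Return a message name if a UDP payload has WireGuard's outer shape."""
    if len(payload) < 4:
        return None
    # Byte 0 is the message type; bytes 1-3 are reserved and always zero,
    # so the first four bytes read as a small little-endian integer.
    (msg_type,) = struct.unpack_from("<I", payload)
    if msg_type in FIXED:
        name, size = FIXED[msg_type]
        return name if len(payload) == size else None
    # Transport data: 16-byte header, ciphertext padded to 16, 16-byte tag.
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return "transport data"
    return None

# Constructed payloads: correct outer shape, zero filler instead of real crypto.
SAMPLES = {
    "initiation": b"\x01\x00\x00\x00" + bytes(144),
    "response": b"\x02\x00\x00\x00" + bytes(88),
    "keepalive": b"\x04\x00\x00\x00" + bytes(28),
    "dns_query": bytes.fromhex("123401000001000000000000")
                 + b"\x07example\x03org\x00\x00\x01\x00\x01",
    "wrong_size": b"\x01\x00\x00\x00" + bytes(100),
}

def classify_all(samples):
    """Map each sample name to its classification (None = not WireGuard-shaped)."""
    return {name: classify(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, label in classify_all(SAMPLES).items():
        print(f"{name:12} -> {label}")
```

The check never touches a key or decrypts anything, which is why encryption strength does not help against protocol blocking.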
Pricing
Free. WireGuard is open-source software with no licensing fees. You pay only for the server you run it on — a basic VPS costs $5-10/month from providers like Hetzner, DigitalOcean, or Linode. Commercial VPNs that use WireGuard internally (Mullvad, IVPN, ProtonVPN) charge $5-10/month.
This is an editorial assessment based on publicly available information as of 2026-04-11, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.