# WireGuard

> Modern VPN protocol built into the Linux kernel. Fast, minimal, auditable. The cryptographic foundation under Mullvad, many commercial VPNs, and custom setups.

**Source:** https://fieldwork.news/tools/wireguard
**Official site:** https://www.wireguard.com
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** Formally verified cryptographic protocol with ~4,000 lines of auditable code. Built into the Linux kernel. Uses modern, opinionated cryptography with no legacy cipher negotiation. No central infrastructure, no data collection, no accounts. The minimal attack surface and formal verification by INRIA put WireGuard in a different class than most VPN solutions. Rating reflects the protocol itself — your overall VPN security also depends on server configuration and operational practices.
- **Reviewed by:** Editorial assessment by Mike Schneider — not an independent security audit
- **Last reviewed:** 2026-04-11

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists who need a VPN they can trust at the protocol level. Technical reporters and newsroom IT staff setting up secure remote access. Anyone who wants to run their own VPN server rather than trusting a commercial provider. Security-conscious reporters working from hostile networks, hotel Wi-Fi, or countries with internet surveillance.

## Editorial take

WireGuard is a VPN protocol, not a VPN service. That distinction matters. Created by Jason Donenfeld in 2015 and merged into the Linux kernel in March 2020 (Linux 5.6), it replaced the complexity of IPsec and OpenVPN with roughly 4,000 lines of code — small enough for a single security researcher to audit in an afternoon.

The cryptography is modern and opinionated: Curve25519 for key exchange, ChaCha20 with Poly1305 for authenticated encryption, BLAKE2s for hashing, all via the Noise protocol framework. No cipher negotiation, no legacy algorithm support, no configuration knobs that let you accidentally weaken your security.

This simplicity is the point. OpenVPN is ~100,000 lines of code. IPsec implementations are larger. More code means more attack surface. WireGuard's minimal codebase has been formally verified by INRIA researchers using the CryptoVerif proof assistant (2019), confirming the protocol's cryptographic soundness.

It runs on Linux, Windows, macOS, iOS, and Android. On Linux, it operates in kernel space, which makes it significantly faster than OpenVPN (which runs in userspace). Benchmarks consistently show WireGuard achieving 2-4x the throughput of OpenVPN with lower latency.

For journalists, WireGuard matters in two ways. First, if you use Mullvad, IVPN, or ProtonVPN, you're likely already using WireGuard as the underlying protocol. Second, you can run your own WireGuard server on a $5/month VPS and eliminate the commercial VPN provider entirely — no account, no email, no payment trail beyond the server hosting bill.

The trade-off: WireGuard by itself doesn't provide anonymity. It's a point-to-point tunnel. IP addresses are stored in memory (cleared after handshake timeout) but there's no built-in traffic obfuscation or multi-hop routing. For anonymity, you still need Tor or a VPN service with a no-logs policy. WireGuard gives you the fastest, most auditable encrypted tunnel available. What you do with that tunnel is up to you.

## Best for / not for

**Best for:** Running your own VPN server for newsroom remote access. Encrypting traffic on hostile networks (airports, hotels, press centers). Journalists in countries with internet surveillance who need a fast, reliable tunnel. IT staff setting up site-to-site connections between newsroom offices. Understanding what protocol your commercial VPN actually uses.

**Not for:** Non-technical journalists who just want to click a button and be protected — use Mullvad or ProtonVPN instead (both use WireGuard internally). Anyone who needs traffic obfuscation to bypass VPN blocking (WireGuard traffic is identifiable). Users who need anonymity — WireGuard is a tunnel, not an anonymity tool. Use Tor for that.

## Pricing

- **Pricing:** Free. WireGuard is open-source software with no licensing fees. You pay only for the server you run it on — a basic VPS costs $5-10/month from providers like Hetzner, DigitalOcean, or Linode. Commercial VPNs that use WireGuard internally (Mullvad, IVPN, ProtonVPN) charge $5-10/month.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** partial
- **Data jurisdiction:** Self-hosted: wherever you run your server. WireGuard is a protocol — it has no central infrastructure and sends no data to any company. Peer IP addresses are held in memory during active sessions. No persistent logging by default.

**Privacy policy TL;DR:** WireGuard is a protocol, not a service. There is no company collecting your data. No accounts, no telemetry, no analytics. When self-hosted, the only data that exists is what your server stores — WireGuard itself keeps peer endpoints in memory and clears them after inactivity. The software collects nothing. Commercial VPN services using WireGuard have their own privacy policies.

**Practical mitigations (operational guidance, not optional):**

If running your own WireGuard server, choose a VPS provider in a jurisdiction that aligns with your threat model. Use a provider that accepts cryptocurrency if payment anonymity matters. Generate new key pairs for each device. Keep the server's operating system and WireGuard packages updated. Don't expose the WireGuard management interface to the public internet. For additional privacy, combine WireGuard with a multi-hop setup or route traffic through Tor. Remember that WireGuard doesn't obfuscate traffic — deep packet inspection can identify it.

## Ownership & business

- **Owner:** Jason A. Donenfeld (ZX2C4 / Edge Security LLC)
- **Funding model:** Open-source project. WireGuard's Linux kernel implementation is maintained as part of the kernel tree. Development funded by Edge Security (Donenfeld's security consultancy) and contributions from companies that use WireGuard commercially. No venture capital. No corporate parent.
- **Business model:** Free open-source software (GPLv2 for kernel module, MIT/BSD/Apache for userspace tools). No subscription fees. No commercial entity selling WireGuard itself. Revenue for the creator comes from Edge Security's consulting work. Commercial VPN providers (Mullvad, NordVPN, Surfshark, ProtonVPN, IVPN) use WireGuard as infrastructure and pay nothing for the protocol.
- **Open source:** yes

**Known issues:** WireGuard stores peer IP addresses in memory during active connections — this means a server compromise during an active session could reveal which IPs are connected. Most commercial VPN providers mitigate this with NAT and periodic key rotation. No built-in traffic obfuscation — WireGuard connections are identifiable via deep packet inspection, which matters in countries that actively block VPN protocols. The 'cryptokey routing' model assigns fixed internal IPs to each peer, which can make traffic analysis easier in some threat models. No perfect forward secrecy in the traditional IPsec sense, though the Noise protocol's key rotation provides equivalent protection in practice. The protocol is opinionated about its cipher suite — if a vulnerability is found in ChaCha20 or Curve25519, there's no fallback to an alternative algorithm (by design, to avoid downgrade attacks).

---
Canonical HTML: https://fieldwork.news/tools/wireguard
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology