What is WireGuard
A modern VPN protocol with a small codebase, fast handshake, and excellent performance — the default for most consumer VPNs since 2020.
WireGuard is a VPN protocol designed by Jason Donenfeld and merged into the Linux kernel in 2020. It became the default for most consumer VPNs because it does three things better than the older protocols: it's faster, it's much smaller (so easier to audit), and it roams between networks without breaking the tunnel.
Three numbers tell most of the story:
- ~4,000 lines of core code (vs hundreds of thousands for OpenVPN's stack).
- One round-trip for the handshake (1-RTT Noise IK pattern).
- ~5% throughput cost on a typical home connection.
How WireGuard works
WireGuard uses a fixed, modern set of cryptographic primitives:
- ChaCha20-Poly1305 for symmetric encryption (AEAD).
- Curve25519 for elliptic-curve key exchange.
- BLAKE2s for hashing.
- HKDF for key derivation.
There's no negotiation step — both sides know the algorithms in advance. That cuts attack surface (no downgrade attacks) and removes a round-trip from the handshake. Compare this to OpenVPN's negotiated TLS handshake, which is flexible but slower.
WireGuard is also stateless on the data path. There's no session table, no TCP-style connection state. Packets are routed by their cryptographic identity (peer public key) rather than by an established session. This is why roaming works — your laptop can switch from Wi-Fi to LTE and the tunnel keeps going as long as you can still reach the peer.
Where WireGuard wins
Speed and battery. The encryption is fast, the handshake is fast, the data path is short. On mobile, this translates to less battery drain. On a desktop on a fibre connection, it translates to throughput that's effectively the same as no VPN.
Auditability. 4,000 lines is small enough that a single security researcher can read the whole codebase in a week. OpenVPN has been formally audited several times; WireGuard has been formally analysed as a protocol, not just an implementation, which is a stronger guarantee.
Where WireGuard fails
WireGuard makes no attempt to hide itself. Packets have a distinctive shape — UDP, fixed header structure, message types 1 to 4. A DPI system that wants to recognise WireGuard can do so cheaply. Iran, Russia, and Turkey block WireGuard endpoints by signature regularly.
If your network is censored, WireGuard alone won't get through. You need a protocol designed to be invisible — that's VLESS Reality.
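The packet shape described above can be checked with a few comparisons, which is why recognition is cheap for any network monitor. The sketch below is an added example, not Fexyn's or the WireGuard project's code: it classifies UDP payloads by message type, the three reserved zero bytes that follow it, and the fixed handshake lengths from the WireGuard specification. The function names and the sample payloads are constructed for illustration.

```python
# Sizes below come from the WireGuard protocol specification, not from this page.
FIXED_SIZES = {1: 148, 2: 92, 3: 64}  # initiation, response, cookie reply
NAMES = {1: "handshake_initiation", 2: "handshake_response",
         3: "cookie_reply", 4: "transport_data"}
MIN_TRANSPORT = 32  # 16-byte header + 16-byte Poly1305 tag (empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the message name if the payload has WireGuard's shape, else None."""
    if len(payload) < MIN_TRANSPORT:
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if msg_type not in NAMES or reserved != b"\x00\x00\x00":
        return None
    if msg_type in FIXED_SIZES:
        return NAMES[msg_type] if len(payload) == FIXED_SIZES[msg_type] else None
    # Type 4: 16-byte header, ciphertext, 16-byte tag. Length varies with the packet.
    return NAMES[4]


def flow_verdict(payloads):
    """Score one UDP flow; a single matching packet is weak evidence on its own."""
    kinds = [classify_wireguard(p) for p in payloads]
    handshake = {"handshake_initiation", "handshake_response"} <= set(kinds)
    all_match = bool(kinds) and None not in kinds
    return {"kinds": kinds, "handshake_pair": handshake,
            "likely_wireguard": all_match and handshake}


def sample(msg_type: int, length: int) -> bytes:
    """Constructed test payload: real header layout, filler in place of ciphertext."""
    return bytes([msg_type, 0, 0, 0]) + b"\xa5" * (length - 4)


# Constructed flows (not captured traffic).
WG_FLOW = [sample(1, 148), sample(2, 92), sample(4, 32), sample(4, 1452)]
DNS_FLOW = [bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"]

if __name__ == "__main__":
    print(flow_verdict(WG_FLOW)["likely_wireguard"])
    print(flow_verdict(DNS_FLOW)["likely_wireguard"])
```

Nothing here touches keys or ciphertext; the match is on cleartext structure alone, which is the property the section describes.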
How Fexyn uses WireGuard
Fexyn ships WireGuard as Fexyn Bolt — the default protocol on networks that aren't actively hostile. The implementation uses userspace boringtun on Windows, which makes the kill switch and DNS lock easier to integrate with the helper service.
Read more in the WireGuard protocol page and the VPN protocols comparison.
Try Fexyn free for 7 days — Bolt is the default; the rotation engine handles falling back to Stealth or Secure if your network blocks it.
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.