WireGuard on Fexyn

What WireGuard is

WireGuard is a modern VPN protocol designed around a small, auditable codebase — about 4,000 lines of core code. It uses ChaCha20-Poly1305 for encryption, Curve25519 for key exchange, and BLAKE2s for hashing. Independent researchers have published formal verification of the WireGuard handshake.

On Fexyn, WireGuard is the engine behind Fexyn Bolt — the protocol the app reaches for first when speed matters.

Why WireGuard is fast

• A simpler handshake than OpenVPN means fewer round-trips before data flows.
• Userspace implementations like the one Fexyn uses (boringtun) avoid expensive kernel context switches on Windows.
• Stateless cryptokey routing skips the per-packet decisions older protocols make.

In practice this means lower latency on a stable connection and throughput closer to your link speed than older protocols can deliver.

When WireGuard is the right choice

• Home or office network with no aggressive filtering. UDP is allowed outbound, no DPI.
• You want the lowest possible latency for video calls, gaming, or large downloads.
• You're on a laptop and want the smallest possible battery hit from the VPN.

When it isn't the right choice

• Networks that block UDP outbound. WireGuard is UDP-only; some hotel and corporate networks only allow TCP/443.
• Networks with DPI that recognises WireGuard's fingerprint. WireGuard makes no attempt to look like other traffic — that's a deliberate design tradeoff for simplicity.
• Restrictive country networks where VPN traffic in general is throttled or blocked.

When any of those apply, Fexyn's rotation engine can switch to Fexyn Stealth (VLESS Reality / XRay) or Fexyn Secure (OpenVPN) automatically.

How Fexyn implements it

The Windows app uses boringtun (a Rust implementation of the WireGuard protocol) wrapped by the SYSTEM-level helper service. Wintun handles the TUN device, and the kill switch uses Windows Filtering Platform rules — both engaged before the handshake completes so there's no traffic outside the tunnel during connect.

Each device gets a per-device tunnel IP allocation, tracked authoritatively in the Fexyn web database, with the agent handling the WireGuard peer registration on the chosen server.

What WireGuard doesn't do

WireGuard is a transport — it encrypts and routes traffic. It doesn't handle credential storage, DNS leak prevention, kill switching, or split tunneling on its own. Those live in the Fexyn helper service around it.

WireGuard also doesn't obfuscate. If your network recognises and blocks VPN traffic patterns, WireGuard alone won't get past — that's what Fexyn Stealth (VLESS Reality) is for.

Related reading

• VLESS Reality / XRay on Fexyn — the censorship-resistant option
• OpenVPN on Fexyn — the compatibility fallback
• VPN for Windows
• Security overview
• Download Fexyn for Windows