What is WireGuard? A Complete Guide to How the Next-Gen VPN Works and How to Use It with Tailscale

WireGuard is a next-generation VPN protocol that achieves fast, secure communication with roughly 1/100th the codebase of IPsec. Built into the Linux kernel, it combines configuration simplicity with robust cryptography.

When you hear "VPN," you might picture an IT administrator wrestling with a mountain of configuration files. WireGuard is a next-generation VPN protocol that turns that assumption on its head. With roughly 1/100th the codebase of IPsec, it delivers fast and secure communication. This article explains how WireGuard works from the ground up, and covers practical implementation methods leveraging managed services such as Tailscale. It is written for infrastructure engineers who feel that "VPN operations are too heavy" or want to "simplify remote access."

The world of VPN had long been a binary choice between IPsec and OpenVPN. Both have proven track records, but they come with inherent complexity in configuration and operational overhead. WireGuard emerged as a protocol designed to fundamentally change this landscape.

IPsec is a suite of protocols designed in the 1990s, involving multiple intertwined sub-protocols such as key exchange via IKE (Internet Key Exchange) and encryption via ESP (Encapsulating Security Payload). The Linux implementation alone spans approximately 400,000 lines of code, with an enormous number of configuration parameters.

OpenVPN is an SSL/TLS-based VPN that runs in user space and is more manageable than IPsec. However, cryptographic processing in user space carries greater overhead compared to kernel space, imposing throughput limitations. Configuration files can run to dozens of lines, and the burden of certificate management is not insignificant.

When I once built a site-to-site VPN using IPsec, a mismatch between the Phase 1 and Phase 2 parameters prevented the tunnel from establishing, and I spent an entire day tracking down the cause. Even after combing through the logs, all they showed was a cryptographic algorithm negotiation failure, leaving me unable to determine which site's configuration was even at fault.

WireGuard's author, Jason A. Donenfeld, designed this protocol with the philosophy that VPNs should be as simple as SSH. The official website even describes it as an "extremely simple yet fast and modern VPN."

This philosophy is reflected in the following design decisions:

• Fixed cryptographic algorithms: Eliminates negotiation. A single combination of Curve25519 (key exchange), ChaCha20 (encryption), Poly1305 (authentication), and BLAKE2s (hashing) is used
• Minimal state: Holds no connection state; processes UDP packets as they arrive. There is no concept of disconnection or reconnection
• Principle of least privilege: Minimizes the attack surface by excluding unnecessary features

The approach of fixing cryptographic algorithms may appear at first glance to sacrifice flexibility. However, it fundamentally eliminates the problem common in IPsec where "connections fail because both sides have mismatched algorithm configurations." Should a vulnerability be discovered in the adopted algorithms in the future, the design calls for addressing it through a protocol version upgrade.

At the core of WireGuard is a simple routing model called Cryptokey Routing. While traditional VPNs "establish" tunnels, WireGuard maps public keys to allowed IPs, much like a routing table.

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.192.122.3/32, 10.192.124.0/24

This configuration means: "packets destined for 10.192.122.3 and 10.192.124.0/24 may be sent to the peer with this public key." When sending a packet, it is encrypted using the public key of the peer that matches the allowed IPs; when receiving, the system verifies that the public key used for decryption matches the allowed IPs. This single mechanism handles both authentication and routing simultaneously.

WireGuard itself has been in development since around 2016, but its adoption has spread rapidly in recent years. Behind this lies a technical turning point and a shift in the way people work.

In March 2020, WireGuard was merged into the kernel tree with Linux 5.6. It also made headlines when Linus Torvalds himself wrote on the mailing list, "Can I just once again state my love for it and hope it gets merged soon?"

Being included in the kernel standard is more than just a stamp of approval. It means distributions can use WireGuard without additional packages, and security patches are delivered alongside kernel updates. It is available out of the box on Ubuntu 20.04 and later, Debian 11 and later, and RHEL 9 and later.

Since COVID-19, VPN usage patterns have changed dramatically. What was once centered around "Site-to-Site from office to branch" has now shifted to a mainstream model of remote access from "home, cafés, and coworking spaces to the cloud."

Traditional VPNs have not kept pace with this change. Accommodating 100 remote workers with OpenVPN requires significant server CPU resources and tuning. WireGuard, operating in kernel space, can achieve several times the throughput on the same hardware.

As multi-cloud configurations combining AWS, GCP, and Azure become the norm, the complexity of connections spanning each cloud's VPN services (such as AWS VPN Gateway) continues to grow. WireGuard can build mesh connections simply by deploying a lightweight agent on each node, with no dependency on any cloud vendor.

Let's look at the technical backing for why WireGuard is fast and secure.

WireGuard intentionally eliminates "cryptographic agility." In other words, the cryptographic algorithms used cannot be chosen. This is not a drawback, but a deliberate and strong design choice.

ChaCha20-Poly1305 has been widely adopted as an alternative to AES-GCM. AES is fast in environments with hardware acceleration (AES-NI), but ChaCha20 is often faster on ARM mobile devices and low-end routers.

The WireGuard kernel module is implemented in approximately 4,000 lines of C code. For comparison, OpenVPN has around 100,000 lines, and IPsec's strongSwan has around 400,000 lines.

The smaller codebase directly translates to lower security audit costs. At 4,000 lines, a single security researcher can read through the entire codebase in a matter of days. In fact, WireGuard has undergone formal verification by France's INRIA, with the correctness of its cryptographic protocol mathematically proven.

WireGuard has no concept of a "connection." Because it is a UDP-based stateless protocol, even if the client's IP address changes (e.g., switching from Wi-Fi to a mobile network), the endpoint is automatically updated as soon as the next packet arrives.

This is the same design philosophy as SSH's Mosh. When the author used WireGuard aboard a Shinkansen, even as the mobile network handed over between base stations mid-tunnel, server work continued without any interruption. In the same situation, OpenVPN would take 10–30 seconds to reconnect.

WireGuard is an excellent protocol, but operating it at scale requires building your own mechanisms for key distribution and access control. Tailscale is a service that solves these "remaining challenges."

When trying to mesh-connect 50 servers with WireGuard alone, you need to configure the public keys and AllowedIPs for the other 49 nodes on each node. Every time a node is added or removed, the configuration on every machine must be updated.

Tailscale automates this key management with a central coordination server. Once the Tailscale agent is installed on each node, key exchange and configuration distribution happen in the background. The data plane (actual traffic) communicates directly peer-to-peer via WireGuard and does not pass through Tailscale's servers.

As the official website claims, "Installation takes minutes" — the process from installation to building a mesh network is completed in just a few minutes. On my team, when onboarding new developers, simply sending them a Tailscale invite link is all it takes to grant access to internal resources. We no longer need to hand out a VPN configuration manual.

Traditional VPNs use a hub-and-spoke model where all traffic passes through a VPN gateway. This configuration makes the gateway prone to becoming a bottleneck and also creates a single point of failure.

Tailscale adopts a full-mesh model in which each node communicates directly via WireGuard tunnels. For NAT traversal, it uses STUN/DERP (Designated Encrypted Relay for Packets) servers, relaying traffic only when a direct connection cannot be established.

From a Zero Trust perspective, Tailscale implements the following:

• Identity-based access: Integrates with IdPs such as Google Workspace, Okta, and Azure AD to control access on a per-user basis
• ACL (Access Control List): Uses JSON-based policies to define "who" can access "which resources"
• Device authentication: Issues a unique WireGuard key pair to each device, enabling per-device management

There are other WireGuard-based services besides Tailscale. They can be used selectively depending on the use case.

Tailscale has an advantage in ease of setup and the richness of its IdP integration. Netmaker is an option when you want to host the control plane in-house, while Firezone is a candidate for those looking to gradually migrate from an existing OpenVPN environment.

WireGuard is relatively easy to set up, but there are still a few pitfalls to be aware of.

WireGuard key pair generation is completed in a single line: wg genkey | tee privatekey | wg pubkey > publickey. This very convenience can backfire, as some teams end up managing public keys indefinitely in Excel spreadsheets or wikis.

This approach may be manageable for around 10 machines, but once you exceed 50, issues such as missed key rotations and forgotten peer deletions start to occur. Introducing automated key management tools like Tailscale or Netmaker should be considered at an early stage.

WireGuard uses a UDP port (default 51820). In corporate networks, UDP may be strictly restricted, which can lead to situations such as "it connects from home, but not from the client's office."

As countermeasures, there are tools such as Tailscale's DERP relay and wstunnel, which wraps WireGuard over HTTPS (TCP 443). It is important to identify network requirements before deployment and to prepare fallback measures for environments where UDP is blocked.

Immediately removing IPsec as soon as WireGuard is introduced is a risky approach. Especially when migrating a site-to-site VPN to WireGuard, there will be a period during the transition where both protocols coexist. It is necessary to plan ahead to ensure there are no overlapping IP address ranges or routing conflicts.

We have adopted WireGuard as the foundation for connectivity between our Thailand and Japan offices, as well as for remote development team access.

Before the introduction, the Bangkok office and the Japanese development environment were connected via IPsec VPN. The Thai ISP frequently changed IP addresses, requiring VPN reconfiguration each time. The tunnel would go down two to three times a month, with recovery taking 30 minutes to an hour.

As the number of remote work developers grew, the cost of issuing and managing OpenVPN client certificates for individual developers had become impossible to ignore.

The current setup operates with the following configuration.

• Between sites: Linux servers with Tailscale installed are deployed as subnet routers, exposing the existing network at each site to the Tailscale network.
• Remote access: Development team members install the Tailscale client and access it via Google Workspace authentication.
• Server management: SSH access to the production environment is restricted to Tailscale only, eliminating SSH port exposure on public IPs.

ACLs are used to separate permissions between the development team, infrastructure team, and management, with a design where developers can only access the development environment while the infrastructure team has access to all environments.

The biggest change of all is that we no longer think of the VPN as something to "manage" — it has simply become part of the infrastructure.

Answering frequently asked questions about WireGuard and Tailscale.

Sufficiently resilient. The fact that it is included as a standard component of the Linux kernel guarantees long-term support from OS vendors. Cloudflare has adopted WireGuard for its own VPN service (WARP), where it has a proven track record operating at a scale of hundreds of millions of users. However, for large-scale environments, it is strongly recommended to use it in conjunction with a key management and access control mechanism (such as Tailscale).

The Personal plan allows free usage for up to 100 devices and 3 users (as of March 2026). This is more than sufficient for small teams and individual developers. The Starter plan for businesses is available from $6/user per month, enabling SSO integration and advanced ACL. Please check the official Tailscale website for the latest pricing details.

Taking it step by step makes it manageable. The recommended approach is to first migrate a subset of remote access users to WireGuard (or Tailscale), allowing for a period of parallel operation. The migration of site-to-site VPNs can come after that. WireGuard and IPsec can coexist on the same server, operating on different ports and interfaces, which makes for a structure that lends itself well to phased migration.

WireGuard represents a major paradigm shift in the history of VPNs. A simple codebase of approximately 4,000 lines, high-speed processing in kernel space, and a stateless design through Cryptokey Routing — it fundamentally eliminates the complexity and operational overhead that traditional VPNs have long struggled with.

By combining it with a managed service like Tailscale, challenges around key management and access control can be resolved, bringing you significantly closer to achieving a zero-trust network.

Start by taking the following steps:

1. Try it out: Set up WireGuard between a personal PC and a cloud server to experience its simplicity firsthand
2. Adopt Tailscale: Build remote access for a small team using the free tier
3. Run it alongside your existing VPN: Migrate gradually, starting with a subset of users, and see the reduction in operational costs for yourself