Definition
WireGuard is a modern VPN protocol designed for simplicity, speed, and a small, auditable codebase. It creates an encrypted tunnel between devices over UDP, letting a sovereign Bitcoiner reach a home node, dashboard, or private network securely from anywhere as though they were on the local network. Its lean design has made it a popular alternative to older, heavier VPN protocols, and it now ships in the Linux kernel.
Cryptography
Rather than negotiating from a menu of options, WireGuard fixes a single modern cryptographic suite. It uses the Noise protocol framework for its handshake, Curve25519 for key exchange, ChaCha20 with Poly1305 for authenticated encryption, BLAKE2s for hashing, and SipHash for internal table keys. This deliberate lack of configurability removes whole categories of misconfiguration. By default it communicates over UDP, commonly on port 51820.
Cryptokey routing
WireGuard's defining idea is cryptokey routing: each peer is identified by its public key, and that key is bound to a list of IP addresses it is allowed to use inside the tunnel. An outbound packet is sent to whichever peer owns its destination address, and a decrypted inbound packet is accepted only if its inner source address is in the allowed list of the peer whose key authenticated it. Identity and routing are thus the same thing, which keeps the model compact and secure.
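The following is an added illustration, not WireGuard's own code: a toy model of the cryptokey routing table, with the handshake and decryption abstracted away so that `accept_inbound` receives the key that already authenticated the packet. Peer keys and tunnel addresses are constructed placeholders.

```python
"""Toy model of WireGuard's cryptokey routing (added example, not WireGuard code).

Each peer is a public key bound to a set of AllowedIPs. Outbound packets go to
the peer owning the destination (most specific prefix wins); inbound packets are
accepted only if their inner source address falls within the AllowedIPs of the
peer whose key authenticated them. Keys and addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    public_key: str          # a base64 Curve25519 key in real WireGuard; placeholder here
    allowed_ips: list        # list of ipaddress.ip_network objects


class CryptokeyRouter:
    def __init__(self, peers):
        self.peers = peers

    def route_outbound(self, dst):
        """Return the peer whose AllowedIPs contain dst; longest prefix wins."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best  # None means no peer owns the address: the packet is dropped

    def accept_inbound(self, public_key, src):
        """Accept a decrypted packet only if its inner source is authorized for that key."""
        addr = ipaddress.ip_address(src)
        for peer in self.peers:
            if peer.public_key == public_key:
                return any(addr in net for net in peer.allowed_ips)
        return False  # unknown key: never accepted


# Constructed sample table on a home node: a laptop and a phone, one tunnel address each.
ROUTER = CryptokeyRouter([
    Peer("LAPTOP_PUBKEY_PLACEHOLDER", [ipaddress.ip_network("10.0.0.2/32")]),
    Peer("PHONE_PUBKEY_PLACEHOLDER", [ipaddress.ip_network("10.0.0.3/32")]),
])

if __name__ == "__main__":
    print(ROUTER.route_outbound("10.0.0.2").public_key)                   # LAPTOP_PUBKEY_PLACEHOLDER
    print(ROUTER.accept_inbound("PHONE_PUBKEY_PLACEHOLDER", "10.0.0.3"))  # True
    print(ROUTER.accept_inbound("PHONE_PUBKEY_PLACEHOLDER", "10.0.0.2"))  # False: source not bound to that key
```

The last check is the security property the text describes: a peer cannot spoof another peer's tunnel address, because the address is bound to the key, not negotiated per packet.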
Use for sovereignty
A common pattern is to expose only the WireGuard port at home and tunnel into everything else, so a node's web interface never touches the public internet directly. This sidesteps exposing many services and works even where address translation complicates inbound access.
WireGuard is an alternative to exposing services through Port Forwarding, and the encrypted private overlays it builds are related to a mesh VPN.
