WireGuard is a VPN (virtual private network) protocol that builds an encrypted link between machines over the public internet, so they can reach each other as if on one private local network. It is deliberately small and fast, using modern cryptography and a tiny codebase, and it underpins mesh tools that connect scattered hardware into one tailnet.
At a glance
What it is: A VPN (virtual private network) protocol, encrypted and lightweight
Why it matters: It joins scattered machines into one private network over the internet
Design goal: A small codebase and modern cryptography, easier to audit and trust
Where you meet it: Under mesh networks like Tailscale and Headscale, which build on it
Flow
Two machines, one private link
WireGuard wraps the path between machines in an encrypted tunnel. To the machines at each end, the far box looks local, even though the traffic crosses the public internet.
1. Machine at home: has a private address on the tunnel
2. Encrypted WireGuard tunnel: carries traffic across the public internet
3. Remote machine: reachable as if on the same local network
What problem does WireGuard solve?
Your machines are scattered: a box at home, a rented server elsewhere, maybe a
laptop that moves. They are on different networks, behind different routers, and
none of them can reach the others directly without opening ports to the world.
WireGuard joins them into one private network. It builds an encrypted tunnel
between machines so that, once connected, the far machine looks like it is on the
same local network as you, even though the traffic crosses the public internet to
get there.
That is the trick that makes a hybrid setup work: a public front-end box can talk
to home hardware over the tunnel, so the home hardware never has to expose itself
to the open internet at all.
Why is “small” the selling point?
WireGuard’s reputation rests on what it leaves out. The codebase is deliberately
tiny compared to older VPN software, it uses a fixed set of modern cryptographic primitives
rather than a sprawl of options, and the configuration is short enough to read in
one sitting. Less code and fewer choices mean fewer places for bugs and
misconfiguration to hide, which is exactly what you want from the thing guarding
your private network.
In practice you often do not configure it by hand. Mesh tools build on top of
WireGuard and handle the key exchange and address assignment for you, so you get
the small, fast tunnel without managing every peer yourself. Underneath the
friendly tooling, the encrypted link is WireGuard doing the work.
Check it yourself
wg show
Lists the active tunnels, peers, and the time of the last handshake. A recent handshake means the link is up; a stale one means the peer is unreachable.
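The handshake check above can be scripted. The following is an added example, not part of the original page: it reads the tab-separated output of `wg show all latest-handshakes` (interface, peer public key, Unix time of the last handshake, 0 if none has happened) and labels each peer. The function names, the 180-second threshold and the sample keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify WireGuard peers by the age of their last handshake.
# Input lines have the shape printed by `wg show all latest-handshakes`:
#   <interface> TAB <peer public key> TAB <unix time of last handshake, 0 = never>

STALE_AFTER=180   # assumption: seconds without a handshake before a peer is flagged

# classify_handshakes NOW [THRESHOLD]: reads handshake lines on stdin and
# prints one tab-separated verdict per peer (ok / stale / never / malformed).
classify_handshakes() {
    awk -F '\t' -v now="$1" -v limit="${2:-$STALE_AFTER}" '
        NF != 3 || $3 !~ /^[0-9]+$/ { print "malformed\t" $0; next }
        $3 == 0            { print "never\t" $1 "\t" $2; next }
        (now - $3) > limit { print "stale\t" $1 "\t" $2 "\t" (now - $3) "s"; next }
                           { print "ok\t" $1 "\t" $2 "\t" (now - $3) "s" }
    '
}

# count_unhealthy NOW [THRESHOLD]: number of peers whose verdict is not "ok",
# suitable for a monitoring check that alerts on a non-zero result.
count_unhealthy() {
    classify_handshakes "$@" | awk -F '\t' '$1 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample input; the keys are placeholders, not real public keys.
sample_handshakes() {
    printf 'wg0\tPEER_KEY_HOME_PLACEHOLDER=\t1700000000\n'
    printf 'wg0\tPEER_KEY_LAPTOP_PLACEHOLDER=\t1699990000\n'
    printf 'wg0\tPEER_KEY_NEW_PLACEHOLDER=\t0\n'
}

# Live use (needs root and the wg tool installed):
#   wg show all latest-handshakes | classify_handshakes "$(date +%s)"
#
# Caveat: WireGuard sends nothing on an idle tunnel, so a peer without
# PersistentKeepalive can show an old handshake while still being reachable.
# Treat "stale" as a prompt to send traffic and check again.
```

A peer reported as `never` has not completed a handshake since the interface came up, which usually points at a key, endpoint or firewall problem rather than a dropped link.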
WireGuard is good for
Linking your own machines into one private network
Reaching home hardware from a remote box without exposing ports
An encrypted path that is fast and simple to reason about
Building blocks under mesh tools that handle key exchange for you
WireGuard is not for
Anonymising your browsing; that is a different goal entirely
Replacing TLS for public web traffic that strangers must reach
Routing public visitors to a site; that is a reverse proxy's job
Filtering what the network allows; that remains a firewall's job