WireGuard Modern kernel-speed VPN, ~4,000 lines of code
A VPN protocol small enough to audit in an afternoon and fast enough to saturate a gigabit link.
A modern VPN protocol designed by Jason Donenfeld, merged into the mainline Linux kernel in version 5.6 (2020). Uses a fixed, opinionated cryptographic suite — Curve25519, ChaCha20, Poly1305, BLAKE2s — runs entirely over UDP, and authenticates peers by static public keys. The reference implementation is under 4,000 lines of code, an order of magnitude smaller than OpenVPN or IPsec.
A "personal VPN on a VPS" is our most common entry use-case.
A meaningful share of new customers buy a 1 GB entry-tier VPS for exactly one job: spin up WireGuard, point their laptop and phone at it, and stop trusting whichever consumer VPN brand they were paying €12 a month to. The math is unanswerable — a VPS at €4/month routes the customer's traffic from an IP that belongs to them, not from a pool shared with thousands of strangers and pre-flagged on every captcha gauntlet on the web.
WireGuard is the right protocol for this job because it is fast, simple and ships inside the kernel of every modern Linux distribution. There is no PKI to manage, no certificate authority to babysit, no obscure cipher negotiation. Two public keys, two endpoints, an allowed-IPs line, and the tunnel is up. The configuration file is short enough to commit to a git repo without embarrassment.
Operationally we recommend WireGuard for: personal browsing privacy, remote access to home or office networks, secure links between VPSes in different regions, and split-tunnel setups where only specific destinations transit the VPN. The use-case page and the walk-through guide cover the wallet of common patterns.
The pages that lean on this term.
The questions people actually ask.
How is WireGuard different from OpenVPN?
WireGuard runs in kernel space, uses a fixed modern cryptographic suite, and has a codebase about ten times smaller than OpenVPN. The practical result is throughput that saturates a gigabit link with modest CPU, single-digit-millisecond handshake latency and a configuration file you can read in one sitting. OpenVPN remains useful for environments that require certificate-based PKI or TCP fallback over port 443; WireGuard wins on raw performance, audit surface and operational simplicity.
Is WireGuard private?
WireGuard encrypts and authenticates all traffic between peers using modern cryptography (Curve25519 for key exchange, ChaCha20-Poly1305 for the data channel). A passive observer on the wire sees only UDP packets between two IPs and cannot read the contents. WireGuard does not, however, hide that two specific peers are talking; tooling like obfsproxy or Tor is required for that layer of privacy.
Can I run my own WireGuard server on a NordBastion VPS?
Yes — this is one of the most popular use-cases for entry-tier VPS plans on the site. A 1 GB RAM, single-vCPU node will comfortably terminate WireGuard for a small team or a household. The walk-through guide takes about fifteen minutes from "I just received my root password" to "my phone is browsing through the VPS".
Does WireGuard work on mobile?
Yes. Official WireGuard apps are published for iOS and Android, both well-maintained and free of trackers. The roaming behaviour — keeping the tunnel alive across Wi-Fi/cellular transitions and IP changes — is one of the protocol's standout properties and works essentially transparently on modern phones.