WireGuard on Linux: Setting Up a Minimal, Modern VPN

Before you understand why WireGuard matters, it is important to understand what preceded it. Traditional VPN stacks often combine multiple protocols, multiple implementations, and a comparatively large amount of code. OpenVPN operates as a user-space daemon typically paired with a full TLS stack and cryptographic library. IPsec deployments commonly involve IKE (often IKEv2), the kernel XFRM/IPsec transform layer, and user-space keying daemons such as strongSwan or Libreswan. This layered, standards-driven architecture is powerful and flexible, but it also increases configuration complexity and expands the overall implementation and audit surface.

In their published cryptographic evaluation of IPsec, security researchers Niels Ferguson and Bruce Schneier wrote that “IPsec was a great disappointment to us,” arguing that its complexity made it difficult to analyze and reason about securely. Their critique focused on protocol design and negotiation machinery rather than on specific implementations, but it highlighted a recurring theme in security engineering: complexity increases the likelihood of subtle flaws. Over time, vulnerabilities have appeared not only in cryptographic primitives, but in protocol parsing, negotiation logic, state handling, and implementation edge cases across IPsec/IKE stacks and supporting components.

WireGuard, written by Jason A. Donenfeld and formally presented at the Network and Distributed System Security Symposium (NDSS) in 2017, set out to answer a different question: what is the minimum viable secure VPN protocol? The resulting design centers on a comparatively small codebase — roughly a few thousand lines of core cryptographic and protocol logic in the Linux kernel implementation — excluding surrounding integration and tooling. This reduction in protocol surface and implementation size makes manual review and formal analysis substantially more tractable compared to historically larger VPN stacks.

That philosophy of radical minimalism is not cosmetic. It is the load-bearing structure of WireGuard's entire security model.

Kernel Integration: Why "In the Kernel" Means Everything

On March 29, 2020, WireGuard was incorporated into the Linux 5.6 kernel release tree -- having been merged into Linus Torvalds' mainline tree on January 28 of that year after years of development and review. This matters far more than the typical announcement of a software release. When a networking component lives inside the kernel, it operates in a fundamentally different execution context than user-space software.

Consider what OpenVPN does when it encrypts a packet. A packet arrives from the network stack in kernel space. The kernel copies it across the user-space/kernel-space boundary into OpenVPN's process. OpenVPN encrypts it via OpenSSL, then copies the encrypted result back across that boundary into the kernel, which transmits it. That crossing is called a context switch, and it is not free. Each transition involves saving and restoring CPU state and may incur cache and TLB-related overhead depending on architecture and kernel configuration, introducing latency that compounds under high throughput scenarios.

WireGuard eliminates the user-space cryptographic processing path used by user-space VPN daemons such as OpenVPN. Encryption and decryption occur inside the kernel, avoiding repeated user/kernel boundary crossings for bulk packet processing. However, control-plane tooling (for example, wg or wg-quick) still executes in user space and communicates with the kernel via Netlink. The result is measurably lower latency and higher throughput -- particularly on multi-core systems, where WireGuard benefits from the Linux networking stack’s per-CPU processing model and lockless queue design, allowing cryptographic operations to scale efficiently with available cores under load.

To verify WireGuard is loaded on your system:

lsmod | grep wireguard

If it returns nothing, load it:

sudo modprobe wireguard

On kernels 5.6 and later, this is all that is needed. The module is part of the mainline tree under drivers/net/wireguard/. To observe what the kernel is actually doing at runtime, you can enable dynamic debug for the module:

sudo modprobe wireguard && echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control

The kernel will then emit verbose output to dmesg showing handshake events, packet processing, and key derivation steps in real time. This is a level of introspectability that is invaluable when troubleshooting or conducting a security audit.

The Cryptography: Opinionated by Design

One of the most controversial and, ultimately, most defensible decisions in WireGuard is what Donenfeld called "cryptographic opinionism." WireGuard does not negotiate ciphers. It does not present a menu of options. It uses exactly one cryptographic construction, and that construction is named precisely in the protocol specification:

Breaking it down: Noise provides formally analyzed authenticated key exchange via the IK pattern. IK means the initiator's static key is transmitted to the responder during the handshake; the responder's static key is already known to the initiator -- providing mutual authentication with identity hiding for the initiator. psk2 -- a pre-shared symmetric key optionally mixed into the key derivation at position 2, providing a post-quantum security layer. 25519 -- Curve25519 for all Diffie-Hellman operations. ChaChaPoly -- ChaCha20-Poly1305 for all authenticated encryption. BLAKE2s -- for all hashing and key derivation operations.

Curve25519 (designed by Daniel J. Bernstein) performs Elliptic-Curve Diffie-Hellman over a 255-bit prime field. Its implementation is deliberately constant-time, meaning the execution path does not vary based on key values. This eliminates an entire class of timing-based side-channel attacks that have plagued RSA and even some ECDSA implementations.

ChaCha20-Poly1305 serves as the Authenticated Encryption with Associated Data (AEAD) scheme for all data transport. Crucially, ChaCha20 performs competitively with AES-256-GCM even on processors that lack AES hardware acceleration -- making WireGuard appropriate for embedded systems, IoT devices, and older hardware without the performance cliff that AES-dependent VPNs suffer. Session keys are rotated every few minutes regardless of traffic volume to ensure perfect forward secrecy over time.

SipHash24 is used for hashtable keys within the kernel's data structures. Without a keyed hash for table lookups, an attacker who can predict hash collisions could force O(n) worst-case lookups in the peer table, enabling a CPU exhaustion attack. SipHash24 closes this vector entirely.

In 2019, researchers at INRIA produced a machine-checked security analysis of the WireGuard handshake using the CryptoVerif proof assistant. Their work modeled the Noise_IK-based construction used by WireGuard and verified its security properties under standard cryptographic assumptions, including the hardness of the Computational Diffie–Hellman (CDH) problem in the Curve25519 elliptic curve group and the security of ChaCha20-Poly1305 and BLAKE2s as ideal primitives. The proof applies to the formal protocol model rather than to the Linux kernel implementation, but it establishes that the handshake achieves mutual authentication, session key indistinguishability under chosen-ciphertext attack (IND-CCA), forward secrecy and resistance to certain key compromise scenarios within the formal protocol model, even under concurrent session execution. While other VPN technologies have undergone academic analysis, few have protocol designs this compact paired with a publicly documented, machine-verified proof of comparable scope and clarity.

The Handshake: 1-RTT Authentication Without State Accumulation

WireGuard's handshake was designed around a single principle: avoid allocating long-lived or expensive session state in response to unauthenticated packets. The server allocates no long-lived session state until the initiator has been cryptographically verified. This is achieved by a modified Noise_IK handshake construction (from the Noise protocol framework), optionally mixing in a preshared symmetric key, along with a cookie mechanism for DoS mitigation.

The initiator sends a MessageInitiation message of 148 bytes in the current protocol version (excluding UDP/IP headers):

msg = handshake_initiation {
    u8  message_type
    u8  reserved_zero[3]
    u32 sender_index
    u8  unencrypted_ephemeral[32]
    u8  encrypted_static[AEAD_LEN(32)]
    u8  encrypted_timestamp[AEAD_LEN(12)]
    u8  mac1[16]
    u8  mac2[16]
}

The unencrypted_ephemeral is a fresh Curve25519 public key generated for this handshake. The encrypted_static contains the initiator's long-term public key, encrypted using an AEAD key derived via the Noise handshake’s HKDF chaining process, which incorporates the Diffie–Hellman result between the ephemeral key and the responder's static public key. This means the initiator's identity is encrypted in the first message -- a passive network observer without prior knowledge of the initiator’s static key cannot directly determine who is calling. The encrypted_timestamp carries a TAI64N timestamp, which prevents replay of handshake initiation messages: the responder compares the timestamp against the most recently accepted value for that peer and rejects stale or replayed initiation attempts.

mac1 is computed using BLAKE2s keyed with a hash of the responder's public key. It allows the responder to verify that the sender knows the responder's public key without decrypting the message -- a fast outer check before expensive cryptographic processing. After two messages total, both sides have derived matching session keys using HKDF over the accumulated DH results.

Cryptokey Routing: Identity Fused with the Network Layer

WireGuard introduces an architectural concept that is genuinely novel among VPN implementations: the Cryptokey Routing Table. Every other VPN maintains some separation between "who authenticated" and "what IP addresses they use." WireGuard collapses these into a single, authoritative structure.

Each peer is identified by exactly one thing: its Curve25519 public key. That public key is then associated with a list of IP addresses -- the AllowedIPs field. This association is bidirectional and binding. When sending, the kernel looks up the destination IP in the cryptokey routing table and encrypts using the matching key or returns -ENOKEY. When receiving, after decryption, the kernel checks whether the inner packet's source IP matches the AllowedIPs entry for the peer whose key decrypted it -- if not, the packet is silently dropped.

The architectural consequence is significant: iptables rules written against a WireGuard interface benefit from cryptographic source-IP binding via the AllowedIPs mechanism. After decryption, packets are accepted only if their inner source address matches the configured cryptokey routing entry for that peer. While IPsec can also enforce policy using XFRM state and Security Policy Database (SPD) selectors, WireGuard tightly couples identity and routing in a simpler, directly inspectable structure that reduces configuration ambiguity.

[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <peer_A_public_key>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <peer_B_public_key>
AllowedIPs = 10.0.0.3/32, 192.168.100.0/24

Peer B, by virtue of having 192.168.100.0/24 in its AllowedIPs, is acting as a gateway for that subnet. Any decrypted traffic arriving with a source IP in that range is accepted only if it came from Peer B's key. There is no ambiguity and no way to forge this association. The cryptokey routing table is implemented as a trie (radix tree) in the kernel, supporting O(log n) longest-prefix-match lookups.

Step-by-Step: Building a Minimal Server-Client Tunnel

Kernel and Tools Verification

# Confirm kernel 5.6+
uname -r

# Debian/Ubuntu
sudo apt install wireguard-tools

# RHEL/Fedora
sudo dnf install wireguard-tools

# Arch Linux
sudo pacman -S wireguard-tools

Key Generation

# Generate server keypair
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

# Generate client keypair
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

# Generate optional pre-shared key for post-quantum protection
wg genpsk | sudo tee /etc/wireguard/psk_client1.key

# Lock down private key files immediately
sudo chmod 600 /etc/wireguard/server_private.key /etc/wireguard/client_private.key /etc/wireguard/psk_client1.key

The private key file must be readable only by root. At interface creation time, the private key is passed from user space to the kernel via Netlink and then stored in kernel memory as part of the WireGuard interface state. User-space tooling does not display it (wg show prints (hidden)), but administrators must still treat configuration files and key material in /etc/wireguard/ as sensitive. The key exists in user space prior to interface activation and must be protected accordingly.

Server Configuration

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <contents of /etc/wireguard/server_private.key>

# Routing prerequisites (runtime). For persistent settings, prefer /etc/sysctl.d/*.conf.
# Enable IPv4 forwarding (required for NAT/routed clients)
PostUp = sysctl -w net.ipv4.ip_forward=1

# Optional troubleshooting: strict reverse-path filtering can drop tunneled traffic on some hosts.
# Prefer loose mode (2) over disabling (0) if you need to adjust it.
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=2

# NAT and forwarding rules (legacy iptables). Replace eth0 with your egress interface.
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <contents of /etc/wireguard/client_public.key>
PresharedKey = <contents of /etc/wireguard/psk_client1.key>
AllowedIPs = 10.10.0.2/32

# If your firewall uses nftables (common on modern distros)
sudo nft add rule inet filter input udp dport 51820 accept

# Legacy systems using iptables
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Bring up the interface
sudo wg-quick up wg0

# Enable persistence across reboots
sudo systemctl enable --now wg-quick@wg0

Client Configuration

[Interface]
Address = 10.10.0.2/32
PrivateKey = <contents of /etc/wireguard/client_private.key>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents of /etc/wireguard/server_public.key>
PresharedKey = <contents of /etc/wireguard/psk_client1.key>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

DNS = 1.1.1.1 is a wg-quick convenience setting: it updates the system resolver only when your distribution uses a compatible integration (for example, systemd-resolved or resolvconf). It does not enforce DNS containment by itself; verify resolver behavior on your system and consider firewall-based egress controls if DNS confidentiality is part of your threat model.

PersistentKeepalive = 25 instructs WireGuard to send an authenticated keepalive packet if no traffic has been sent within the last 25 seconds. This is necessary when the client is behind NAT: without it, the NAT state table entry can expire and the server loses the ability to initiate contact with the client. The value 25 seconds is intentionally conservative -- consumer-grade NAT devices frequently use UDP mapping timeouts shorter than the two-minute minimum recommended in RFC 4787.

MTU: The Silent Performance Killer

WireGuard encapsulates each inner packet inside UDP and applies fixed transport framing with authenticated encryption. For IPv4 outer transport, encapsulation adds 20 bytes for the IPv4 header and 8 bytes for UDP, followed by WireGuard’s 32-byte transport data message (which already includes the Poly1305 authentication tag) — a total of 60 bytes of overhead. For IPv6 outer transport, the 40-byte IP header increases total overhead to 80 bytes.

MTU calculation (assuming 1500-byte Ethernet):
IPv4 outer transport → 1500 − 60 = 1440 maximum no-fragment MTU (assuming a 1500-byte path)
IPv6 outer transport → 1500 − 80 = 1420 maximum no-fragment MTU (assuming a 1500-byte path)

In real deployments, additional encapsulation layers (PPPoE, VLAN tagging, cloud overlay fabrics, GRE/IPIP tunnels, MPLS) can further reduce effective path MTU. For this reason, many operators intentionally select slightly smaller conservative values to provide headroom. 1420 is a widely used IPv4 default, while IPv6 deployments commonly use values in the 1400–1404 range depending on upstream characteristics.

Because WireGuard uses UDP as its outer transport, fragmentation behavior depends on the underlying network path and the Linux IP stack. Many middleboxes drop fragmented UDP packets or suppress ICMP “Fragmentation Needed” (IPv4) or “Packet Too Big” (IPv6) messages, resulting in silent black-holing rather than clean failure. WireGuard does not implement a separate encapsulation-layer path MTU discovery mechanism and instead relies on standard kernel IP behavior. Proper interface MTU selection — or TCP MSS clamping at the firewall layer in routed deployments — is therefore critical to prevent subtle throughput collapse and intermittent connectivity failures.

[Interface]
MTU = 1420

If you are operating over a path with a non-standard MTU (some cloud providers, PPPoE connections), a practical starting point is to set the WireGuard interface MTU to roughly path_MTU - 60 for IPv4 outer transport or path_MTU - 80 for IPv6 outer transport (IP + UDP + WireGuard transport overhead, excluding any additional encapsulation or IPv6 extension headers). You can discover path MTU using:

# IPv4 path MTU discovery (Linux DF-bit)
ping -M do -s 1450 <remote_ipv4>

# IPv6 path MTU discovery (no DF-bit; use ICMPv6 PTB)
ping -6 -s 1430 <remote_ipv6>

Decrease the payload size until probes succeed. For IPv4, if you see “Frag needed,” reduce -s until it works; the working payload size plus 28 bytes (20-byte IPv4 header + 8-byte ICMP) yields the path MTU. For IPv6, you’ll typically see “Message too long”; the working payload size plus 48 bytes (40-byte IPv6 header + 8-byte ICMPv6) yields the path MTU.

Verifying the Tunnel

sudo wg show wg0

A healthy, active tunnel looks like this:

interface: wg0
  public key: <server_pub_key>
  private key: (hidden)
  listening port: 51820

peer: <client_pub_key>
  preshared key: (hidden)
  endpoint: 203.0.113.42:54127
  allowed ips: 10.10.0.2/32
  latest handshake: 47 seconds ago
  transfer: 1.24 MiB received, 834.27 KiB sent

latest handshake should typically be recent during active traffic. WireGuard initiators rekey after roughly 120 seconds of key age (or upon certain counter thresholds), but only when traffic is flowing. If latest handshake shows (none), the peer has never completed a successful handshake. If it is stale (for example, many minutes or hours old) while you expect the tunnel to be active, treat it as a connectivity or configuration problem: the peer may be offline, UDP/51820 may be blocked, the NAT’s UDP mapping may have expired (common for clients behind NAT without PersistentKeepalive, preventing the server from initiating packets until the client sends traffic again), or the endpoint IP:port may no longer be reachable.

The endpoint field is not fixed. WireGuard supports endpoint roaming: when a peer receives a valid, authenticated packet from the other side, it may update the stored outer source IP:port and use it for subsequent transmissions. This allows a client to move between networks (for example, Wi-Fi to cellular) without manual reconfiguration. Roaming does not eliminate cryptographic freshness requirements — handshakes and rekeys still occur as normal — but endpoint updates are driven strictly by authenticated traffic rather than out-of-band signaling.

# In a full-tunnel configuration (AllowedIPs = 0.0.0.0/0, ::/0), this should return your VPN server IP
curl ifconfig.me

# Inspect kernel routing
ip route show table main
ip route show dev wg0

Silence is a Virtue: WireGuard's Probe Surface

WireGuard does not respond to unauthenticated or invalid handshake messages. In typical configurations, this results in no application-layer response to arbitrary UDP probes — no banner, no connection refusal, no identifiable handshake traffic of the kind OpenVPN’s control channel emits when probed. Scanners generally report the port as “filtered,” though actual results depend on host firewall rules and network path behavior. This silence reduces opportunistic discovery, but it is not a concealment mechanism in the cryptographic sense.

nmap -sU -p 51820 <server_ip>

Expect no response and a “filtered” result. If the port shows “open” or returns any application-layer data, verify your firewall rules — something in the path is responding when it should not be.

The Pre-Shared Key: Hybrid Keying for Forward-Looking Resilience

The optional pre-shared key (PSK) is a 256-bit symmetric key mixed into the HKDF key derivation during the handshake. Its security contribution is additive: session keys depend on both the elliptic-curve Diffie–Hellman exchange and the PSK. This provides hybrid keying — an attacker must compromise both the public-key exchange and the symmetric secret to decrypt traffic. While this does not make WireGuard a formally standardized post-quantum protocol, it strengthens resilience against future public-key breakthroughs as well as certain classes of implementation or key-compromise failure.

The threat model addressed here is commonly described as “harvest now, decrypt later.” An adversary with large-scale passive collection capability can record encrypted traffic today and retain it indefinitely, with the expectation that future advances in quantum computing — specifically large-scale implementations of Shor’s algorithm — could compromise elliptic-curve Diffie–Hellman and expose archived session keys. By mixing a 256-bit pre-shared symmetric key into the HKDF during the handshake, WireGuard adds an additional secret that is not dependent on public-key assumptions. While symmetric cryptography is not immune to quantum speedups, Grover’s algorithm provides at most a quadratic reduction in brute-force search complexity, so in theory a 256-bit symmetric key would require on the order of 2^128 quantum operations to exhaust. This is a theoretical bound rather than a formal security classification, but it remains far beyond any currently plausible quantum capability. As a result, even if Curve25519 were someday rendered vulnerable to quantum attacks, previously captured traffic would remain confidential unless the pre-shared key were also compromised.

wg genpsk

The generated value is a base64-encoded 32-byte (256-bit) random key. Add it to both server and client configurations under the [Peer] block as PresharedKey = <value>. This pre-shared key (PSK) is mixed into the handshake key derivation as an additional symmetric secret, so it must be distributed securely and independently of the public keys — ideally via an out-of-band channel such as an encrypted password manager, a secure file transfer mechanism, or physically transferred media. Store PSKs with restrictive file permissions (for example, chmod 600 on key files) and rotate them if compromise is suspected. Updating a PSK requires coordinated changes on both peers; mismatched PSKs will prevent successful handshakes.

Namespace Isolation: The Advanced Pattern

For production deployments where strict traffic containment is required, WireGuard interfaces can be isolated inside a dedicated Linux network namespace. A network namespace maintains its own interfaces, routing table, firewall rules, ARP/neighbor tables, and connection tracking state. When properly configured, this prevents applications running inside the namespace from bypassing the tunnel by using routes available in the host (default) namespace.

It is critical to understand the boundary: namespaces isolate networking state, not processes automatically. Only applications explicitly executed inside the namespace (for example via ip netns exec or systemd namespace binding) will use the namespace’s routing table; processes started outside the namespace will continue using the host network stack. DNS resolution must also be handled explicitly. Unless you provide a namespace-scoped resolver configuration, applications may continue consulting the host’s resolver settings (via /etc/resolv.conf or a local stub resolver), which can leak DNS queries outside the tunnel.

# Create a dedicated network namespace
sudo ip netns add vpn

# Provide namespace-specific DNS configuration (used by processes launched with ip netns exec)
sudo mkdir -p /etc/netns/vpn
echo "nameserver 1.1.1.1" | sudo tee /etc/netns/vpn/resolv.conf

# Create WireGuard interface in default namespace
sudo ip link add dev wg0 type wireguard

# Configure keys and peers
sudo wg setconf wg0 /etc/wireguard/wg0.conf

# Move interface to vpn namespace
sudo ip link set wg0 netns vpn

# Configure IP address inside namespace
sudo ip netns exec vpn ip address add 10.10.0.2/32 dev wg0

# Set default route inside namespace through the tunnel
sudo ip netns exec vpn ip route add default dev wg0

# Bring up interface
sudo ip netns exec vpn ip link set wg0 up

Applications launched with sudo ip netns exec vpn <command> will route exclusively through the WireGuard tunnel as long as they are started inside the namespace. This pattern eliminates split-tunnel bypass for those processes and, when paired with a namespace-scoped resolv.conf, prevents DNS queries from leaking via the host resolver. Validate containment by checking both egress IP and DNS behavior from inside the namespace (for example, curl ifconfig.me and a DNS lookup using your preferred tooling).

A Note on CVE-2024-26861 and Kernel Security

WireGuard's small codebase does not make it immune to bugs. In early 2024, CVE-2024-26861 was discovered and patched — a data race condition in WireGuard's packet receive path. The issue involved keypair->receiving_counter.counter being accessed concurrently from interrupt context and a workqueue without proper memory ordering annotations. The fix applied READ_ONCE() and WRITE_ONCE() macros to enforce correct memory visibility semantics across CPU cores.

The disclosure is instructive. The bug was found by KCSAN (the Kernel Concurrency Sanitizer) and Syzkaller — automated kernel fuzzing tools, not an attacker. There was no public evidence at the time of disclosure that this race condition was being exploited in the wild or that it was reliably weaponizable for code execution. The patch was delivered through the standard upstream kernel security process. And the smallness of WireGuard's codebase means the fix was a matter of adding two annotations to a handful of lines, verifiable in minutes by anyone reading the diff. Compare this to the OpenVPN or OpenSSL CVE history and the gap in organizational risk becomes clear.

# Check current kernel
uname -r

# Debian/Ubuntu
sudo apt update && sudo apt upgrade

# RHEL/Fedora
sudo dnf upgrade kernel

Quick Reference: Essential Commands

# Generate keys
wg genkey | tee private.key | wg pubkey > public.key
wg genpsk > preshared.key

# Interface management
sudo wg-quick up wg0
sudo wg-quick down wg0
sudo systemctl enable --now wg-quick@wg0

# Status and diagnostics
sudo wg show
sudo wg show wg0
sudo wg showconf wg0
ip link show wg0
ip address show wg0

# Runtime peer management (no config file restart needed)
sudo wg set wg0 peer <pubkey> allowed-ips 10.10.0.3/32 endpoint 203.0.113.50:51820
sudo wg set wg0 peer <pubkey> remove

# Debug kernel output
sudo dmesg | grep wireguard
echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control

# MTU discovery
ping -M do -s 1450 <destination>

The Deeper Lesson

VPN technology spent three decades accumulating complexity under the assumption that flexibility and negotiation were virtues. IKEv2 can negotiate dozens of cipher suites. OpenVPN supports multiple backends, multiple transports, and a certificate authority model inherited from web TLS. Each of these options represented a decision point -- and every decision point is a potential misconfiguration, a negotiation downgrade, an exploitable state machine transition.

WireGuard's contribution to the field is not just technical. It is philosophical. It demonstrates that security software can be minimal by design, not by accident. It demonstrates that you can formally verify a protocol, fit it in kernel space, achieve higher performance than all predecessors, and still have the whole thing auditable by a skilled individual rather than a committee. The willingness to restrict -- to say "there is one cipher suite, one handshake pattern, one routing model" -- is what made all of this possible.

When you run sudo wg show wg0 and see a handshake timestamp, transfer counters, and a peer key, you are looking at the output of a system designed from first principles to be nothing more than it needs to be. In a field where complexity has historically been weaponized against defenders, that is not a limitation. That is the point.