//09 WireGuard

Modern UDP-based VPN, tiny attack surface.

The protocol the security community standardised on for clean networks. Lowest latency, lowest CPU overhead, kernel-accelerated where supported.

//01 Why this matters

Old VPN protocols are old for a reason.

OpenVPN was designed in 2001. IKEv2 in 2005. Both work, but both also have known issues — large codebases (50,000+ lines for OpenVPN), TCP-over-TCP performance penalties, intricate negotiation that's been the source of repeated CVEs. WireGuard is from 2018, written in <4000 lines of audited code, uses modern crypto primitives only, runs over UDP for lowest latency, and is now upstreamed into the Linux kernel. When your network isn't being actively censored, WireGuard is the right choice — fast, simple, hard to misconfigure.

//02 How it works

Stateless, UDP-only, kernel-fast.

WireGuard performs a 1-RTT handshake using Curve25519 + Blake2s + ChaCha20-Poly1305, then payload packets are stateless authenticated encryptions — no session resumption, no state to corrupt. On Linux (Android, server-side macOS), it runs inside the kernel for zero context-switch overhead. On iOS, it uses NetworkExtension's WireGuard implementation. On Windows, the official WireGuard-NT driver. We layer ML-KEM-768 on top for post-quantum protection (see the PQC page).

  • Cipher: ChaCha20-Poly1305
  • Handshake: Curve25519 + Blake2s + Noise framework
  • Transport: UDP, 1-RTT
  • PQ layer: ML-KEM-768 hybrid (see PQC page)

//03 Use cases

Where WireGuard shines.

01 Home and mobile networks without DPI

Most users, most of the time. WireGuard gives you the lowest possible latency and the smallest CPU footprint.

02 Battery-constrained mobile

Lower CPU = lower battery drain. WireGuard is the most efficient choice for always-on VPN on phones.

03 Site-to-site / always-on tunnels

Stateless design means no session expiry to handle, no reconnect overhead. Set it up once and forget it.

//04 What you get

Modern crypto, minimal complexity.

  • <4000 lines of audited code (vs 50k+ for OpenVPN)
  • Kernel-accelerated on supported platforms
  • 1-RTT handshake — fastest possible reconnect
  • Modern crypto only: ChaCha20, Curve25519, Blake2s, no legacy algorithms
  • Layered with ML-KEM-768 for post-quantum protection

//05 WireGuard FAQ

Common questions about WireGuard.

When does SecureFox use WireGuard vs VLESS?

WireGuard by default when the network allows UDP and isn't running deep packet inspection that targets WireGuard handshakes. VLESS + REALITY when DPI is in the way. The engine probes for 200 ms at connect time and picks.

Is WireGuard blocked in some countries?

Yes — China, Iran, and others have learned WireGuard's handshake signature and actively block it. That's exactly when we fall back to VLESS + REALITY.

Can WireGuard leak my real IP?

Not when the kill switch is on. WireGuard itself can briefly emit packets during the handshake, but our kill switch blocks any non-tunnel traffic at the OS firewall level, so even handshake retries can't leak.

Is WireGuard slower than no VPN?

Slightly — physical routing distance adds latency. The encryption overhead itself is under 3% throughput loss in our tests on modern devices.
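
The FAQ answer on blocking says DPI systems have learned WireGuard's handshake signature. The Python below is an added example, not SecureFox's code: it classifies UDP payloads by WireGuard's published message framing (a type byte, three zero bytes, fixed lengths), which is what makes the handshake recognisable on the wire. The function name and the sample packets are constructed for illustration.

```python
import struct

# Framing from the WireGuard protocol specification: byte 0 is the message
# type, bytes 1-3 are reserved zeros, and handshake messages have fixed sizes.
FIXED_SIZES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_TYPE = 4
TRANSPORT_HEADER = 16  # type(1) + reserved(3) + receiver index(4) + counter(8)
AEAD_TAG = 16          # Poly1305 authentication tag


def classify(payload: bytes):
    """Describe a UDP payload framed like a WireGuard message, else None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        if len(payload) != size:
            return None
        # First 32-bit field: sender index (types 1, 2) or receiver index (type 3).
        (index,) = struct.unpack_from("<I", payload, 4)
        return {"kind": name, "index": index}
    if msg_type == TRANSPORT_TYPE:
        body = len(payload) - TRANSPORT_HEADER - AEAD_TAG
        # Plaintext is zero-padded to a multiple of 16; a keepalive has body 0.
        if body < 0 or body % 16 != 0:
            return None
        receiver, counter = struct.unpack_from("<IQ", payload, 4)
        return {"kind": "transport_data", "index": receiver,
                "counter": counter, "plaintext_len": body}
    return None


# Constructed samples (zero filler, not captured traffic).
SAMPLES = [
    bytes([1, 0, 0, 0]) + struct.pack("<I", 0x11223344) + bytes(140),
    bytes([4, 0, 0, 0]) + struct.pack("<IQ", 7, 42) + bytes(16),  # keepalive
    b"\x16\x03\x01" + bytes(145),  # 148 bytes, but not WireGuard framing
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(len(sample), classify(sample))
```

Everything after the header fields is encrypted or key material, so a match here identifies the protocol but reveals nothing about the tunnel's contents.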

Try it free.

Anonymous mode gives you 1 GB every week, no account required. Sign up later for 2 GB.