Skip to content

Conceptual overview

Before we get started with installing a wireguard server, we'll quickly give a general conceptual overview of what WireGuard is about. You can skip this section if you already know what is going on under the hood or don't care (and just want to have it running).

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it.

WireGuard works by adding a network interface, like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc). This interface acts as a tunnel interface. Routes for this network interface will be added automatically based on the configuration file you will learn about below. All aspects of this virtual interface will be configured automatically by the wg-tools.

WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:

  1. This packet is meant for Is this peer configured?

    1. Yes: peer adams-laptop. Continue with step 2.
    2. No: Not for any configured peer, drop the packet and end here.
  2. Encrypt the IP packet using peer adams-laptop's public key.

  3. What is the remote endpoint of peer adams-laptop? Let me look... Okay, the endpoint is host (UDP).
  4. Send encrypted data over the Internet to this host.

When the interface receives a packet from a peer, this happens:

  1. Received a packet from host Let's decrypt it!
  2. It decrypted and authenticated properly for peer evas-android. Okay, let's remember that peer evas-android's most recent Internet endpoint is (UDP).
  3. Once decrypted, the plain-text packet is from Is peer evas-android allowed to be sending us packets as
    1. Yes: accept the packet on the interface and process it (forwarding to further local client, into the Internet, etc.)
    2. No: drop it.

Behind the scenes there is much happening to provide proper privacy, authenticity, and perfect forward secrecy, using state-of-the-art cryptography.

If you're interested in the internal inner workings, you might be interested in reading through the various articles on their official website which is also where we took the vast majority of content in this guide from.