WireGuard,
visually.

How a modern VPN builds an encrypted tunnel — the handshake, the routing, and a single packet's journey — stepped through one move at a time.

runs entirely in your browser illustrative crypto, faithful mechanics no server, no install
01 · The mental model

A peer is its public key.

WireGuard is famously small (~4,000 lines in the kernel) because it throws out negotiation. There are no cipher suites to agree on, no certificates, no connection states to manage. Each side is configured with one thing about the other: its static public key. Knowing a peer means knowing its public key — plus, optionally, where to reach it (an endpoint).

Initiator
💻 your laptop
public  
private  never leaves the device
tunnel   10.0.0.2/32
knows each
other's
public key
Responder
🖥️ VPN server
public  
private  never leaves the server
endpoint 198.51.100.7:51820
a keypair is the entire identity — rotate it and you are a different peer
That's the whole trust model. No CA, no PKI. If a packet decrypts cleanly with the key tied to a peer, it is that peer. Everything below builds on this: the handshake proves both sides hold the matching private keys, and routing decides which key a packet belongs to.
02 · The handshake

One round-trip, and the tunnel is live.

WireGuard uses the Noise IK handshake pattern. In exactly two messages, both peers authenticate each other and independently derive the same pair of session keys. The trick: every key exchange and every field gets folded into a running chaining key C and transcript hash H — so if anything differs, the final keys won't match. Step through it below.

Noise_IKpsk2 · Curve25519 (DH) · ChaCha20-Poly1305 (AEAD) · BLAKE2s (hash)
💻 Initiator
your laptop
🖥️ Responder
VPN server
— no message yet —
Press Next to begin.
chaining key  C
transcript hash  H
Ready
Both peers already hold each other's static public key. Step through the two-message handshake to see how they reach a shared secret.
step 0 / 11
Why this is clever. Four Diffie–Hellman operations combine every pairing of long-term and ephemeral keys. The ephemeral keys give forward secrecy (recording today's traffic is useless once they're discarded); the static keys give authentication. All four results feed one chaining key, so both sides converge on identical transport keys without ever transmitting a secret.
03 · Cryptokey routing

The routing table is keyed by public key.

Here is WireGuard's second big idea. Each peer carries an AllowedIPs list: the set of destination IP ranges that belong to it. To send a packet, WireGuard looks up the destination in this table by longest-prefix match — the winning entry names the peer, and therefore the key, to encrypt with. No match means no route: the packet is dropped. Inbound, the same table is a filter: a decrypted packet is only accepted if its source falls in that peer's AllowedIPs.

Your laptop's peer table. Type any destination IP (or pick one) to see where the packet goes.

peerendpointAllowedIPs
Enter a destination IP and route a packet.
One table, two jobs. The same AllowedIPs set is both the outbound routing table (which key encrypts this packet?) and the inbound access-control list (is this peer even allowed to claim this source IP?). That symmetry is why WireGuard needs no separate firewall rules to enforce which peer owns which addresses.
04 · A packet's journey

Wrap, send, unwrap.

Now put it together. A normal IP packet leaves an app on your laptop bound for 10.0.0.5 inside the tunnel. Watch it get routed to a peer, encrypted with that session key, wrapped in an ordinary UDP datagram, sent across the public internet, and reassembled on the far side. Press play.

💻
10.0.0.2
🖥️
198.51.100.7
outer UDP / IP datagram
src198.51.100.99:34512
dst198.51.100.7:51820
WireGuard transport message
type4 · data
receiver index0x3f1a­c2d8
counter (nonce)7
payload
inner IP packet (your real traffic)
src10.0.0.2
dst10.0.0.5
dataGET /status
Ready
A plaintext IP packet is sitting on your laptop, waiting to be sent into the tunnel.
step 0 / 8
It's just UDP. To any router in between, this is an unremarkable UDP datagram — no special protocol number, no handshake to fingerprint mid-stream. The receiver index tells the far side which session to use without an expensive key lookup, and the ever-increasing counter is the AEAD nonce and the replay-protection sequence number in one.
05 · Worth knowing

A few things that fall out for free.

Because identity is a key and routing is a lookup, several properties that are bolted-on complexity in other VPNs come naturally here.

Roaming

A peer is its key, not its IP. If your laptop jumps from Wi-Fi to cellular, the next valid packet simply updates the stored endpoint. The tunnel never drops.

Silence by default

An unauthenticated packet gets no reply at all. To a port scanner, a WireGuard endpoint is indistinguishable from a closed port — there's nothing to talk to.

Persistent keepalive

An optional tiny packet every N seconds keeps NAT mappings on stateful firewalls alive, so a peer behind NAT stays reachable without re-handshaking.

1-RTT, stateless-ish

The tunnel is usable after a single round-trip, and under load a cookie reply (MAC2) lets the responder stay stateless until a client proves it can receive.

The one-breath summary. Configure peers by public key, prove possession of the matching private keys in a two-message Noise handshake, derive symmetric session keys, then route every packet to a peer by longest-prefix match and ship the ciphertext inside plain UDP. That's WireGuard.