WireGuard is a new VPN Layer 3 protocol designed for speed and simplicity. It performs nearly as fast as hardware-accelerated IPsec and has only a small number of options in its configuration.
Due to this simplicity, WireGuard lacks many of the conveniences of more complicated VPN types which can help automate large deployments. Thus, while its performance scales well, the management can become cumbersome for large numbers of peers.
WireGuard behaves unlike other traditional VPN types in several ways:
It operates completely in the kernel
Configuration is placed directly on the interfaces
It has no concept of connections or sessions
There is no “status” of the VPN (e.g. it isn’t considered up or down, it has no visible timers, etc.)
It has no facilities for user authentication
There is no service daemon to stop or start
There is minimal logging from the kernel
It does not bind to a specific interface or address on the firewall, it accepts traffic to any address on the firewall on its specified port
That said, due to the simplicity of the configuration, there is little to go wrong and thus little need for logging or status.
WireGuard instances consist of a tunnel and one or more peer definitions which contain of the necessary keys and other configuration data.
WireGuard interfaces carry Layer 3 information and above.