WireGuard
WireGuard is the modern minimalist VPN. There is no separate handshake animation here: peers are pre-keyed at config time with each other's static Curve25519 public keys, so there is no cipher negotiation, certificate exchange or identity discovery to show. WireGuard does still run a 1-RTT Noise IK handshake when a peer first needs to send, and repeats it to rotate session keys roughly every two minutes, but nothing about it is configurable. Instead the animation renders 3 peers in a mesh with packets bouncing between them on always-encrypted channels.
Animation
Engineering pitfalls
Endpoint roaming and persistent keepalive
WireGuard supports endpoint roaming: a peer updates the endpoint it has stored for a remote peer whenever an authenticated packet arrives from a new source address, so a laptop that changes networks is re-learned automatically. The catch is that the peer behind NAT has to send first. Nothing else creates or refreshes its NAT mapping, and the peer with the stable endpoint can only reply to the last address it saw. Without `PersistentKeepalive` on the NAT side (25 seconds is the usual value), the mapping expires after a short idle period, the stable peer's packets are discarded by the NAT, and nothing on the stable side reports an error until the NAT peer next sends something. Roaming breaks silently.
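The failure mode above, as an added toy model (not WireGuard project code): a peer behind a stateful UDP NAT talks to a peer with a stable public endpoint. The stable side learns the roaming address only from authenticated packets the NAT side sends, and only a keepalive interval shorter than the NAT's idle timeout keeps the return path open. The config text, addresses, timeouts and the `roaming-key` / `attacker-key` labels are constructed for the example.

```python
"""Added example (not WireGuard project code): a toy model of a peer behind
NAT talking to a peer with a stable public endpoint. It shows why the stable
side learns the roaming address only when the NAT side sends, and why
PersistentKeepalive keeps the NAT mapping alive between bursts. Addresses,
timeouts and the config text below are constructed."""
import re
from typing import Optional

# Constructed wg-quick config for the peer behind NAT. Only this side needs
# PersistentKeepalive; the stable peer's config has no Endpoint line at all.
ROAMING_CONF = """\
[Interface]
PrivateKey = <roaming-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <stable-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
"""


def keepalive_interval(conf: str) -> Optional[int]:
    """PersistentKeepalive value from a config, or None if unset or 0 (off)."""
    m = re.search(r"^\s*PersistentKeepalive\s*=\s*(\d+)", conf, re.M)
    if not m or int(m.group(1)) == 0:
        return None
    return int(m.group(1))


class Nat:
    """Stateful UDP NAT: a mapping lives `timeout` seconds after the last
    outbound packet; inbound packets with no live mapping are dropped."""
    def __init__(self, external_addr: str, timeout: int):
        self.external_addr, self.timeout, self.last_outbound = external_addr, timeout, None

    def send_out(self, now: int) -> str:
        self.last_outbound = now          # creates or refreshes the mapping
        return self.external_addr

    def deliver_in(self, now: int) -> bool:
        return self.last_outbound is not None and now - self.last_outbound <= self.timeout


class StablePeer:
    """The peer with a fixed public endpoint. Like WireGuard, it updates the
    remembered endpoint of a peer whenever an authenticated packet arrives
    from a new source address (authenticity is modeled by the sender's key)."""
    def __init__(self, known_key: str):
        self.known_key, self.endpoint = known_key, None

    def receive(self, src_addr: str, peer_key: str) -> bool:
        if peer_key != self.known_key:
            return False           # would fail MAC/decryption: ignored, endpoint untouched
        self.endpoint = src_addr   # roaming: learn the new address
        return True


def run(keepalive: Optional[int], nat_timeout: int = 30, reply_at: int = 100) -> dict:
    """NAT peer sends at t=0, stable peer replies at `reply_at`, then the NAT
    peer roams to a new NAT at t=120 and sends again."""
    nat = Nat("203.0.113.7:40000", nat_timeout)
    server = StablePeer("roaming-key")
    server.receive(nat.send_out(0), "roaming-key")
    if keepalive:   # keepalives are emitted by the NAT side only
        for t in range(keepalive, reply_at, keepalive):
            server.receive(nat.send_out(t), "roaming-key")
    reply_delivered = server.endpoint == nat.external_addr and nat.deliver_in(reply_at)
    # roam: new network, new NAT, new external address; the peer sends first
    nat2 = Nat("198.51.100.9:51000", nat_timeout)
    server.receive(nat2.send_out(120), "roaming-key")
    # a spoofed packet from the old address cannot move the endpoint back
    server.receive("203.0.113.7:40000", "attacker-key")
    return {"reply_delivered": reply_delivered, "endpoint_after_roam": server.endpoint}


if __name__ == "__main__":
    print("no keepalive:", run(None))
    print("keepalive=25:", run(keepalive_interval(ROAMING_CONF)))
```

With `nat_timeout=30` the reply at t=100 is delivered only when the NAT side sends keepalives (here at t=25, 50, 75); without them the NAT silently drops it even though the stable peer still holds a correct-looking endpoint. The endpoint update on roaming succeeds because the model, like WireGuard, only trusts authenticated packets.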
Allowed-IPs is also a routing rule
Each peer's `AllowedIPs` is two rules in one: a routing rule ("encrypt packets for these destinations to this peer") and a cryptokey-routing filter ("after decryption, keep a packet from this peer only if its source address lies in these prefixes"). Outbound, the longest matching prefix picks the peer; a prefix can belong to only one peer at a time, and assigning it to a second peer silently moves it. Misalign the two sides and you get asymmetric routing, or packets that authenticate and decrypt correctly and are then dropped without a trace.
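The two-rules-in-one behaviour, as an added model (not WireGuard project code) of the cryptokey routing table: the same entries select the outbound peer by longest-prefix match and decide whether a decrypted packet's source address is accepted from the peer it came from. The hub/laptop/office-gateway names, prefixes and addresses are constructed; the "weak" table lists only the gateway's tunnel address, the "fixed" one also lists the LAN behind it.

```python
"""Added example (not WireGuard project code): a model of WireGuard's
cryptokey routing table. The same AllowedIPs entries pick the peer a packet
is encrypted to (longest-prefix match) and decide whether a decrypted
packet's source address is accepted from the peer it came from. Peer names,
prefixes and addresses below are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class CryptokeyRouter:
    def __init__(self, peers: Dict[str, List[str]]):
        # A prefix can belong to only one peer; configuring it on a later peer
        # silently moves it, as `wg set ... allowed-ips` does.
        self.table = {}
        for peer, prefixes in peers.items():
            for prefix in prefixes:
                net = ip_network(prefix, strict=False)
                if net in self.table and self.table[net] != peer:
                    print(f"warning: {net} moved from {self.table[net]} to {peer}")
                self.table[net] = peer

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Route: the peer owning the longest prefix that contains dst, or
        None (no route: the packet is dropped before encryption)."""
        addr = ip_address(dst)
        best = None
        for net, peer in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, src: str, from_peer: str) -> bool:
        """Filter: a decrypted packet is kept only if its source address is
        routed back to the same peer; otherwise it is dropped silently."""
        return self.outbound_peer(src) == from_peer


# Hub (10.0.0.1) with a laptop and an office gateway that has the LAN
# 192.168.10.0/24 behind it. WEAK lists only the gateway's tunnel address.
WEAK = {"laptop": ["10.0.0.2/32"], "office-gw": ["10.0.0.3/32"]}
FIXED = {"laptop": ["10.0.0.2/32"], "office-gw": ["10.0.0.3/32", "192.168.10.0/24"]}


def check_office_lan(peers: Dict[str, List[str]]) -> Tuple[Optional[str], bool, bool]:
    """(peer chosen for a LAN host, LAN reply accepted from office-gw,
    office-gw allowed to send packets claiming the laptop's address)."""
    router = CryptokeyRouter(peers)
    return (
        router.outbound_peer("192.168.10.20"),
        router.accept_inbound("192.168.10.20", "office-gw"),
        router.accept_inbound("10.0.0.2", "office-gw"),
    )


def duplicate_prefix_owner() -> Optional[str]:
    """The same /32 on two peers ends up owned by the last one configured."""
    return CryptokeyRouter({"a": ["10.0.0.9/32"], "b": ["10.0.0.9/32"]}).outbound_peer("10.0.0.9")


if __name__ == "__main__":
    print("weak :", check_office_lan(WEAK))    # (None, False, False)
    print("fixed:", check_office_lan(FIXED))   # ('office-gw', True, False)
```

With the weak table the hub has no route to a LAN host, and a reply from the LAN that does arrive via the gateway is decrypted and then discarded because 192.168.10.20 is not routed to `office-gw`. The third value stays `False` in both cases: that is the security property of cryptokey routing, a peer cannot inject packets with another peer's source address. The gateway's own config must mirror this (its `AllowedIPs` for the hub covering the tunnel subnet, and IP forwarding enabled) or routing is asymmetric in the other direction.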
No revocation — rotate keys to revoke
WireGuard has no certificates, so there is no CRL or OCSP equivalent. To revoke a peer, remove its public key from every peer that lists it: `wg set wg0 peer <pubkey> remove` on the live interface, plus the `[Peer]` stanza in the config file so the removal survives a restart. If you suspect a private key has leaked, revoking that one peer is the minimum; because you rarely know what else was exposed alongside it (preshared keys, other peers' configs), plan key rotation for the whole mesh.
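Revocation and rotation together, as an added example (not WireGuard project code): the script deletes a peer's `[Peer]` stanza from a wg-quick config and mints a replacement key pair with a pure-Python X25519 (RFC 7748, the curve cited below) encoded the way `wg genkey` and `wg pubkey` emit keys. The config text, the `<...>` key labels and the interface name `wg0` are constructed; the ladder uses plain branches for readability, so unlike the kernel's constant-time implementation it is for study, not for production key generation.

```python
"""Added example (not WireGuard project code): revoke a peer by deleting its
[Peer] stanza from a wg-quick config, and mint a replacement key pair with a
pure-Python X25519 (RFC 7748) encoded the way `wg genkey` and `wg pubkey`
emit keys. The config text and <...> key labels are constructed; the ladder
below uses plain branches for readability, so unlike the kernel's
constant-time code it is for study, not for production key generation."""
import base64
import os
from typing import List, Tuple

P = 2**255 - 19
BASE_POINT = (9).to_bytes(32, "little")
Section = Tuple[str, List[Tuple[str, str]]]

# Constructed hub config with two peers.
SERVER_CONF = """\
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <laptop-pubkey>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <office-pubkey>
AllowedIPs = 10.0.0.3/32, 192.168.10.0/24
"""


def parse_conf(text: str) -> List[Section]:
    """Minimal wg-quick parser that keeps repeated [Peer] sections in order
    (configparser cannot: it rejects duplicate section names)."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        else:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def render_conf(sections: List[Section]) -> str:
    return "\n".join(f"[{name}]\n" + "".join(f"{k} = {v}\n" for k, v in kv)
                     for name, kv in sections)


def revoke(text: str, pubkey: str) -> str:
    """Drop every [Peer] whose PublicKey matches. This only edits the file; on
    a live interface also run `wg set wg0 peer <pubkey> remove`."""
    kept = [s for s in parse_conf(text)
            if not (s[0] == "Peer" and ("PublicKey", pubkey) in s[1])]
    return render_conf(kept)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 section 5 Montgomery ladder over Curve25519 (not constant-time)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64            # clamp the scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)  # ignore the top bit
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> Tuple[str, str]:
    """(private, public) in base64, as `wg genkey | tee priv | wg pubkey` would."""
    priv = bytearray(os.urandom(32))
    priv[0] &= 248; priv[31] &= 127; priv[31] |= 64   # wg genkey clamps too
    pub = x25519(bytes(priv), BASE_POINT)
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()


def pubkey_of(priv_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(priv_b64), BASE_POINT)).decode()


def self_check() -> bool:
    """RFC 7748 section 6.1 vector (Alice's keys) plus DH symmetry with a fresh pair."""
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    vector_ok = x25519(alice, BASE_POINT).hex() == \
        "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    dh = lambda priv, pub: x25519(base64.b64decode(priv), base64.b64decode(pub))
    return vector_ok and dh(a_priv, b_pub) == dh(b_priv, a_pub)


if __name__ == "__main__":
    print(revoke(SERVER_CONF, "<laptop-pubkey>"))
    priv, pub = generate_keypair()
    print("new peer:", priv, pub, "self-check:", self_check())
```

Rotation is then the same edit in reverse: append a new `[Peer]` stanza carrying the new public key on every peer that should talk to the rotated one, and install the new private key on that peer; removing the old stanza and adding the new one in the same change avoids a window in which both keys are valid.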
References
Primary sources
- Donenfeld, J. A. — WireGuard: Next Generation Kernel Network Tunnel. NDSS 2017 (whitepaper).
- RFC 7748 — Elliptic Curves for Security (Curve25519 / X25519, used by WireGuard for key agreement).
- RFC 7539 — ChaCha20 and Poly1305 for IETF Protocols (obsoleted by RFC 8439; ChaCha20-Poly1305 is WireGuard's transport AEAD).