WireGuard Terminology

Here’s a quick primer on some common terms you’ll run across in the WireGuard world:

Host

Computer or other networked computing device, such as a server, laptop, mobile phone, tablet, or Internet of Things (IoT) device.

VPN

Acronym for Virtual Private Network: a logical network of hosts layered on top of other, physical networks (such as the physical networks that make up the Internet). Typically the communication between hosts in a VPN is encrypted, and is routed via private network addresses. This enables applications running on two hosts separated by multiple insecure, physical networks to communicate as if they had a direct, secure connection to one another.

Sometimes “VPN” is also used as shorthand for a VPN server.

VPN Server

Host that can route traffic from other hosts in a VPN to hosts outside of the VPN. For consumer-oriented VPNs, a VPN server usually routes traffic from the VPN to the Internet; for business VPNs, a VPN server usually routes traffic from the VPN to other private networks of the business.

With WireGuard, any host (if so configured) can act as a VPN server — the WireGuard protocol (and WireGuard software in general) does not have built-in server or client roles.

VPN Client

Host that is part of a VPN, but does not route traffic for other hosts in the VPN. Also may refer to the VPN software program itself.

Network Device

Generally any component that is physically or logically part of a network. From a software perspective, this may be a physical hardware device, such as an Ethernet card, or a virtual device that emulates the behavior of a physical network device.

WireGuard presents a virtual network device to each Host on which it runs, allowing the host’s software to interact with it exactly the same as if it were a physical network device.

Network Interface

Generally the connection point between two components of a network. From a software perspective, this is the connection point between a Network Device and the host’s software, allowing the Host to interact with the device. For example, the network interface for a physical network device, like an Ethernet card, allows a host to interact with the card, and access the network to which the card is connected.

The network interface for a WireGuard device allows the host to interact with the VPN the device represents, exactly the same as if it were the interface to a physical network device.

IP Address

Identifier assigned to each Network Interface (eg 10.0.0.1). An IP address uniquely identifies the interface both to the Host itself, as well as to other hosts to which it is connected.

Network Port

Identifier assigned to a specific remote process or service available at an IP Address. For example, a well-known DNS resolution service is available from Cloudflare on port 53 at IP address 1.1.1.1.

The default network port for WireGuard is 51820.

TCP

Acronym for Transmission Control Protocol (and also sometimes referred to as “TCP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.

UDP

Acronym for User Datagram Protocol (and also sometimes referred to as “UDP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.

WireGuard uses UDP, so if you are prompted to choose between TCP and UDP when setting up or troubleshooting firewalls or other network configuration for WireGuard, make sure you choose UDP for anything that’s supposed to identify or otherwise select WireGuard traffic.

Public Key Pair

AKA asymmetric key pair: A pair of cryptographic keys, one of which is called the “public” key, and the other the “private” or “secret” key. The pair can be used two ways: 1) one party can use the public key to encrypt data that only the party with the private key can decrypt; and 2) the party with the private key can use it to sign data such that another party can use the public key to verify that the data was signed with the private key.

The security of data encrypted or signed rests entirely with the private key being kept secret, and nothing else. The public key and data encrypted or signed by the private key can be exposed to the world without risk of the data being decrypted or forged, provided the private key remains secret.

WireGuard generates public key pairs via Curve25519. These pairs form the basis of WireGuard’s secure communication between members of a WireGuard VPN.

WireGuard

A state-of-the-art VPN technology. May refer to the WireGuard protocol, which is used to communicate between two hosts in a WireGuard VPN, or to software which implements the WireGuard protocol.

A WireGuard Virtual Private Network

WireGuard VPN Diagram

WireGuard VPN

A VPN built on WireGuard.

WireGuard Host

A Host running WireGuard.

WireGuard Interface

A Network Interface for a WireGuard virtual network device. Each WireGuard interface has a unique IP Address within a WireGuard VPN (and note that it is also different than any of the IP addresses used by other network interfaces on the same host).

WireGuard Endpoint

External IP Address and Network Port by which a WireGuard Interface can be reached on a remote Host. The IP Address for this endpoint is not in the WireGuard VPN of the peer — it is the public IP address of the remote host as it appears to the local host.

WireGuard Peer

Logical member of a WireGuard VPN. Each peer has its own Public Key Pair, and the public key from this pair is used to uniquely identify the peer.

A peer resides on a Host, and is exposed internally to the host through a WireGuard Interface. It’s exposed externally as a WireGuard Endpoint.

Multiple peers may reside on the same host; and a host may be part of multiple distinct WireGuard VPNs. The same peer may in fact be exposed through multiple different interfaces of the same host, or even on different hosts, as long as the peer appears only once per VPN. The general best practice, however, is to expose a peer through only one interface on only one host.

WireGuard Tunnel

The logical connection between one WireGuard Peer and another. From the perspective of software running on the connected hosts, network traffic from one peer to the other appears to be sent out the WireGuard Interface on one host, directly into the WireGuard Interface of the other host.

In reality, the traffic is encrypted and wrapped by the WireGuard interface on the first host, and sent out some other physical Network Interface on the host; is forwarded from host to host through various physical networks; is finally received on some physical interface of the destination host (matching the WireGuard Endpoint for destination peer); and is unwrapped, decrypted, and handed off to the network stack on the destination host as if it had come into its WireGuard interface from a direct physical connection.