Here’s a quick primer on some common terms you’ll run across in the WireGuard world:
Host
Computer or other networked computing device, such as a server, laptop, mobile phone, tablet, or Internet of Things (IoT) device.
VPN
Acronym for Virtual Private Network: a logical network of hosts layered on top of other, physical networks (such as the physical networks that make up the Internet). Typically the communication between hosts in a VPN is encrypted, and is routed via private network addresses. This enables applications running on two hosts separated by multiple insecure, physical networks to communicate as if they had a direct, secure connection to one another.
Sometimes “VPN” is also used as shorthand for a VPN server.
VPN Server
Host that can route traffic from other hosts in a VPN to hosts outside of the VPN. For consumer-oriented VPNs, a VPN server usually routes traffic from the VPN to the Internet; for business VPNs, a VPN server usually routes traffic from the VPN to other private networks of the business.
With WireGuard, any host (if so configured) can act as a VPN server — the WireGuard protocol (and WireGuard software in general) does not have built-in server or client roles.
VPN Client
Host that is part of a VPN, but does not route traffic for other hosts in the VPN. Also may refer to the VPN software program itself.
Network Device
Generally any component that is physically or logically part of a network. From a software perspective, this may be a physical hardware device, such as an Ethernet card, or a virtual device that emulates the behavior of a physical network device.
Network Interface
Generally the connection point between two components of a network. From a software perspective, this is the connection point between a Network Device and the host’s software, allowing the Host to interact with the device. For example, the network interface for a physical network device, like an Ethernet card, allows a host to interact with the card, and access the network to which the card is connected.
Network Port
Identifier assigned to a specific remote process or service available at an IP Address. For example, a well-known DNS resolution service is available from Cloudflare on port 53 at IP address 1.1.1.1.
The default network port for WireGuard is 51820.
TCP
Acronym for Transmission Control Protocol (and also sometimes referred to as “TCP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.
UDP
Acronym for User Datagram Protocol (and also sometimes referred to as “UDP/IP”): a standard protocol for exchanging network traffic. Most network traffic takes the form of either TCP or UDP packets.
WireGuard uses UDP, so if you are prompted to choose between TCP and UDP when setting up or troubleshooting firewalls or other network configuration for WireGuard, make sure you choose UDP for anything that’s supposed to identify or otherwise select WireGuard traffic.
Public Key Pair
AKA asymmetric key pair: A pair of cryptographic keys, one of which is called the “public” key, and the other the “private” or “secret” key. The pair can be used two ways: 1) one party can use the public key to encrypt data that only the party with the private key can decrypt; and 2) the party with the private key can use it to sign data such that another party can use the public key to verify that the data was signed with the private key.
The security of data encrypted or signed rests entirely with the private key being kept secret, and nothing else. The public key and data encrypted or signed by the private key can be exposed to the world without risk of the data being decrypted or forged, provided the private key remains secret.
WireGuard Interface
A Network Interface for a WireGuard virtual network device. Each WireGuard interface has a unique IP Address within a WireGuard VPN (and note that it is also different than any of the IP addresses used by other network interfaces on the same host).
WireGuard Endpoint
External IP Address and Network Port by which a WireGuard Interface can be reached on a remote Host. The IP Address for this endpoint is not in the WireGuard VPN of the peer — it is the public IP address of the remote host as it appears to the local host.
WireGuard Peer
Multiple peers may reside on the same host; and a host may be part of multiple distinct WireGuard VPNs. The same peer may in fact be exposed through multiple different interfaces of the same host, or even on different hosts, as long as the peer appears only once per VPN. The general best practice, however, is to expose a peer through only one interface on only one host.
The logical connection between one WireGuard Peer and another. From the perspective of software running on the connected hosts, network traffic from one peer to the other appears to be sent out the WireGuard Interface on one host, directly into the WireGuard Interface of the other host.
In reality, the traffic is encrypted and wrapped by the WireGuard interface on the first host, and sent out some other physical Network Interface on the host; is forwarded from host to host through various physical networks; is finally received on some physical interface of the destination host (matching the WireGuard Endpoint for destination peer); and is unwrapped, decrypted, and handed off to the network stack on the destination host as if it had come into its WireGuard interface from a direct physical connection.
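The endpoint and peer entries above imply two checks you can run on a configuration: an Endpoint address should not fall inside the VPN's own address range, and a peer (identified by its public key) should appear only once per interface. The following is an added example, not part of the original page; the sample config, its placeholder keys, and the function names are constructed for illustration.

```python
import ipaddress
# Constructed sample wg-quick style config; keys and addresses are placeholders.
SAMPLE = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <placeholder-peer-A>
Endpoint = 203.0.113.2:51820
[Peer]
PublicKey = <placeholder-peer-B>
Endpoint = 10.0.0.3:51820
[Peer]
PublicKey = <placeholder-peer-A>
Endpoint = 198.51.100.7:51820
"""

def parse_sections(text):
    """Return [(section, {key: value})]; [Peer] repeats, so configparser won't do."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys end in '=': split once
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint(text):
    """Flag peers listed twice and Endpoints that sit inside the VPN's own range."""
    sections = parse_sections(text)
    vpn_nets = [ipaddress.ip_interface(a.strip()).network
                for name, kv in sections if name == "Interface"
                for a in kv.get("Address", "").split(",") if a.strip()]
    findings, seen = [], set()
    for kv in (kv for name, kv in sections if name == "Peer"):
        key = kv.get("PublicKey", "")
        if key in seen:
            findings.append(("duplicate-peer", key))
        seen.add(key)
        host = kv.get("Endpoint", "").rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # no Endpoint, or a hostname: nothing to compare offline
        if any(addr.version == n.version and addr in n for n in vpn_nets):
            findings.append(("endpoint-inside-vpn", kv["Endpoint"]))
    return findings
```

Calling `lint(SAMPLE)` reports the second peer's Endpoint, which lies inside 10.0.0.0/24, and the repeated public key on the third peer.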