WireGuard is a free and open-source software application and communication protocol.
It's stealthy and has mitigation for DoS attacks.
WireGuard doesn't respond to scans and offers better latency.
It implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
If you have a router that allows it, put WireGuard on port 53. That's one of the most common "always open" ports in any network.
Allowing any :53 is a common error in a captive portal/hotspot setup and is usually exploited to get free internet. People can exploit public Wi-Fi and pass gigabytes over UDP:53.
Lots of places actually block random UDP ports, so you can't establish a connection.
OpenVPN can have that same problem, and the solution in WireGuard is the same as for OpenVPN: run it on a well-known service port, such as 443 or 53.
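Seen from the network operator's side, the UDP:53 problem above is a detection question: is a datagram on the DNS port actually DNS? This added example (not from the original notes) labels UDP/53 payloads using WireGuard's public fixed message framing and a deliberately loose DNS plausibility check; the sample datagrams are constructed.

```python
import struct
from typing import Optional

# WireGuard handshake message types and their fixed on-the-wire lengths.
WG_FIXED = {1: ("wireguard-handshake-init", 148),
            2: ("wireguard-handshake-response", 92),
            3: ("wireguard-cookie-reply", 64)}
WG_TRANSPORT = 4       # 16-byte header + ciphertext (plaintext padded to 16) + 16-byte tag
WG_TRANSPORT_MIN = 32  # an empty transport message is the keepalive


def looks_like_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message kind if the datagram matches WireGuard framing."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # bytes 1..3 are reserved and always zero on the wire
    mtype = payload[0]
    if mtype in WG_FIXED:
        name, size = WG_FIXED[mtype]
        return name if len(payload) == size else None
    if mtype == WG_TRANSPORT and len(payload) >= WG_TRANSPORT_MIN and len(payload) % 16 == 0:
        return "wireguard-transport"
    return None


def looks_like_dns(payload: bytes) -> bool:
    """Loose heuristic: full 12-byte header, standard opcode, exactly one question."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    return opcode in (0, 1, 2) and qdcount == 1


def classify_udp53(payload: bytes) -> str:
    """Label one UDP/53 datagram as dns, a wireguard-* kind, or unknown."""
    kind = looks_like_wireguard(payload)  # checked first: WG framing is the stricter match
    if kind:
        return kind
    return "dns" if looks_like_dns(payload) else "unknown"


def dns_query(name: str) -> bytes:
    """Build a minimal DNS A query (constructed sample input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed samples: a handshake initiation is type 1, 3 zero bytes, then 144 bytes of fields.
SAMPLE_WG_INIT = b"\x01\x00\x00\x00" + bytes(range(144))
SAMPLE_WG_KEEPALIVE = b"\x04\x00\x00\x00" + bytes(28)
SAMPLE_DNS = dns_query("example.com")
```

Run over a capture of UDP/53 traffic at the portal, anything labelled wireguard-* or unknown is a candidate for the "allow :53 only to the local resolver" fix rather than a blanket allow.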
It’s peer to peer, so you don’t have to give any particular node power over the whole network.
Flavors
WireGuard: userspace or kernel implementation?
WireGuard over TCP: not obfuscated, hence it can be easily censored.
WireGuard over TLS
UDP only. It does not do TCP by default, but there are implementations that carry it over TCP.
WireGuard benefits greatly from DNS-over-QUIC on hardware-accelerated devices. Even without hardware acceleration, DNS-over-QUIC further improves its base security, privacy, efficiency and performance. Using WireGuard with DNS-over-HTTPS or DNS-over-TLS slightly reduces its effectiveness in the privacy area, down to the level of OpenVPN TCP/UDP.
Cryptography
Encryption: ChaCha20
Authentication: Poly1305
Key exchange algorithm: Curve25519
Resources
wg-access-server: WireGuard with a web UI to add devices via QR code or config files.