WireGuard support and deployment

Updated: October 24, 2024

Here's a list of software and things that use or support the state of the art WireGuard VPN by Jason A. Donenfeld.

Under the hood, WireGuard uses Noise Protocol, X25519, ChaCha20-Poly1305, BLAKE2 and SipHash.

Official WireGuard Software

Android: WireGuard/Android
FreeBSD: included in release 13.2
Go: wireguard-go
iOS: WireGuard/iOS
Linux: included in kernel 5.6 or later; backports available for older kernels
macOS: WireGuard/macOS
NetBSD: included in release 10.0 and later; please note that Jason Donenfeld in 2020 stated that this code "simply is not a WireGuard implementation" and I don't know what has changed since then. NetBSD users may consider using the Golang userspace implementation or working with Jason to improve the code.
OpenBSD: included in release 6.8 and later
Rust: wireguard-rs
Windows: Windows 7, 8.1, 10, 11, 2008R2, 2012R2, 2016, 2019, 2022 (the installer chooses the correct 64 or 32-bit MSI)
Ubiquiti: wireguard-vyatta-ubnt
Apple developers: WireGuardKit — Swift PM package for easily building macOS/iOS apps that use WireGuard tunnels
wgctrl-go — enables control of WireGuard devices on multiple platforms
Embedding: Most platforms — Embedding WireGuard in Custom Applications

Operating Systems: package management

Always prefer the base-system implementations where possible as listed above, but the following operating systems provide WireGuard as an easily installable port or binary package:

FreeBSD: pkg install wireguard # this is wireguard-go
OpenWRT: opkg install wireguard
Linux: wide support; see official installation docs for more

3rd party WireGuard software

It is recommended to use official WireGuard software whenever possible. The below apps are included for posterity and developer interest.

3rd party: TunSafe — userspace C++ client for Windows, Linux, macOS, FreeBSD, Android (3rd party)
3rd party: WireSep — userspace WireGuard for OpenBSD with privsep and tight pledge(2) (3rd party)
3rd party: BoringTun — a userspace WireGuard implementation in Rust (3rd party)

Other WireGuard goodies

Wintun — a very simple and minimal TUN driver for the Windows kernel
Wireshark support for WireGuard — the world's most popular network protocol analyzer
fly.io — run full-stack apps with WireGuard mesh backhaul
Tailscale — Connect all your devices using WireGuard, without the hassle
Headscale — An open source implementation of the Tailscale coordination server
Iptables WireGuard obfuscation extension — see also this enthusiastic response from Jason
Wiretap — a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run
Rosenpass — adds post-quantum secure keys to WireGuard
WireGuard Implementation for ESP32 Arduino
innernet — A private network system that uses WireGuard under the hood
wireguard-vanity-address — generate WireGuard keypairs with a given prefix string
wireguard-lwip — WireGuard Implementation for lwIP
wireproxy — A wireguard client that exposes itself as a socks5 proxy or tunnel
NetBird — Zero configuration VPN for fast-moving teams
pq-wireguard — Quantum resistant implementation of the WireGuard protocol
Wireguard-Vanity-Key-Searcher — A Python script to create Curve25519 keys with a given b64
kilo — a multi-cloud network overlay built on WireGuard and designed for Kubernetes
Wg Gen Web — Simple Web based configuration generator for WireGuard
Subspace — A simple WireGuard VPN server GUI

Miscellaneous

Thomas Ptacek: "WireGuard is much faster than OpenVPN, much simpler to set up than OpenVPN (except for having to set up IP addresses it's approximately as easy to get working as SSH), and it's much, much more secure than OpenVPN."
Jim Salter, Ars Technica: "WireGuard weighs in at around 4,000 lines of code; this compares to 600,000 total lines of code for OpenVPN + OpenSSL or 400,000 total lines of code for XFRM+StrongSwan for an IPSEC VPN. Two orders of magnitude fewer lines of code mean a lot less attack surface to find flaws in."
Thomas Ptacek: IPv6 WireGuard Peering: "WireGuard is amazing. It will likely replace all other VPN protocols. But it's so lightweight and performant that I think it's going to change the role VPNs have. It's just as easy to set up a WireGuard connection as it is an SSH account. And you pay practically no performance penalty for using it. So you end up using VPNs for new things."

Timeline notes

2016-06-28: WireGuard Launched!
2017-03-10: Mullvad announces WireGuard testing
2017-12-29: 34C3 WireGuard Workshop
2018-05-16: Alpha Snapshots of WireGuard for Android and macOS
2018-12-20: WireGuard for iOS - now in the App Store
2019-02-16: WireGuard for macOS is announced
2019-03-23: Wintun: Layer 3 TUN Driver for Windows
2019-05-08: download Windows pre-alpha for testing
2019-07-18: OPNsense 19.7 supports WireGuard
2019-12-03: Mozilla announces Firefox Private Network, using WireGuard
2019-12-08: WireGuard merged into net-next
2020-01-19: WireGuard is now in Linus' tree
2020-03-20: ANDROID: GKI: enable CONFIG_WIREGUARD
2020-03-29: Linux kernel 5.6 is released, including WireGuard
2020-05-12: WireGuard patches for OpenBSD posted
2020-06-21: WireGuard Merged Into OpenBSD
2020-08-20: "Today I imported Ozaki-san's WireGuard code into NetBSD proper."
2020-08-21: MikroTik RouterOS 7.1beta2 adds WireGuard support
2020-10-18: OpenBSD 6.8 includes WireGuard support
2021-03-17: WireGuard for FreeBSD snapshot 0.0.20210317 is available
2021-08-02: WireGuardNT, a high-performance WireGuard implementation for the Windows kernel
2021-09-13: WireGuardNT is now default on Windows
2021-10-07: Full WireGuard Support in ProtonVPN for Android
2021-10-17: WireGuardNT is fully WHQL Certified
2021-11-15: WireGuard on FreeBSD Stabilizes, Eyes Upstreaming
2021-12-06: MikroTik RouterOS 7.1 supports WireGuard
2022-10-28: FreeBSD: Import the WireGuard driver from zx2c4.com
2022-10-28: Mitmproxy 9 adds WireGuard Mode
2023-04-11: FreeBSD 13.2 includes WireGuard support
2023-04-13: Surpassing 10Gb/s over Tailscale

WireGuard support coming soon!

Who will support it next?!