WireGuard is an open-source VPN protocol created by Jason A. Donenfeld and first released in 2015. It is the fastest VPN protocol available today, and it powers Fast mode in the NymVPN app. NymVPN runs a censorship-resistant fork of it called AmneziaWG, so you get WireGuard's speed plus protection against VPN blocking.
Why WireGuard is fast
WireGuard's speed comes from two things: a tiny codebase and modern cryptography. The protocol is built from roughly 4,000 lines of code, compared to around 100,000 for OpenVPN. Less code means less processing overhead, fewer places for bugs to hide, and far easier public auditing. In real-world use, WireGuard can be upwards of 50% faster than OpenVPN.
It is also stateless by design. If your connection drops, for example when your phone switches from Wi-Fi to cellular, WireGuard picks up where it left off without re-establishing a session. That is why reconnections in NymVPN feel close to instant.
The cryptography inside
WireGuard uses a fixed set of state-of-the-art cryptographic primitives, each reviewed by leading cryptographers:
- Noise protocol framework (Noise_IK) for the handshake, which protects against key-compromise impersonation and replay attacks and provides perfect forward secrecy.
- Curve25519 for key exchange.
- ChaCha20-Poly1305 for encryption and authentication, generally faster than AES-GCM.
- BLAKE2 for hashing and SipHash24 for hashtable keys.
Unlike OpenVPN, there are no cipher choices to configure. That removes a whole class of misconfiguration risks.
WireGuard's one weakness, and how NymVPN fixes it
WireGuard has no built-in obfuscation. Its packets have a recognizable signature, so networks using deep packet inspection (DPI) can detect and block standard WireGuard traffic. This matters in countries and on networks that restrict VPN use.
NymVPN addresses this with AmneziaWG, a fork of WireGuard that sends decoy packets before the connection handshake. These decoys disrupt the patterns DPI relies on, making the connection much harder to identify and block, while keeping WireGuard's speed. AmneziaWG is the default protocol for all Fast mode traffic. Read more in the AmneziaWG announcement or see how to use NymVPN in restricted regions.
How NymVPN uses WireGuard differently
Most VPNs route WireGuard through a single company-owned server, which means one party can see both who you are and what you do. NymVPN routes Fast mode traffic through two independent nodes with an extra layer of encryption, so no single node can link your identity to your activity. For the full picture, see How does NymVPN implement WireGuard?
Related questions
Is WireGuard secure?
Yes. Its cryptographic primitives are currently considered unbreakable, and its small open-source codebase has been audited extensively by the global security community.
Does NymVPN support OpenVPN instead?
No. NymVPN uses AmneziaWG exclusively in Fast mode. See Does NymVPN support OpenVPN or other protocols?
Which mode uses WireGuard?
Fast mode. Anonymous (mixnet) mode uses the Nym mixnet with the Sphinx packet format instead, trading some speed for maximum privacy. See What's the difference between NymVPN Fast & Anonymous mode?
For a deeper technical walkthrough, read What is WireGuard VPN and how does it work? on the Nym blog.