NymVPN uses WireGuard to power Fast mode, but not in the way traditional VPNs do. Instead of routing your traffic through a single company server, NymVPN runs WireGuard through a decentralized 2-hop setup with an extra layer of encryption, and hardens it against censorship with AmneziaWG. The result: everyday speed, with no single node able to see both who you are and what you do.
The 2-hop design
In Fast mode your traffic passes through two independent WireGuard nodes run by different operators:
- The first node can see your IP address, but none of your online activity. Everything passing through it is fully encrypted.
- The second node can see where your traffic is going, but not who you are. It only ever sees the first node's address, never yours.
With a traditional single-server VPN, the provider's server sees both sides at once. NymVPN's architecture means that link cannot be made by any single node in the chain. Read more about how the Nym network compares to traditional VPNs.
Tunnel-in-a-tunnel encryption
A standard 2-hop WireGuard chain still reveals more than necessary to the first node. NymVPN closes that gap with an "onion" model: your device encrypts traffic twice, one WireGuard tunnel wrapped inside another. The first node can only decrypt the outer layer, which tells it where to forward the still-encrypted inner tunnel. The second node decrypts the final layer and sends your traffic to its destination.
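A simplified model of the two layers described above, showing what each node can and cannot read. It is an added example, not NymVPN's or WireGuard's code: a toy standard-library cipher stands in for WireGuard's ChaCha20-Poly1305, and the addresses, keys and function names are constructed for the illustration.

```python
import hashlib, hmac, os

# Toy encrypt-then-MAC cipher from the standard library. Assumption: it stands
# in for WireGuard's ChaCha20-Poly1305 so the example runs offline.
def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, packet: bytes) -> bytes:
    nonce, body, tag = packet[:12], packet[12:-32], packet[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered packet")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

# Constructed sample values (documentation address ranges, hypothetical hosts).
CLIENT_IP, ENTRY_IP, EXIT_IP = "198.51.100.7", "203.0.113.10", "203.0.113.20"
DEST = "192.0.2.80:443"

def client_send(entry_key, exit_key, dest, payload):
    inner = seal(exit_key, dest.encode() + b"\n" + payload)    # only the second node opens this
    outer = seal(entry_key, EXIT_IP.encode() + b"\n" + inner)  # only the first node opens this
    return {"src": CLIENT_IP, "dst": ENTRY_IP, "data": outer}

def entry_forward(entry_key, pkt):
    # First node: strips the outer layer, learns the next hop, forwards the rest.
    next_hop, inner = open_(entry_key, pkt["data"]).split(b"\n", 1)
    view = {"client_ip": pkt["src"], "next_hop": next_hop.decode(), "opaque": inner}
    return view, {"src": ENTRY_IP, "dst": next_hop.decode(), "data": inner}

def exit_forward(exit_key, pkt):
    # Second node: strips the inner layer; its peer address is the first node.
    dest, payload = open_(exit_key, pkt["data"]).split(b"\n", 1)
    return {"peer_ip": pkt["src"], "dest": dest.decode(), "payload": payload}

if __name__ == "__main__":
    ek, xk = os.urandom(32), os.urandom(32)
    view, fwd = entry_forward(ek, client_send(ek, xk, DEST, b"GET / HTTP/1.1"))
    print("first node sees :", view["client_ip"], "->", view["next_hop"])
    print("second node sees:", exit_forward(xk, fwd))
```

The first node's view holds the client address and an opaque blob it cannot authenticate or decrypt with its own key; the second node's view holds the destination and payload, with the first node's address as the only peer.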
AmneziaWG: censorship resistance built in
Standard WireGuard traffic has a recognizable packet signature, which lets censors using deep packet inspection (DPI) detect and block it. NymVPN integrates AmneziaWG, a fork of WireGuard, on the client side. It sends configurable decoy packets before the connection handshake, disrupting the simple rules used to spot WireGuard traffic. This makes connections more reliable on restrictive networks while keeping WireGuard's speed. AmneziaWG is the default for all Fast mode traffic. See the AmneziaWG announcement for the technical detail.
What about Anonymous mode?
Anonymous (mixnet) mode does not use WireGuard. It routes traffic through the 5-hop Nym mixnet using the Sphinx packet format, which adds cover traffic and timing protections for maximum privacy on sensitive tasks. Fast mode with WireGuard is the right choice for everyday browsing, streaming, and downloads. See What's the difference between NymVPN Fast & Anonymous mode?
Related questions
Does the double encryption slow things down?
The overhead is small. WireGuard's cryptography is extremely efficient, and Fast mode is designed for everyday speeds. Packet sizes are tuned per platform to avoid fragmentation; see How is the MTU set for NymVPN?
Can I get a WireGuard config file for my router?
There are no static config files, since NymVPN's rotating zk-nym credentials work differently. But OpenWRT routers can run the full NymVPN client via a community-built package. See Where can I find the NymVPN WireGuard configuration files?
Where can I read more?
The Nym blog covers the design in depth: Building a decentralized WireGuard VPN and What is WireGuard VPN?