WireGuard: modern VPN in the Linux kernel for home office and remote admin
WireGuard is the GPL-2 VPN in the Linux kernel. 4000 lines of code, 3-10x faster than OpenVPN. SME default in 2026 for remote access.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is WireGuard?
WireGuard is a modern open-source VPN protocol published by Jason A. Donenfeld in 2015 and shipped as an integral part of the mainline Linux kernel since kernel 5.6 (March 2020). The code base totals only about 4000 lines -- less than a hundredth of the OpenVPN or IPsec code bases. The license is GPL-2; thanks to the kernel integration it is available on all modern Linux servers in May 2026 without any additional installation.
The decisive advantage over classic VPN solutions is simplicity and performance. WireGuard uses a small, well-audited crypto suite: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing, SipHash24 for hash tables. There is no TLS negotiation, no certificate chains, no configurable cipher suites -- only one fixed, modern selection. That eliminates the whole class of cipher-suite misconfigurations that is common in OpenVPN.
Configuration model: each peer (server or client) has a Curve25519 public/private key pair. Each side lists the other side's public key -- that is the entire configuration. On the server container a wg0.conf looks like this:
```ini
[Interface]
PrivateKey = <server-private-key>
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <employee-vitalij-public-key>
AllowedIPs = 10.8.0.2/32
```
On the client (laptop, phone) a matching wg0.conf holds the server's public key and the server's endpoint IP/port. The tunnel is brought up with wg-quick up wg0 and connects in under 100 ms -- with OpenVPN 1-5 seconds are normal.
Performance is significantly better on multi-Gbit lines. The Linux kernel implementation of WireGuard runs at 95 percent line rate on 10-Gbit networks; OpenVPN manages 1-3 Gbit/s. On mobile the battery impact is lower because WireGuard only sends packets when there is traffic (no keepalive heartbeat unless PersistentKeepalive is configured).
Client apps are available in May 2026 for iOS, Android, macOS, Windows, Linux and FreeBSD -- all Apache 2.0 or GPL-2 open source. The iOS app uses Apple's Network Extension framework, the Android app the VpnService API. Configuration is usually done by scanning a QR code of the client's wg0.conf.
Why it matters for Swiss SMEs and fiduciaries
WireGuard solves three concrete problems for Swiss SMEs.
Home office remote access under revFADP: since the pandemic shift many fiduciary employees and law-firm staff work 1-3 days per week from home. Access to the internal client server, file system and accounting DB must not be openly reachable over the internet -- that violates Art. 8 revFADP. WireGuard delivers an encrypted tunnel with minimal overhead and simple distribution to employees via QR code. The employee scans the QR code with the WireGuard app and is immediately connected to the internal network.
Hide SSH and admin access: instead of leaving SSH port 22 (or 2847) open on the internet, the SSH daemon is bound only to the WireGuard interface (ListenAddress 10.8.0.1). Brute-force attempts from the internet never reach the SSH daemon -- they see a closed port. That is defense in depth on top of CrowdSec/Fail2ban: in addition to brute-force detection comes structural invisibility from the open internet. In May 2026 this is the recommended configuration for all fiduciary servers subject to professional-secrecy duty.
Client VPN as a service: a law firm with clients in the banking sector can give them WireGuard access to a shared file area. The client brings up the tunnel and sees only the folders released for them; all other resources are invisible. That is significantly safer than email attachments with client files or shared cloud folders without an audit trail.
Performance and scaling: a Hetzner server with WireGuard handles several hundred simultaneous VPN connections without hitting a CPU limit. OpenVPN often reached its limit at 50-100 simultaneous connections on the same hardware. For a 100-staff law firm with an 80 percent home office share, that is the difference between a dedicated VPN server and a container next to other workloads.
Regulatory link: revFADP Art. 8 demands state-of-the-art protective measures. The FDPIC guideline lists VPN access explicitly as a technical minimum measure for remote access. ISO 27001 Annex A.13.1 (network security) is covered. Cyber insurers require a VPN for all external access.
Setup and employee onboarding
We show a production WireGuard setup with wg-easy (Apache 2.0 web UI for WireGuard configuration), the tool we use at Fairlane for client deployments.
Docker Compose setup:
```yaml
version: "3.8"
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:14
    container_name: wg-easy
    restart: unless-stopped
    environment:
      - LANG=de
      - WG_HOST=vpn.treuhand-müller.ch
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.8.0.x
      - WG_DEFAULT_DNS=10.8.0.1
      - WG_PERSISTENT_KEEPALIVE=25
      - WG_ALLOWED_IPS=10.8.0.0/24,192.168.100.0/24
      - PASSWORD_HASH=<bcrypt-of-admin-password>
    ports:
      - "51820:51820/udp"
      - "127.0.0.1:51821:51821/tcp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./wg-config:/etc/wireguard
```
On the Hetzner server: nginx or Caddy as reverse proxy in front of the wg-easy UI (port 51821), secured via Authelia or Authentik. Open UDP 51820 in UFW.
Per-employee onboarding takes less than 5 minutes:
1. Admin logs into the wg-easy UI (vpn.treuhand-müller.ch/admin), authenticating via Authelia/Authentik.
2. Click "New Client", enter the name "vitalij-laptop". wg-easy generates the key pair and assigns 10.8.0.7/32.
3. A QR code is shown. The employee scans it with the WireGuard app (iOS/Android); the profile is immediately available.
4. Alternatively: download the .conf file, send it to the employee via a secure channel, import it on the laptop.
5. Toggle "Active" -- the connection comes up.
Make SSH reachable only via WireGuard: in /etc/ssh/sshd_config set ListenAddress 10.8.0.1 (WireGuard interface only). In UFW: ufw delete allow 22; ufw delete allow 2847. SSH is then no longer reachable from the internet -- only through the VPN tunnel.
Combined setup with Authentik: Authentik delivers SSO for the wg-easy UI. The employee logs into wg-easy with their Authentik identity, gets their own WireGuard profile and can scan it as a QR code. When an employee leaves the fiduciary office, their Authentik account is deactivated and their WireGuard profile with it. Single source of truth for identity plus VPN access.
Routing options: split tunneling -- only 10.8.0.0/24 plus 192.168.100.0/24 go through the VPN, normal internet traffic goes direct; recommended for performance. Full tunneling -- 0.0.0.0/0 through the VPN, all traffic encrypted; recommended for protection on public WiFi or for circumventing geo-blocking.
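As an added example of the routing choice (not code from the article, WireGuard or wg-easy), this helper computes the AllowedIPs value for the split and full policies just described and, going one step beyond the text, a full tunnel with carve-outs so that, for instance, the home LAN stays reachable for a local printer. All network values in it are constructed for the example; it handles one address family per call.

```python
"""Added example (not from the article): deriving a client's AllowedIPs.

WireGuard has no routing policy of its own: wg-quick routes exactly the
prefixes listed in AllowedIPs through the tunnel. This helper turns the two
policies described in the text into an AllowedIPs value and goes one step
beyond it: a full tunnel with carve-outs (e.g. the home LAN, so a local
printer stays reachable), computed with ipaddress.address_exclude.
All input values are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


def allowed_ips(mode: str, internal: Iterable[str] = (), exclude: Iterable[str] = ()) -> str:
    """Return the AllowedIPs string for a client profile.

    mode="split": only the given internal networks go through the tunnel.
    mode="full":  0.0.0.0/0 minus any networks listed in `exclude`.
    """
    if mode == "split":
        nets = [ipaddress.ip_network(n, strict=True) for n in internal]
    elif mode == "full":
        nets = [ipaddress.ip_network("0.0.0.0/0")]
        for ex in exclude:
            ex_net = ipaddress.ip_network(ex, strict=True)
            remaining = []
            for n in nets:
                if n.subnet_of(ex_net):          # fully covered (or equal): drop it
                    continue
                if ex_net.subnet_of(n):          # carve the hole out of this block
                    remaining.extend(n.address_exclude(ex_net))
                else:                            # disjoint: keep as is
                    remaining.append(n)
            nets = remaining
    else:
        raise ValueError(f"unknown mode {mode!r}, expected 'split' or 'full'")
    # collapse_addresses merges adjacent blocks and removes duplicates
    return ", ".join(str(n) for n in sorted(ipaddress.collapse_addresses(nets)))


def routes_via_tunnel(allowed: str, ip: str) -> bool:
    """True if `ip` would be sent through the tunnel under this AllowedIPs value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p.strip()) for p in allowed.split(","))


def address_count(allowed: str) -> int:
    """Number of addresses covered; a sanity check that carve-outs removed
    exactly what was intended and nothing else."""
    return sum(ipaddress.ip_network(p.strip()).num_addresses for p in allowed.split(","))


if __name__ == "__main__":
    print("split:", allowed_ips("split", ["10.8.0.0/24", "192.168.100.0/24"]))
    print("full :", allowed_ips("full"))
    print("full minus home LAN:", allowed_ips("full", exclude=["192.168.1.0/24"]))
```

Since wg-quick installs one route per listed prefix, a /24 carve-out from 0.0.0.0/0 yields 24 prefixes. routes_via_tunnel is the check to run before a profile ships: that 192.168.100.0/24 really goes through the tunnel, and that the excluded printer address does not.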
May 2026 best practice: WireGuard plus FIDO2 in Authentik plus PAM OTP for SSH plus encryption at rest on the laptop (BitLocker/FileVault). That is the mandatory layer for client data access from home office.
WireGuard setup in 5 steps
- 01 Server setup: deploy wg-easy via Docker Compose, open UDP 51820 in UFW, enable the ip_forward sysctl, configure the DNS resolver.
- 02 Secure the admin UI: wg-easy UI on port 51821 behind an nginx reverse proxy with Authelia/Authentik SSO; reachable only internally via WireGuard or from the office IP.
- 03 Generate employee profiles: one WireGuard client per employee in the wg-easy UI; scan the QR code at onboarding or distribute via the Authentik self-service portal.
- 04 Hide SSH behind WireGuard: sshd_config ListenAddress 10.8.0.1, close the SSH port to the internet in UFW; SSH only reachable through the VPN tunnel.
- 05 Routing and monitoring: split tunneling for performance (only internal networks via VPN), set persistent-keepalive to 25 s, Prometheus wireguard-exporter for connection monitoring.
When to deploy WireGuard
WireGuard is the right choice in five constellations in May 2026 -- practically for every Swiss SME with a remote-access need.
Home office employees: every employee with a laptop accessing internal systems from home. WireGuard plus Authentik plus FIDO2 is the mandatory layer for client data access from home office under professional-secrecy duty.
Mobile workforce: lawyers on the road, fiduciaries at client sites, consultants in hotels. WireGuard mobile app on iOS/Android, profile loaded via QR code, always-on auto-connect over untrusted WiFi networks. The May 2026 standard.
Site-to-site between multiple offices: Zurich headquarters plus Geneva branch plus Zug office. WireGuard tunnel between routers (e.g. OPNsense or Mikrotik with WireGuard support). Persistent connection, automatic reconnect, the offices see each other as one network.
Client VPN as a service: a law firm provides clients in the banking/pharma sector with WireGuard access so they can reach shared files securely. One WireGuard profile per client, isolated from the other clients via firewall rules.
Hide admin access: make SSH and all admin tools reachable only via WireGuard. CrowdSec/Fail2ban no longer see brute-force attempts because the SSH port is invisible from the internet. A defense-in-depth layer.
Performance-relevant setups: on 10-Gbit Hetzner lines or multi-site links with latency requirements, WireGuard is 3-10x faster than OpenVPN. Practically relevant for database replication between sites or large file transfers.
WireGuard is the right default choice in May 2026. Alternatives like OpenVPN or IPsec only make sense in specific legacy setups where migration is not worthwhile (e.g. existing Cisco IPsec infrastructure with hardware concentrators).
When WireGuard does not fit
Three cases where WireGuard is not the right choice in May 2026.
Legacy hardware VPN concentrators with IPsec: anyone with existing Cisco ASA, Juniper SRX or Fortigate infrastructure with IPsec tunnels who does not want to replace it stays with IPsec. Migration is possible but expensive. WireGuard has no official Cisco IPsec replacement path where corporate compliance requirements specifically demand IPsec.
Strict FIPS 140-2 compliance duty: WireGuard uses ChaCha20/Poly1305, which is not on the NIST FIPS 140-2 list. For US government contractors or certain US defense compliance requirements this is a stopper. Solution: OpenVPN or strongSwan with FIPS-certified crypto modules. For Swiss SMEs practically irrelevant -- no FIPS duty applies in Switzerland.
Browser-based remote apps without a VPN client: anyone who needs browser-only access for clients or employees (nothing installed on the client) is poorly served by WireGuard. Alternatives: Authentik RAC (remote access via browser) as an enterprise feature, or Apache Guacamole as an OSS solution -- both deliver RDP/SSH/VNC over HTML5 without a VPN client.
General pitfalls in WireGuard deployments:
- (a) Private keys in the wg-easy container without backup -- on container loss all employee profiles are lost. Back up the wg-config volume regularly.
- (b) Leaving persistent-keepalive at 0 behind NAT -- the tunnel drops after 5 minutes idle. Set it to 25 seconds.
- (c) Setting AllowedIPs to 0.0.0.0/0 without a performance check -- full tunneling can slow down office internet.
- (d) Forgetting WireGuard port 51820 in the CrowdSec whitelist -- UDP flood detection locks out legitimate employees.
- (e) Key distribution over insecure channels (email attachment) -- better: QR code scan in person or via the Authentik self-service portal.
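Pitfalls (b) and (c), the server-side AllowedIPs rule from the configuration model, and the SSH ListenAddress step from the setup section can all be checked before a profile is handed out. The following added example (not code from the article, WireGuard, wg-easy or OpenSSH) parses wg(8)-style .conf files, including the repeated [Peer] sections that configparser rejects, and audits them together with an sshd_config snippet. The sample configs and placeholder keys in it are constructed for the example.

```python
"""Added example (not from the article): pre-rollout check for the pitfalls
listed above, run over a client .conf and the server's sshd_config.
Standard library only; the configs below are constructed samples."""
from __future__ import annotations

import ipaddress


def parse_wg_conf(text: str) -> list[tuple[str, dict[str, str]]]:
    """Parse wg(8)-style INI into an ordered list of (section, keys).
    Hand-rolled because configparser rejects the repeated [Peer] sections."""
    sections: list[tuple[str, dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # base64 keys never contain '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")  # first '=' only: base64 padding also uses '='
            sections[-1][1][key.strip()] = value.strip()
    return sections


def _networks(value: str) -> list:
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def audit_client_conf(text: str, behind_nat: bool = True, full_tunnel_intended: bool = False) -> list[str]:
    """Pitfalls (b) and (c) for a profile that runs on a laptop or phone."""
    findings = []
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        peer = kv.get("PublicKey", "?")[:8]
        if behind_nat and int(kv.get("PersistentKeepalive", "0")) == 0:
            findings.append(f"peer {peer}: no PersistentKeepalive; the NAT mapping expires when idle, set 25")
        if not full_tunnel_intended and any(n.prefixlen == 0 for n in _networks(kv.get("AllowedIPs", ""))):
            findings.append(f"peer {peer}: AllowedIPs 0.0.0.0/0 routes all traffic through the VPN; check the office uplink first")
    return findings


def audit_server_conf(text: str) -> list[str]:
    """On the server AllowedIPs is also the source filter: a client peer should own exactly one /32."""
    findings = []
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        peer = kv.get("PublicKey", "?")[:8]
        for n in _networks(kv.get("AllowedIPs", "")):
            if n.num_addresses > 1:
                findings.append(f"peer {peer}: AllowedIPs {n} covers more than one host; expected only for site-to-site peers")
    return findings


def audit_sshd_config(text: str, vpn_net: str = "10.8.0.0/24") -> list[str]:
    """sshd must listen on the WireGuard address only (ListenAddress 10.8.0.1)."""
    net = ipaddress.ip_network(vpn_net)
    listens = [p[1] for p in (raw.split("#", 1)[0].split() for raw in text.splitlines())
               if len(p) >= 2 and p[0].lower() == "listenaddress"]
    if not listens:
        return ["no ListenAddress: sshd binds every interface, including the public one"]
    findings = []
    for spec in listens:                          # accepted forms: host, host:port, [host]:port
        if spec.startswith("["):
            host = spec[1:spec.index("]")]
        elif spec.count(":") == 1:
            host = spec.rsplit(":", 1)[0]
        else:
            host = spec
        if ipaddress.ip_address(host) not in net:
            findings.append(f"ListenAddress {spec} is outside {vpn_net}; sshd stays reachable from the internet")
    return findings


# Constructed samples with placeholder keys (not real key material).
CLIENT_BAD = """[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.7/32

[Peer]
PublicKey = SERVERPUBKEYPLACEHOLDER0000000000000000000=
Endpoint = vpn.example.ch:51820
AllowedIPs = 0.0.0.0/0
"""
CLIENT_GOOD = CLIENT_BAD.replace("AllowedIPs = 0.0.0.0/0",
                                 "AllowedIPs = 10.8.0.0/24, 192.168.100.0/24\nPersistentKeepalive = 25")
SERVER_PEER = "[Peer]\nPublicKey = CLIENTPUBKEYPLACEHOLDER0000000000000000000=\nAllowedIPs = 10.8.0.7/32\n"

if __name__ == "__main__":
    for label, found in [("client", audit_client_conf(CLIENT_BAD)), ("server", audit_server_conf(SERVER_PEER)),
                         ("sshd", audit_sshd_config("Port 22\nListenAddress 0.0.0.0\n"))]:
        print(label, found or "ok")
```

Run it against the .conf that wg-easy exports and against /etc/ssh/sshd_config on the server; an empty findings list for all three is the state the setup section aims for. The server check is the one most often overlooked: a peer whose AllowedIPs is wider than its own /32 is allowed to send traffic with any source address in that range, which is fine for a site-to-site router and wrong for an employee laptop.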
Trade-offs
STRENGTHS
- GPL-2 OSS, in Linux kernel since 5.6, no vendor lock-in
- 3-10x faster than OpenVPN, 95 percent line rate on 10-Gbit
- 4000 lines of code, very small and auditable
- Mobile apps on iOS/Android, setup per client under 5 minutes
WEAKNESSES
- No FIPS 140-2 certification -- not for US defense compliance
- No browser-only access -- VPN client always needed
- Migration from legacy IPsec concentrators effortful
- Private-key distribution requires secure channel (QR or SSO)
FAQ
WireGuard or OpenVPN -- which to choose?
For new installations in May 2026 always WireGuard. 3-10x better performance, 100x smaller code base, integrated in Linux kernel, simpler configuration. OpenVPN remains valid in Cisco enterprise legacy or strict FIPS 140-2 requirements. Migration from OpenVPN to WireGuard takes 1-2 days for a typical Swiss SME with 50 staff.
How secure are the WireGuard crypto algorithms?
Very good. ChaCha20-Poly1305 is standard in TLS 1.3, Curve25519 is also used by Signal and WhatsApp, BLAKE2s is comparable to the NIST hash functions. All algorithms have been formally verified multiple times in 2020-2026. WireGuard has no configurable cipher suites -- that prevents misconfiguration. Compared to OpenVPN (which has dozens of crypto options, some of them weak) that is a security advantage.
How do I distribute WireGuard profiles securely?
Recommended in May 2026: QR code scan in presence at onboarding or via Authentik self-service portal with FIDO2 authentication. Never .conf file via email or Slack -- the file contains the client's private key. If remote distribution needed: Bitwarden Send with auto-delete after 1 view plus password protection. Mobile clients can also fetch a temporary token via Authentik outpost valid for 24h.
What happens on lost laptop with WireGuard profile?
In the wg-easy UI deactivate the employee's profile (toggle "Active" to off). The connection is dropped immediately and new connection attempts are rejected. With BitLocker/FileVault encryption on the laptop, the data is inaccessible anyway. Best practice: each employee profile carries a unique label (vitalij-laptop, vitalij-iphone), so on loss only the affected device needs to be deactivated.