- Category: Network · Self-host
- Cost: Self-host
- Country: community
- Licensing: FOSS
# PROS AND CONS
+ what works
- Small codebase and minimal attack surface compared to OpenVPN or IPsec
- In-tree Linux kernel module since 5.6, plus first-party clients on macOS, iOS, Android, Windows, FreeBSD
- Solid base for a personal VPN back into a home network or to encrypt traffic on hostile wifi
- Configs and keys are simple text; no PKI server required
− watch out for
- Self-hosting does not give you exit-IP anonymity; the server's IP is yours
- No built-in user management or web UI; key rotation and client provisioning are manual unless you add tooling like wg-easy
- Operator of the host can observe plaintext traffic after decapsulation, so trust assumptions just shift to whoever runs the server
- UDP-only, which some restrictive networks block outright
# PRIVACY NOTES
Self-hosting a WireGuard server keeps tunnel traffic on infrastructure you operate, so no third-party VPN provider sees your sessions or IPs. The catch is that the exit IP is your server's IP; destination sites still see you, and the operator (you) can in principle observe traffic on the host. WireGuard itself transmits no telemetry. The kernel module has been in mainline Linux since 5.6 (March 2020) and the protocol uses modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s, Noise framework).
# REPLACES
icloud-private-relay
# TAGS
#foss · #vpn-protocol · #kernel-module · #wg-quick · #license: GPLv2 kernel, mixed userspace