Updated 31 May 2026

What is a VPN (and how does WireGuard do it)?

A short reference on virtual private networks — what the encrypted tunnel actually is, the difference between privacy-product VPNs and infrastructure VPNs, and how WireGuard builds one with keys, peers, and a single UDP port.

Networking
#networking
#vpn
#wireguard

The one-sentence definition

A VPN — Virtual Private Network — is a virtual network interface that encrypts your traffic and carries it over an untrusted network, so two machines (or a device and a network) behave as if they were on the same private LAN, no matter where they actually sit.

What "virtual" and "private" mean here

The network is virtual because it is not made of cables — it is a software interface (like wg0) that looks like a normal network card to the operating system, but everything sent through it is encrypted and tunnelled inside ordinary packets to the other end. It is private because only the endpoints holding the right keys can read what flows through it; to anything in between, it is opaque encrypted traffic.

The result: a server in a datacentre and a box behind your home router can be given tunnel addresses like 10.8.0.1 and 10.8.0.2 and talk to each other directly, as though they shared a switch — even though one is behind NAT with no public address.

Two different things both called "VPN"

The word covers two uses that share technology but not purpose:

| | Privacy-product VPN | Infrastructure VPN |
|---|---|---|
| Goal | Hide your traffic / change your apparent location | Link machines or networks privately |
| Shape | Your device → provider's exit node → internet | Point-to-point or site-to-site link you run |
| Examples | Commercial "VPN" subscriptions | WireGuard/OpenVPN tunnels, homelab edge |

This reference is about the infrastructure sense — building your own private links — not the commercial exit-node products, though both rely on the same kind of encrypted tunnel.

The two common shapes

  • Remote-access — a single device joins a remote network (a laptop dialling into the office, your phone reaching home services).
  • Site-to-site / point-to-point — two networks or two hosts are linked so machines on each side reach the other. The VPS-to-homelab tunnel is this shape: two hosts, one encrypted link.

```mermaid
flowchart LR
    A["Host A<br/><i>10.8.0.1</i>"] -. "encrypted tunnel<br/>over the public internet" .- B["Host B<br/><i>10.8.0.2</i>"]
    A --- NIC1["wg0<br/><i>virtual interface</i>"]
    B --- NIC2["wg0<br/><i>virtual interface</i>"]
```

Each side has a virtual wg0 interface; traffic between the tunnel addresses is encrypted and carried over whatever real network sits underneath.

How WireGuard does it

WireGuard is a modern VPN that lives inside the Linux kernel and is deliberately tiny — a few thousand lines, against the hundreds of thousands in OpenVPN or IPsec. Its model is stripped down to essentials:

  • Peers, not client/server. The protocol has no built-in notion of client or server — just peers that recognise each other.
  • Keypairs. Each peer has a private key (never leaves the machine) and a public key (shared with the other peer), exactly like SSH keys. A peer only accepts traffic from public keys it knows.
  • AllowedIPs. Each peer is told which tunnel addresses sit behind the other, which doubles as the routing rule.
  • One UDP port. All encrypted traffic rides a single UDP port — no session chatter, no certificate authority, no daemon to babysit.
  • Modern crypto, fixed. It uses Curve25519, ChaCha20-Poly1305, and BLAKE2s — no negotiable cipher suites to misconfigure or downgrade.

The practical wins over older VPNs are a far simpler config, much faster throughput and lower latency (kernel datapath), and near-instant reconnect. For joining two machines over an encrypted link, it is close to ideal — which is why the homelab edge tunnel is built on it.
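The AllowedIPs rule above is worth seeing in motion, because it does double duty: it decides which peer an outbound destination is encrypted to, and it is also the check that a decrypted packet's source address is one that peer is allowed to use (WireGuard's "cryptokey routing"). The model below is an added example, not code from the article or from WireGuard itself; the public keys are placeholders, and the 192.168.1.0/24 LAN behind Host B and the third peer C are constructed to show the site-to-site case.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder public keys (not real WireGuard keys).
HOST_B = "PUBKEY_HOST_B_PLACEHOLDER"
HOST_C = "PUBKEY_HOST_C_PLACEHOLDER"


class CryptokeyRouter:
    """Minimal model of WireGuard's cryptokey routing table.

    One table maps every AllowedIPs prefix to exactly one peer, and it
    answers both questions WireGuard asks of AllowedIPs:
      outbound: which peer is this destination encrypted to?
      inbound:  may this peer send packets from this source IP?
    """

    def __init__(self):
        self._table = {}  # ip_network -> peer public key

    def add_peer(self, pubkey, allowed_ips):
        # A prefix belongs to one peer; assigning it again moves it.
        for cidr in allowed_ips:
            self._table[ip_network(cidr, strict=False)] = pubkey

    def route_outbound(self, dst):
        """Longest-prefix match; None means no route (packet dropped)."""
        addr = ip_address(dst)
        hits = [net for net in self._table if addr in net]
        if not hits:
            return None
        return self._table[max(hits, key=lambda net: net.prefixlen)]

    def accept_inbound(self, pubkey, src):
        """Decrypted packet is kept only if src maps to the sending peer."""
        return self.route_outbound(src) == pubkey


def demo():
    """Host A's table: B owns 10.8.0.2 plus a LAN behind it; C owns 10.8.0.3."""
    r = CryptokeyRouter()
    r.add_peer(HOST_B, ["10.8.0.2/32", "192.168.1.0/24"])
    r.add_peer(HOST_C, ["10.8.0.3/32"])
    return {
        "to_b": r.route_outbound("10.8.0.2"),        # HOST_B
        "to_lan": r.route_outbound("192.168.1.7"),   # HOST_B (site-to-site)
        "no_route": r.route_outbound("10.8.0.9"),    # None: not in any AllowedIPs
        "genuine": r.accept_inbound(HOST_B, "192.168.1.7"),  # True
        "spoofed": r.accept_inbound(HOST_C, "10.8.0.2"),     # False: C may not claim B's address
    }
```

The last entry is the security property: a peer that authenticated with its own key still cannot inject packets that claim another peer's tunnel address, because the source check consults the same table as routing.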

The short version

A VPN is a software network interface that encrypts traffic and tunnels it over an untrusted network, making distant machines act local. WireGuard does this with a small, fast, kernel-level design: peers identified by keypairs, addresses governed by AllowedIPs, all over one UDP port — the cleanest way to build the private link a self-hosted homelab edge needs.