English

Русский
Deutsch

English

Русский
Deutsch

Appearance

WireGuard. How the service works

The WireGuard module in the BeAdmin panel brings up a fast, lightweight VPN tunnel based on the modern WireGuard protocol. The protocol is designed around minimalism: one vetted set of cryptographic algorithms, one message exchange to establish a connection, very little code — which translates into low server load, gentle behaviour towards mobile batteries, and wide support across every modern operating system.

The problem WireGuard solves

VPN protocols that came before WireGuard were designed for maximum configurability: many ciphers, several handshake modes, flexible options. The price for that is a large code base, slow audits, and a heavy connection setup that mobile clients feel as a delay.

WireGuard was written with the opposite goal. The Linux kernel implementation fits in roughly 4000 lines, it has one fixed set of cryptographic primitives and one handshake scenario. A code base that small is easy to audit end‑to‑end, the connection sets up quickly, and the tunnel calmly survives a client switching from Wi‑Fi to a cellular network.

How WireGuard works

The protocol stands on three things, and all of them serve the same idea — simplicity.

One set of cryptography. The algorithms are baked into the protocol and are not picked at session time — both peers know upfront which ones to use. There is nothing to negotiate, nothing to bargain over, nowhere to "misconfigure". Simplicity here is itself a security property.

Authentication by keys, without logins or certificates. Every peer is known by its public key. The server accepts only peers whose keys it was told about in advance, and addresses them by the same key in return — the client's IP address can change, the key stays the same. That is why the tunnel does not fall apart when a phone moves from Wi‑Fi to cellular.

The server stays silent until it recognises a packet. WireGuard does not answer foreign traffic — no "rejected", no "error", no "port open". To a port scanner the server looks like a machine with nothing running on it, and detecting the VPN from the outside without knowing the keys is impossible.

What WireGuard cannot do

It is worth naming what WireGuard does not do — common expectations that this protocol does not cover.

  • It does not mask traffic against DPI. The first packet is always recognisable — it has a fixed size (148 bytes for the first packet, 92 bytes for the reply) and an identifiable type byte. Any Deep Packet Inspection system spots WireGuard within the first packets and can block or throttle it. For hostile networks you need a different module — Amnezia does exactly the same job but with masking on top.
  • UDP only, no TCP fallback. If the network blocks UDP wholesale, WireGuard does not work — it has no fallback TCP transport. Xray helps in those cases because it runs over TCP.
  • It does not hide the fact of the connection itself. Cryptography protects packet contents, but an observer can still see that there is a VPN tunnel between your client and your server. Hiding that fact requires switching to a masking protocol.
  • It is not Tor or anonymity routing. A tunnel to your own server hides traffic from the ISP and the local network, but the destination server still sees the client's IP. WireGuard does not introduce extra hops or onion routing.
  • It does not make VPN legal. If using a VPN is restricted or prohibited in your jurisdiction, WireGuard does not change that. It is a technical tool, not a legal workaround.

WireGuard in BeAdmin

The WireGuard module in BeAdmin installs in one click. The panel generates the server keys, picks the address range and UDP port, and configures forwarding of client traffic to the outside on its own — there is no need to edit configuration files or work in the command line.

Once installed, the module is ready to go: you have a working VPN immediately, you can add users and issue connections to them. For each user the panel generates a key pair, a ready configuration file, and a QR code. The client scans the QR from the official WireGuard app or imports the file — apps are available on every modern system (Windows, macOS, Linux, iOS, Android), on many routers and TV boxes.

What the server needs: a regular VPS or a physical machine. On container‑based servers (LXC, OpenVZ without full virtualisation) the module will not start — full access to the network stack is required. Modern Ubuntu and Debian are supported.

When to choose WireGuard

Choose WireGuard when:

  • Your users connect from ordinary networks without active VPN blocking — at home, in the office, in most mobile networks. Here WireGuard is the fastest and lightest of the available options.
  • Wide client compatibility matters. WireGuard apps exist on iOS, Android, Windows, macOS, Linux, many routers and embedded systems — almost everywhere a VPN may be needed.
  • Battery life on mobile devices matters. A fast handshake and quiet idle behaviour are noticeably gentler on the phone than OpenVPN or IPsec.

WireGuard is not a good fit when:

  • Your network actively blocks or throttles WireGuard. Use Amnezia — the same cryptography with handshake masking on top.
  • You need TCP transport in a network without active VPN blocking — a corporate tunnel, for example. Use OpenVPN.
  • You also need to disguise the traffic as ordinary HTTPS. Use Xray.

If in doubt — install WireGuard in BeAdmin and try it for free.

If you don't have a server yet, you can get one from our partners — they offer virtual and dedicated servers with the BeAdmin panel pre‑installed.

Proven over 15 years in hosting. Your VPS with BeAdmin is ready to go out of the box.

  • Germany
  • Netherlands
  • Sweden
  • Switzerland
  • Spain
  • USA
Select server

European reliability made simple. Launch BeAdmin with your VPS in just one click.

  • Germany
  • Netherlands
  • Sweden
  • Estonia
  • Romania
  • Switzerland
  • Spain
  • United Kingdom
  • USA
Sign up

What's next

BeAdmin © 2025. All rights reserved.