Pivot VPN

WireGuard VPN: The Protocol Powering Pivot VPN

Pivot VPN is built on WireGuard. Not bolted on, not optional, not a “legacy fallback” you have to dig through settings to find. It is the default tunnel that carries your traffic on every platform we ship: Android, iOS, Windows, macOS, Linux and Android TV. One subscription, one account, the same modern protocol everywhere.

This page explains what WireGuard actually is, why it is the right choice for a consumer VPN in 2026, and how we implement it inside Pivot VPN so you get the benefits without having to think about cryptography, key rotation or MTU values.

What WireGuard actually is

WireGuard is a VPN protocol designed by Jason Donenfeld and released as open source. It is a deliberately small piece of software. The reference implementation is around 4,000 lines of code, compared to several hundred thousand lines for older protocols. That small surface area is not a marketing line; it is the entire point. Less code means fewer bugs, faster audits, and a tunnel that can be reasoned about end to end.

The protocol uses a fixed, modern cryptographic suite: ChaCha20 for symmetric encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing and HKDF for key derivation. There is no negotiation phase where the client and server argue over which cipher to use. They both already know. That removes a whole class of downgrade attacks and shaves milliseconds off every handshake.

WireGuard runs over UDP. It does not maintain a long-lived stateful connection in the way older protocols do. Instead, each peer is identified by a public key, and the tunnel is essentially a cryptographic routing table: each public key is tied to the tunnel IP addresses that peer is allowed to use. This is what makes WireGuard so resilient when you walk between Wi-Fi and mobile data, or when your laptop wakes from sleep.

Why the protocol matters for a VPN you actually use

A VPN protocol is the engine. You can have the prettiest app in the world, but if the protocol underneath is slow, chatty or fragile, the product will feel slow, chatty and fragile. WireGuard changes the baseline in four concrete ways.

Speed. Because the cipher suite is fixed and the code path is short, WireGuard adds very little overhead between your device and our servers. On a fast home connection you should see the vast majority of your link speed preserved while connected. On mobile you typically see throughput close to the carrier’s native speed.

Connection time. A WireGuard handshake is a single round trip. Tap connect in Pivot VPN and the tunnel is usually live in under a second, often faster than your screen finishes the animation. Older protocols can take five to fifteen seconds to negotiate, which is why people used to leave their VPN off “just for a quick search”. With WireGuard that excuse goes away.

Battery. This is the unglamorous benefit that matters most on phones. WireGuard’s small code path runs efficiently in the kernel on Linux and Android, and through tight userspace implementations on iOS, Windows and macOS. The tunnel does not constantly send keepalives the way some legacy protocols do. On Android and iOS, leaving Pivot VPN on for a full day costs you a single-digit percentage of battery in typical use.

Roaming. WireGuard is connection-less at the network layer. If your phone switches from Wi-Fi to 5G, or your laptop moves between two Wi-Fi networks, the tunnel does not have to be torn down and rebuilt. The next packet from your new IP simply continues the session. In practice you walk out of your home, the Wi-Fi drops, mobile data takes over, and Pivot VPN keeps streaming without a hitch.
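The cryptographic routing table and the roaming behaviour described above, modelled as an added example (not Pivot VPN's or the WireGuard project's code). The class, method names and key labels are hypothetical, and AEAD verification is assumed to have happened before `accept_inbound` is called.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Peer:
    public_key: str          # placeholder label, not a real Curve25519 key
    allowed_ips: list        # tunnel networks routed to, and accepted from, this key
    endpoint: tuple = None   # outer (ip, port) the peer was last seen at

class CryptokeyTable:
    """Simplified model of one WireGuard interface's peer table (hypothetical)."""

    def __init__(self):
        self.peers = {}

    def add_peer(self, public_key, allowed_ips, endpoint=None):
        nets = [ipaddress.ip_network(n) for n in allowed_ips]
        self.peers[public_key] = Peer(public_key, nets, endpoint)

    def lookup(self, ip):
        """Return the peer whose allowed IPs contain ip; longest prefix wins."""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, peer) for peer in self.peers.values()
                   for net in peer.allowed_ips
                   if net.version == addr.version and addr in net]
        return max(matches, key=lambda m: m[0])[1] if matches else None

    def accept_inbound(self, authenticated_key, outer_src, inner_src_ip):
        """Handle a packet that already passed AEAD checks for authenticated_key."""
        peer = self.peers.get(authenticated_key)
        if peer is None:
            return False
        # Roaming: replies go to wherever the last authenticated packet came from.
        peer.endpoint = outer_src
        # The inner source address must route back to the same key, else drop.
        return self.lookup(inner_src_ip) is peer

def demo():
    table = CryptokeyTable()
    # Constructed sample peers; outer addresses are from documentation ranges.
    table.add_peer("PHONE_KEY", ["10.8.0.2/32"], ("198.51.100.7", 40000))
    table.add_peer("SITE_KEY", ["10.8.0.0/24"])
    routed = table.lookup("10.8.0.2").public_key   # /32 beats /24
    moved = table.accept_inbound("PHONE_KEY", ("203.0.113.9", 51000), "10.8.0.2")
    spoofed = table.accept_inbound("PHONE_KEY", ("203.0.113.9", 51000), "10.8.0.99")
    return routed, moved, spoofed, table.peers["PHONE_KEY"].endpoint

if __name__ == "__main__":
    print(demo())
```

The endpoint changes only for a key that is in the table, and an inner packet claiming an address that belongs to another key is dropped even though it was validly encrypted.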

How Pivot VPN implements WireGuard

We did not invent WireGuard, and we are honest about that. What we did do is build the layer that turns a raw protocol into a product you can actually live with.

Server side, every Pivot VPN location runs WireGuard with hardened kernel modules, short-lived peer entries and no persistent logs of your traffic. Keys are generated per session. When you disconnect, the peer entry on the server expires. There is no long-lived record tying a public key to your account in the traffic path.

Client side, we ship native apps for Android, iOS, Windows, macOS, Linux and Android TV. Each app uses the platform’s best available WireGuard integration. On Android we use the kernel implementation where the device supports it, falling back to the well-audited userspace Go implementation. On iOS and macOS we use the Network Extension framework so the tunnel survives backgrounding and device sleep. On Windows we use the official WireGuardNT driver. On Linux we use the in-kernel module. On Android TV the same core runs, tuned for the longer-lived sessions a TV typically has.

Key management is automatic. You do not paste config files, you do not manage peers, you do not edit allowed IPs. You sign in, you tap a country, and the app does the rest. Keys rotate on a schedule and on every reconnect, so the same public key is not reused across sessions.

What you actually experience

Most users will never see the word WireGuard in the Pivot VPN app unless they go looking for it. That is intentional. Here is what you do see.

You see a connect button that turns green in under a second. You see your real IP swap to one in the country you picked, with no five-second pause where the app says “Connecting…”. You see streams keep playing when you walk from the living room to the kitchen and your phone hands off Wi-Fi to mobile data. You see your battery percentage at the end of the day looking almost identical to a day when the VPN was off. You see the same behavior whether you are on a flagship phone, a five-year-old laptop, a Mac, or the Android TV box in the bedroom.

You also see honest indicators. If the handshake fails, the app tells you immediately rather than spinning for thirty seconds. If a server is under load, the app suggests a nearby alternative. If your network blocks UDP, which is rare but real on some corporate and hotel Wi-Fi, Pivot VPN automatically switches to an obfuscated transport that wraps WireGuard in a TCP-friendly disguise so you can still get out.

Cross-device behavior on one subscription

One Pivot VPN subscription covers all your devices simultaneously. You can be connected on your phone, your laptop and your Android TV at the same time, all using WireGuard, all under one account. The protocol is identical across platforms, which means the experience is too. A server that streams smoothly on your Mac will stream smoothly on your iPhone. A location that feels fast on Windows will feel fast on Linux.

This consistency is a direct consequence of using WireGuard everywhere. Older VPN stacks often shipped one protocol on desktop and a different one on mobile, with different performance characteristics and different bugs. We avoid that by standardizing on a single modern protocol with mature implementations on every operating system we support.

Edge cases we have actually thought about

Real networks are messy. Here is what we do when things are not ideal.

Restrictive networks that block UDP. Some workplace, school and hotel networks drop UDP traffic, which would normally break WireGuard. Pivot VPN detects this and switches to a TCP-based obfuscation layer transparently. You stay connected, throughput drops slightly, and you can still load your bank, your email and your video calls.

IPv6-only or dual-stack networks. WireGuard handles IPv6 natively. Pivot VPN tunnels both IPv4 and IPv6 traffic so there is no leakage on dual-stack networks, and no broken sites on IPv6-only mobile carriers.

Sleep and lock screens. On iOS and macOS the Network Extension framework keeps the tunnel alive across screen lock and app suspension. On Android the VPN service runs as a foreground service with the system’s VPN privilege, which means Android will not silently kill it. On Windows we use the service model rather than a per-user process, so the tunnel survives user logout.

Kill switch and DNS. Because WireGuard is essentially a routing decision, our kill switch works at the OS network layer rather than as a hack on top of the protocol. If the tunnel drops, no traffic leaves the device until it is back. DNS is forced through the tunnel by default to prevent leaks, and our resolvers do not log your queries.

Long-running sessions on TV. Android TV sessions can run for many hours uninterrupted while you binge. WireGuard’s lightweight keepalive model means a TV left on overnight does not generate gigabytes of protocol overhead, and a single rekey happens silently without dropping your stream.
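For readers who run WireGuard from a plain config file, the dual-stack and DNS leak conditions described above can be checked mechanically. This is an added example, not Pivot VPN's code: the sample configs are constructed, the keys and endpoint are placeholders, and DNS entries are assumed to be IP addresses.

```python
import ipaddress

# Constructed sample client config (placeholder keys, documentation endpoint).
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0
Endpoint = vpn.example.net:51820
"""
# Same config with the IPv6 default route removed: leaks on dual-stack networks.
V4_ONLY = FULL_TUNNEL.replace(", ::/0", "")

def _values(conf, key):
    """Collect the comma-separated values of `key` from every section."""
    out = []
    for line in conf.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            out += [v.strip() for v in value.split(",") if v.strip()]
    return out

def audit(conf):
    """Return a list of leak findings; an empty list means none were found."""
    nets = [ipaddress.ip_network(v, strict=False) for v in _values(conf, "AllowedIPs")]
    findings = []
    for version, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        # Collapse so that split defaults such as /1 + /1 count as full coverage.
        merged = list(ipaddress.collapse_addresses(n for n in nets if n.version == version))
        if merged != [ipaddress.ip_network(default)]:
            findings.append(f"IPv{version} traffic is not fully routed into the tunnel")
    dns = _values(conf, "DNS")
    if not dns:
        findings.append("no DNS set: the system resolver stays in use")
    for server in dns:
        addr = ipaddress.ip_address(server)
        if not any(addr.version == n.version and addr in n for n in nets):
            findings.append(f"DNS {server} is outside AllowedIPs")
    return findings

if __name__ == "__main__":
    print(audit(FULL_TUNNEL), audit(V4_ONLY))
```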

Why we picked WireGuard and stayed with it

We picked WireGuard because it is the rare piece of infrastructure that is both newer and simpler than what it replaced. We stayed with it because three years of running it in production across six platforms has confirmed the original promise. It is faster. It uses less battery. It reconnects more cleanly. It has fewer bugs. And it gives our users an experience that finally matches what a VPN was always supposed to feel like: invisible when it should be, instant when you need it, and the same on every device you own.

Frequently asked questions

How does WireGuard work inside Pivot VPN?

WireGuard establishes an encrypted UDP tunnel between your device and a Pivot VPN server using a fixed modern cipher suite (ChaCha20, Poly1305, Curve25519). The handshake is a single round trip, so the tunnel comes up in under a second. Once connected, all your IP traffic, both IPv4 and IPv6, flows through that tunnel until you disconnect or the app rotates keys.

Is WireGuard on by default on every Pivot VPN app?

Yes. WireGuard is the default and only consumer-facing protocol in Pivot VPN on Android, iOS, Windows, macOS, Linux and Android TV. You do not have to enable it or pick it from a menu. When a network blocks UDP, the app transparently wraps WireGuard in an obfuscated TCP transport, but the underlying protocol stays the same.

Does WireGuard slow my connection down?

In most cases the slowdown is small enough that you will not notice it during normal browsing, streaming or calls. WireGuard's small code path and fixed cipher suite were designed specifically to minimize overhead, so on a typical home or mobile connection you keep the vast majority of your native speed. Speed is mostly limited by physical distance to the server you pick, not by the protocol.

Will using WireGuard drain my phone battery?

No more than any other normal background app, and significantly less than older VPN protocols. WireGuard avoids constant chatty keepalives and runs through tight kernel or platform-native implementations on Android and iOS. Leaving Pivot VPN connected all day typically costs only a few percent of battery in real-world use.

Does the same WireGuard connection work across all my devices?

One Pivot VPN subscription connects all your devices at the same time on the same WireGuard implementation. Your phone, laptop, desktop and Android TV can each hold their own tunnel concurrently. Each device gets its own keys and its own session, so there is no interference between them.

What happens to my WireGuard tunnel when I switch networks?

WireGuard is roaming-friendly by design. When your phone moves from Wi-Fi to mobile data, or your laptop jumps between Wi-Fi networks, the tunnel does not have to be torn down. The next packet from your new IP address simply continues the existing session, so streams, calls and downloads keep going without a reconnect.
