Does WireGuard encrypt the source and destination IP addresses of packets?

I suspect that the source and destination IP addresses are not encrypted because it seems Endpoint can be changed.

WG endpoints


If you’re talking about the tunnel itself, they cannot be encrypted because they need to be routed on the public internet. The traffic that flows within the tunnel is of course encrypted, but it must emerge unencrypted on the other end to reach its destination.


My 2 cents: and that's why some of the VPN providers have eg:

  • multi-hop (vpn to Germany, exit in Finland)
  • double vpn (vpn to G, encrypt again in G, decrypt in F, exit in F)
  • double nat (obfuscates source ip of the connection)

So it all depends on what you want to use it for and if its applicable to your situation.

You list good advanced cases of VPNs.

And I think that's a good reason to ask the the OP to better explain the use case. It's seem possible that they're expecting dynamic, ephemeral or mesh, P2P or some other type of connectivity. It also seems they may merely refer to the ability to edit the configuration.

  • All VPNs I'm aware of require you to know the destination IP of where encrypted traffic can be sent, ora method to get a list of such peers
  • In Wireguard, the user configures the Public Key of the remote host and the remote host knows the Public Key of the local host and the Internal IP it assigned/allows, therefore editing the Public Endpoint IP of the Peer is useless - as the traffic is indeed encrypted, except in the one case it's a globally dispersed GeoDNS-based VPN system (e.g. Cloudflare WARP) - I assume in that case, you could theoretically find the IP of a server in another region, your connection to that IP should work :wink:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.