Double VPN — How It Works

NetBird's double VPN creates two independent WireGuard tunnels — one inside the other — using different encryption algorithms and independent key management. This page explains the data path, interface architecture, and how the two layers interact.

Data Path

Every packet from an application traverses two full WireGuard encryption layers before reaching the network:

Application (e.g. SSH, HTTPS)
    │
    │  cleartext
    ▼
┌─────────────────────────────────────────────────────┐
│  aes0 — AES WireGuard Interface                     │
│  Cipher: AES-256-GCM                                │
│  Noise: Noise_IKpsk2_25519_AESGCM_BLAKE2s           │
│  PSK: Injected by DSKE (rotated every 120s)          │
│  Listen port: 51830                                  │
└─────────────────────────────────────────────────────┘
    │
    │  AES-encrypted WireGuard packet
    ▼
┌─────────────────────────────────────────────────────┐
│  wg0 — Standard WireGuard Interface                  │
│  Cipher: ChaCha20-Poly1305                           │
│  Noise: Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s        │
│  Keys: Standard WireGuard DH exchange                │
└─────────────────────────────────────────────────────┘
    │
    │  double-encrypted packet
    ▼
Network (internet, LAN, cellular, satellite, etc.)

On the receiving side, the process is reversed: wg0 decrypts the outer layer, then aes0 decrypts the inner layer, delivering cleartext to the application.

Two Interfaces, One Network

NetBird manages both interfaces transparently. Each peer receives two IP addresses:

Interface	IP Range	Purpose
`wg0`	`100.64.0.0/10`	Standard WireGuard tunnel — carries AES tunnel traffic + infrastructure
`aes0`	Configurable subnet	AES WireGuard tunnel — carries application traffic

The AES IP is allocated by the management server and distributed to all peers via the network map. Both IPs are resolvable via DNS:

DNS Query	Resolves To
`my-server.netbird.cloud`	WireGuard IP (e.g. `100.64.0.1`)
`my-server.aes.netbird.cloud`	AES IP (e.g. `100.64.128.1`)

Route Steering

The client automatically routes traffic through the correct interface:

AES-capable peers: Application traffic routes via aes0 (double encrypted)
AES-exempt peers: Traffic routes via wg0 (single WireGuard encryption)
Security hubs: Always communicate via wg0 (they provide key management, not data transport)

This happens transparently — applications connect to the AES IP and the routing table handles the rest.

Firewall and Access Control

Users create access policies against peer groups as a single logical network. The client locally decides which interface to enforce rules on:

Local Peer	Remote Peer	Firewall Behavior
AES-capable	AES-capable	User policies on `aes0`, infrastructure-only on `wg0`
AES-capable	AES-exempt	User policies on `wg0` (standard mode)
AES-exempt	Any	User policies on `wg0` (standard mode)

When both peers use AES, the wg0 interface is locked down to only allow:

Protocol	Port	Purpose
ICMP	—	Diagnostics (ping)
UDP	51830	AES WireGuard tunnel endpoint
TCP	51831	DSKE key exchange

All other application traffic must flow through the AES tunnel.

AES WireGuard Implementation

The AES WireGuard interface uses a fork of the standard wireguard-go implementation with a single modification: the Noise protocol cipher suite is changed from ChaCha20-Poly1305 to AES-256-GCM.

Everything else — the Noise IKpsk2 handshake pattern, session key derivation, UAPI interface, timers, peer management — is identical to standard WireGuard. The interface is verified at startup to confirm the correct cipher:

Noise_IKpsk2_25519_AESGCM_BLAKE2s

Key Properties

Same WireGuard private key as the primary interface — no additional key management for the tunnel itself
Independent PSK from DSKE — this is the additional key material that enables the second encryption layer
Automatic MTU: Derived from the primary WireGuard MTU minus 60 bytes (IPv4 overhead)
Userspace implementation: Runs entirely in userspace for portability

PSK Security Gate

When a new AES peer is added, the interface initializes with a random PSK that is different from the remote peer's random PSK. This means:

The WireGuard handshake on aes0 will intentionally fail — both sides have different PSKs
No application traffic can flow over the AES tunnel
DSKE must establish a shared secret before the tunnel becomes operational
Once DSKE injects the agreed-upon PSK on both sides, the handshake succeeds within seconds

This is a deliberate security gate: the AES path is blocked until DSKE establishes governance. There is never a window where the AES tunnel operates without DSKE-managed keys.

Key Rotation

DSKE rotates the PSK every 120 seconds. Rotation is seamless:

DSKE generates a new secret and both peers inject it
The existing WireGuard session continues with its current session keys
At the next natural WireGuard rekey (every 120 seconds), the new PSK is used
No traffic interruption, no forced handshake on rotations

The AES WireGuard interface is currently Linux-only. Other platforms use the standard WireGuard tunnel.

DSKE (Key Exchange)

Operations

Platforms

Peers

Access Control

Networks

Network Routes

DNS

Team

Activity

Settings

Integrations

Public API

For Partners

Maintenance

Authentication

Migration Guides