In a secure WireGuard connection, each of the two devices has a unique pair of cryptographic keys: one public (shared openly with peers) and one private (never shared with anyone else). When a tunnel is established, the handshake between the two devices combines the devices' static private and public keys with fresh, individual ephemeral keys generated for that handshake. The random ephemeral keys provide forward secrecy: if the static private keys are later stolen by a third party, they cannot be used to decrypt previously captured traffic, because the ephemeral keys cannot be reproduced.
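The following added example (not code from WireGuard or its author) models the point above: a session key derived from four Diffie-Hellman results in the style of WireGuard's Noise IK handshake (ephemeral-static, static-static, ephemeral-ephemeral, static-ephemeral), and what an attacker who later obtains both static private keys plus a recording of the handshake can recompute. The X25519 function is a straightforward transcription of the RFC 7748 Montgomery ladder in pure Python so the example runs offline; the KDF, salt string and key names are constructed for the demo and are simplifications of WireGuard's real chained BLAKE2s KDF.

```python
import os
import hmac
import hashlib

# --- X25519 (RFC 7748), pure Python for illustration; not constant-time ---
P = 2**255 - 19
A24 = 121665

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clamp low bits
    k[31] &= 127         # clear top bit
    k[31] |= 64          # set second-highest bit
    return int.from_bytes(k, "little")

def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # ignore the most significant bit of the u-coordinate
    return int.from_bytes(u, "little") % P

def _encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 (Montgomery ladder)."""
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return _encode_u(x2 * pow(z2, P - 2, P))

BASEPOINT = _encode_u(9)

def generate_keypair():
    """Return (private, public) for a fresh random X25519 key."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

# --- Simplified key schedule (constructed stand-in for the Noise chained KDF) ---
def kdf(*dh_outputs: bytes) -> bytes:
    return hmac.new(b"constructed-demo-salt", b"".join(dh_outputs), hashlib.blake2s).digest()

def initiator_session_key(si, ei, S_r, E_r):
    es, ss = x25519(ei, S_r), x25519(si, S_r)
    ee, se = x25519(ei, E_r), x25519(si, E_r)
    return kdf(es, ss, ee, se)

def responder_session_key(sr, er, S_i, E_i):
    # same four shared secrets, computed from the responder's side
    es, ss = x25519(sr, E_i), x25519(sr, S_i)
    ee, se = x25519(er, E_i), x25519(er, S_i)
    return kdf(es, ss, ee, se)

def compromised_static_view(si, sr, S_r, E_i, E_r):
    """What an attacker holding BOTH static private keys plus the recorded
    handshake (public ephemerals E_i, E_r) can recompute afterwards."""
    es = x25519(sr, E_i)    # static private + recorded ephemeral public
    ss = x25519(si, S_r)    # both statics
    se = x25519(si, E_r)    # static private + recorded ephemeral public
    # ee = DH(ei, er) needs an ephemeral PRIVATE key, which neither side keeps
    return {"es": es, "ss": ss, "se": se}

def run_handshake():
    """Run one handshake; return (initiator key, responder key, attacker's best guess)."""
    si, S_i = generate_keypair()   # initiator static
    sr, S_r = generate_keypair()   # responder static
    ei, E_i = generate_keypair()   # initiator ephemeral (discarded after use)
    er, E_r = generate_keypair()   # responder ephemeral (discarded after use)
    k_i = initiator_session_key(si, ei, S_r, E_r)
    k_r = responder_session_key(sr, er, S_i, E_i)
    view = compromised_static_view(si, sr, S_r, E_i, E_r)
    guess = kdf(view["es"], view["ss"], b"\x00" * 32, view["se"])  # ee unknown
    return k_i, k_r, guess

if __name__ == "__main__":
    k_i, k_r, guess = run_handshake()
    print("peers agree:", k_i == k_r, "| static-key thief recovers key:", guess == k_i)
```

The design point the demo makes explicit: a thief holding both static private keys and a packet capture can recompute three of the four shared secrets, so forward secrecy rests entirely on the ephemeral-ephemeral term and on each peer erasing its ephemeral private key once the handshake completes.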
WireGuard was authored by security engineer Jason Donenfeld, who began work on it in 2016. It has gained attention in part because of its minimalist design: the implementation is only 4000 lines of code, and Donenfeld's intention was that a security researcher could feasibly read and audit the whole code base in a single weekend.
WireGuard "fails safe": if something goes wrong, no data is transferred. It is "quiet" rather than "chatty", sending minimal data and so preserving network bandwidth and battery life on mobile devices. Its endpoints can also roam: if you establish a connection on one network and then move to another, the secure connection is not broken. For example, you can establish a secure connection at home, then go to a café and connect to its public Wi-Fi network, and your traffic remains encrypted.