Privacy-preserving VPN handshakes with Schnorr-based zero-knowledge proofs
Abstract
Modern Virtual Private Network (VPN) protocols rely on public-key-based handshakes that authenticate peers but can inadvertently reveal identifying or linkable information across sessions or to network observers. This paper presents a privacy-preserving handshake framework that integrates Schnorr-based zero-knowledge proofs into existing VPN key-exchange mechanisms, allowing each party to prove key ownership without disclosing long-term identifiers such as static public keys. The framework is expressed as a generic extension layer applicable to a wide class of VPN protocols employing Diffie-Hellman-based mutual authentication (e.g., IKEv2/IPsec, OpenVPN, and WireGuard). To demonstrate feasibility, we integrate the scheme into WireGuard as a case study, yielding WireGuard-ZK. Implementation results show that the added privacy protection incurs modest computational and latency overhead while maintaining WireGuard's lightweight performance characteristics. The proposed design thus provides a generalizable cryptographic handshake model for privacy-preserving VPNs, combining theoretical soundness with practical deployability across modern tunneling frameworks.











