Authors: Yüce, Mehmet Fatih; Ertürk, Mehmet Ali; Aydın, Muhammed Ali
Dates: 2026-03-23; 2026-03-23; 2026
ISSN: 0167-4048; 1872-6208
DOI: 10.1016/j.cose.2026.104887
Scopus ID: 2-s2.0-105032353596
https://doi.org/10.1016/j.cose.2026.104887
https://hdl.handle.net/11501/2663

Abstract: Modern Virtual Private Network (VPN) protocols rely on public-key-based handshakes that authenticate peers but can inadvertently reveal identifying or linkable information across sessions or network observers. This paper presents a privacy-preserving handshake framework that integrates Schnorr-based zero-knowledge proofs into existing VPN key-exchange mechanisms, allowing each party to prove key ownership without disclosing long-term identifiers such as static public keys. The framework is expressed as a generic extension layer applicable to a wide class of VPN protocols employing Diffie-Hellman-based mutual authentication (e.g., IKEv2/IPsec, OpenVPN, and WireGuard). To demonstrate feasibility, we integrate the scheme into WireGuard as a case study, yielding WireGuard-ZK. Implementation results show that the added privacy protection incurs modest computational and latency overhead while maintaining WireGuard's lightweight performance characteristics. The proposed design thus provides a generalizable cryptographic handshake model for privacy-preserving VPNs, combining theoretical soundness with practical deployability across modern tunneling frameworks.

Language: en
Access: info:eu-repo/semantics/closedAccess
Keywords: NIZK; Privacy-Preserving Authentication; VPN Handshake; WireGuard
Title: Privacy-preserving VPN handshakes with Schnorr-based zero-knowledge proofs
Type: Article
Q1
166
WOS:001716996900001
Q1