WireGuard uses UDP based communication which means the last IP addresses of the clients have to be known by the server in order to send information, such are the cases when you receive a chat message or any type of push notification while your VPN is active yet you do not actively use your device.


On a TCP based VPN service, it is easy to understand when the client ends the connection and all data related to that connection can be purged.
On the other hand, for a UDP based service such as WireGuard, the system does not work with a connection but it works by sending blind packages to last known IP addresses of clients. This means that unless a precaution is taken, the last IP address of a client can be held as an active address indefinitely, which makes these IPs "involuntary logs".

In order to mitigate the risk of having client IPs involuntarily stored and/or exposed, we take the following actions :

1- We use blind operator mode supplied by WireGuard team to mask the active IPs.
2- We detect all inactive IPs and purge them. This effectively kills communication until further packets are received from the client.