• Arsen6331 ☭@lemmygrad.ml
    2 years ago

    Mullvad uses WireGuard and OpenVPN.

    They operate the same way as most modern encryption schemes. There is a private and public key on your device and on the server. You send your public key, the server sends its public key, and then they both use an algorithm, either Diffie-Hellman or Elliptic Curve Diffie-Hellman depending on what type of key you use, into which they input their private key and the other device’s public key. The output of the algorithm will be the same for both despite the fact that they have different inputs. Then, they will just use the output normally as a regular key.

    WireGuard also has ephemeral keys that change constantly, so even if police get your keys and those of the specific server you connected to (they’d need both in order to derive the shared secret), they will not get your data (if you’re using WireGuard). Also, it uses Curve25519, which is a non-NIST elliptic curve (NIST is the US government’s standards agency. Who knows if their elliptic curves have backdoors?).