Yep thats correct. All based on wireguard-go. It is growing in what it can do now but at its core its just a Wireguard wrapper that coordinates with Pangolin to get the tunnel up. It also runs in netstack user space so it does not need kernel permissions to open a port and it's only egress is proxied out with TCP/UDP reverse proxies built in to access what is needed on the network.