Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Secure tunneling tech hopes to move from module to resident

Steampunk alchemist holding a potion

The developer of WireGuard has laid the groundwork for plugging his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and the founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. Initially released and still available as an optional kernel module for Linux, WireGuard is also available for Android, macOS, Windows, and other platforms.

"Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers," said Donenfeld in the notes accompanying his patches. "There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux."

WireGuard was developed as an alternative to secure tunneling protocols like IPSec and OpenVPN. Donenfeld has described these older protocols as "overwhelmingly difficult." WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard guards layer 3, the network layer, in the OSI networking model. It uses Curve25519 for key exchange, BLAKE2s for hashing, and ChaCha20 and Poly1305 for authentication – full details can be found here [PDF].

In lieu of the complexity of IPsec and XFRM, WireGuard presents a virtual interface – wg0 – that can be configured using familiar networking utilities like ip(8) and ifconfig(8). After setting up private key and public keys, WireGuard should just work.

"This is in a sense sort of blasphemous," said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, "because in achieving this simplicity we've done away with all the academically pure layering assumptions."

It's not quite heresy: WireGuard has been subject to formal verification for its crypto implementation. But it's still characterized as a work-in-progress and includes a list of things to do.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial options, which have been known to leak information and to sell your browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits' Algo (which now supports WireGuard), Jigsaw's Outline and Streisand (which also supports WireGuard). ®




Biting the hand that feeds IT © 1998–2018