
Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Secure tunneling tech hopes to move from module to resident

By Thomas Claburn in San Francisco


The developer of WireGuard has laid the groundwork for plugging his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and the founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. Initially released and still available as an optional kernel module for Linux, WireGuard is also available for Android, macOS, Windows, and other platforms.

"Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers," said Donenfeld in the notes accompanying his patches. "There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux."

WireGuard was developed as an alternative to secure tunneling protocols like IPsec and OpenVPN. Donenfeld has described these older protocols as "overwhelmingly difficult." WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard guards layer 3, the network layer, in the OSI networking model. It uses Curve25519 for key exchange, BLAKE2s for hashing, and ChaCha20 and Poly1305 for authentication – full details can be found here [PDF].

Instead of the complexity of IPsec and XFRM, WireGuard presents a virtual interface – wg0 – that can be configured using familiar networking utilities such as ip(8) and ifconfig(8). Once the private and public keys are set up, WireGuard should just work.
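To make the "virtual interface plus familiar tools" point concrete, here is an added example, not code from the article or from the WireGuard project, that brings up a wg0 interface on one host with ip(8) and the wg(8) utility from wireguard-tools. The addresses, port, key path and peer public key are constructed placeholders, and the script defaults to a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the article or the WireGuard project): bring up a
# WireGuard interface "wg0" with ip(8) and wg(8) on one host.
# Defaults to a dry run that prints the commands; DRY_RUN=0 as root applies them.
set -eu
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# wg_keys KEYFILE: create a private key under a restrictive umask (it must not be
# world-readable) and print the matching public key for the peer to configure.
wg_keys() {
    keyfile=$1
    if [ "$DRY_RUN" = "1" ]; then
        printf 'wg genkey > %s && wg pubkey < %s\n' "$keyfile" "$keyfile"
    elif [ ! -f "$keyfile" ]; then
        (umask 077 && wg genkey > "$keyfile")
        wg pubkey < "$keyfile"
    fi
}

# wg_up IFACE LOCAL_CIDR LISTEN_PORT KEYFILE PEER_PUBKEY PEER_ALLOWED PEER_ENDPOINT
# Creates the interface, assigns the tunnel address, loads the private key, adds
# one peer and brings the link up. allowed-ips is WireGuard's cryptokey routing:
# packets for those prefixes are sent to, and only accepted from, the holder of
# PEER_PUBKEY, so keep it as narrow as the peer actually needs.
wg_up() {
    iface=$1 cidr=$2 port=$3 keyfile=$4
    peer_key=$5 peer_allowed=$6 peer_endpoint=$7
    run ip link add dev "$iface" type wireguard
    run ip address add "$cidr" dev "$iface"
    run wg set "$iface" listen-port "$port" private-key "$keyfile" \
        peer "$peer_key" allowed-ips "$peer_allowed" endpoint "$peer_endpoint"
    run ip link set up dev "$iface"
}

# Constructed placeholder values: tunnel 10.0.0.0/24, peer reachable at an
# address from the documentation range, peer public key to be pasted in.
wg_keys /etc/wireguard/wg0.key
wg_up wg0 10.0.0.1/24 51820 /etc/wireguard/wg0.key \
      "PEER_PUBLIC_KEY_PLACEHOLDER" 10.0.0.2/32 203.0.113.10:51820
```

The peer runs the same steps with its own key, its own tunnel address and this host's public key and endpoint filled in.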

"This is in a sense sort of blasphemous," said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, "because in achieving this simplicity we've done away with all the academically pure layering assumptions."

It's not quite heresy: WireGuard has been subject to formal verification for its crypto implementation. But it's still characterized as a work-in-progress and includes a list of things to do.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial options, which have been known to leak information and to sell your browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits' Algo (which now supports WireGuard), Jigsaw's Outline and Streisand (which also supports WireGuard). ®
