
Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Secure tunneling tech hopes to move from module to resident

By Thomas Claburn in San Francisco


The developer of WireGuard has laid the groundwork for plugging his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and the founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. Initially released and still available as an optional kernel module for Linux, WireGuard is also available for Android, macOS, Windows, and other platforms.

"Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers," said Donenfeld in the notes accompanying his patches. "There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux."

WireGuard was developed as an alternative to secure tunneling protocols like IPsec and OpenVPN. Donenfeld has described these older protocols as "overwhelmingly difficult." WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard guards layer 3, the network layer, in the OSI networking model. It uses Curve25519 for key exchange, BLAKE2s for hashing, and ChaCha20 and Poly1305 for authentication – full details can be found here [PDF].

In lieu of the complexity of IPsec and XFRM, WireGuard presents a virtual interface – wg0 – that can be configured using familiar networking utilities like ip(8) and ifconfig(8). After setting up a private key and the peers' public keys, WireGuard should just work.
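The interface setup described above, spelled out as commands, is an added example and not code from the article or the WireGuard project: it uses ip(8) and the wg(8) utility that ships with WireGuard; the interface name, addresses, port, endpoint and key paths are placeholders, and WG_DRY_RUN=1 prints the commands instead of running them (running them for real needs root and the WireGuard driver).

```shell
#!/bin/sh
# Added example, not from the article: bring up a WireGuard interface with
# the stock tools, ip(8) and wg(8). All names and addresses are placeholders.
set -eu

# Run a command, or just print it when WG_DRY_RUN=1 (no root needed).
run() {
    if [ "${WG_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Generate a Curve25519 keypair in directory $1.
# umask 077 keeps the private key unreadable by other local users.
wg_genkeys() {
    ( umask 077 && wg genkey > "$1/privatekey" )
    wg pubkey < "$1/privatekey" > "$1/publickey"
}

# Create the interface, address it, attach one peer and bring it up.
# $1 interface   $2 local address/prefix   $3 private key file   $4 listen port
# $5 peer public key   $6 peer allowed-ips   $7 peer endpoint host:port
# allowed-ips is WireGuard's cryptokey routing table: packets from this peer
# are accepted only if their source is inside it, and only destinations inside
# it are sent to this peer, so keep it as narrow as the peer really needs.
wg_up() {
    run ip link add dev "$1" type wireguard
    run ip address add dev "$1" "$2"
    run wg set "$1" listen-port "$4" private-key "$3" \
        peer "$5" allowed-ips "$6" endpoint "$7"
    run ip link set up dev "$1"
}
```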

"This is in a sense sort of blasphemous," said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, "because in achieving this simplicity we've done away with all the academically pure layering assumptions."

It's not quite heresy: WireGuard has been subject to formal verification for its crypto implementation. But it's still characterized as a work-in-progress and includes a list of things to do.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial options, which have been known to leak information and to sell your browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits' Algo (which now supports WireGuard), Jigsaw's Outline and Streisand (which also supports WireGuard). ®
