Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Secure tunneling tech hopes to move from module to resident

By Thomas Claburn in San Francisco

The developer of WireGuard has laid the groundwork for plugging his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. First released as an out-of-tree kernel module for Linux, which remains available, WireGuard also has ports for Android, macOS, Windows, and other platforms.

"Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers," said Donenfeld in the notes accompanying his patches. "There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux."

WireGuard was developed as an alternative to secure tunneling protocols like IPSec and OpenVPN. Donenfeld has described these older protocols as "overwhelmingly difficult." WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard operates at layer 3, the network layer, of the OSI networking model: it carries IP packets inside UDP datagrams. It uses Curve25519 for key exchange, BLAKE2s for hashing and keyed hashing, and ChaCha20Poly1305 as the AEAD construction that both encrypts and authenticates tunneled packets. Full details can be found in the WireGuard whitepaper [PDF].

In lieu of the complexity of IPsec and XFRM, WireGuard presents a virtual network interface, wg0, that is addressed and routed with familiar utilities like ip(8) and ifconfig(8), while keys and peers are set with the wg(8) tool. Each endpoint holds a Curve25519 key pair; once peers have exchanged public keys and each has been told which IP ranges the other is allowed to use inside the tunnel, WireGuard should just work.

"This is in a sense sort of blasphemous," said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, "because in achieving this simplicity we've done away with all the academically pure layering assumptions."

It's not quite heresy: WireGuard's handshake protocol and cryptographic code have been subjected to formal verification. But the project still characterizes itself as a work in progress and maintains a list of things to do.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial VPN services, some of which have been known to leak information and to sell users' browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits' Algo (which now supports WireGuard), Jigsaw's Outline and Streisand (which also supports WireGuard). ®
