WireGuard

WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It runs as a module inside the Linux kernel and aims for better performance and greater power savings than the IPsec and OpenVPN tunneling protocols.[3] It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2.[4] The Linux version of the software has reached a stable production release and was incorporated into the Linux kernel release in late March 2020.[2]

WireGuard
Original author(s): Jason A. Donenfeld
Developer(s): Jason A. Donenfeld
Repository
Written in: C (Linux kernel module, OpenBSD kernel driver), Go (userspace implementation)
Operating system [1][2][lower-alpha 1]
Type: Virtual private network
License: GPLv2
Website: www.wireguard.com

Features

WireGuard aims to provide a VPN that is both simple and highly effective. A 2018 review by Ars Technica observed that popular VPN technologies such as OpenVPN and IPsec are often complex to set up, disconnect easily (in the absence of further configuration), take substantial time to negotiate reconnections, may use outdated ciphers, and have relatively massive code (over 400,000 and 600,000 lines of code, respectively, according to Ars Technica) which makes it harder to find bugs.[5]

WireGuard's design seeks to reduce these issues, making the tunnel more secure and easier to manage by default. By using versioning of cryptography packages, it focuses on ciphers believed to be among the most secure current encryption methods. At the time of the Ars Technica review it had a codebase of around 4000 lines of pure kernel code, about 1% of either OpenVPN or IPsec, which makes security audits easier. Linux kernel creator Linus Torvalds praised it, in comparison with OpenVPN and IPsec, as a "work of art".[6] Ars Technica reported that in testing, stable tunnels were easy to create with WireGuard, compared to alternatives, and commented that it would be "hard to go back" to long reconnection delays, compared to WireGuard's "no nonsense" instant reconnections.[5]

Protocol

WireGuard utilizes the following:[4]


In May 2019, researchers from INRIA published a machine-checked proof of WireGuard, produced using the CryptoVerif proof assistant.[8]

Encryption

WireGuard only supports ChaCha20.

Optional Pre-shared Symmetric Key Mode

WireGuard supports an optional pre-shared symmetric key mode, which is included to mitigate any future advances in quantum computing. In the shorter term, if the pre-shared symmetric key is compromised, the Curve25519 keys still provide more than sufficient protection.

Networking

WireGuard only works over UDP.

WireGuard fully supports IPv6, both inside and outside of the tunnel. It supports only layer 3 for both IPv4 and IPv6 and can encapsulate v4-in-v6 and vice versa.[9]

WireGuard supports multiple topologies:

  • Point-to-point
  • Star (Server/client)
    • A client endpoint does not have to be defined before the client starts sending data.
    • Client endpoints can be statically predefined.
  • Mesh

Since Point-to-point is supported, other topologies can be made, but not on the same tunnel.

Extensibility

WireGuard is designed to be extended by third-party programmes and scripts. This has been used to augment WireGuard with various features including more user-friendly management interfaces (including easier setting up of keys), logging, dynamic firewall updates, and LDAP integration.

Excluding such complex features from the minimal core codebase improves its stability and security.
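
As an added example (not code from the WireGuard project), the following Python script shows the kind of third-party logging and audit tooling described above. It parses the tab-separated peer listing that the wg(8) tool prints for `wg show <interface> dump` and reports peers without a pre-shared key, peers whose endpoint has not yet been learned, and peers with no recent handshake. The sample dump, the key placeholders and the 180-second staleness threshold are assumptions made for this example.

```python
# Constructed sample in the layout wg(8) documents for `wg show <interface> dump`.
# Every key below is a placeholder, not real key material.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIV-PLACEHOLDER", "PUB-SERVER", "51820", "off"]),
    "\t".join(["PUB-LAPTOP", "PSK-PLACEHOLDER", "198.51.100.7:40112",
               "10.0.0.2/32", "1700000000", "1024", "2048", "off"]),
    "\t".join(["PUB-PHONE", "(none)", "(none)",
               "10.0.0.3/32", "0", "0", "0", "25"]),
    "\t".join(["PUB-GATEWAY", "(none)", "203.0.113.9:51820",
               "10.0.0.4/32", "1699990000", "10", "20", "off"]),
])

STALE_AFTER = 180  # seconds without a handshake; assumed threshold


def parse_peers(dump):
    """Return one dict per peer. Secrets are reduced to booleans, never kept."""
    lines = [line for line in dump.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:  # line 0 describes the interface and holds the private key
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 peer fields, got {len(fields)}")
        peers.append({
            "public_key": fields[0],
            "has_psk": fields[1] != "(none)",  # the key itself is discarded here
            "endpoint": None if fields[2] == "(none)" else fields[2],
            "latest_handshake": int(fields[4]),  # Unix time, 0 = never
        })
    return peers


def audit(peers, now):
    """Return (public_key, finding) pairs suitable for a log line."""
    findings = []
    for peer in peers:
        key = peer["public_key"]
        if not peer["has_psk"]:
            findings.append((key, "no-preshared-key"))
        if peer["endpoint"] is None:
            findings.append((key, "endpoint-not-learned"))
        if peer["latest_handshake"] == 0:
            findings.append((key, "never-handshaken"))
        elif now - peer["latest_handshake"] > STALE_AFTER:
            findings.append((key, "stale-handshake"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_peers(SAMPLE_DUMP), now=1700000060):
        print(f"{key}\t{finding}")
```

Because the dump output contains the interface private key and any pre-shared keys in clear text, a logging script should drop those fields at parse time, as done here, rather than forward the raw output.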

History

The earliest snapshots of the code base date from June 30, 2016.[10] Four early adopters of WireGuard were the VPN service providers Mullvad,[11] AzireVPN,[12] IVPN[13] and cryptostorm.[14] WireGuard has received donations from Mullvad, Private Internet Access, IVPN and the NLnet Foundation,[15] and now also from OVPN.[16]

As of June 2018 the developers of WireGuard advise treating the code and protocol as experimental, and caution that they have not yet achieved a stable release compatible with CVE tracking of any security vulnerabilities that may be discovered.[17][18]

On 9 December 2019, David Miller, primary maintainer of the Linux networking stack, accepted the WireGuard patches into the "net-next" maintainer tree, for inclusion in an upcoming kernel.[19][20][21]

On 28 January 2020, Linus Torvalds merged David Miller's net-next tree, and WireGuard entered the mainline Linux kernel tree.[22]

On 20 March 2020, Debian developers enabled the module build options for WireGuard in their kernel config for the Debian 11 version (testing).[23]

On 29 March 2020 WireGuard was incorporated into the Linux 5.6 release tree. The Windows version of the software remains at beta.[2]

On 30 March 2020, Android developers added native kernel support for WireGuard in their Generic Kernel Image.[24]

On 22 April 2020, NetworkManager developer Beniamino Galvani merged GUI support for WireGuard.[25]

On 12 May 2020, Matt Dunwoodie proposed patches for native kernel support of WireGuard in OpenBSD.[26]

On 22 June 2020, after the work of Matt Dunwoodie and Jason A. Donenfeld, WireGuard support was imported into OpenBSD.[27]

Reception

Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard as a replacement for existing technologies like IPsec and OpenVPN.[28]

Implementations

Implementations of the WireGuard protocol include:

User space programs supporting WireGuard

User space programs supporting WireGuard include:

Notes

  1. Not all platforms may have a currently released version and some may be at beta.

References

  1. "Installation". WireGuard. Retrieved 23 April 2020.
  2. Salter, Jim (30 March 2020). "WireGuard VPN makes it to 1.0.0—and into the next Linux kernel". Archived from the original on 31 March 2020. Retrieved 23 April 2020.
  3. Preneel, Bart; Vercauteren, Frederik, eds. (11 June 2018). Applied Cryptography and Network Security. Springer. ISBN 978-3-319-93387-0. Archived from the original on 18 February 2019. Retrieved 25 June 2018.
  4. "WireGuard: fast, modern, secure VPN tunnel". WireGuard. Archived from the original on 28 April 2018. Retrieved 28 April 2018.
  5. Salter, Jim (26 August 2018). "WireGuard VPN review: A new type of VPN offers serious advantages". Ars Technica. Archived from the original on 20 September 2018.
  6. "Linux-Kernel Archive: Re: [GIT] Networking".
  7. Donenfeld, Jason A. "Known Limitations - WireGuard". www.wireguard.com. Retrieved 1 June 2020.
  8. Lipp, Benjamin; Blanchet, Bruno; Bhargavan, Karthikeyan (2019), A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, Research Report RR-9269, Paris: Inria, p. 49, hal-02100345
  9. Donenfeld, Jason A. "Introduction & Motivation" (PDF). WireGuard: Next Generation Kernel Network Tunnel (PDF). Archived (PDF) from the original on 4 March 2018.
  10. "Index of /Monolithic-historical/".
  11. Mason, John (13 February 2019). "Mullvad Review". thebestvpn. 2. Strong Tunneling Protocols – OpenVPN & WireGuard. Archived from the original on 24 June 2019. Retrieved 8 April 2019.
  12. Mason, John (19 February 2019). "AzireVPN Review". thebestvpn. 2. Impressive Protocols and Encryption. Archived from the original on 8 May 2019. Retrieved 8 April 2019.
  13. Pestell, Nick (11 December 2018). "Introducing Wireguard". Retrieved 22 September 2019.
  14. "WireGuard support added!". cryptostorm blog. 5 April 2019. Archived from the original on 9 December 2019. Retrieved 9 December 2019.
  15. "Donations". WireGuard. Archived from the original on 28 April 2018. Retrieved 28 April 2018.
  16. "OVPN donates to support WireGuard". OVPN. 23 March 2020.
  17. "About The Project". WireGuard. Work in Progress. Archived from the original on 25 June 2018. Retrieved 25 June 2018.
  18. "Installation". WireGuard. Archived from the original on 26 June 2018. Retrieved 26 June 2018.
  19. "e7096c131e5161fa3b8e52a650d7719d2857adfd - pub/scm/linux/kernel/git/davem/net-next - Git at Google". kernel.googlesource.com.
  20. "LKML: David Miller: Re: [PATCH net-next v2] net: WireGuard secure network tunnel". lkml.org.
  21. "[ANNOUNCE] WireGuard merged to net-next, on its way to Linux 5.6". 9 January 2020. Archived from the original on 9 January 2020.
  22. Torvalds, Linus. "index : kernel/git/torvalds/linux.git". Linux kernel source tree. Kernel.org. Retrieved 2 February 2020.
  23. "drivers/net: Enable WIREGUARD as module".
  24. "ANDROID: GKI: enable CONFIG_WIREGUARD".
  25. "merge branch 'bg/wireguard' (d321d0df) · Commits · GNOME / network-manager-applet". gitlab.gnome.org. Retrieved 30 May 2020.
  26. "WireGuard for OpenBSD Kernel Patches Posted".
  27. "add wg(4), an in kernel driver for WireGuard vpn communication".
  28. "US Senator Recommends Open-Source WireGuard To NIST For Government VPN". Phoronix. 30 June 2018. Archived from the original on 5 August 2018. Retrieved 5 August 2018.
  29. Donenfeld, Jason (7 June 2019). "WireGuard: fast, modern, secure VPN tunnel". Retrieved 16 June 2019.
  30. Krasnov, Vlad (18 December 2018). "BoringTun, a userspace WireGuard implementation in Rust". Cloudflare Blog. Archived from the original on 4 April 2019. Retrieved 29 March 2019.
  31. "CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation". phoronix.com. Retrieved 29 March 2019.
  32. Haller, Thomas (15 March 2019). "WireGuard in NetworkManager". GNOME Blogs.
  33. Poettering, Lennart (28 January 2018). "[ANNOUNCE] systemd v237". systemd-devel (Mailing list).
  34. Larabel, Michael (18 February 2020). "Intel ConnMan 1.38 Released With WireGuard Support". Phoronix.
  35. "Firefox Private Network: VPN to Protect Your Entire Device".
  36. "pivpn/pivpn". GitHub. Retrieved 30 May 2020.
  37. "Ascrod/pfSense-pkg-wireguard". GitHub. 27 May 2020. Retrieved 1 June 2020.


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.