WireGuard will “come” to the Linux kernel - why?
At the end of July, WireGuard VPN tunnel developers proposed a set of patches that will make their VPN tunnel management software part of the Linux kernel. However, the exact date of implementation of the "ideas" remains unknown. Under the cut talk about this tool in more detail.
/ photo Tambako The Jaguar CC
WireGuard is a new-generation VPN tunnel created by Jason A. Donenfeld, head of Edge Security. The project was developed as a simplified and smart alternative to OpenVPN and IPsec. The first version of the product contained only 4 thousand lines of code. For comparison, in OpenVPN about 120 thousand lines, and in IPSec - 420 thousand.
According to the developers, WireGuard is easy to configure, and protocol security is achieved through proven cryptographic algorithms . When changing networks : Wi-Fi, LTE or Ethernet, you need to reconnect to the VPN server every time. WireGuard servers do not break the connection, even if the user has received a new IP address.
Despite the fact that WireGuard was originally designed for the Linux kernel, the developers also took care of the portable version of the tool for Android devices. The application is still flawed, but you can try it now. To do this, you need to become one of the testers .
In general, WireGuard is quite popular and has even been implemented by several VPN providers, such as Mullvad and AzireVPNB. A large number of tutorials has been published online to customize this solution. For example, there are guides that users create, and there are guides prepared by the authors of the project .
In the official documentation (p. 18), it is noted that the bandwidth of WireGuard is four times higher than that of OpenVPN: 1011 Mbit / s against 258 Mbit / s, respectively. WireGuard is ahead of the standard Linux IPsec solution - 881 Mb / s. He surpasses it in simplicity of setting.
After key exchange (the VPN connection is initialized almost as in SSH) and the connection is established, WireGuard solves all other tasks on its own: there is no need to worry about routing, status monitoring, etc. Additional configuration efforts will need to be made only if you want to use symmetric encryption.
/ photo by Anders Hojbjerg CC
To install, you will need a distribution with a “older” Linux kernel 4.1. It can be found in the repositories of the main Linux distributions.
As the editors of xakep.ru note, self-assembly from source texts is also simple. Enough to raise the interface and generate public and private keys:
WireGuard does not use the interface for working with CryptoAPI crypto-provider . Instead, it uses the ChaCha20 stream cipher , the Poly1305 cryptographic imitation and its own cryptographic hash functions.
The secret key is generated using the Diffie-Hellman protocol based on the elliptic curve Curve25519 . During hashing, the hash functions BLAKE2 and SipHash are used . Due to the timestamp format, the TAI64N protocol discards packets with a lower timestamp value, thereby preventing DoS and replay attacks .
At the same time, WireGuard uses the ioctl function to control I / O (previously used Netlink ), which makes the code cleaner and simpler. You can verify this by looking at the configuration code .
So far, WireGuard is an out-of-tree kernel module. But project author Jason Donenfeld says that the time has come for a full-fledged implementation in the Linux kernel. Since it is simpler and more reliable than other solutions. Even Linus Torvalds himself supports Jason in this regard - he called the WireGuard code "a work of art."
But no one is talking about the exact dates of introduction of WireGuard into the core. And this is unlikely to happen with the release of the August Linux kernel 4.18. However, it is likely that this will happen in the very near future: in version 4.19 or 5.0.
When WireGuard is added to the core, developers want tomodify the application for Android devices and start writing an application for iOS. In addition, it is planned to complete the implementation of Go and Rust and port them to macOS, Windows and BSD. We also plan to implement WireGuard for more “exotic systems”: DPDK , FPGA , as well as many other interesting things. All of them are listed in the to-do-list of authors of the project.
PS A few more articles from our corporate blog:
The main direction of our activity is the provision of cloud services:
Virtual Infrastructure (IaaS) | PCI DSS Hosting | Cloud FZ-152 | SAP Hosting | Virtual Storage | Cloud Encryption | Cloud storage
/ photo Tambako The Jaguar CC
Briefly about the project
WireGuard is a new-generation VPN tunnel created by Jason A. Donenfeld, head of Edge Security. The project was developed as a simplified and smart alternative to OpenVPN and IPsec. The first version of the product contained only 4 thousand lines of code. For comparison, in OpenVPN about 120 thousand lines, and in IPSec - 420 thousand.
According to the developers, WireGuard is easy to configure, and protocol security is achieved through proven cryptographic algorithms . When changing networks : Wi-Fi, LTE or Ethernet, you need to reconnect to the VPN server every time. WireGuard servers do not break the connection, even if the user has received a new IP address.
Despite the fact that WireGuard was originally designed for the Linux kernel, the developers also took care of the portable version of the tool for Android devices. The application is still flawed, but you can try it now. To do this, you need to become one of the testers .
In general, WireGuard is quite popular and has even been implemented by several VPN providers, such as Mullvad and AzireVPNB. A large number of tutorials has been published online to customize this solution. For example, there are guides that users create, and there are guides prepared by the authors of the project .
Technical details
In the official documentation (p. 18), it is noted that the bandwidth of WireGuard is four times higher than that of OpenVPN: 1011 Mbit / s against 258 Mbit / s, respectively. WireGuard is ahead of the standard Linux IPsec solution - 881 Mb / s. He surpasses it in simplicity of setting.
After key exchange (the VPN connection is initialized almost as in SSH) and the connection is established, WireGuard solves all other tasks on its own: there is no need to worry about routing, status monitoring, etc. Additional configuration efforts will need to be made only if you want to use symmetric encryption.
/ photo by Anders Hojbjerg CC
To install, you will need a distribution with a “older” Linux kernel 4.1. It can be found in the repositories of the main Linux distributions.
$ sudo add-apt-repository ppa:hda-me/wireguard
$ sudo apt update
$ sudo apt install wireguard-dkms wireguard-tools
As the editors of xakep.ru note, self-assembly from source texts is also simple. Enough to raise the interface and generate public and private keys:
$ sudo ip link add dev wg0 type wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey
WireGuard does not use the interface for working with CryptoAPI crypto-provider . Instead, it uses the ChaCha20 stream cipher , the Poly1305 cryptographic imitation and its own cryptographic hash functions.
The secret key is generated using the Diffie-Hellman protocol based on the elliptic curve Curve25519 . During hashing, the hash functions BLAKE2 and SipHash are used . Due to the timestamp format, the TAI64N protocol discards packets with a lower timestamp value, thereby preventing DoS and replay attacks .
At the same time, WireGuard uses the ioctl function to control I / O (previously used Netlink ), which makes the code cleaner and simpler. You can verify this by looking at the configuration code .
Developer Plans
So far, WireGuard is an out-of-tree kernel module. But project author Jason Donenfeld says that the time has come for a full-fledged implementation in the Linux kernel. Since it is simpler and more reliable than other solutions. Even Linus Torvalds himself supports Jason in this regard - he called the WireGuard code "a work of art."
But no one is talking about the exact dates of introduction of WireGuard into the core. And this is unlikely to happen with the release of the August Linux kernel 4.18. However, it is likely that this will happen in the very near future: in version 4.19 or 5.0.
When WireGuard is added to the core, developers want tomodify the application for Android devices and start writing an application for iOS. In addition, it is planned to complete the implementation of Go and Rust and port them to macOS, Windows and BSD. We also plan to implement WireGuard for more “exotic systems”: DPDK , FPGA , as well as many other interesting things. All of them are listed in the to-do-list of authors of the project.
PS A few more articles from our corporate blog:
- Cloud technologies in the financial sector: the experience of Russian companies
- Testing the disk system in the cloud
- What is hidden behind the term vCloud Director - an inside view
The main direction of our activity is the provision of cloud services:
Virtual Infrastructure (IaaS) | PCI DSS Hosting | Cloud FZ-152 | SAP Hosting | Virtual Storage | Cloud Encryption | Cloud storage