WireGuard

From Wikipedia, the free encyclopedia

WireGuard
Original author(s): Jason A. Donenfeld
Developer(s): Jason A. Donenfeld
Stable release: 1.0.20210219[1] / 19 February 2021
Repository
Written in: C (Linux, FreeBSD kernel modules, NetBSD, OpenBSD kernel drivers), Go (userspace implementation)
Operating system: [2][3][a]
Type: Virtual private network
License: various free and open-source
Website: www.wireguard.com

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.[4] It aims for better performance and more power than IPsec and OpenVPN, two common tunneling protocols.[5] The WireGuard protocol passes traffic over UDP.[6]

In March 2020, the Linux version of the software reached a stable production release and was incorporated into the Linux 5.6 kernel, and backported to earlier Linux kernels in some Linux distributions.[3] The Linux kernel components are licensed under the GNU General Public License (GPL) version 2; other implementations are under GPLv2 or other free/open-source licenses.[4]

Protocol

WireGuard uses the following:[4]

In May 2019, researchers from INRIA published a machine-checked proof of WireGuard, produced using the CryptoVerif proof assistant.[7]

Encryption

WireGuard uses ChaCha20.[4]

Optional Pre-shared Symmetric Key Mode

WireGuard supports an optional pre-shared symmetric key mode, which adds a layer of symmetric encryption to mitigate future advances in quantum computing. The risk is that an adversary stores traffic today until quantum computers are capable of breaking Curve25519, at which point that traffic could be decrypted. Pre-shared keys are "usually troublesome from a key management perspective and might be more likely stolen", but in the shorter term, if the symmetric key is compromised, the Curve25519 keys still provide more than sufficient protection.[8]

Networking

WireGuard uses only UDP[4][9] and thus does not work on networks that block UDP traffic. Unlike alternatives such as OpenVPN, it offers no TCP transport, because of the many disadvantages of TCP-over-TCP tunnelling.[9][10]
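As an added illustration of the UDP transport described above (not code from the article or from the WireGuard project), the following Python classifies UDP payloads by WireGuard's fixed message layout and pairs handshake initiations with their responses, the kind of check a network monitor runs to account for tunnels crossing a network boundary. The message lengths and index offsets are taken from the WireGuard protocol specification; the capture, its addresses and ports are constructed.

```python
import struct
from collections import namedtuple

# WireGuard wire layout (protocol fact, not from the article): byte 0 = type,
# bytes 1-3 reserved zeros, then little-endian 4-byte indices; handshake
# messages have fixed total lengths, transport data is 16-byte header + AEAD.
WG_MESSAGES = {1: ("handshake_initiation", 148), 2: ("handshake_response", 92),
               3: ("cookie_reply", 64), 4: ("transport_data", None)}
Parsed = namedtuple("Parsed", "kind sender receiver")

def parse_wg(payload):
    """Classify a UDP payload; return None if it cannot be a WireGuard message."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    entry = WG_MESSAGES.get(payload[0])
    if entry is None or (entry[1] is not None and len(payload) != entry[1]):
        return None
    kind, first = entry[0], struct.unpack_from("<I", payload, 4)[0]
    if kind == "handshake_initiation":
        return Parsed(kind, first, None)        # carries the sender index only
    if kind == "handshake_response":
        return Parsed(kind, first, struct.unpack_from("<I", payload, 8)[0])
    return Parsed(kind, None, first)            # cookie/transport: receiver index

def correlate_sessions(datagrams):
    """Pair each initiation with the response whose receiver index echoes the
    initiation's sender index. datagrams are (src, dst, payload) tuples."""
    pending, sessions = {}, []
    for src, dst, payload in datagrams:
        msg = parse_wg(payload)
        if msg is None:
            continue
        if msg.kind == "handshake_initiation":
            pending[(dst, msg.sender)] = src
        elif msg.kind == "handshake_response":
            initiator = pending.pop((src, msg.receiver), None)
            if initiator is not None:
                sessions.append((initiator, src))
    return sessions

def sample_datagrams():
    """Constructed capture: an initiation, its response, and a non-WireGuard
    datagram; handshake bodies are zero-filled, addresses are documentation ranges."""
    init = b"\x01\x00\x00\x00" + struct.pack("<I", 0xAABBCCDD) + b"\x00" * 140
    resp = b"\x02\x00\x00\x00" + struct.pack("<II", 0x11223344, 0xAABBCCDD) + b"\x00" * 80
    return [("10.1.1.5:44000", "203.0.113.1:51820", init),
            ("203.0.113.1:51820", "10.1.1.5:44000", resp),
            ("10.1.1.5:44000", "203.0.113.1:51820", b"\x05" + b"\x00" * 60)]
```

Real handshake bodies are random-looking, so the length and reserved-byte checks are the only structural signals; the index correlation is what ties a response back to the peer that started the handshake.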

WireGuard fully supports IPv6, both inside and outside of the tunnel. It supports only layer 3 for both IPv4 and IPv6 and can encapsulate v4-in-v6 and vice versa.[11]

WireGuard supports multiple topologies:[citation needed]

  • Point-to-point
  • Star (Server/client)
    • A client endpoint does not have to be defined before the client starts sending data.
    • Client endpoints can be statically predefined.
  • Mesh

Since point-to-point is supported, other topologies can be made, but not on the same tunnel.[citation needed]
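The topologies above all rest on the same mechanism, which WireGuard calls cryptokey routing: each peer's public key is bound to the AllowedIPs it may receive traffic for and send traffic from. The following Python model is an added example, not WireGuard's own code, and its Peer class and function names are illustrative; it shows a star in which the hub picks a spoke by longest-prefix match on the destination, rejects decrypted packets whose inner source lies outside that spoke's AllowedIPs, and learns a spoke's endpoint from its first packet, which is why a client endpoint need not be defined in advance.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Peer:
    # Hypothetical model of one [Peer] entry: a name standing in for the
    # public key, its AllowedIPs, and the last-seen UDP endpoint (None until
    # the peer has sent something, as for a star client with no fixed address).
    name: str
    allowed_ips: list
    endpoint: Optional[str] = None

def make_peer(name, cidrs, endpoint=None):
    return Peer(name, [ipaddress.ip_network(c) for c in cidrs], endpoint)

def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs most specifically cover dst
    (longest prefix wins); None means the packet is dropped, not sent."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:     # mixed v4/v6 is fine: mismatch is False
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def accept_inbound(peer, inner_src, outer_endpoint):
    """Inbound: a packet decrypted under peer's key is accepted only if its
    inner source address is within that peer's AllowedIPs; on success the
    outer UDP endpoint is learned so replies follow the peer when it roams."""
    inner_src = ipaddress.ip_address(inner_src)
    if not any(inner_src in net for net in peer.allowed_ips):
        return False
    peer.endpoint = outer_endpoint
    return True

def star_example():
    """Constructed star: the hub routes between two spokes (one dual-stack);
    each spoke sends everything to the hub (0.0.0.0/0, ::/0)."""
    hub_peers = [make_peer("spokeA", ["10.0.0.2/32"]),
                 make_peer("spokeB", ["10.0.0.3/32", "fd00::3/128"])]
    spoke_peers = [make_peer("hub", ["0.0.0.0/0", "::/0"],
                             endpoint="hub.example.net:51820")]
    return hub_peers, spoke_peers
```

A mesh is the same table with every peer listing every other peer's addresses; a spoke that is never given the hub's endpoint cannot initiate, which is the asymmetry the star bullets above describe.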

Extensibility

WireGuard is designed to be extended by third-party programmes and scripts. This has been used to augment WireGuard with various features including more user-friendly management interfaces (including easier setting up of keys), logging, dynamic firewall updates, and LDAP integration.[citation needed]

Excluding such complex features from the minimal core codebase improves its stability and security. To ensure security, WireGuard restricts the options for implementing cryptographic controls, limiting the choice of key exchange and hashing algorithms to a small subset of modern cryptographic primitives. If a flaw is found in one of the primitives, a new version can be released that resolves the issue. Also, the configuration options that affect the security of the overall application cannot be modified by users.[12]

Reception

WireGuard aims to provide a simple and effective virtual private network implementation. A 2018 review by Ars Technica observed that popular VPN technologies such as OpenVPN and IPsec are often complex to set up, disconnect easily (in the absence of further configuration), take substantial time to negotiate reconnections, may use outdated ciphers, and have relatively massive code bases of over 400,000 and 600,000 lines of code, respectively, which hinders debugging.[13]

WireGuard's design seeks to reduce these issues, aiming to make the tunnel more secure and easier to manage by default. By using versioning of cryptography packages, it focuses on ciphers believed to be among the most secure current encryption methods, and at the time of the Ars Technica review had a codebase of around 4000 lines of kernel code, about 1% of either OpenVPN or IPsec, making security audits easier. WireGuard was praised by Linux kernel creator Linus Torvalds who called it a "work of art" in contrast to OpenVPN and IPsec.[14] Ars Technica reported that in testing, stable tunnels were easily created with WireGuard, compared to alternatives, and commented that it would be "hard to go back" to long reconnection delays, compared to WireGuard's "no nonsense" instant reconnections.[13]

Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard as a replacement for existing technologies like IPsec and OpenVPN.[15]

Availability

Implementations

Implementations of the WireGuard protocol include:

  • Donenfeld's initial implementation, written in C and Go.[16]
  • Cloudflare's BoringTun, a user space implementation written in Rust.[17][18]
  • Matt Dunwoodie's implementation for OpenBSD, written in C.[19]
  • Ryota Ozaki's wg(4) implementation, for NetBSD, is written in C.[20]
  • The FreeBSD implementation is written in C and shares most of the data path with the OpenBSD implementation.[21]
  • OpenWrt Project: WireGuard
  • Oracle Linux with "Unbreakable Enterprise Kernel" Release 6 Update 1, since November 2020[22]
  • Native Windows kernel implementation named "wireguard-nt", since August 2021[23]

Linux "User space" programs supporting WireGuard

User space programs supporting WireGuard include:

History

Early snapshots of the code base exist from June 30, 2016.[43] Four early adopters of WireGuard were the VPN service providers Mullvad,[44] AzireVPN,[45] IVPN[46] and cryptostorm.[47] WireGuard has received donations from Mullvad, Private Internet Access, IVPN, the NLnet Foundation[48] and now also from OVPN.[49]

As of June 2018 the developers of WireGuard advise treating the code and protocol as experimental, and caution that they have not yet achieved a stable release compatible with CVE tracking of any security vulnerabilities that may be discovered.[50][51][needs update]

On 9 December 2019, David Miller, primary maintainer of the Linux networking stack, accepted the WireGuard patches into the "net-next" maintainer tree, for inclusion in an upcoming kernel.[52][53][54]

On 28 January 2020, Linus Torvalds merged David Miller's net-next tree, and WireGuard entered the mainline Linux kernel tree.[55]

On 20 March 2020, Debian developers enabled the module build options for WireGuard in their kernel config for the Debian 11 version (testing).[56]

On 29 March 2020 WireGuard was incorporated into the Linux 5.6 release tree. The Windows version of the software remains at beta.[3]

On 30 March 2020, Android developers added native kernel support for WireGuard in their Generic Kernel Image.[57]

On 22 April 2020, NetworkManager developer Beniamino Galvani merged GUI support for WireGuard.[58]

On 12 May 2020, Matt Dunwoodie proposed patches for native kernel support of WireGuard in OpenBSD.[59]

On 22 June 2020, after the work of Matt Dunwoodie and Jason A. Donenfeld, WireGuard support was imported into OpenBSD.[60]

On 23 November 2020, Jason A. Donenfeld released an update of the Windows package improving installation, stability, ARM support, and enterprise features.[61]

On 29 November 2020, WireGuard support was imported into the FreeBSD 13 kernel.[21]

On 19 January 2021, WireGuard support was added for preview in pfSense Community Edition (CE) 2.5.0 development snapshots.[62]

In March 2021, kernel-mode WireGuard support was removed from FreeBSD 13.0, still in testing, after an urgent code cleanup in FreeBSD WireGuard could not be completed quickly.[63] FreeBSD-based pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 removed kernel-based WireGuard as well.[64]

In May 2021, WireGuard support was re-introduced into pfSense CE and pfSense Plus development snapshots as an experimental package written by a member of the pfSense community, Christian McDonald. The WireGuard package for pfSense incorporates the ongoing kernel-mode WireGuard development work by Jason A. Donenfeld that was originally sponsored by Netgate.[65][66][67]

In June 2021, the official package repositories for both pfSense CE 2.5.2 and pfSense Plus 21.05 included the WireGuard package.[68]

See also

  • Comparison of virtual private network services
  • Secure Shell (SSH), a cryptographic network protocol used to secure services over an unsecured network.

Notes

  1. Not all platforms may have a currently released version and some may be at beta.[needs update?]

References

  1. https://git.zx2c4.com/wireguard-linux-compat/tag/?h=v1.0.20210219; retrieved: 18 March 2021.
  2. "Installation". WireGuard. Retrieved 23 April 2020.
  3. Salter, Jim (30 March 2020). "WireGuard VPN makes it to 1.0.0—and into the next Linux kernel". Archived from the original on 31 March 2020. Retrieved 23 April 2020.
  4. "WireGuard: fast, modern, secure VPN tunnel". WireGuard. Archived from the original on 28 April 2018. Retrieved 31 March 2021.
  5. Preneel, Bart; Vercauteren, Frederik, eds. (11 June 2018). Applied Cryptography and Network Security. Springer. ISBN 978-3-319-93387-0. Archived from the original on 18 February 2019. Retrieved 25 June 2018.
  6. Donenfeld, Jason A. "Known Limitations - WireGuard". www.wireguard.com. Retrieved 1 June 2020.
  7. Lipp, Benjamin; Blanchet, Bruno; Bhargavan, Karthikeyan (2019), A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol, Research Report RR-9269, Paris: Inria, p. 49, hal-02100345
  8. Donenfeld, Jason (2 May 2021). "WireGuard: Next Generation Kernel Network Tunnel" (PDF). Wireguard.com.
  9. Donenfeld, Jason A. "Known Limitations - WireGuard". www.wireguard.com. Retrieved 2 May 2021.
  10. "Why TCP Over TCP Is A Bad Idea". sites.inka.de. Retrieved 2 May 2021.
  11. Donenfeld, Jason A. "Introduction & Motivation" (PDF). WireGuard: Next Generation Kernel Network Tunnel (PDF). Archived (PDF) from the original on 4 March 2018.
  12. "Wireguard VPN Protocol - Privacy HQ". privacyhq.com. Retrieved 6 May 2021.
  13. Salter, Jim (26 August 2018). "WireGuard VPN review: A new type of VPN offers serious advantages". Ars Technica. Archived from the original on 20 September 2018.
  14. "Linux-Kernel Archive: Re: [GIT] Networking".
  15. "US Senator Recommends Open-Source WireGuard To NIST For Government VPN". Phoronix. 30 June 2018. Archived from the original on 5 August 2018. Retrieved 5 August 2018.
  16. Donenfeld, Jason (7 June 2019). "WireGuard: fast, modern, secure VPN tunnel". Retrieved 16 June 2019.
  17. Krasnov, Vlad (18 December 2018). "BoringTun, a userspace WireGuard implementation in Rust". Cloudflare Blog. Archived from the original on 4 April 2019. Retrieved 29 March 2019.
  18. "CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation". phoronix.com. Retrieved 29 March 2019.
  19. Johansson, Janne (21 June 2020). "WireGuard imported into OpenBSD".
  20. "wg(4) - NetBSD Manual Pages". 20 August 2020.
  21. "Import kernel WireGuard support".
  22. "Announcing the Unbreakable Enterprise Kernel Release 6 Update 1 for Oracle Linux". Oracle Linux Blog. 12 November 2020. Retrieved 12 November 2020.
  23. "WireGuardNT, a high-performance WireGuard implementation for the Windows kernel". 2 August 2021.
  24. Haller, Thomas (15 March 2019). "WireGuard in NetworkManager". GNOME Blogs.
  25. Poettering, Lennart (28 January 2018). "[ANNOUNCE] systemd v237". systemd-devel (Mailing list).
  26. Larabel, Michael (18 February 2020). "Intel ConnMan 1.38 Released With WireGuard Support". Phoronix.
  27. "Mozilla VPN: Protect Your Entire Device".
  28. Radziukas, Augustas (16 July 2020). "Development Update 07.02–07.16". Medium. Retrieved 25 July 2020.
  29. "What is NordLynx? | NordVPN Customer Support". support.nordvpn.com. Retrieved 1 September 2020.
  30. "OPNsense search results for wireguard | OPNsense documentation". OPNsense. Retrieved 28 April 2021.
  31. McDonald, Christian (9 June 2021). "theonemcdonald/pfSense-pkg-WireGuard". github. Retrieved 1 June 2020.
  32. "pivpn/pivpn". GitHub. Retrieved 30 May 2020.
  33. "WireGuard® on PIA is out of beta and available to use on Windows, Mac, Linux, Android, and iOS". Retrieved 26 August 2020.
  34. "Fast and clutter-free WireGuard protocol is now live on Surfshark". Surfshark. 19 October 2020. Retrieved 8 November 2020.
  35. "Mistborn bundles important Internet services on your home network and secures them with a WireGuard VPN tunnel, Pi-hole, iptables rules, and separate containers". Retrieved 16 October 2020.
  36. "What is WireGuard?". OVPN.com. Retrieved 7 November 2020.
  37. "oVPN New Updates - WireGuard + OpenVPN 2.5 Coming soon! - YouTube". www.youtube.com. Retrieved 7 November 2020.
  38. "Wireguard VPN | TorGuard". torguard.net. Retrieved 7 November 2020.
  39. "Why we chose WireGuard for Veeam PN v2". Veeam Software Official Blog. 15 May 2019. Retrieved 2 December 2020.
  40. "What is WireGuard VPN Protocol And How to Use It With VPN Unlimited". VPN Unlimited Blog. 15 November 2019. Retrieved 7 November 2020.
  41. "VyprVPN WireGuard VPN Protocol is here to protect you!". AndroidPIMP. 14 May 2020. Retrieved 8 November 2020.
  42. S, Yegor (21 July 2020). "Introducing WireGuard". Medium. Retrieved 8 November 2020.
  43. "Index of /Monolithic-historical/".
  44. Mason, John (13 February 2019). "Mullvad Review". thebestwpn. 2. Strong Tunneling Protocols – OpenVPN & WireGuard. Archived from the original on 24 June 2019. Retrieved 8 April 2019.
  45. Mason, John (19 February 2019). "AzireVPN Review". thebestvpn. 2. Impressive Protocols and Encryption. Archived from the original on 8 May 2019. Retrieved 8 April 2019.
  46. Pestell, Nick (11 December 2018). "Introducing Wireguard". Retrieved 22 September 2019.
  47. "WireGuard support added!". cryptostorm blog. 5 April 2019. Archived from the original on 9 December 2019. Retrieved 9 December 2019.
  48. "Donations". WireGuard. Archived from the original on 28 April 2018. Retrieved 28 April 2018.
  49. "OVPN donates to support WireGuard". OVPN. 23 March 2020.
  50. "About The Project". WireGuard. Work in Progress. Archived from the original on 25 June 2018. Retrieved 25 June 2018.
  51. "Installation". WireGuard. Archived from the original on 26 June 2018. Retrieved 26 June 2018.
  52. "e7096c131e5161fa3b8e52a650d7719d2857adfd - pub/scm/linux/kernel/git/davem/net-next - Git at Google". kernel.googlesource.com.
  53. "LKML: David Miller: Re: [PATCH net-next v2] net: WireGuard secure network tunnel". lkml.org.
  54. "[ANNOUNCE] WireGuard merged to net-next, on its way to Linux 5.6". 9 January 2020. Archived from the original on 9 January 2020.
  55. Torvalds, Linus. "index : kernel/git/torvalds/linux.git". Linux kernel source tree. Kernel.org. Retrieved 2 February 2020.
  56. "drivers/net: Enable WIREGUARD as module".
  57. "ANDROID: GKI: enable CONFIG_WIREGUARD".
  58. "merge branch 'bg/wireguard' (d321d0df) · Commits · GNOME / network-manager-applet". gitlab.gnome.org. Retrieved 30 May 2020.
  59. "WireGuard for OpenBSD Kernel Patches Posted".
  60. "add wg(4), an in kernel driver for WireGuard vpn communication".
  61. "[ANNOUNCE] WireGuard for Windows 0.3: ARM support, enterprise features, & more".
  62. "WireGuard for pfSense Software".
  63. Anderson, Tim (23 March 2021). "FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation". The Register. Situation Publishing. Retrieved 31 March 2021.
  64. Thompson, Jim (18 March 2021). "WireGuard Removed from pfSense® CE and pfSense® Plus Software". Netgate blog. Rubicon Communications. Retrieved 20 March 2021.
  65. Long, Scott (5 May 2021). "pfSense: WireGuard returns as an Experimental Package". Netgate - Secure networks start here. Retrieved 9 June 2021.
  66. Paxson, Audian (19 January 2021). "WireGuard for pfSense Software". Netgate - Secure networks start here. Retrieved 9 June 2021.
  67. "wireguard-freebsd - WireGuard implementation for the FreeBSD kernel". git.zx2c4.com. Retrieved 9 June 2021.
  68. Pingle, Jim (2 June 2021). "pfSense Plus 21.05-RELEASE Now Available". Netgate - Secure networks start here. Retrieved 9 June 2021.
