WireGuard will "come" to the Linux kernel - why?

At the end of July, the developers of the WireGuard VPN tunnel proposed a patch set that would make their VPN tunneling software part of the Linux kernel. The exact date on which this idea will be implemented is still unknown. Let's talk about this tool in more detail under the cut.

/ photo Tambako The Jaguar CC

Briefly about the project

WireGuard is a next-generation VPN tunnel created by Jason A. Donenfeld, CEO of Edge Security. The project was developed as a simpler and more nimble alternative to OpenVPN and IPsec. The first version of the product contained only about 4 thousand lines of code. For comparison, OpenVPN has about 120 thousand lines, and IPsec has 420 thousand.

According to the developers, WireGuard is easy to set up, and the protocol's security rests on proven cryptographic algorithms. With a conventional VPN, every change of network (Wi-Fi, LTE or Ethernet) means reconnecting to the VPN server. WireGuard servers, on the other hand, do not drop the connection even when the user has received a new IP address.

Although WireGuard was originally designed for the Linux kernel, the developers have also taken care of a portable version of the tool for Android devices. The application is still unfinished, but you can already try it in action; for that you need to become one of the testers.

In general, WireGuard is quite popular and has even been adopted by several VPN providers, such as Mullvad and AzireVPN. Many setup guides for it have been published online: some were written by users, others were prepared by the project's authors.

Technical details

The official documentation (p. 18) notes that WireGuard's throughput is four times that of OpenVPN: 1011 Mbps versus 258 Mbps. WireGuard is also ahead of the standard Linux IPsec stack, which reaches 881 Mbps. It wins on ease of setup as well.

After the key exchange (the VPN connection is initialized much as in SSH) and the connection is established, WireGuard handles everything else on its own: there is no need to worry about routing, connection state and so on. Additional configuration is needed only if you want to use symmetric encryption.

/ photo Anders Hojbjerg CC

To install, you need a distribution with a Linux kernel newer than 4.1. The package can be found in the repositories of the major Linux distributions:

$ sudo add-apt-repository ppa:hda-me/wireguard
$ sudo apt update
$ sudo apt install wireguard-dkms wireguard-tools

As the xakep.ru editors note, building from source is also simple. It is enough to bring up the interface and generate the private and public keys:

$ sudo ip link add dev wg0 type wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey
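The commands above create the interface and a key pair, but a working tunnel also needs each side to know the other's public key, the tunnel addresses, and (optionally) the preshared key that adds the symmetric layer mentioned earlier. The script below is an added example, not code from the article or from the WireGuard project: it generates both hosts' keys with the same wg genkey | wg pubkey pipeline and renders the matching wg-quick configurations. It assumes wireguard-tools (wg, wg-quick) is installed; the interface name wg0, the 10.0.0.0/24 tunnel addresses, port 51820 and the 203.0.113.10 endpoint are illustrative values chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from the WireGuard project.
# Builds the matching wg-quick configurations for a two-host tunnel:
# per-host key pairs, a PresharedKey (the optional symmetric layer) and the
# peer's AllowedIPs/Endpoint. Assumes wireguard-tools is installed; the
# interface name, addresses, port and endpoint are illustrative values.
set -eu

WG_IF=wg0
WG_PORT=51820
SERVER_ENDPOINT="203.0.113.10:${WG_PORT}"   # TEST-NET-3 documentation address, placeholder
SERVER_ADDR=10.0.0.1/24
CLIENT_ADDR=10.0.0.2/32

# Render one side's wg-quick configuration.
#   $1 own private key     $2 own tunnel address   $3 peer public key
#   $4 preshared key       $5 AllowedIPs for peer  $6 listen port or ""
#   $7 peer endpoint or ""
render_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s\n' "$1" "$2"
  if [ -n "$6" ]; then
    printf 'ListenPort = %s\n' "$6"
  fi
  printf '\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\n' "$3" "$4" "$5"
  if [ -n "$7" ]; then
    # Only the roaming side needs a fixed endpoint; keepalives keep NAT mappings open.
    printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$7"
  fi
}

# Generate a key pair into directory $1 with owner-only permissions,
# using the same pipeline shown in the article.
make_keys() {
  umask 077
  wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
}

# Create both configurations under a temporary directory and print its path.
setup_tunnel() {
  dir=$(mktemp -d)
  mkdir "$dir/server" "$dir/client"
  make_keys "$dir/server"
  make_keys "$dir/client"
  psk=$(wg genpsk)    # 32 random bytes shared by both sides
  render_conf "$(cat "$dir/server/privatekey")" "$SERVER_ADDR" \
    "$(cat "$dir/client/publickey")" "$psk" "$CLIENT_ADDR" "$WG_PORT" "" \
    > "$dir/server/$WG_IF.conf"
  render_conf "$(cat "$dir/client/privatekey")" "$CLIENT_ADDR" \
    "$(cat "$dir/server/publickey")" "$psk" "0.0.0.0/0" "" "$SERVER_ENDPOINT" \
    > "$dir/client/$WG_IF.conf"
  echo "$dir"
}

# Run as: sh wg-setup.sh generate   (needs wg; bringing the tunnel up needs root)
if [ "${1:-}" = generate ]; then
  out=$(setup_tunnel)
  echo "Configs written under $out"
  echo "On each host: sudo wg-quick up $out/<side>/$WG_IF.conf ; sudo wg show $WG_IF"
fi
```

After copying each side's file to its host, `sudo wg-quick up` brings the tunnel up and `sudo wg show` lists the peer's latest handshake time and transfer counters, which is the quickest way to confirm the key exchange succeeded. The private key files are created with mode 0600 and never leave their host; only the public keys and the preshared key travel between the two configurations.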

WireGuard does not use the kernel's CryptoAPI interface to a cryptographic provider. Instead it uses the ChaCha20 stream cipher, the Poly1305 message authentication code and its own implementations of the cryptographic hash functions.

The shared secret is derived with the Diffie-Hellman protocol over the elliptic curve Curve25519. Hashing uses the BLAKE2 and SipHash functions. Thanks to the TAI64N timestamp format, the protocol drops packets carrying a lower timestamp value, thereby preventing DoS and replay attacks.
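The timestamp rule is worth seeing in isolation: a responder keeps the newest TAI64N value it has accepted from each peer and refuses any handshake initiation whose timestamp is not strictly greater, so a captured initiation cannot be replayed. The script below is an added example, not the article's or WireGuard's own code. It encodes the current time as TAI64N (8-byte big-endian seconds with the 2^62 TAI offset, then 4-byte nanoseconds), compares two timestamps as fixed-width hex, and applies the per-peer "strictly newer" check. The per-peer state files under STATE_DIR, the peer labels and the sample timestamps are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's or WireGuard's own code: the responder-side
# timestamp check that makes a replayed handshake initiation useless.
# A TAI64N timestamp is 12 bytes: 8-byte big-endian seconds (TAI, offset 2^62
# from 1970) followed by 4-byte big-endian nanoseconds. Here it is carried as a
# 24-character lowercase hex string, and the last accepted value for each peer
# is stored in one small file under STATE_DIR (an assumption of this example).
set -eu

STATE_DIR=${STATE_DIR:-$(mktemp -d)}

# Current time as TAI64N hex. date +%N is a GNU extension; other dates get 0 ns.
tai64n_now() {
  secs=$(date +%s)
  nanos=$(date +%N 2>/dev/null || echo 0)
  case $nanos in *[!0-9]*) nanos=0 ;; esac
  nanos=${nanos#${nanos%%[!0]*}}      # strip leading zeros (sh would read them as octal)
  [ -n "$nanos" ] || nanos=0
  printf '%016x%08x' $((secs + 4611686018427387904)) "$nanos"
}

# Decimal value of the $2-th 8-hex-char chunk (0..2) of TAI64N string $1.
# Working in 32-bit chunks keeps the arithmetic inside what sh guarantees.
chunk() {
  s=$1
  i=0
  while [ "$i" -lt "$2" ]; do
    s=${s#????????}
    i=$((i + 1))
  done
  h=$(printf '%.8s' "$s")
  echo $((0x$h))
}

# Compare two TAI64N strings chunk by chunk: prints newer, older or equal.
tai64n_cmp() {
  i=0
  while [ "$i" -lt 3 ]; do
    x=$(chunk "$1" "$i")
    y=$(chunk "$2" "$i")
    if [ "$x" -gt "$y" ]; then echo newer; return 0; fi
    if [ "$x" -lt "$y" ]; then echo older; return 0; fi
    i=$((i + 1))
  done
  echo equal
}

# Responder rule: accept an initiation only if its timestamp is strictly newer
# than the last one accepted from that peer. Prints accept, replay or invalid.
#   $1 peer label (filesystem-safe token standing in for the peer's public key)
#   $2 TAI64N hex taken from the initiation message
handshake_check() {
  ts=$2
  if [ ${#ts} -ne 24 ]; then echo invalid; return 0; fi
  case $ts in *[!0-9a-f]*) echo invalid; return 0 ;; esac
  last_file=$STATE_DIR/$1.last
  last=000000000000000000000000
  if [ -f "$last_file" ]; then last=$(cat "$last_file"); fi
  if [ "$(tai64n_cmp "$ts" "$last")" = newer ]; then
    printf '%s' "$ts" > "$last_file"
    echo accept
  else
    echo replay     # equal (exact replay) or older (stale or reordered)
  fi
}

# Demo when run directly: sh tai64n-check.sh demo
if [ "${1:-}" = demo ]; then
  t=$(tai64n_now)
  echo "first  : $(handshake_check demo-peer "$t")"
  echo "replay : $(handshake_check demo-peer "$t")"
fi
```

Because the check is strictly "greater than", a peer whose clock goes backwards (for example after a reboot without a battery-backed clock) will have its initiations rejected until its timestamps pass the last accepted value; that is the trade-off the article's "drops packets with a lower timestamp value" describes, and it is why the state is kept per peer rather than globally.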

At the same time, WireGuard uses the ioctl call for I/O control (netlink was used previously), which makes the code cleaner and simpler. You can see this for yourself by looking at the configuration code.

Developer Plans

So far, WireGuard is an out-of-tree kernel module. But project author Jason Donenfeld says that the time has come for a full-fledged implementation in the Linux kernel, since it is simpler and more reliable than other solutions. On this point Jason is backed even by Linus Torvalds himself, who called the WireGuard code "a work of art."

But no one is naming exact dates for WireGuard's inclusion in the kernel, and it is unlikely to happen with the August release of Linux kernel 4.18. However, there is a chance it will happen in the very near future: in version 4.19 or 5.0.

Once WireGuard is added to the kernel, the developers want to finish the Android application and start writing one for iOS. In addition, they plan to complete the Go and Rust implementations and port them to macOS, Windows and BSD. WireGuard is also planned for more "exotic systems" such as DPDK and FPGA, along with many other interesting things. All of them are listed in the project authors' to-do list.


Source: habr.com
