At the end of July, the developers of the WireGuard VPN tunnel proposed a patch set that will make their VPN tunneling software part of the Linux kernel. However, the exact date when this idea will be implemented is still unknown. Let's talk about this tool in more detail under the cut.
WireGuard is a next-generation VPN tunnel created by Jason A. Donenfeld, CEO of Edge Security. The project was developed as a simpler and more lightweight alternative to OpenVPN and IPsec. The first version of the product contained only 4 thousand lines of code. For comparison, OpenVPN has about 120 thousand lines, and IPsec has 420 thousand lines.
According to the developers, WireGuard is easy to set up, and the protocol's security rests on proven cryptographic algorithms. Normally, when switching networks (Wi-Fi, LTE or Ethernet), you need to reconnect to the VPN server every time. WireGuard servers, on the other hand, do not drop the connection even if the user has received a new IP address.
Although WireGuard was originally designed for the Linux kernel, the developers have also taken care of a port of the tool for Android devices. The application is still unfinished, but you can try it right now; to do so, you need to become one of the testers.
The official documentation (p. 18) notes that WireGuard's throughput is four times that of OpenVPN: 1011 Mbps versus 258 Mbps, respectively. WireGuard is also ahead of the standard Linux IPsec implementation, which reaches 881 Mbps. It also excels in ease of setup.
After the key exchange (the VPN connection is initialized much like in SSH) and the connection is established, WireGuard handles everything else on its own: there is no need to worry about routing, connection state, and so on. Additional configuration is needed only if you want to use symmetric encryption.
To install it, you will need a distribution whose Linux kernel is "older" than 4.1 (that is, one with a higher version number). The package is available in the repositories of major Linux distributions.
As the xakep.ru editors note, building it from source is also easy. It is enough to bring up the interface and generate the public and private keys:
$ sudo ip link add dev wg0 type wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey
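As an added example (not code from the article or from the WireGuard project), the two commands above can be wrapped in a small POSIX shell script that validates WireGuard keys, renders a wg-quick style configuration for one peer, and brings up wg0. The addresses, endpoint and placeholder key in the comments are assumptions; setup_wg0 needs root plus the ip and wg tools.

```shell
#!/bin/sh
# Added example, not from the article: wraps the interface/key commands above.
# Requires coreutils (base64, wc, tr); setup_wg0 additionally needs root, ip and wg.

# A WireGuard key is 32 bytes of Curve25519 material, base64-encoded as
# 44 characters ending in "=". Return 0 only if $1 decodes to exactly 32 bytes.
valid_wg_key() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${#1}" -eq 44 ] && [ "${n:-0}" -eq 32 ]
}

# Render a wg-quick style configuration for one interface and one peer.
# $1 private key, $2 local address (CIDR), $3 peer public key,
# $4 peer endpoint (host:port), $5 allowed IPs routed to that peer (CIDR).
render_wg_conf() {
    valid_wg_key "$1" || { echo "render_wg_conf: bad private key" >&2; return 1; }
    valid_wg_key "$3" || { echo "render_wg_conf: bad peer public key" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' "$3" "$4" "$5"
}

# Bring up wg0 with freshly generated keys (the article's two commands, plus
# address assignment and peer setup). $1 local address, $2 peer public key,
# $3 peer endpoint, $4 allowed IPs. Run as root.
setup_wg0() {
    umask 077                      # keep the privatekey file unreadable to others
    wg genkey | tee privatekey | wg pubkey > publickey
    ip link add dev wg0 type wireguard
    ip address add "$1" dev wg0
    wg set wg0 private-key ./privatekey peer "$2" endpoint "$3" allowed-ips "$4"
    ip link set up dev wg0
    echo "wg0 is up; give this public key to the peer: $(cat publickey)"
}

# Usage (assumed addresses; PRIV and PEER_PUB hold real base64 keys):
#   render_wg_conf "$PRIV" 10.0.0.2/24 "$PEER_PUB" 198.51.100.1:51820 10.0.0.0/24 > wg0.conf
#   setup_wg0 10.0.0.2/24 "$PEER_PUB" 198.51.100.1:51820 10.0.0.0/24
```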
WireGuard does not use the kernel's CryptoAPI interface for cryptographic providers. Instead, it uses the ChaCha20 stream cipher, the Poly1305 message authentication code and its own cryptographic hash functions.
At the same time, WireGuard uses ioctl calls for I/O control (netlink was used previously), which makes the code cleaner and simpler. You can verify this by looking at the configuration code.
Developer Plans
So far, WireGuard is an out-of-tree kernel module. But project author Jason Donenfeld says that the time has come for a full-fledged implementation in the Linux kernel, since it is simpler and more reliable than other solutions. On this point Jason is supported even by Linus Torvalds himself, who called the WireGuard code "a work of art."
But no one is naming exact dates for the inclusion of WireGuard in the kernel, and it is unlikely to happen with the release of Linux kernel 4.18 in August. However, there is a chance that it will happen in the very near future: in version 4.19 or 5.0.
Once WireGuard is added to the kernel, the developers want to finish the Android application and start writing one for iOS. In addition, they plan to complete the Go and Rust implementations and port them to macOS, Windows and BSD. WireGuard is also planned for more "exotic systems": DPDK, FPGA and many other interesting things. All of them are listed in the project authors' to-do list.