WireGuard VPN for Windows and WireGuardNT 1.0 Released

Jason A. Donenfeld, the author of WireGuard VPN, has released version 1.0 of the WireGuard client for Windows, together with WireGuardNT 1.0, a port of WireGuard VPN to the Windows 10 and 11 kernel that supports the AMD64, x86, and ARM64 architectures. The Windows kernel component is licensed under the GPLv2, and the client software under the MIT license.

The port is based on the codebase of the main WireGuard implementation for the Linux kernel, adapted to Windows kernel primitives and the NDIS network stack. Compared to the wireguard-go implementation, which runs in user space and uses the Wintun network interface, WireGuardNT offers significant performance improvements by eliminating the context switches and the copying of packet contents between the kernel and user space. As in the implementations for Linux, OpenBSD, and FreeBSD, all protocol processing in WireGuardNT runs directly at the network stack level.

Version 1.0 is marked as a milestone: it closes a number of outstanding issues and completes the planned work, including the use of the NdisWdfGetAdapterContextFromAdapterHandle() function instead of the less secure practice of storing the driver state in the Reserved field and relying on undocumented offsets; correct and prompt tracking of the MTU (Maximum Transmission Unit) size by intercepting system calls; and the use of the C23 standard in the code.

As a reminder, WireGuard VPN is built on modern cryptographic methods, delivers very high performance, is easy to use, avoids unnecessary complexity, and has proven itself in a number of large-scale deployments handling large volumes of traffic. The project has been in development since 2015 and has undergone an audit and formal verification of its cryptographic methods. WireGuard uses the cryptokey routing concept, in which a private key is bound to each network interface and peers are identified and bound by their public keys.
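To make the cryptokey routing idea concrete, here is an added example (it is not code from the WireGuard project) that parses the [Peer] sections of a WireGuard-style configuration and applies the two routing checks: outbound packets go to the peer whose AllowedIPs contains the destination with the longest prefix, and inbound packets decrypted under a peer's session are dropped unless their inner source address lies within that peer's AllowedIPs. The configuration text and the public-key strings are constructed placeholders, and only the Python standard library is used.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str                                  # base64 key string (placeholder in the sample)
    allowed_ips: list = field(default_factory=list)  # ip_network objects from AllowedIPs


def parse_peers(config_text):
    """Read PublicKey and AllowedIPs from each [Peer] section; other keys are ignored."""
    peers, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[peer]":
            current = Peer(public_key="")
            peers.append(current)
        elif line.startswith("["):                   # e.g. [Interface]: not a peer
            current = None
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))   # base64 keys may end in '='
            if key == "PublicKey":
                current.public_key = value
            elif key == "AllowedIPs":
                for cidr in value.split(","):
                    current.allowed_ips.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return [p for p in peers if p.public_key]


def select_peer_for_outbound(peers, dst_ip):
    """Outbound: encrypt to the peer whose AllowedIPs matches dst with the longest prefix."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:   # 'in' is False across IP versions
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(sender, inner_src_ip):
    """Inbound: a packet that authenticated under `sender`'s session is only accepted if its
    inner source IP is one this peer is allowed to use; anything else is dropped."""
    addr = ipaddress.ip_address(inner_src_ip)
    return any(addr in net for net in sender.allowed_ips)


# Constructed sample configuration; the key strings are placeholders, not real keys.
SAMPLE_CONFIG = """
[Interface]
Address = 10.0.0.2/32

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.1/32, 192.168.50.0/24   # peer A: one host plus a LAN behind it

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0                      # peer B: default route for everything else
"""

if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONFIG)
    print(select_peer_for_outbound(peers, "192.168.50.7").public_key)   # peer A (/24 beats /0)
    print(select_peer_for_outbound(peers, "8.8.8.8").public_key)        # peer B
    print(accept_inbound(peers[0], "10.0.0.1"), accept_inbound(peers[0], "172.16.0.5"))
```

The inbound check is what makes the routing "cryptokey" routing: because the packet was authenticated under a specific peer's keys, the only remaining question is whether that peer is permitted to originate from the inner source address, so a peer cannot inject traffic for addresses it does not own even after a successful handshake.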

The exchange of public keys to establish a connection is similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, resembling the maintenance of authorized_keys in SSH. Data is transferred encapsulated in UDP packets. Changing the IP addresses of VPN servers (roaming) is supported without interrupting the connection, with the client reconfigured automatically.

Encryption uses the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC), developed by Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure alternatives to AES-256-CTR and HMAC, since their software implementations can run in constant time without special hardware support. The shared secret key is generated with the elliptic-curve Diffie-Hellman protocol using Curve25519, also proposed by Daniel Bernstein. The BLAKE2s algorithm (RFC 7693) is used for hashing.
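The BLAKE2s hash mentioned above is available in the Python standard library, and the following added example (not code from the WireGuard project) shows it in both plain mode and the keyed mode defined by RFC 7693, which yields a MAC without an HMAC wrapper, together with a constant-time tag check. The key and messages are constructed; the digest-size and key choices are illustrative rather than WireGuard's own parameters.

```python
import hashlib
import hmac

# Constructed 32-byte key for the demonstration; a real protocol derives MAC keys from its handshake.
DEMO_KEY = bytes(range(32))


def blake2s_hash(data: bytes) -> bytes:
    """Plain BLAKE2s-256 (32-byte digest), the hashing mode used for key derivation and transcripts."""
    return hashlib.blake2s(data).digest()


def blake2s_mac(key: bytes, message: bytes, digest_size: int = 16) -> bytes:
    """Keyed BLAKE2s: the key is mixed into the initial state, so the keyed digest is itself a MAC.
    digest_size may be anything from 1 to 32 bytes; 16 is shown here as an illustrative tag length."""
    if not 1 <= len(key) <= 32:
        raise ValueError("BLAKE2s keys are 1..32 bytes")
    return hashlib.blake2s(message, key=key, digest_size=digest_size).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so a forger learns nothing from timing."""
    expected = blake2s_mac(key, message, len(tag))
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(blake2s_hash(b"abc").hex())
    tag = blake2s_mac(DEMO_KEY, b"constructed handshake message")
    print(verify_mac(DEMO_KEY, b"constructed handshake message", tag))   # True
    print(verify_mac(DEMO_KEY, b"constructed handshake messagf", tag))   # False: one byte changed
```

The practical point for reviewers is that keyed BLAKE2 replaces HMAC rather than being wrapped in it, and that tag verification must use a constant-time comparison: an early-exit byte comparison leaks how many leading tag bytes an attacker has guessed correctly.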

Source: opennet.ru