NetBSD Kernel Adds VPN WireGuard Support

The NetBSD project developers have announced the inclusion of the wg driver, which implements the WireGuard protocol, in the main NetBSD kernel. NetBSD thus becomes the third operating system, after Linux and OpenBSD, with integrated WireGuard support. Companion commands for configuring the VPN, wg-keygen and wgconfig, are provided as well. In the default kernel configuration (GENERIC) the driver is not yet enabled; it must be enabled explicitly with the "pseudo-device wg" line in the kernel configuration.

Separately, a corrective update of the wireguard-tools package, version 1.0.20200820, has been published; it contains the user-space utilities wg and wg-quick. This release prepares the IPC layer for the upcoming WireGuard support on FreeBSD. Platform-specific code has been split out into separate files. Support for the "reload" command has been added to the systemd unit file, which makes constructs like "systemctl reload wg-quick@wgnet0" possible.

Recall that the WireGuard VPN is built on modern cryptographic methods, delivers very high performance, is easy to use, is free of unnecessary complexity, and has proven itself in a number of large deployments that handle large volumes of traffic. The project has been under development since 2015 and has passed an audit and formal verification of the cryptographic methods it uses. WireGuard support is already integrated into NetworkManager and systemd, and kernel patches are included in the base distributions of debian-unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and others.

WireGuard uses the concept of cryptokey routing, in which a private key is attached to each network interface and peers are bound by their public keys. Public keys are exchanged to establish a connection much as they are in SSH. Keys are negotiated and the connection is set up without a separate user-space daemon, using the Noise_IK mechanism from the Noise Protocol Framework, in a manner similar to maintaining authorized_keys in SSH. Data is carried encapsulated in UDP packets. Changing the IP address of the VPN server (roaming) is supported without breaking the connection, with the client reconfigured automatically.
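The paragraph above packs two ideas into "cryptokey routing": a peer's public key is its identity, and the peer's allowed-ips list is at the same time the outbound routing table and the inbound source-address filter. The following is an added illustration of that dual role (not code from NetBSD, WireGuard or opennet.ru); the peer names, key labels, addresses and endpoints are constructed sample values, and the key-based lookup stands in for the real decryption step.

```python
"""Cryptokey routing in miniature: allowed-ips routes outbound traffic to a
key and, for inbound traffic, decides whether the decrypting key is allowed
to speak for the packet's inner source address.

Added illustration; not NetBSD's or WireGuard's code. All keys, addresses
and endpoints below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    public_key: str                                  # the peer's identity
    allowed_ips: list = field(default_factory=list)  # ip_network objects
    endpoint: Optional[str] = None                   # last known "host:port"


class CryptokeyRoutingTable:
    """One table, two jobs: pick the key for an outbound destination, and
    check that an inbound packet's source address belongs to the key that
    authenticated it."""

    def __init__(self):
        self.peers = {}  # public_key -> Peer

    def add_peer(self, public_key, allowed_ips, endpoint=None):
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
        # A prefix belongs to exactly one peer: claiming it here removes it
        # from any peer that held it before, as WireGuard does.
        for other in self.peers.values():
            other.allowed_ips = [n for n in other.allowed_ips if n not in nets]
        self.peers[public_key] = Peer(public_key, nets, endpoint)

    def peer_for_destination(self, dst_ip):
        """Outbound: longest-prefix match across every peer's allowed-ips.
        Returns the peer's public key, or None (no peer: packet is dropped)."""
        dst = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer.public_key, net.prefixlen
        return best

    def accept_inbound(self, decrypting_key, src_ip):
        """Inbound: once a packet authenticates under decrypting_key, its inner
        source address must route back to that same key. Without this check a
        peer could inject packets bearing another peer's addresses."""
        return self.peer_for_destination(src_ip) == decrypting_key

    def learn_endpoint(self, public_key, new_endpoint):
        """Roaming: an authenticated packet arriving from a new outer address
        updates the peer's endpoint; identity stays tied to the key."""
        self.peers[public_key].endpoint = new_endpoint
        return new_endpoint


def demo():
    """Constructed scenario: a laptop peer and an office gateway peer."""
    table = CryptokeyRoutingTable()
    table.add_peer("KEY_LAPTOP", ["10.0.0.2/32"], endpoint="198.51.100.7:51820")
    table.add_peer("KEY_OFFICE", ["10.0.0.3/32", "192.168.1.0/24"],
                   endpoint="203.0.113.9:51820")
    results = {
        "to_office_lan": table.peer_for_destination("192.168.1.40"),
        "to_unknown": table.peer_for_destination("172.16.0.1"),
        "office_spoofs_laptop": table.accept_inbound("KEY_OFFICE", "10.0.0.2"),
        "office_genuine": table.accept_inbound("KEY_OFFICE", "192.168.1.40"),
    }
    results["roamed"] = table.learn_endpoint("KEY_LAPTOP", "192.0.2.55:40000")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The inbound check is the part worth internalising: authentication tells you which key sent the packet, and allowed-ips then says whether that key may originate traffic from the inner source address. The endpoint, by contrast, is just the last outer address a valid packet came from, which is why the server can move without the tunnel breaking.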

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) are used, designed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure counterparts to AES-256-CTR and HMAC, and their software implementations achieve constant execution time without special hardware support. The shared secret key is generated with elliptic-curve Diffie-Hellman over Curve25519, also proposed by Daniel Bernstein. BLAKE2s (RFC 7693) is used for hashing.

Source: opennet.ru
