Development / Linux / Networking / Security

WireGuard VPN Protocol Coming to a Linux Kernel Near You

31 Jan 2020 9:57am, by

The WireGuard virtual private networking (VPN) protocol is coming to the Linux kernel, much to the delight of Linux creator Linus Torvalds.

“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art,” Torvalds enthused, on the Linux Kernel Mailing List.

What is WireGuard? Simply put, WireGuard is a Layer 3 Secure VPN that is easy to deploy, and, arguably, offers a much cleaner codebase than other open source VPN packages, and has finally been merged into the Linux source tree for version 5.6.

What Makes WireGuard Special?

The primary reason WireGuard has made such a name for itself is that it’s considerably easier to configure than other solutions (being deployed with just a few lines of code) and can be quickly audited for security vulnerabilities. In fact, the entire WireGuard codebase is made up of around 4,000 lines of code (in contrast to over 100,000 lines of code for OpenVPN).

Another reason WireGuard is special is how it functions. Unlike the more complex competition, WireGuard functions in a similar fashion to SSH — by exchanging public keys. Once the keys have been exchanged and the connection made, there’s no need to manage connections or daemons, or be concerned about state or what’s going on under the hood.

For those that are interested in what’s going on under the hood, WireGuard makes use of the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. And now that WireGuard will exist within the Linux kernel, it will be even easier to implement, as well as one of the most reliable VPNs for the Linux platform.

Why It Took so Long?

Security is never anything to be rushed, especially given the fragile state of data and network protection. Because of this, the upstream Linux crypto devs opted to incorporate elements of  WireGuard designer Jason Donenfeld’s Zinc crypto API into the existing kernel crypto stack.

Prior to this, there were 34 patches submitted to the crypto API library, which made it possible to unlock WireGuard for upstreaming into the Linux kernel. Unfortunately, the timing made it impossible for introducing WireGuard into the Linux 5.5 kernel. To that end, the VPN protocol has been targeted for the upcoming 5.6 kernel release.

The New Standard

Once Linux kernel 5.6 is released, expect WireGuard VPN to become the de facto standard in Linux VPN technology. The combination of small footprint, speed, simplicity, and in-kernel design should easily make this the favored option for Linux admins needing to implement a reliable VPN.

And because WireGuard will be built into the kernel, there’ll be no need for third-party solutions. This equates to faster, easier deployments of an often maligned solution for Linux. WireGuard will make adopting VPNs a veritable no-brainer.

The Linux Foundation is a sponsor of The New Stack.

Feature image by prettysleepy1 from Pixabay.

A newsletter digest of the week’s most important stories & analyses.