How much are people looking forward to WireGuard, the new in-kernel Linux virtual private network (VPN)? Well, Linus Torvalds said, “Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”
If that sounds like damning with faint praise, you don’t know Torvalds. For him, this is high praise. Now, WireGuard has been committed to the Linux kernel’s netdev tree. While there are still tests to be made and hoops to be jumped through, it should be released in the next major Linux kernel release, 5.6, in the first or second quarter of 2020.
WireGuard has been in development for some time. It is a layer 3 secure VPN. Unlike its older rivals, which it’s meant to replace, its code is much cleaner and simple. The result is a fast, easy-to-deploy VPN. While it started as a Linux project, WireGuard code is now cross-platform, and its code is now available on Windows, macOS, BSD, iOS, and Android.
It took longer to arrive than many wished because WireGuard’s principal designer, Jason Donenfeld, disliked Linux’s built-in cryptographic subsystem on the grounds its application programming interface (API) was too complex and difficult. He suggested it be supplemented with a new cryptographic subsystem: His own Zinc library. Many developers didn’t like this. They saw this as wasting time reinventing the cryptographic well.
But Donenfeld had an important ally.
Torvalds wrote, “I’m 1000% with Jason on this. The crypto/ model is hard to use, inefficient, and completely pointless when you know what your cipher or hash algorithm is, and your CPU just does it well directly.”
In the end, Donenfeld compromised. “WireGuard will get ported to the existing crypto API. So it’s probably better that we just fully embrace it, and afterward work evolutionarily to get Zinc into Linux piecemeal.” That’s exactly what happened. Some Zine elements have been imported into the legacy crypto code in the forthcoming Linux 5.5 kernel. This laid the foundation for WireGuard to finally ship in Linux early next year.
WireGuard works by securely encapsulates IP packets over UDP. It’s authentication and interface design has more to do with Secure Shell (SSH) than other VPNs. You simply configure the WireGuard interface with your private key and your peers’ public keys, and you’re ready to securely talk.
When it arrives, I expect WireGuard to quickly become the new standard for Linux VPNs. With its tiny code-size, high-speed cryptographic primitives, and in-kernel design, it should be faster than all other existing VPN technologies. WireGuard’s not just fast, it’s secure as well, with its support of state-of-the-art cryptography technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKD.
All this is why some companies — like Mullvad VPN — adopted WireGuard long before it was incorporated into Linux. As Mullvad co-founder Fredrik Strömberg wrote two-years ago, “We find WireGuard beneficial for a number of reasons. Its simplistic design in few lines of code makes it easier for sysadmins and developers to integrate it correctly — and harder for them to get it wrong.” Thus, “WireGuard will move the world one step closer to our own vision — of making mass surveillance ineffective.”
So, say hi to the future of the VPN. Its name is WireGuard.