WireGuard VPN merged into the Linux kernel

Today Linus Torvalds pulled the net-next branch, which carries the WireGuard VPN, into the mainline kernel tree. The news was announced on the WireGuard mailing list.

Code is currently being gathered for the upcoming Linux 5.6 kernel. WireGuard is a fast, new-generation VPN built on modern cryptography. It was originally developed as a simpler and more convenient alternative to existing VPNs. Its author is the Canadian information security specialist Jason A. Donenfeld. In August 2018, WireGuard was praised by Linus Torvalds, and around the same time work began on incorporating the VPN into the Linux kernel. The process took longer than expected.

“I see that Jason made a pull request to include WireGuard in the kernel,” Linus wrote on August 2, 2018. “Can I just once again declare my love for this VPN and hope for a speedy merge? The code may not be perfect, but I looked at it, and compared to the horrors of OpenVPN and IPsec, this is a real work of art.”

Despite Linus's wishes, the merge dragged on for a year and a half. The main obstacle turned out to be WireGuard's own implementations of cryptographic primitives, which it used for performance. After lengthy negotiations, a compromise was reached in September 2019: the patches would be ported to the kernel's existing Crypto API, about which the WireGuard developers had complaints regarding both performance and general security. In return, the native WireGuard crypto functions would be packaged as a separate low-level Zinc API and eventually ported into the kernel. In November the kernel developers kept their promise and agreed to move part of the Zinc code into the mainline kernel; for example, the Crypto API now includes the fast ChaCha20 and Poly1305 implementations prepared by WireGuard.

In the end, on December 9, 2019, David S. Miller, maintainer of the Linux kernel networking subsystem, accepted the patches implementing the WireGuard project's VPN interface into the net-next branch.

And today, January 29, 2020, the changes were sent to Linus for inclusion in the kernel.

The declared advantages of WireGuard over other VPN solutions:

  • Easy to use.
  • Uses modern cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
  • Compact, readable code that is easier to audit for vulnerabilities.
  • High performance.
  • Clear and detailed specification.

All of WireGuard's core logic takes up less than 4000 lines of code, whereas OpenVPN and IPsec run to hundreds of thousands of lines.

« WireGuard , . SSH. Noise_IK Noise Protocol Framework, authorized_keys SSH. UDP. IP- VPN- () , — Opennet.

ChaCha20 (MAC) Poly1305, (Daniel J. Bernstein), (Tanja Lange) (Peter Schwabe). ChaCha20 Poly1305 AES-256-CTR HMAC, . - Curve25519, . BLAKE2s (RFC7693) ».

Performance test results from the official website:

Chart: Bandwidth (megabits/s)

Chart: Ping (ms)

Test configuration:

  • Intel Core i7-3820QM and Intel Core i7-5200U
  • Gigabit Intel 82579LM and Intel I218LM network cards
  • Linux 4.6.1
  • WireGuard configuration: 256-bit ChaCha20 with Poly1305 for MAC
  • First IPsec configuration: 256-bit ChaCha20 with Poly1305 for MAC
  • Second IPsec configuration: AES-256-GCM-128 (with AES-NI)
  • OpenVPN configuration: equivalent cipher suite, 256-bit AES with HMAC-SHA2-256, UDP mode
  • Performance was measured with iperf3; the figures shown are averages over 30 minutes.

In theory, WireGuard should run even faster once integrated into the network stack. In practice this is not guaranteed, because of the switch to the cryptographic functions provided by the kernel's Crypto API: not all of them may yet be optimized to the performance level of WireGuard's native implementations.

« , WireGuard . , VPN . , — 2018 . — , OpenWRT. . , SSH- ».

The WireGuard project has been under development since 2015 and has undergone a security audit and formal verification. WireGuard support is integrated into NetworkManager and systemd, and the kernel patches ship with Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph, and ALT.

Source: https://habr.com/ru/post/undefined/
