WireGuard - Fast and Secure VPN in Linux Kernel


Fig. 1. OpenVPN vs WireGuard, test Ars Technica

WireGuard is a free and open virtual private network protocol intended to replace IPsec and OpenVPN. In January 2020, after a year and a half of code refinement, the long-awaited event finally took place: Linus Torvalds accepted WireGuard VPN into the main Linux 5.6 branch.

Very soon, this VPN will become part of the Linux kernel, the heart of an open source operating system that runs the whole world, from web servers to Android phones and cars. This is a genuinely important event, because WireGuard is much simpler and more logical than previous VPNs. In June 2019, an automated cryptographic proof of the protocol's mathematics was obtained.

VPN is an important tool for security and privacy. In essence, it is an encrypted communication channel between two or more devices that allows data to be routed through a secure “tunnel”. Companies use a VPN to give employees remote access to the corporate network, and commercial VPN services offer users protection against traffic interception by directing it through remote servers. This means that your provider, government intelligence agencies or any unauthorized persons cannot see what you are doing on the Internet. Routing traffic through a remote server can also create the impression that you are accessing the Internet from another place. This allows people in some countries to access sites that are blocked for some reason.

But VPN connections are only as secure as the software itself. Security professionals have traditionally been critical of VPN software. One reason for this is that most VPN software is incredibly complex. The more complex the software, the more difficult it is to audit for security issues.

Old VPN programs are “too huge and complicated, and in principle it’s impossible to browse and check whether they are safe or not,” says Jan Jonsson, CEO of the VPN provider Mullvad, on which the built-in VPN service in the Firefox browser is based.

The author of WireGuard is hacker and pentester Jason A. Donenfeld. He managed to write much simpler and more concise code than in most other VPN programs. The first version of WireGuard contained less than 4,000 lines of code, compared to tens of thousands of lines in other VPN programs. This does not make WireGuard safer by itself, but it makes troubleshooting much easier. The key mechanisms of the encryption protocol are shown in Fig. 2.

Fig. 2: (a) WireGuard protocol; (b) cryptographic computation; (c) WireGuard cookie mechanism to protect the host from DoS attacks
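The cookie mechanism of Fig. 2(c) is the part of the protocol that lets a responder under load refuse to spend an expensive handshake computation on a sender who has not proven it can receive replies at its claimed source address. The following Python model is an added example written for this article; it is not code from the WireGuard project or its author. It follows the design described in the WireGuard paper: the cookie is a 16-byte keyed BLAKE2s MAC of the sender's address under a responder secret rotated every two minutes, and the sender proves possession of the cookie by filling the handshake's `mac2` field with a MAC of the message keyed on that cookie. The class names, the `simulate` driver and all addresses and message bytes are constructed here for illustration; the real protocol additionally encrypts the cookie reply with XChaCha20-Poly1305 and checks a `mac1` field keyed on the responder's public key, both omitted to keep the example standard-library only.

```python
"""Toy model of WireGuard's cookie mechanism (Fig. 2c), standard library only.

Constructed for illustration: it omits mac1 and the encryption of the cookie
reply that the real protocol performs, and models only the load-shedding logic.
"""
import hashlib
import hmac
import os
import time

MAC_LEN = 16                   # mac1, mac2 and the cookie are all 16-byte keyed BLAKE2s
COOKIE_SECRET_LIFETIME = 120.0  # seconds; the responder rotates its secret every two minutes


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed BLAKE2s truncated to 16 bytes, the MAC used for mac1/mac2 and cookies."""
    return hashlib.blake2s(data, digest_size=MAC_LEN, key=key).digest()


class Responder:
    """Side that must decide whether to spend a Diffie-Hellman computation on a handshake."""

    def __init__(self, under_load: bool, now=time.monotonic):
        self.under_load = under_load
        self.now = now
        self.expensive_handshakes = 0   # how many times the costly part actually ran
        self._secret = os.urandom(32)   # R_m in the paper: random, rotated every two minutes
        self._secret_born = now()

    def _cookie_secret(self) -> bytes:
        if self.now() - self._secret_born >= COOKIE_SECRET_LIFETIME:
            self._secret = os.urandom(32)
            self._secret_born = self.now()
        return self._secret

    def cookie_for(self, src_addr: bytes) -> bytes:
        # cookie = MAC(R_m, A_ip): bound to the sender's source address and to the current secret,
        # so a cookie issued for one address (or before a rotation) does not validate elsewhere.
        return mac(self._cookie_secret(), src_addr)

    def handle_initiation(self, msg: bytes, mac2: bytes, src_addr: bytes):
        """Return (accepted, cookie_reply). Under load, only a valid mac2 reaches the DH step."""
        if self.under_load:
            expected = mac(self.cookie_for(src_addr), msg)   # mac2 = MAC(cookie, msg[0:offsetof(mac2)])
            if not hmac.compare_digest(expected, mac2):
                # Cheap rejection: one MAC, no DH. Send the cookie so a genuine sender can retry.
                return False, self.cookie_for(src_addr)
        self.expensive_handshakes += 1
        return True, None


class Initiator:
    """Side that sends handshake initiations and keeps the last cookie it received."""

    def __init__(self):
        self.cookie = None

    def mac2_for(self, msg: bytes) -> bytes:
        if self.cookie is None:
            return bytes(MAC_LEN)       # no cookie yet: mac2 is all zeros, as in the protocol
        return mac(self.cookie, msg)

    def on_cookie_reply(self, cookie: bytes) -> None:
        self.cookie = cookie


def simulate(under_load: bool, replies_delivered: bool, max_attempts: int = 3) -> dict:
    """One initiator against one responder. `replies_delivered=False` models a sender
    spoofing its source address, which therefore never sees the cookie reply."""
    responder = Responder(under_load)
    initiator = Initiator()
    msg = b"constructed handshake-initiation bytes"   # stands in for msg[0:offsetof(mac2)]
    src = b"203.0.113.7:51820"                        # constructed documentation address
    for attempt in range(1, max_attempts + 1):
        accepted, cookie = responder.handle_initiation(msg, initiator.mac2_for(msg), src)
        if accepted:
            return {"accepted": True, "attempts": attempt,
                    "expensive": responder.expensive_handshakes}
        if replies_delivered:
            initiator.on_cookie_reply(cookie)
    return {"accepted": False, "attempts": max_attempts,
            "expensive": responder.expensive_handshakes}


def cookie_is_address_bound() -> bool:
    """A cookie issued for one source address must not validate a handshake from another."""
    responder = Responder(under_load=True)
    msg = b"constructed handshake-initiation bytes"
    cookie_a = responder.cookie_for(b"198.51.100.1:51820")
    accepted_b, _ = responder.handle_initiation(msg, mac(cookie_a, msg), b"198.51.100.2:51820")
    accepted_a, _ = responder.handle_initiation(msg, mac(cookie_a, msg), b"198.51.100.1:51820")
    return accepted_a and not accepted_b


if __name__ == "__main__":
    print("idle responder:      ", simulate(under_load=False, replies_delivered=True))
    print("loaded, real sender: ", simulate(under_load=True, replies_delivered=True))
    print("loaded, spoofed src: ", simulate(under_load=True, replies_delivered=False))
    print("cookie bound to addr:", cookie_is_address_bound())
```

The three runs show the point of the mechanism: an idle responder accepts on the first attempt, a loaded responder makes a genuine sender pay one cheap round trip before doing any expensive work, and a sender whose source address is spoofed never gets past the MAC check, so the responder performs no costly computation on its behalf at all.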




WireGuard clients are already released for Android, iOS, MacOS, Linux, and Windows. Cloudflare launched the Warp VPN service based on the WireGuard protocol, and several commercial VPN providers also allow users to use the WireGuard protocol, including TorGuard, IVPN, and Mullvad.

Implementing WireGuard directly in the kernel, which interacts directly with the hardware, should make it faster still. WireGuard will be able to encrypt and decrypt data directly from the network card, without passing the traffic up to higher-level user-space software.

The official release of Linux 5.6 will take place in a few weeks. After that, it can be expected that the WireGuard protocol will be more widely used in various VPN services, including to protect connections between IoT devices, many of which work on Linux.

The author of the program, Jason Donenfeld, made a living by breaking into computer systems (penetration tests under an official consulting contract). He originally developed WireGuard as a data exfiltration tool to covertly capture data from a victim's computer.

In 2012, Jason moved to France and, like many VPN users, wanted to go online from an American address. But he did not trust the existing VPN software. In the end, he realized that he could use his exfiltration tool to route traffic through his parents' computer in the USA: “I realized that many methods of hacking systems (offensive security) are actually useful for protection,” he said in an interview with Wired magazine.

Donenfeld changed the traditional approach that VPN and cryptographic software have used for decades. For example, other VPN systems allow users to select one of several encryption algorithms. But support for multiple encryption schemes makes the software more complex and provides more opportunities for errors. WireGuard takes the liberty of making some decisions for the user. This makes the program not as flexible as IPsec and OpenVPN, but WireGuard is an order of magnitude simpler, which, according to proponents, reduces the likelihood of errors from both WireGuard developers and users.

A simpler code audit is not the only reason WireGuard has attracted so much attention. The biggest advantage of WireGuard is that “it’s nice to use it,” says Thomas Ptacek, a security researcher. “It’s no more difficult to configure than any of the network tools that developers are already using.”

WireGuard is on a par with the secure Signal messenger - they are part of a broad movement to create better, more convenient software based on modern cryptographic methods.

In 2019, experts from the French National Institute for Research in Computer Science and Automation evaluated WireGuard's cryptography. They obtained an automated cryptographic proof of the mathematical methods underlying WireGuard, although there might still be security issues in the code itself. It is now being tested by Linux developers, and Donenfeld has fixed several problems ahead of the release of the new Linux 5.6 kernel and WireGuard 1.0.



PKI solutions for small and medium-sized businesses from the GlobalSign Certification Authority. For details, contact managers +7 (499) 678 2210, sales-ru@globalsign.com.
