WireGuard explained

WireGuard
Logo Alt:The WireGuard logo
Logo Size:200px
Author:Jason A. Donenfeld
Developer:Jason A. Donenfeld
Released:[1]
Latest Release Version:
Programming Language:C (Linux, FreeBSD kernel modules, NetBSD, OpenBSD kernel drivers, Windows kernel drivers), Go (userspace implementation)
Genre:Virtual private network
License:various free and open-source

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs).[2] It aims to be lighter and better performing than IPsec and OpenVPN, two common tunneling protocols.[3] The WireGuard protocol passes traffic over UDP.

In March 2020, the Linux version of the software reached a stable production release and was incorporated into the Linux 5.6 kernel, and backported to earlier Linux kernels in some Linux distributions. The Linux kernel components are licensed under the GNU General Public License (GPL) version 2; other implementations are under GPLv2 or other free/open-source licenses.[2]

The name WireGuard is a registered trademark of Jason A. Donenfeld.[2]

Protocol

WireGuard uses the following:[4]

In May 2019, researchers from INRIA published a machine-checked proof of the WireGuard protocol, produced using the CryptoVerif proof assistant.

Optional pre-shared symmetric key mode

WireGuard supports pre-shared symmetric key mode, which provides an additional layer of symmetric encryption to mitigate future advances in quantum computing. This addresses the risk that traffic may be stored until quantum computers are capable of breaking Curve25519, at which point traffic could be decrypted. Pre-shared keys are "usually troublesome from a key management perspective and might be more likely stolen", but in the shorter term, if the symmetric key is compromised, the Curve25519 keys still provide more than sufficient protection.[6]

Networking

WireGuard uses only[7] UDP,[2] due to the potential disadvantages of TCP-over-TCP.[7] [8] [9] Tunneling TCP over a TCP-based connection is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown"). TCP meltdown occurs when a TCP connection is stacked on top of another. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes said delays and degraded transmission performance.

Its default server port is UDP 51820.

WireGuard fully supports IPv6, both inside and outside of tunnel. It supports only layer 3 for both IPv4 and IPv6 and can encapsulate v4-in-v6 and vice versa.[10]

MTU overhead

The overhead of WireGuard breaks down as follows:[11]

MTU operational considerations

Assuming the underlay network transporting the WireGuard packets maintains a 1500 bytes MTU, configuring the WireGuard interface to 1420 bytes MTU for all involved peers is ideal for transporting IPv6 + IPv4 traffic. However, when exclusively carrying legacy IPv4 traffic, a higher MTU of 1440 bytes for the WireGuard interface suffices.

From an operational perspective and for network configuration uniformity, choosing to configure a 1420 MTU network-wide for the WireGuard interfaces would be advantageous. This approach ensures consistency and facilitates a smoother transition to enabling IPv6 for the WireGuard peers and interfaces in the future.

Caveat

There may be situations where, for instance, a peer is behind a network with 1500 bytes MTU, and a second peer is behind a wireless network such as an LTE network, where often times, the carrier opted to use an MTU that is far lower than 1420 bytes — In such cases, the underlying IP networking stack of the host will fragment the UDP encapsulated packet and send the packets through, the packets inside the tunnel however will remain consistent and will not be required to fragment as PMTUD will detect the MTU between the peers (in this example, that would be 1420 bytes) and send a fixed packet size between the peers.

Extensibility

WireGuard is designed to be extended by third-party programmes and scripts. This has been used to augment WireGuard with various features including more user-friendly management interfaces (including easier setting up of keys), logging, dynamic firewall updates, dynamic IP assignment, and LDAP integration.

Excluding such complex features from the minimal core codebase improves its stability and security. For ensuring security, WireGuard restricts the options for implementing cryptographic controls, limits the choices for key exchange processes, and maps algorithms[4] to a small subset of modern cryptographic primitives. If a flaw is found in any of the primitives, a new version can be released that resolves the issue.

Reception

A review by Ars Technica found that WireGuard was easy to set up and use, used strong ciphers, and had a minimal codebase that provided for a small attack surface.

WireGuard has received funding from the Open Technology Fund.[12] and donations from Mullvad, Private Internet Access, IVPN, the NLnet Foundation[13] and OVPN.[14]

Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard as a replacement for existing technologies.[15]

Availability

Implementations

Implementations of the WireGuard protocol include:

History

Early snapshots of the code base exist from 30 June 2016.[23] Four early adopters of WireGuard were the VPN service providers Mullvad, AzireVPN, IVPN[24] and cryptostorm.

On 9 December 2019, David Miller – primary maintainer of the Linux networking stack – accepted the WireGuard patches into the "net-next" maintainer tree, for inclusion in an upcoming kernel.[25] [26] [27]

On 28 January 2020, Linus Torvalds merged David Miller's net-next tree, and WireGuard entered the mainline Linux kernel tree.[28]

On 20 March 2020, Debian developers enabled the module build options for WireGuard in their kernel config for the Debian 11 version (testing).[29]

On 29 March 2020 WireGuard was incorporated into the Linux 5.6 release tree. The Windows version of the software remains at beta.

On 30 March 2020, Android developers added native kernel support for WireGuard in their Generic Kernel Image.[30]

On 22 April 2020, NetworkManager developer Beniamino Galvani merged GUI support for WireGuard in GNOME.[31]

On 12 May 2020, Matt Dunwoodie proposed patches for native kernel support of WireGuard in OpenBSD.[32]

On 22 June 2020, after the work of Matt Dunwoodie and Jason A. Donenfeld, WireGuard support was imported into OpenBSD.[33]

On 23 November 2020, Jason A. Donenfeld released an update of the Windows package improving installation, stability, ARM support, and enterprise features.[34]

On 29 November 2020, WireGuard support was imported into the FreeBSD 13 kernel.[35]

On 19 January 2021, WireGuard support was added for preview in pfSense Community Edition (CE) 2.5.0 development snapshots.[36]

In March 2021, kernel-mode WireGuard support was removed from FreeBSD 13.0, still in testing, after an urgent code cleanup in FreeBSD WireGuard could not be completed quickly.[37] FreeBSD-based pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 removed kernel-based WireGuard as well.[38]

In May 2021, WireGuard support was re-introduced back into pfSense CE and pfSense Plus development snapshots as an experimental package written by a member of the pfSense community, Christian McDonald. The WireGuard package for pfSense incorporates the ongoing kernel-mode WireGuard development work by Jason A. Donenfeld that was originally sponsored by Netgate.[39] [40] [41]

In June 2021, the official package repositories for both pfSense CE 2.5.2 and pfSense Plus 21.05 included the WireGuard package.[42]

In 2023, WireGuard got over 200,000 Euros support from Germany's Sovereign Tech Fund.[43]

See also

Notes and References

  1. News: Yael . Grauer . 2021-01-16 . How one hacker's push to secure the internet became a crucial part of Mac, Linux, and Windows operating systems . . 2022-11-25.
  2. Web site: WireGuard: fast, modern, secure VPN tunnel. WireGuard. live. https://web.archive.org/web/20180428010439/https://www.wireguard.com/. 28 April 2018. 2021-03-31.
  3. Book: Springer. 978-3-319-93387-0. Preneel. Bart. Vercauteren. Frederik. Applied Cryptography and Network Security. 11 June 2018. 25 June 2018. https://web.archive.org/web/20190218102858/https://books.google.com/books?id=UKJfDwAAQBAJ&pg=PA3. 18 February 2019. live. dmy-all.
  4. Web site: Donenfeld . Jason A. . Protocol & Cryptography - WireGuard . 2023-05-14 . www.wireguard.com . en.
  5. Web site: Donenfeld. Jason A.. Known Limitations - WireGuard. www.wireguard.com. 1 June 2020. en.
  6. Web site: Donenfeld. Jason. May 2, 2021. WireGuard: Next Generation Kernel Network Tunnel. Wireguard.com.
  7. Web site: Donenfeld. Jason A.. Known Limitations - WireGuard. 2021-05-02. www.wireguard.com. en.
  8. Web site: Why TCP Over TCP Is A Bad Idea. Olaf. Titz. 2001-04-23. 2015-10-17.
  9. 2005SPIE.6011..138H. Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency. Honda, Osamu . Ohsaki, Hiroyuki . Imase, Makoto . Ishizuka, Mika . Murayama, Junichi . 8945952. Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. 6011. October 2005. 10.1117/12.630496. 10.1.1.78.5815. Atiquzzaman. Mohammed. Balandin. Sergey I.
  10. Donenfeld. Jason A.. WireGuard: Next Generation Kernel Network Tunnel. Introduction & Motivation. https://www.wireguard.com/papers/wireguard.pdf#section.1. live. https://web.archive.org/web/20180304235745/https://www.wireguard.com/papers/wireguard.pdf. 4 March 2018.
  11. Web site: Donenfeld . Jason A. . December 11, 2017 . [WireGuard] Header / MTU sizes for Wireguard ]. 2024-01-13.
  12. Web site: Building a more secure, accessible and resilient WireGuard VPN protocol.. 2022-06-20. www.opentech.fund.
  13. Web site: Donations . live . https://web.archive.org/web/20180428012457/https://www.wireguard.com/donations/ . 28 April 2018 . 28 April 2018 . WireGuard.
  14. Web site: 23 March 2020 . OVPN donates to support WireGuard . OVPN.
  15. Web site: US Senator Recommends Open-Source WireGuard To NIST For Government VPN. Phoronix. 30 June 2018. 5 August 2018. https://web.archive.org/web/20180805142858/https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-Senator-Recommends. 5 August 2018. live. dmy-all.
  16. Web site: WireGuard: fast, modern, secure VPN tunnel. Donenfeld. Jason. 2019-06-07. 2019-06-16.
  17. Web site: BoringTun, a userspace WireGuard implementation in Rust. Krasnov. Vlad. 2018-12-18. Cloudflare Blog. en-US. 2019-03-29. https://web.archive.org/web/20190404164726/https://blog.cloudflare.com/boringtun-userspace-wireguard-rust/. 4 April 2019. live. dmy-all.
  18. Web site: CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation. phoronix.com. 29 March 2019.
  19. Web site: WireGuard imported into OpenBSD. Johansson. Janne. 2020-06-21.
  20. Web site: wg(4) - NetBSD Manual Pages. 2020-08-20.
  21. Web site: 2021-08-02. WireGuardNT, a high-performance WireGuard implementation for the Windows kernel.
  22. Web site: WireGuard: VPN has never been so easy.
  23. Web site: Index of /Monolithic-historical/.
  24. Web site: Introducing Wireguard. Pestell. Nick. 11 December 2018. 2019-09-22.
  25. Web site: e7096c131e5161fa3b8e52a650d7719d2857adfd - pub/scm/linux/kernel/git/davem/net-next - Git at Google. kernel.googlesource.com.
  26. Web site: LKML: David Miller: Re: [PATCH net-next v2] net: WireGuard secure network tunnel]. lkml.org.
  27. Web site: [ANNOUNCE] WireGuard merged to net-next, on its way to Linux 5.6]. https://web.archive.org/web/20200109120322/https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html. dead. 9 January 2020. 9 January 2020.
  28. Web site: Torvalds. Linus. index : kernel/git/torvalds/linux.git. Linux kernel source tree. Kernel.org. 2 February 2020.
  29. Web site: drivers/net: Enable WIREGUARD as module. 21 March 2020 .
  30. Web site: ANDROID: GKI: enable CONFIG_WIREGUARD.
  31. Web site: merge branch 'bg/wireguard' (d321d0df) · Commits · GNOME / network-manager-applet. gitlab.gnome.org. 22 April 2020 . 30 May 2020. en.
  32. Web site: WireGuard for OpenBSD Kernel Patches Posted. 12 May 2020 .
  33. Web site: add wg(4), an in kernel driver for WireGuard vpn communication.
  34. Web site: [ANNOUNCE] WireGuard for Windows 0.3: ARM support, enterprise features, & more]. 23 November 2020 .
  35. Web site: Import kernel WireGuard support.
  36. Web site: WireGuard for pfSense Software.
  37. News: FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation. Tim. Anderson. 2021-03-23. 2021-03-31. The Register. Situation Publishing.
  38. Web site: Thompson. Jim. 2021-03-18. WireGuard Removed from pfSense® CE and pfSense® Plus Software. 2021-03-20. Netgate blog. en. Rubicon Communications.
  39. Web site: Long. Scott. 2021-05-05. pfSense: WireGuard returns as an Experimental Package. 2021-06-09. Netgate - Secure networks start here.. en.
  40. Web site: Paxson. Audian. 2021-01-19. WireGuard for pfSense Software. 2021-06-09. Netgate - Secure networks start here.. en.
  41. Web site: wireguard-freebsd - WireGuard implementation for the FreeBSD kernel. 2021-06-09. git.zx2c4.com.
  42. Web site: Pingle. Jim. 2021-06-02. pfSense Plus 21.05-RELEASE Now Available. 2021-06-09. Netgate - Secure networks start here.. en.
  43. Web site: WireGuard . 2024-05-26 . Sovereign Tech Fund . en.