WireGuard

WireGuard

The WireGuard logo
Original author(s)	Jason A. Donenfeld
Developer(s)	Jason A. Donenfeld
Initial release	2015; 10 years ago (2015)[1]
Stable release	Lua error in Module:Wd at line 405: invalid escape sequence near '"^'. / Lua error in Module:Wd at line 405: invalid escape sequence near '"^'.; Error: first parameter cannot be parsed as a date or time. (Lua error in Module:Wd at line 405: invalid escape sequence near '"^'.)
Written in	C (Linux, FreeBSD kernel modules, NetBSD, OpenBSD kernel drivers), Go (userspace implementation)
Operating system	<templatestyles src="Plainlist/styles.css"/> Android iOS Linux FreeBSD NetBSD OpenBSD macOS Windows 7+ Other[2][3][lower-alpha 1]
Type	Virtual private network
License	various free and open-source
Website	<strong%20class= "error"><span%20class="scribunto-error"%20id="mw-scribunto-error-3">Lua%20error%20in%20Module:Wd%20at%20line%20405:%20invalid%20escape%20sequence%20near%20'"^'. http://<strong%20class="error"><span%20class="scribunto-error"%20id="mw-scribunto-error-3">Lua%20error%20in%20Module:Wd%20at%20line%20405:%20invalid%20escape%20sequence%20near%20'"^'.Lua error in Module:EditAtWikidata at line 29: attempt to index field 'wikibase' (a nil value).

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.^[4] It aims for better performance and more power than IPsec and OpenVPN, two common tunneling protocols.^[5] The WireGuard protocol passes traffic over UDP.^[6]

In March 2020, the Linux version of the software reached a stable production release and was incorporated into the Linux 5.6 kernel, and backported to earlier Linux kernels in some Linux distributions.^[3] The Linux kernel components are licensed under the GNU General Public License (GPL) version 2; other implementations are under GPLv2 or other free/open-source licenses.^[4]

Protocol

WireGuard uses the following:^[4]

• X25519 for key exchange
• ChaCha20 for symmetric encryption
• Poly1305 for message authentication codes
• SipHash for hashtable keys
• BLAKE2s for cryptographic hash function
• UDP-based only^[6]

In May 2019, researchers from INRIA published a machine-checked proof of the WireGuard protocol, produced using the CryptoVerif proof assistant.^[7]

Optional Pre-shared Symmetric Key Mode

WireGuard supports pre-shared symmetric key mode, which provides an additional layer of symmetric encryption to mitigate future advances in quantum computing. This addresses the risk that traffic may be stored until quantum computers are capable of breaking Curve25519, at which point traffic could be decrypted. Pre-shared keys are "usually troublesome from a key management perspective and might be more likely stolen", but in the shorter term, if the symmetric key is compromised, the Curve25519 keys still provide more than sufficient protection.^[8]

Networking

WireGuard only^[9] uses UDP,^[4] due to the potential disadvantages of TCP-over-TCP.^[9][10]

WireGuard fully supports IPv6, both inside and outside of tunnel. It supports only layer 3 for both IPv4 and IPv6 and can encapsulate v4-in-v6 and vice versa.^[11]

Extensibility

WireGuard is designed to be extended by third-party programmes and scripts. This has been used to augment WireGuard with various features including more user-friendly management interfaces (including easier setting up of keys), logging, dynamic firewall updates, and LDAP integration.^{[citation needed]}

Excluding such complex features from the minimal core codebase improves its stability and security. For ensuring security, WireGuard restricts the options for implementing cryptographic controls, limits the choices for key exchange processes, and maps algorithms^{[citation needed]} to a small subset of modern cryptographic primitives. If a flaw is found in any of the primitives, a new version can be released that resolves the issue. Also, configuration settings that affect the security of the overall application cannot be modified by unprivileged users.^[12]

Reception

A review by Ars Technica found that WireGuard was easy to setup and use, used strong ciphers, and had a minimal codebase that provided for a small attack surface. ^[13]

WireGuard has received funding from the Open Technology Fund.^[14] and donations from Mullvad, Private Internet Access, IVPN, the NLnet Foundation^[15] and OVPN.^[16]

Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard as a replacement for existing technologies.^[17]

Availability

Implementations

Implementations of the WireGuard protocol include:

• Donenfeld's initial implementation, written in C and Go.^[18]
• Cloudflare's BoringTun, a user space implementation written in Rust.^[19][20]
• Matt Dunwoodie's implementation for OpenBSD, written in C.^[21]
• Ryota Ozaki's wg(4) implementation, for NetBSD, is written in C.^[22]
• The FreeBSD implementation is written in C and shares most of the data path with the OpenBSD implementation.^[23]
• Native Windows kernel implementation named "wireguard-nt", since August 2021.^[24]
• OPNsense via standard package os-WireGuard.^[25]
• pfSense via experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions.
• Mikrotik has an implementation on all modern routers

History

Early snapshots of the code base exist from 30 June 2016.^[26] Four early adopters of WireGuard were the VPN service providers Mullvad,^[27] AzireVPN,^[28] IVPN^[29] and cryptostorm.^[30]

On 9 December 2019, David Miller – primary maintainer of the Linux networking stack – accepted the WireGuard patches into the "net-next" maintainer tree, for inclusion in an upcoming kernel.^[31][32][33]

On 28 January 2020, Linus Torvalds merged David Miller's net-next tree, and WireGuard entered the mainline Linux kernel tree.^[34]

On 20 March 2020, Debian developers enabled the module build options for WireGuard in their kernel config for the Debian 11 version (testing).^[35]

On 29 March 2020 WireGuard was incorporated into the Linux 5.6 release tree. The Windows version of the software remains at beta.^[3]

On 30 March 2020, Android developers added native kernel support for WireGuard in their Generic Kernel Image.^[36]

On 22 April 2020, NetworkManager developer Beniamino Galvani merged GUI support for WireGuard.^[37]

On 12 May 2020, Matt Dunwoodie proposed patches for native kernel support of WireGuard in OpenBSD.^[38]

On 22 June 2020, after the work of Matt Dunwoodie and Jason A. Donenfeld, WireGuard support was imported into OpenBSD.^[39]

On 23 November 2020, Jason A. Donenfeld released an update of the Windows package improving installation, stability, ARM support, and enterprise features.^[40]

On 29 November 2020, WireGuard support was imported into the FreeBSD 13 kernel.^[23]

On 19 January 2021, WireGuard support was added for preview in pfSense Community Edition (CE) 2.5.0 development snapshots.^[41]

In March 2021, kernel-mode WireGuard support was removed from FreeBSD 13.0, still in testing, after an urgent code cleanup in FreeBSD WireGuard could not be completed quickly.^[42] FreeBSD-based pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 removed kernel-based WireGuard as well.^[43]

In May 2021, WireGuard support was re-introduced back into pfSense CE and pfSense Plus development snapshots as an experimental package written by a member of the pfSense community, Christian McDonald. The WireGuard package for pfSense incorporates the ongoing kernel-mode WireGuard development work by Jason A. Donenfeld that was originally sponsored by Netgate.^[44][45][46]

In June 2021, the official package repositories for both pfSense CE 2.5.2 and pfSense Plus 21.05 included the WireGuard package.^[47]

See also

• Comparison of virtual private network services
• Secure Shell (SSH), a cryptographic network protocol used to secure services over an unsecured network.

Notes

<templatestyles src="Reflist/styles.css" />

References

<templatestyles src="Reflist/styles.css" />

1. ↑ Lua error in package.lua at line 80: module 'strict' not found.
2. ↑ Lua error in package.lua at line 80: module 'strict' not found.
3. ↑ ^{3.0 3.1 3.2} Lua error in package.lua at line 80: module 'strict' not found.
4. ↑ ^{4.0 4.1 4.2 4.3} Lua error in package.lua at line 80: module 'strict' not found.
5. ↑ Lua error in package.lua at line 80: module 'strict' not found.
6. ↑ ^{6.0 6.1} Lua error in package.lua at line 80: module 'strict' not found.
7. ↑ Lua error in package.lua at line 80: module 'strict' not found.
8. ↑ Lua error in package.lua at line 80: module 'strict' not found.
9. ↑ ^{9.0 9.1} Lua error in package.lua at line 80: module 'strict' not found.
10. ↑ Lua error in package.lua at line 80: module 'strict' not found.
11. ↑ Lua error in package.lua at line 80: module 'strict' not found.
12. ↑ Lua error in package.lua at line 80: module 'strict' not found.
13. ↑ Lua error in package.lua at line 80: module 'strict' not found.
14. ↑ Lua error in package.lua at line 80: module 'strict' not found.
15. ↑ Lua error in package.lua at line 80: module 'strict' not found.
16. ↑ Lua error in package.lua at line 80: module 'strict' not found.
17. ↑ Lua error in package.lua at line 80: module 'strict' not found.
18. ↑ Lua error in package.lua at line 80: module 'strict' not found.
19. ↑ Lua error in package.lua at line 80: module 'strict' not found.
20. ↑ Lua error in package.lua at line 80: module 'strict' not found.
21. ↑ Lua error in package.lua at line 80: module 'strict' not found.
22. ↑ Lua error in package.lua at line 80: module 'strict' not found.
23. ↑ ^{23.0 23.1} Lua error in package.lua at line 80: module 'strict' not found.
24. ↑ Lua error in package.lua at line 80: module 'strict' not found.
25. ↑ Lua error in package.lua at line 80: module 'strict' not found.
26. ↑ Lua error in package.lua at line 80: module 'strict' not found.
27. ↑ Lua error in package.lua at line 80: module 'strict' not found.
28. ↑ Lua error in package.lua at line 80: module 'strict' not found.
29. ↑ Lua error in package.lua at line 80: module 'strict' not found.
30. ↑ Lua error in package.lua at line 80: module 'strict' not found.
31. ↑ Lua error in package.lua at line 80: module 'strict' not found.
32. ↑ Lua error in package.lua at line 80: module 'strict' not found.
33. ↑ Lua error in package.lua at line 80: module 'strict' not found.
34. ↑ Lua error in package.lua at line 80: module 'strict' not found.
35. ↑ Lua error in package.lua at line 80: module 'strict' not found.
36. ↑ Lua error in package.lua at line 80: module 'strict' not found.
37. ↑ Lua error in package.lua at line 80: module 'strict' not found.
38. ↑ Lua error in package.lua at line 80: module 'strict' not found.
39. ↑ Lua error in package.lua at line 80: module 'strict' not found.
40. ↑ Lua error in package.lua at line 80: module 'strict' not found.
41. ↑ Lua error in package.lua at line 80: module 'strict' not found.
42. ↑ Lua error in package.lua at line 80: module 'strict' not found.
43. ↑ Lua error in package.lua at line 80: module 'strict' not found.
44. ↑ Lua error in package.lua at line 80: module 'strict' not found.
45. ↑ Lua error in package.lua at line 80: module 'strict' not found.
46. ↑ Lua error in package.lua at line 80: module 'strict' not found.
47. ↑ Lua error in package.lua at line 80: module 'strict' not found.

Cite error: <ref> tags exist for a group named "lower-alpha", but no corresponding <references group="lower-alpha"/> tag was found, or a closing </ref> is missing