The WireGuard VPN protocol, which is smaller, faster and easier to configure than IPsec, has been merged into Linus Torvalds’ git repository for version 5.6 of the Linux kernel, the next release.
There is no set date for Linux kernel releases. Version 5.5 was released on 26 January 2020 and there are typically a couple of months between releases, so 5.6 may come in April.
WireGuard in 5.6 is not a surprise. The code was merged into network maintainer Dave Miller’s repository in December 2019 but not pulled in by Torvalds until today. “Linus pulled in net-next about a half hour ago. So WireGuard is now officially upstream,” said the announcement on the WireGuard mailing list. WireGuard developer Jason Donenfeld shared his excitement at the news, but added: “I look forward to start refining some of [the] rougher areas of WireGuard now.”
WireGuard “aims to be as easy to configure and deploy as SSH”, according to its description, and is cross-platform for Windows, macOS, BSD, iOS and Android. It is open source and licensed under GPLv2 (also used by the Linux kernel).
The reason for enthusiasm around WireGuard is a combination of relatively simple configuration, small codebase, sound cryptography, fast connection and strong performance. “Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals,” claims the homepage.
The Center for Direct Scientific Communication (CCSD) in Lyon, France, offers a cryptographic proof “for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks”. Configuration of WireGuard is a snap compared to what is needed for IPsec.
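To give a sense of what “a snap” means in practice, here is an added example (not from the article or the WireGuard project) of a complete WireGuard configuration for one host in the wg-quick format; the key strings, addresses and hostname are placeholders, and the comments point out where the security-relevant choices sit.

```ini
# Added example: a complete wg-quick configuration for one host (placeholder values).
[Interface]
# This host's private key; generate it with `wg genkey` and keep the file mode 0600.
PrivateKey = <PLACEHOLDER_BASE64_PRIVATE_KEY>
# This host's address inside the tunnel.
Address = 10.0.0.2/24
# Optional: leave it out and WireGuard picks a random UDP port (typical for clients).
# ListenPort = 51820

[Peer]
# The remote peer's public key (derived with `wg pubkey`). In WireGuard the key IS the
# identity: there are no certificates, so distributing public keys is the trust step.
PublicKey = <PLACEHOLDER_BASE64_PEER_PUBLIC_KEY>
# Cryptokey routing: packets are only sent to this peer for these destinations, and
# packets from this peer are only accepted if their source lies in these ranges.
# AllowedIPs is therefore a route and an access-control list at the same time.
AllowedIPs = 10.0.0.1/32
# Where to reach the peer; can be omitted on a side that only ever responds.
Endpoint = vpn.example.com:51820
# Only needed when this side sits behind NAT and must keep the mapping alive.
PersistentKeepalive = 25
```

With the file saved as /etc/wireguard/wg0.conf, `wg-quick up wg0` brings the tunnel up and `wg show` displays the peer state, including the last handshake time.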
WireGuard demo (from the WireGuard site)
A concern is that WireGuard is still described as work in progress. “WireGuard is currently working toward a stable 1.0 release. Current snapshots are generally versioned ‘0.0.YYYYMMDD’ or ‘0.0.V’, but these should not be considered real releases and they may contain security quirks,” said the developer. This language has been moderated, though. Six months ago it said: “WireGuard is not yet complete. You should not rely on this code.” Inclusion in the Linux kernel is itself a big vote of confidence.
WireGuard is small and intended to be a VPN component rather than a complete solution, a fact that has led to some misunderstandings about its capability. Users will generally interact with VPN applications that support WireGuard. ®