Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree

erek

WireGuard could be a pretty interesting advancement in comparison to IPSec.

"Poly1305 is used for WireGuard's own message authentication but can be used outside the project as well—for example, chacha20-poly1305 is one of the highest-performing SSH ciphers, particularly on CPUs without AES-NI hardware acceleration.

Other interesting features new to the 5.6 kernel will include USB4 support, multipath TCP, AMD and Intel power management improvements, and more."


https://arstechnica.com/gadgets/202...ireguard-vpn-into-the-5-6-kernel-source-tree/
 
WireGuard looks interesting, not sure how much I want to bank on a new VPN technology until it has a much more proven track record. Linux land seems to grab on to anything shiny and new like it is "The Next Best Thing" and then quietly abandon it after the initial hype. I'll wait a bit before embracing that.

My main question is why have it integrated into the kernel? What is the advantage of that? Could it not be implemented in user space just as well?
 
That is really interesting.

It doesn't seem that long ago he was on the forums with one of his legendary strong opinions about how it was nowhere near ready for prime time.

My understanding of WireGuard is admittedly limited, as I have only really played around with OpenVPN, but my understanding is that it makes secure tunnels much easier to set up, and connect much faster. I believe the Mullvad Client uses WireGuard in the background, and that totally checks out as it connects near instantly compared to the client I used to use with PIA.

Interesting about chacha20-poly1305.

That is good news for devices without AES-NI support (those still exist?) but it would be more interesting to see how it benchmarks compared to AES on a capable AES-NI accelerated CPU.
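An added example (not from the thread or from the WireGuard project) for checking the two points raised above on your own machine: whether the CPU advertises AES-NI, and how chacha20-poly1305 compares to AES-GCM in a quick `openssl speed` run. It assumes a Linux `/proc/cpuinfo` and an OpenSSL 1.1 or newer that accepts `-seconds` and `-bytes`; the cpuinfo fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the WireGuard project.
# Assumes Linux /proc/cpuinfo and OpenSSL >= 1.1 (for -seconds/-bytes).

# has_aesni CPUINFO_TEXT -> exit 0 when a "flags" line lists the aes feature
has_aesni() {
  printf '%s\n' "$1" | grep -E '^flags' | grep -qw 'aes'
}

# aesni_status -> prints yes/no for this host, or unknown without /proc/cpuinfo
aesni_status() {
  if [ -r /proc/cpuinfo ]; then
    if has_aesni "$(cat /proc/cpuinfo)"; then echo yes; else echo no; fi
  else
    echo unknown
  fi
}

# bench_aead CIPHER -> one-second openssl speed run on 16 KiB blocks;
# prints the throughput row so the two AEADs can be compared side by side
bench_aead() {
  openssl speed -evp "$1" -seconds 1 -bytes 16384 2>/dev/null | tail -n 1
}

# Constructed cpuinfo fragments for self-testing; not captured from real hosts
CPUINFO_WITH_AESNI='processor : 0
flags : fpu vme de sse2 ssse3 aes avx2
bogomips : 5000.00'
CPUINFO_WITHOUT_AESNI='processor : 0
flags : fpu vme de sse2 ssse3 avx
bogomips : 5000.00'

# Run the benchmark only when asked to, and only if openssl is installed
if [ "${1:-}" = "--bench" ] && command -v openssl >/dev/null 2>&1; then
  echo "AES-NI: $(aesni_status)"
  bench_aead chacha20-poly1305
  bench_aead aes-256-gcm
fi
```

Run with `--bench` to see both throughput rows; on a CPU without the `aes` flag the ChaCha20 row is the one to expect to come out ahead.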
 
> WireGuard looks interesting, not sure how much I want to bank on a new VPN technology until it has a much more proven track record. Linux land seems to grab on to anything shiny and new like it is "The Next Best Thing" and then quietly abandon it after the initial hype. I'll wait a bit before embracing that.
>
> My main question is why have it integrated into the kernel? What is the advantage of that? Could it not be implemented in user space just as well?

Same as any driver or encryption technology: security and speed. No reason it can't be implemented in user space, but there are reasons you might not want to.
 
I for one wonder how long it might take for this to show up in FreeBSD.

pfSense is based on FreeBSD, and the FreeBSD team is notoriously much more risk averse than even Linux.

It would be nice to be able to use WireGuard to connect on a pfSense box for the entire network.
 
> I for one wonder how long it might take for this to show up in FreeBSD.
>
> pfSense is based on FreeBSD, and the FreeBSD team is notoriously much more risk averse than even Linux.
>
> It would be nice to be able to use WireGuard to connect on a pfSense box for the entire network.

It's available as a port. I haven't looked into it for a while, but IIRC it's fairly trivial to install a FreeBSD port into pfSense. In order for it to be merged into the kernel, ZX2C4/Edge Security would have to release it under a BSD compatible license. Currently the information shows that it is GPL, but that the organization isn't averse to BSD or MIT licensing, so it could happen. If it works satisfactorily in user space, I don't see there being much request for a re-license for kernel integration. ZX2C4/Edge Security could theoretically release a kernel module on their own.
 
> It's available as a port. I haven't looked into it for a while, but IIRC it's fairly trivial to install a FreeBSD port into pfSense. In order for it to be merged into the kernel, ZX2C4/Edge Security would have to release it under a BSD compatible license. Currently the information shows that it is GPL, but that the organization isn't averse to BSD or MIT licensing, so it could happen. If it works satisfactorily in user space, I don't see there being much request for a re-license for kernel integration. ZX2C4/Edge Security could theoretically release a kernel module on their own.

Hmm. I really need to read up on the different licenses and where they conflict. Can something be GPL, BSD, and MIT at the same time?
 
> Hmm. I really need to read up on the different licenses and where they conflict. Can something be GPL, BSD, and MIT at the same time?

The problem comes from the differences between the permissive (MIT, BSD) licenses and the restrictive (GPL) licenses. Simplified explanation - the GPL requires that any modification must be covered under the GPL. So if you modify your existing code with GPL'd code, you have to release the whole thing as GPL. So if FreeBSD were to merge GPL licensed code into their kernel, the entire kernel would then have to be re-released under the GPL instead of the BSD license. Again, this is an oversimplified explanation of how it would work.

As far as I can tell, the original owner of the software can release the software under different licenses. I usually see this done where a GPL'd software is also made available with a closed source license for companies that request it. I can only imagine releasing under two different open source licenses, especially a restrictive GPL and permissive BSD would cause a near-instant fork from the derivative products, so I don't see a security company like Edge Security doing anything like that. Anything is possible though!
 
> WireGuard looks interesting, not sure how much I want to bank on a new VPN technology until it has a much more proven track record. Linux land seems to grab on to anything shiny and new like it is "The Next Best Thing" and then quietly abandon it after the initial hype. I'll wait a bit before embracing that.
>
> My main question is why have it integrated into the kernel? What is the advantage of that? Could it not be implemented in user space just as well?

It's been in use for a while as a DKMS package. The reason for not mainlining earlier was the support code needed in the kernel for Wireguard. That took longer to polish and get approved. The reason why it's better in the kernel is it's faster than traditional VPNs that are in userspace. Some believe it being in the kernel makes it easier to audit as well. The fact that it uses the kernel subsystems so closely means it's only ~4000 lines of code as well compared to the 600K for OpenVPN and OpenSSL. Linus himself has praised the VPN solution and has been looking forward to its integration.

Here's a great look at Wireguard from Ars.

https://arstechnica.com/gadgets/201...ns-amaze-but-windows-support-needs-to-happen/
https://arstechnica.com/information...aking-a-spin-on-wireguards-windows-pre-alpha/

I can't wait for 5.6 to hit so I can replace my OpenVPN with Wireguard. Rumors are if 5.6 doesn't arrive in time for Ubuntu 20.04 LTS, it'll be backported to 5.5 for Ubuntu. So my pihole/openvpn box will likely be getting rebuilt.

EDIT: And there it is LOL: https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-20.04-Adds-WireGuard
 
> It's been in use for a while as a DKMS package. The reason for not mainlining earlier was the support code needed in the kernel for Wireguard. That took longer to polish and get approved. The reason why it's better in the kernel is it's faster than traditional VPNs that are in userspace. Some believe it being in the kernel makes it easier to audit as well. The fact that it uses the kernel subsystems so closely means it's only ~4000 lines of code as well compared to the 600K for OpenVPN and OpenSSL. Linus himself has praised the VPN solution and has been looking forward to its integration.
>
> Here's a great look at Wireguard from Ars.
>
> https://arstechnica.com/gadgets/201...ns-amaze-but-windows-support-needs-to-happen/
> https://arstechnica.com/information...aking-a-spin-on-wireguards-windows-pre-alpha/
>
> I can't wait for 5.6 to hit so I can replace my OpenVPN with Wireguard. Rumors are if 5.6 doesn't arrive in time for Ubuntu 20.04 LTS, it'll be backported to 5.5 for Ubuntu. So my pihole/openvpn box will likely be getting rebuilt.
>
> EDIT: And there it is LOL: https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-20.04-Adds-WireGuard

Is the code size due to the integration into the kernel, or is it just a natural part of the program itself? I can see the value of kernel integration for appliance-style devices. Once it is done, it would be interesting to do some comparisons of in-kernel VPN support vs. user-land support, and how it performs on various platforms such as Linux distributions, FreeBSD, OpenBSD, and Windows.
I may play around with it a bit.
 
> Is the code size due to the integration into the kernel, or is it just a natural part of the program itself? I can see the value of kernel integration for appliance-style devices. Once it is done, it would be interesting to do some comparisons of in-kernel VPN support vs. user-land support, and how it performs on various platforms such as Linux distributions, FreeBSD, OpenBSD, and Windows.
> I may play around with it a bit.

My understanding is that it's both. The fact that it can use the kernel's crypto API lessens the code by a substantial amount compared to something like OpenVPN that built its own crypto API. It's also just a brilliantly coded piece of software. Bottom line is this is a very good thing and I'm really looking forward to integrating it into my home.
 
NordVPN is using this right now on iOS. It's lightning fast ... definitely the fastest NordVPN has ever been on my phone.
 
OpenVPN and now WireGuard are some of the only viable, secure, and open protocols for VPN use. OpenVPN has long been the "standard" and overall a good one, but WireGuard has even better potential for security and overhead. Integration into the Linux kernel means expansion of WireGuard support and even better implementations. Not very long ago, WireGuard was only supported by a handful of VPN services (Mullvad, CryptoStorm, and Proton were some of the early adopters, among a few other higher-tier privacy focused VPNs), but its expansion is overall a great thing. Its implementation is pretty slim and efficiently coded to begin with, but the kernel will improve that as well as ease integration significantly.
 
> Same as any driver or encryption technology: security and speed. No reason it can't be implemented in user space, but there are reasons you might not want to.

Exactly, speed is one advantage... but the main one is security. Userland software includes malware... which can't access kernel space, on systems that haven't already been compromised in some other way anyway.
 