After years of development WireGuard, a revolutionary approach to Virtual Private Networks (VPN) was finally fast-tracked to the Linux kernel. Now, at long last, WireGuard is in Linus Torvald’s code tree. That means WireGuard should appear in the Linux kernel 5.6 release. This may be as early as April 2020.
This has the potential to change everything about VPNs — not just in Linux, but in the entire VPN world. That’s because essentially all VPN services run off Linux servers. Some VPN services, such as StrongVPN and Mullvad VPN, have already seen the writing on the wall and are moving their software stacks to WireGuard.
This is being made easier because WireGuard’s code, which is licensed under the open-source Gnu General Public License (GPL) version 2.0, is already available on Android, Windows, macOS, BSD Unix, and iOS.
They’re doing this because as one of WireGuard’s biggest fans — Linus Torvalds — said: “Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”
In more detail, WireGuard claims that “Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals.”
There’s certainly something to this. The WireGuard codebase has about 4,000 lines of code, while the popular OpenVPN has over 100,000 lines. Which would you rather debug?
Despite this simplicity, WireGuard incorporates state-of-the-art cryptography technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKD. It’s also been shown to be secure by an academic mechanized cryptographic proof.
As WireGuard nears mainstream acceptance in the Linux kernel, its creator, Jason Donenfeld, is still working out its rough edges. The WireGuard site now states that “some parts of WireGuard are working toward a stable 1.0 release, while others are already there.”
In a Linux Kernel Mailing List (LKML) message, Donenfeld added he was running multiple automated WireGuard code tests for various code trees on pretty much all Linux hardware architectures. And, along the way, “Even though the CI [Continuous integration] at the moment is focused on the Wireguard test suite, it has a habit of finding lots of bugs and regressions in other weird places. For example, Linux-next is failing at the moment on a few archs [architectures].”
There’s little doubt that WireGuard, which has been in development since 2015, will be ready for prime time by this spring. By then, VPN developers will already have WireGuard-powered VPN programs and services ready for both VPN service providers and end-users.
This will not immediately put an end to other VPN technologies. But, if WireGuard lives up to its promise, you’ll be able to see its end from here. Tomorrow’s VPN, on Linux and everywhere else, will be based on WireGuard.