How WireGuard made it into Linux (2024)

Opinion: Maybe someday – maybe – Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don't have an eavesdropper on your network, you need a Virtual Private Network (VPN).

There's only one little problem with commercial VPNs: many of them are untrustworthy. So, what can you do? Run your own, of course: that's the open-source answer. And today, your VPN of choice is Linux's built-in VPN: WireGuard.

Why WireGuard rather than OpenVPN or IKEv2? Because it's simpler to implement while maintaining security and delivering faster speeds. And, when it comes to VPNs, it's all about balancing speed and security.

So, if WireGuard is all that, why did it take so long to make it into the Linux kernel? After all, its creator, Jason Donenfeld, first came up with the ideas behind WireGuard in 2015.

Because even when you have a great idea and implement it well, it doesn't mean that things move quickly in Linux development circles. No, not even when Linus Torvalds himself declared "Can I just once again state my love for it."

Torvalds loved WireGuard because, "Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."

A work of art? Seriously? Yes, seriously.

Donenfeld developed WireGuard as a replacement for older secure tunneling protocols such as IPSec and OpenVPN. Donenfeld, never one to shy away from saying what he thought, has described these older protocols as "overwhelmingly difficult."

Just in terms of sheer lines of code, for example, OpenVPN weighs in at 70,000 lines of code. Or, if implemented with OpenSSL, as it usually is, it comes in at a hefty 600,000 total lines of code. WireGuard? It's a mere 4,000 lines of code. That makes it, as many security experts have pointed out, much simpler to audit for security problems.

One reason why WireGuard is so much simpler, but also why it took so long to make it into Linux, is that Donenfeld disliked Linux's built-in cryptographic subsystem. He thought its application programming interface (API) was too complex and difficult.

He suggested it be supplemented with a new cryptographic subsystem: His own Zinc library. That didn't go over so well, as you might imagine, with developers who'd spent years on Linux's existing cryptographic systems. Besides that aspect, many thought Donenfeld was wasting time reinventing the cryptographic wheel.

Donenfeld was willing to work with the community. As he wrote on the Linux Kernel Mailing List (LKML), "There's no reluctance to work with the community. I'm pretty deeply committed to this, as evidenced by the multitudes of patch submissions, discussions, and popping around from conference to conference discussing with folks face to face."

That didn't slow down the controversy, but Donenfeld had an important ally, who came to his aid once again: Torvalds.

Torvalds wrote, "I'm 1000% with Jason on this. The crypto/ model is hard to use, inefficient, and completely pointless when you know what your cipher or hash algorithm is, and your CPU just does it well directly."

In the end, Donenfeld compromised. "WireGuard will be ported to the existing crypto API. So it's probably better that we just fully embrace it, and afterward work evolutionarily to get Zinc into Linux piecemeal."

That's exactly what happened. In the Linux 5.5 kernel, the Zinc primitives WireGuard depends on (ChaCha20, Poly1305, BLAKE2s and Curve25519) were merged as plain library functions alongside the existing crypto code. That laid the foundation for WireGuard to finally ship in Linux.

So it was that WireGuard was merged into the Linux 5.6 kernel in March 2020. Backports to the 5.4 long-term kernel also exist. In short, if you want to run your own WireGuard server today on a modern Linux distribution, you're ready to go.

Today, WireGuard is a layer 3 secure VPN. While it started in Linux, WireGuard code quickly became cross-platform. Today it runs on Windows, macOS, BSD, iOS, and Android. Indeed, there's already a native, albeit experimental Windows WireGuard port. You name it, you can probably run WireGuard on it.


Behind the scenes, WireGuard's handshake is built on the Noise protocol framework (the Noise_IKpsk2 pattern): Curve25519 for key exchange, BLAKE2s for hashing and for the HMAC-based key derivation (HKDF), and ChaCha20-Poly1305 as the authenticated cipher that both encrypts the packets and authenticates them. SipHash24 is used internally for keying hashtables. There is no cipher negotiation at all: the primitives are fixed, so an attacker has nothing to downgrade. In other words, breaking WireGuard isn't easy.

It is, however, easy to deploy and use. WireGuard presents itself as a virtual network interface, conventionally called wg0, so you manage it with the standard Linux networking utilities (ip(8) or ifconfig(8) for addresses and routes, firewalld or iptables for filtering) and set the WireGuard-specific parts, the private key, listen port and peers, with wg(8).

WireGuard does all this by securely encapsulating IP packets over UDP. Its authentication and interface design have more to do with Secure Shell (SSH) than with other VPNs' more complex setups: there are no certificates, no cipher negotiation and no username/password prompts. You simply configure the WireGuard interface with your private key and your peers' public keys, plus the tunnel addresses each peer is allowed to use, and you're ready to network in private.
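The "private key plus peers' public keys" model described in the two paragraphs above is WireGuard's cryptokey routing: each peer's AllowedIPs list is both the routing table for outbound packets and the source-address filter for inbound ones, so a peer cannot inject packets claiming another peer's address. The following is an added example (not WireGuard's or wg-quick's code), in Python with only the standard library, that parses a wg0.conf, validates the key format, builds the cryptokey routing table and checks decrypted packets against it. The configuration text is constructed for the example, and its keys are placeholder 32-byte values that are validly formatted but not real key pairs.

```python
"""Cryptokey routing, the rule that wg(8)'s AllowedIPs= encodes.

Added example, not WireGuard's code. Parses a wg-quick style config and
answers the question: which peer may a given inner source address come from?
"""
import base64
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample config; the keys are placeholder values, not real key pairs.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# laptop
PublicKey = AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
AllowedIPs = 10.0.0.2/32

[Peer]
# branch-office router, which also routes its LAN through the tunnel
PublicKey = AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM=
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
Endpoint = 203.0.113.7:51820
"""


def check_key(b64: str) -> bytes:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars ending in '=')."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key must decode to 32 bytes, got {len(raw)}")
    return raw


def parse_conf(text: str) -> Tuple[dict, List[dict]]:
    """Minimal INI parser for a wg-quick config: one [Interface], many [Peer]."""
    interface: dict = {}
    peers: List[dict] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            if current is None:
                raise ValueError(f"key/value outside a section: {line}")
            k, _, v = line.partition("=")
            current[k.strip()] = v.strip()
    check_key(interface["PrivateKey"])
    for p in peers:
        check_key(p["PublicKey"])
    return interface, peers


def routing_table(peers: List[dict]) -> Dict[Network, str]:
    """Map each AllowedIPs prefix to the public key of the peer that owns it."""
    table: Dict[Network, str] = {}
    for p in peers:
        for cidr in p["AllowedIPs"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=True)
            if net in table:
                # wg(8) would silently move the prefix to the later peer; flag it instead.
                raise ValueError(f"{net} is listed for two peers")
            table[net] = p["PublicKey"]
    return table


def peer_for(table: Dict[Network, str], ip: str) -> Optional[str]:
    """Longest-prefix match: the peer that owns this address, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


def accept_inbound(table: Dict[Network, str], sender_pubkey: str, inner_src: str) -> bool:
    """After decryption, the inner source IP must route back to the sending peer.

    A peer cannot use another peer's address or one outside its AllowedIPs;
    WireGuard drops such packets.
    """
    return peer_for(table, inner_src) == sender_pubkey


def demo() -> dict:
    _, peers = parse_conf(SAMPLE_CONF)
    table = routing_table(peers)
    laptop, router = peers[0]["PublicKey"], peers[1]["PublicKey"]
    return {
        "laptop_own_addr": accept_inbound(table, laptop, "10.0.0.2"),
        "laptop_spoofs_router": accept_inbound(table, laptop, "10.0.0.3"),
        "router_lan_host": accept_inbound(table, router, "192.168.50.20"),
        "router_spoofs_server": accept_inbound(table, router, "10.0.0.1"),
        "outbound_to_lan_goes_to_router": peer_for(table, "192.168.50.1") == router,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

This is also why `AllowedIPs = 0.0.0.0/0` on a client is safe but the same line on a server-side peer is not: it tells the server to accept any source address from that one peer.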

Mind you, WireGuard isn't perfect. Sure, a machine-checked cryptographic analysis of the protocol by Inria researchers, published through France's HAL open archive (run by the Center for Direct Scientific Communication, CCSD), has proved its "correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks."

However, there's more to network security than just locking down the transmitted data. By itself, for example, WireGuard doesn't dynamically assign IP addresses: each peer gets a fixed tunnel address in its AllowedIPs, so every time you connect you come up with the same, easy-to-track static address. On top of that, the server keeps each peer's most recent public endpoint address and last-handshake time in kernel memory for as long as the peer is configured (wg show prints both), so a commercial VPN operator has to actively scrub that state, or rotate peer keys, to avoid being able to tie a customer to an address. OpenVPN and IKEv2 services sidestep this by handing out addresses dynamically from a pool at connect time.

You can work around this. Indeed, three commercial VPNs, CyberGhost, IVPN and early WireGuard champion Mullvad, already provide such workarounds. And, of course, if you're running it on your own server and using it to connect your work-from-home users securely, you aren't going to care much about these issues.

As for me, WireGuard is what I use today and, I expect, eventually, it will be what you use tomorrow. ®
