WireGuard: next generation in-kernel modern VPN

Thanks for being here, I have a few questions.

Does the server get a separate wg interface for every client that connects? Or does it do something like multipoint GRE interfaces with next hop addresses in the arp table?

Does this do a DH key agreement to guarantee forward secrecy or does it literally encrypt the packet with the peers public key?

Also is it in the scope of this project for peers to discover each other for direct communication, like a Phase3 DMVPN?

Yes, guilty as charged. Ever since I saw you presentation in Paris in last September, I was dying for wireguard to come out.

I'm curious what will be your strategy with regard to working or not with upstream Linux ?

Hey! Knew I recognized that username. You also make pass which I've been using since you released that too. Definitely going to give this a run. Thanks for more useful tools!

Don't have time for a detailed review. However, I like that you're working to replace IPsec with something simpler, easier to use, and with flexible deployment. Crypto algorithms look better than most VPN's I see as well. Good work on all that. Just remember to aid others' verification efforts later on by keeping it modular, minimal shared state, simple constructions in code, and so on. Whatever passes through a decent static analysis tool.

Also, one of easiest, formal methods is Design by Contract which can be emulated with asserts for pre- and post-conditions plus main invariants. Quite useful to encode operating assumptions in there. Such can also be used for automating test-case generation, fuzzing, dynamic analysis, and covert channel analysis. Oh yeah, definitely do a covert channel analysis on anything that gets near the keys to plug any leaks.

First of all, congratulations on launching !

This looks interesting and I will be sure to check it out when I get the chance. I see from the examples on the site that it's IPv4 everywhre. Is there IPv6 support ? If not, is it on the roadmap ?

What capabilities does this provide over IKEv2 with certificates and MOBIKE for roaming?

One disadvantage off the bat is that every operating system from OSX to Windows 7 to Linux to *BSD already has support for IKEv2 and MOBIKE caked in.

Where has the code for the nuts and bolts of the crypto come from (e.g. everything in the "crypto" folder)?

How does WireGuard deal with private keys on smartcards or other HSMs ?

Any chance of switching to a non-GPLv2 license? Broad adoption would be far more likely.

Nice work, but I'm wondering why does it have to be in kernel?

Couldn't it still be fast and written in a safer than C language considering the security context? (Or we'll still need to get grsec in there... :)

Cheers!

That may technically be true, but if the author was to sue anyone based on that argument, this project itself would be in violation of copyright law, since all the code seems to be distributed only as a Linux kernel module (with all files #including kernel headers and such) and so it actually has to be distributed under the GPLv2.

I don't really have any problem re-licensing it less restrictively, I don't think. I'll have to think about it for more than 10 seconds I suppose. But I put "GPLv2" there without much thought simply because that's what Linux uses. But you make a good point about the BSDs.

Maybe a clone would be in order. It would add some code diversity.

That's a very nice tool, but I dislike how it leaks information via the visible directory structure and filenames.

> How do you deal with MTU? OpenVPN's handing is particularly bad [1]?

MTU is dealt with the same way as other kernel space tunneling devices.

> Is the whole protocol in-kernel or just the data plane?

All of it, which is why there's so much emphasis on simplicity.

> For admins who want to provision large number of clients, do you ever plan to implement some kind of certificate hierarchy?

Rather, the goal is to make the kernel interface very simple and minimal, so that admins can then glue ontop whatever situation they want. This could be certificates, or pigeons, but the important thing is that it's a layer ontop (in userspace), and not intimately bound to the core.

same question here

As mentioned in the roadmap and the cross-platform page, we're working on a cross-platform userspace client, so Mac and Windows users can use it too. It's in the works!

Speed, simplicity.

It's not possible to do highspeed crypto from userspace while still integrating with the usual networking stack. Tun devices result in copies and context switches which makes things quite slow.

This also adds quite a bit of simplicity.

But sure, I agree, it's scary. But not nearly as scary as the obscenely huge xfrm/ipsec layer in the kernel. Or the dozens of other kernel tunneling deivces available. And I dare even say it's not as scary as most userspace VPN solutions like OpenVPN which are massive code bases. WireGuard, in contrast, aims to be quite minimal in its codebase, so that it can be audited by an individual.

I didn't make the title of this HN post, unfortunately. But do note: there _will_ be userspace implementations of WireGuard. It's most certainly not tied to the kernel. It's just that the OP saw me present at a kernel conf about it. :P

So, everyone needs to take a deep breath here. In kernel VPN is giving me a bit of a security heart attack. As a security professional I would recommend not running this on anything but a sandbox that isn't connected to your environment. A single misstep in the code, a bad implementation of a crypto library or a bad hook could easily lead to ring 0 compromise.

Not trying to discount the author's work, and I haven't reviewed any of the documentation, but until this gets evaluated by a CC lab (or like independent group) I would not implement in anything you care about.

It's faster. Performance usually matters more than security for most "security" products. ;) Having extra code in kernel is usually just asking for it. Here's one done closer to high-assurance principles that I'm sure the WireGuard scheme could be ported to:

http://genode-labs.com/publications/mikro-sina-2005.pdf

Far as keeping it in kernel, it might be implemented in SPARK and Rust to see if it gets through static and dynamic (if necessary) checkers. Test and fuzz it heavily. If C, use strong, static tools to show correctness and/or compiler transformations like SAFEcode (or Softbound+CETS) to immunize it. I know Criswell runs Linux kernel on SVA-OS with SAFEcode but not sure if S+CETS can do it. Such approaches will knock out most of the flaws that lead to code injection.

Faster, more secure, and works quite well with mobile thanks to built-in roaming.

Endpoint IPs are learned based on successfully authenticated/decrypted packets. The Endpoint= entry in the config is just the location of an initial server endpoint. Inner tunnel IPs are fixed in the config, and it's up to things that build ontop of WireGuard to manage this however fits best.

Your concern (1) is valid, but fortunately that's an over-simplification in the casual introduction part of documentation, which I'll fix. Sorry about that. This should read more like, "Encrypt entire IP packet using the symmetric session associated with peer ABCDEFGH." Thanks for pointing this out. As for (2), WireGuard indeed does padding; see the protocol page or the paper for details.

WireGuard is UDP only. For TCP or SSL tunneling, look at a million other things that already do this.

Similar cryptographic building blocks. WireGuard has an emphasis on no-negotiation, which it inherits from Noise, which is Trevor Perrin's well-regarded crypto protocol construction kit. As an application, WireGuard is _way_ simpler than ZeroTier; it's something you would build the remaining 90% of ZeroTier on top of.

I was going to ask that myself but ZeroTier provided a hint. It seems to be aiming for more than a simple, IPsec replacement. It will have more features and complexity no matter what. Also, Jason already speced out the WireGuard protocol plus intends a Rust port. Will significantly increase code-level security over ZeroTier. Both need strong, peer review at protocol and implementation levels, though. As always with these things.