Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Secure tunneling tech hopes to move from module to resident


The developer of WireGuard has laid the groundwork for plugging his open-source privacy tool directly into the Linux kernel in hope of making secure communications easier to deploy and manage.

Jason Donenfeld, creator of WireGuard and the founder of Edge Security, on Tuesday submitted a proposed set of patches to the Linux kernel project to integrate the secure VPN tunnel software as an official network driver. The code is now awaiting review by the kernel maintainers. Initially released and still available as an optional kernel module for Linux, WireGuard is also available for Android, macOS, Windows, and other platforms.

"Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers," said Donenfeld in the notes accompanying his patches. "There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux."

WireGuard was developed as an alternative to secure tunneling protocols like IPSec and OpenVPN. Donenfeld has described these older protocols as "overwhelmingly difficult." WireGuard, at just under 4,000 lines of code, aspires to be simpler and more easily audited.

Compare that to 100,000 lines of code for OpenVPN, which also requires OpenSSL, another 500,000 lines of code. Or consider Linux XFRM, an IPsec implementation that spans about 13,000 lines of code and may be used alongside StrongSwan for the key exchange, which runs about 400,000 lines of code.

Under the hood

WireGuard guards layer 3, the network layer, in the OSI networking model. It uses Curve25519 for key exchange, BLAKE2s for hashing, and ChaCha20 and Poly1305 for authentication – full details can be found here [PDF].

In lieu of the complexity of IPsec and XFRM, WireGuard presents a virtual interface – wg0 – that can be configured using familiar networking utilities like ip(8) and ifconfig(8). After setting up private key and public keys, WireGuard should just work.

"This is in a sense sort of blasphemous," said Donenfeld in late 2016 during a Code Blue Conference presentation about the technology, "because in achieving this simplicity we've done away with all the academically pure layering assumptions."

It's not quite heresy: WireGuard has been subject to formal verification for its crypto implementation. But it's still characterized as a work-in-progress and includes a list of things to do.

Setting up your own VPN node is considered by many security experts to be preferable to free or commercial options, which have been known to leak information and to sell your browsing histories and private data to partners.

Other attempts to make secure communication more accessible have made progress as well. Noteworthy efforts include Trail of Bits' Algo (which now supports WireGuard), Jigsaw's Outline and Streisand (which also supports WireGuard). ®


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022