This article is more than 1 year old

WireGuard VPN gets native port to the Windows kernel

'This project is a big deal to me' says protocol's creator

WireGuard, a high performance and easily configured VPN protocol, is getting a native port from Linux to the Windows kernel, and the code has been published as experimental work in progress.

A WireGuard implementation for Windows already exists and can be found here, based on what Jason A Donenfeld, the creator of WireGuard, called "a generic TUN driver we developed called Wintun" and a cross-platform Go codebase called wireguard-go.

This current implementation "lives in userspace, and shepherds packets to and from the Wintun interface," Donenfeld said. The goal with the new implementation, called WireGuardNT, is that the whole protocol implementation will be in the Windows networking stack, "in the same way that it's done currently on Linux, OpenBSD, and FreeBSD."

Donenfeld went into detail about how the existing version compromises performance, even though he said it is "decently fast." He also said there are serious problems with WireGuard's current Windows performance when the VPN is connected over Wi-Fi. "Users commonly see massive slowdowns," he explained, because of latency. One user of the experimental code reported the following figures:

  • Wireguard-go/Wintun over wired Ethernet: 600Mbps
  • Wireguard-go/Wintun over Wi-Fi: 95Mbps
  • WireGuardNT over Wi-Fi: 600Mbps

The WireGuardNT repository is full of warnings about "experimental, unfinished, work in progress... Do not use it!... a wheel or two are likely missing, in addition to, perhaps, the entire crankshaft." However, Donenfeld said that WireGuard for Windows (the official implementation using wireguard-go, as linked above) already includes WireGuardNT, as an optional alternative. He said he envisages three phases of deployment. Currently users have to set an ExperimentalKernelDriver registry key in order to use WireGuardNT. In phase two it will be on by default, but possible to disable, while in phase three, wireguard-go/Wintun will be removed.

It works: activating a WireGuard tunnel using the new experimental driver

It works: Activating a WireGuard tunnel using the new experimental driver

Donenfeld stated that "for the Windows platform, this project is a big deal to me, as it marks the graduation of WireGuard to being a serious operating system component, meant for more serious usage."

Users have praised WireGuard's ease of setup as well as its performance and the fact that the protocol has undergone formal verification. In August 2018, Linus Torvalds said: "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art." He then merged WireGuard into the Linux kernel in January last year for version 5.6.

With Torvalds quick to embrace WireGuard for Linux, where is Microsoft when it comes to Windows? "I've never seen the built-in Windows VPN protocols exceed ~70Mbps in any scenario," said a user on Hacker News, asking why volunteers have come up with something that is "ONE HUNDRED TIMES faster than the best Microsoft can offer to their hundreds of millions of enterprise customers that are working from home." ®

More about


Send us news

Other stories you might like