Proposal would add WireGuard to the Linux kernel for secure VPN tunnels

Jason Donenfeld, the creator of WireGuard, has proposed including his software in the Linux kernel. He describes WireGuard as a next-generation kernel network tunnel that should provide a faster and simpler alternative to IPsec and OpenVPN.

In a post on the Linux kernel mailing list, Donenfeld writes that his project is the result of about three years of work. He introduced WireGuard in 2016 as a new VPN tunnel. He further explains that the commit he submitted implements WireGuard as a simple network driver. Clients for the software now exist for several platforms, for example various Linux distributions, macOS and Android. An official Windows client is currently missing.

In an accompanying white paper, he explains that WireGuard consists of about four thousand lines of code and that the software should provide users with a virtual network interface called wg0, which can be configured via ip or ifconfig. All a user needs to configure is a private key, plus the IP addresses and 32-byte public keys of the peers that are allowed to communicate.
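An added example, not from Donenfeld's post or the WireGuard project: a small Python check over a constructed configuration in the `[Interface]`/`[Peer]` text format read by the `wg` tool (the article does not show this format; it is assumed here). It verifies that every key decodes to exactly 32 bytes and flags address ranges that are listed for more than one peer, so they can be reviewed before the tunnel is brought up.

```python
import base64
import ipaddress

def dummy_key(b):  # constructed stand-in for a key: one byte repeated 32 times
    return base64.b64encode(bytes([b]) * 32).decode()

# Constructed sample configuration; none of these values are real keys.
SAMPLE = f"""[Interface]
PrivateKey = {dummy_key(1)}
[Peer]
PublicKey = {dummy_key(2)}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {dummy_key(3)}
AllowedIPs = 10.0.0.0/24, 10.0.1.5/32
[Peer]
PublicKey = c2hvcnQ=
AllowedIPs = 10.0.2.1/32
"""

def parse(text):  # returns [(section, {key: value})]; repeated [Peer] sections kept
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding stays in the value
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(text):
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False

def lint(text):
    findings, seen = [], []
    for idx, (name, kv) in enumerate(parse(text)):
        field = "PrivateKey" if name == "Interface" else "PublicKey"
        if not valid_key(kv.get(field, "")):
            findings.append(f"section {idx} [{name}]: {field} is not a 32-byte key")
        for item in filter(None, map(str.strip, kv.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)  # raises on bad input
            for other_idx, other in seen:
                if other_idx != idx and net.overlaps(other):
                    findings.append(f"section {idx}: {net} overlaps {other} of section {other_idx}")
            seen.append((idx, net))
    return findings
```

Calling `lint(SAMPLE)` returns one finding for the overlapping ranges of the first two peers and one for the malformed public key of the third.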

Key exchange, setting up and tearing down connections, and similar activities should take place in the background, out of the user's sight. Donenfeld compares the simplicity of configuring and setting up WireGuard with that of ssh. The small size of the software should also keep the attack surface as small as possible and make it easier to perform an audit.

The source code of the software can be found online. On the official site, Donenfeld states that it is currently still a work in progress. For example, no security audits have yet been carried out and a stable 1.0 release is still being worked on. Linus Torvalds says in an earlier post on the mailing list that efforts should be made to include WireGuard in the kernel.
