WireGuard has done things right and now arrives as a port to the Windows kernel


Things seem to be going well for the WireGuard project: Jason A. Donenfeld, the author of the WireGuard VPN, has presented WireGuardNT, a high-performance port of WireGuard to the Windows kernel. It is compatible with Windows 7, 8, 8.1 and 10 and supports the AMD64, x86, ARM64 and ARM architectures.

It is worth remembering that in the second half of 2019 the patches implementing the project's VPN interface were merged into the net-next branch. This happened after the WireGuard developers committed to contributing part of their code to the mainline kernel not as a separate API but as part of the existing Crypto API subsystem.

A few months later the project reached OpenBSD: changes to the ifconfig and tcpdump utilities added support for WireGuard, together with documentation and minor changes to integrate it with the rest of the system. After that, work went into Android compatibility.


The WireGuard VPN is built on modern cryptography, delivers very high performance, is easy to use and hassle-free, and has proven itself in a number of large deployments handling high volumes of traffic.

The project has been under development since 2015 and has undergone a formal audit and formal verification of the cryptographic construction it uses. WireGuard is built around the concept of cryptokey routing: each network interface is bound to a private key, and each peer's public key is bound to the set of IP addresses that peer may use inside the tunnel, so a decrypted packet is accepted only if its source address belongs to the key that authenticated it.

Public keys are exchanged out of band to establish a connection, by analogy with SSH: configuring a peer's public key plays the role that an authorized_keys entry plays in SSH. Key agreement uses the Noise_IK handshake of the Noise Protocol Framework and is performed by the implementation itself, without running a separate daemon in user space. Data is encapsulated in UDP packets. A peer's IP address may change (roaming) without breaking the tunnel: the other side updates the endpoint automatically from the latest authenticated packet.
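The following Python is an added example, not code from the article or from the WireGuard project. It models the cryptokey routing and endpoint-roaming behaviour described in the two paragraphs above. Peer names, keys, addresses and packets are constructed placeholders, the Peer and CryptokeyRouter classes are illustrative and not WireGuard's API, and the inbound check uses the same rule a WireGuard interface applies: the inner source address of a decrypted packet must route back to the peer whose key authenticated it.

```python
# Added example (not WireGuard's own code): a toy model of WireGuard's
# cryptokey routing table. Peers are identified by public key, and each
# peer is bound to the set of IP addresses it may use inside the tunnel
# (the "AllowedIPs" of a real configuration). All keys, addresses and
# packets here are constructed placeholders.
import ipaddress
from typing import Dict, List, Optional, Tuple


class Peer:
    def __init__(self, public_key: str, allowed_ips: List[str]):
        self.public_key = public_key
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]
        # Last outer (IP, UDP port) an *authenticated* packet arrived from.
        self.endpoint: Optional[Tuple[str, int]] = None


class CryptokeyRouter:
    def __init__(self, peers: List[Peer]):
        self.peers: Dict[str, Peer] = {p.public_key: p for p in peers}
        # Flattened (network, peer) pairs for longest-prefix matching.
        self._routes = [(net, p) for p in peers for net in p.allowed_ips]

    def lookup(self, ip: str) -> Optional[Peer]:
        """Longest-prefix match of an inner IP address against all AllowedIPs."""
        addr = ipaddress.ip_address(ip)
        best_net, best_peer = None, None
        for net, peer in self._routes:
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_peer = net, peer
        return best_peer

    def outbound(self, inner_dst: str) -> Optional[str]:
        """Outbound: the destination address selects the peer whose key will
        encrypt the packet. Returns that peer's public key, or None (no route)."""
        peer = self.lookup(inner_dst)
        return peer.public_key if peer else None

    def inbound(self, sender_key: str, inner_src: str,
                outer_endpoint: Tuple[str, int]) -> bool:
        """Inbound: the packet has already been authenticated and decrypted
        under `sender_key`. Accept it only if its inner source address routes
        back to that same peer, so one peer cannot spoof addresses bound to
        another peer's key. On acceptance record the outer endpoint, which is
        what lets a peer roam between IP addresses without reconfiguration."""
        peer = self.peers[sender_key]
        if self.lookup(inner_src) is not peer:
            return False
        peer.endpoint = outer_endpoint
        return True


def demo() -> dict:
    """Constructed scenario: a laptop, an office router and a default-route gateway."""
    router = CryptokeyRouter([
        Peer("laptop-pubkey", ["10.0.0.2/32"]),
        Peer("office-pubkey", ["10.0.0.3/32", "192.168.50.0/24"]),
        Peer("gateway-pubkey", ["0.0.0.0/0"]),  # default route peer
    ])
    return {
        "to_office_lan": router.outbound("192.168.50.7"),
        "to_internet": router.outbound("8.8.8.8"),
        # Laptop legitimately sends as 10.0.0.2: accepted, endpoint learned.
        "laptop_ok": router.inbound("laptop-pubkey", "10.0.0.2", ("203.0.113.5", 51820)),
        # Laptop claims the office's 10.0.0.3: rejected.
        "laptop_spoof": router.inbound("laptop-pubkey", "10.0.0.3", ("203.0.113.5", 51820)),
        # Gateway (0.0.0.0/0) claims 10.0.0.2: the laptop's /32 is more specific, rejected.
        "gateway_spoof": router.inbound("gateway-pubkey", "10.0.0.2", ("198.51.100.9", 51820)),
        # Roaming: the laptop later shows up from another address and is followed.
        "laptop_roamed": router.inbound("laptop-pubkey", "10.0.0.2", ("198.51.100.77", 40000)),
        "laptop_endpoint": router.peers["laptop-pubkey"].endpoint,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing when running demo(): the gateway holding 0.0.0.0/0 cannot inject packets that claim the laptop's 10.0.0.2, because the laptop's /32 is the more specific route, and the endpoint used for roaming is only ever updated after authentication succeeds, so an unauthenticated UDP packet from an arbitrary source cannot redirect a peer's traffic.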

Data is encrypted with the ChaCha20 stream cipher and authenticated with the Poly1305 message authentication code (MAC), combined as the ChaCha20-Poly1305 AEAD. ChaCha20 and Poly1305 are positioned as faster counterparts to AES-256-CTR and HMAC that are also easier to implement securely: their software implementations run in constant time without special hardware support, which avoids timing side channels on CPUs that lack AES acceleration.

Now the project arrives as a port for Windows that builds on the tested code base of the core WireGuard implementation for the Linux kernel, translated to use Windows kernel primitives and the NDIS networking stack.

After many months of work, Simon and I are pleased to announce the WireGuardNT project, a native WireGuard port for the Windows kernel. 

WireGuardNT started out as a port of the Linux code base… After initial portability efforts there were successful, the NT code base quickly diverged to fit well with native NTisms and NDIS (Windows networking stack) APIs. The end result is a deeply integrated, high-performance implementation of WireGuard, which makes use of the full range of capabilities of the NT kernel and NDIS.

Compared with the wireguard-go implementation, which runs in user space and uses the Wintun network interface, WireGuardNT delivers a significant performance improvement by eliminating the context switches and the copying of packet contents between kernel and user space.

As with the WireGuard implementations for Linux, OpenBSD and FreeBSD, all protocol processing logic runs directly in the kernel network stack.


Although no specific optimizations have been made yet, WireGuardNT has already reached a maximum throughput of 7.5 Gbps in the developers' Ethernet test environment.

On real user systems with Wi-Fi the absolute figures are lower, but they hardly differ from transfers without the VPN. For example, on a system with an Intel AC9560 wireless card, throughput without WireGuard was 600 Mbps and with WireGuardNT it was also 600 Mbps, whereas with wireguard-go/Wintun it was 95 Mbps.

Source: https://lists.zx2c4.com/

