WireGuard Sees Native, High-Performance Port To The Windows Kernel

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • WireGuard Sees Native, High-Performance Port To The Windows Kernel

    Phoronix: WireGuard Sees Native, High-Performance Port To The Windows Kernel

    The excellent WireGuard open-source secure VPN tunnel has been seeing growing adoption on Linux now that it's been in the mainline kernel for a while and also seeing continued progress on the BSDs. While there has been beta WireGuard for Windows in user-space, "WireGuardNT" was announced today as a native high-performance port to the Windows kernel...

    https://www.phoronix.com/scan.php?pa...Windows-Kernel

  • #2
    Does this have the blessing of Microsoft? Will this be integrated into Windows or will it be an installable third party component (is that even possible)? Or is it similar to the btrfs driver for Windows that requires special installation and disablement of some security guards?


    • #3
      You'll be able to use this by downloading the WireGuard client from the usual webpage. Nothing fancy is required. You can read about this on the actual announcement: https://lists.zx2c4.com/pipermail/wi...st/006887.html


      • #4
        Originally posted by zx2c4
        You'll be able to use this by downloading the WireGuard client from the usual webpage. Nothing fancy is required. You can read about this on the actual announcement: https://lists.zx2c4.com/pipermail/wi...st/006887.html
        I can't find the hint to it in the message. Is the driver signed by Microsoft so that it can run without disabling Secure Boot or driver signing in general?


        • #5
          Originally posted by Nille

          I can't find the hint to it in the message. Is the driver signed by Microsoft so that it can run without disabling Secure Boot or driver signing in general?
          Yes it is. wireguard.sys that's embedded into the new wireguard.dll is signed by "Microsoft Windows Hardware Compatibility Publisher", and the .dll itself is signed by the "WireGuard LLC" code signing cert. You can extract the .sys from the .dll with 7-zip in the "#" mode.
          Last edited by numacross; 02 August 2021, 04:46 PM.
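
One way to check the two signers named in post #5, as an added example that is not part of the thread and not WireGuard's own code. It assumes wireguard.dll and the extracted wireguard.sys sit in the current directory (placeholder paths); the function name Test-ExpectedSigner is hypothetical.

```powershell
# Added example: confirm that each file carries a valid Authenticode
# signature from the signer named in the post above.
function Test-ExpectedSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    # Common name of the leaf signing certificate, or $null if unsigned.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # 'Valid' means hash and chain both check out
        Signer     = $signer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # A name match alone proves nothing; require a valid chain as well.
        Trusted    = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
    }
}

# Signer names as quoted in the post; file paths are assumptions.
$checks = @(
    @{ Path = '.\wireguard.dll'; ExpectedSigner = 'WireGuard LLC' }
    @{ Path = '.\wireguard.sys'; ExpectedSigner = 'Microsoft Windows Hardware Compatibility Publisher' }
)
$results = foreach ($c in $checks) { Test-ExpectedSigner @c }
$results | Format-List
if ($results.Trusted -contains $false) { exit 1 }
```

Recording the printed thumbprint and SHA256 from a known-good install gives a stricter baseline to compare against on later updates than the signer name alone.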


          • #6
            Originally posted by mazumoto
            Does this have the blessing of Microsoft? Will this be integrated into Windows or will it be an installable third party component (is that even possible)? Or is it similar to the btrfs driver for Windows that requires special installation and disablement of some security guards?
            Blessing? All you need is to pay Microsoft some money to digitally sign a driver.


            • #7
              I was wondering if WireGuard can be used instead of an SSH tunnel, as I am not sure how a "VPN" network might be different from that. If that is possible, how does it compare? And is it more difficult to set up a VPN than SSH tunnels?


              • #8
                Originally posted by indepe
                I was wondering if WireGuard can be used instead of an SSH tunnel, as I am not sure how a "VPN" network might be different from that. If that is possible, how does it compare? And is it more difficult to set up a VPN than SSH tunnels?
                A tad more difficult since SSH basically requires no configuration whatsoever.

                https://www.wireguard.com/quickstart/


                • #9
                  There is just something about a product like WireGuard being built into the kernel that makes me uneasy. At least OpenVPN can run as "nobody".

                  An exploit in WG could mean remote root access, no? :/


                  • #10
                    Originally posted by linner
                    There is just something about a product like WireGuard being built into the kernel that makes me uneasy. At least OpenVPN can run as "nobody".

                    An exploit in WG could mean remote root access, no? :/
                    The entire implementation of WireGuard isn't in the kernel. It's just that context switching between kernelspace and userspace is expensive, and therefore it's more performant to offload some of it to kernelspace.
