Next-Generation Secure Network Tunnel Announced For The Linux Kernel
Jason Donenfeld today announced WireGuard, which he describes as a next-generation secure network tunnel for the Linux kernel.
In a briefing last week, Donenfeld told us about WireGuard: "IPsec is overly complex and impossible to actually use in a secure manner, but it's the fastest thing out there for VPN and secure tunneling. OpenVPN is very popular, but it's super slow, by virtue of being in userspace, and contains a whole buggy SSL/x509 stack. I've started from scratch, and written an extremely simple, yet powerful and cryptographically secure, replacement, in around 4000 lines of code, called WireGuard... It's much simpler than anything before it, with peers exchanging short Curve25519 public keys just like in SSH. Secure network interfaces can be added and removed using the usual 'ip-link' and 'ip-address' tools. From there, everything is easily taken care of by the kernel, and secure tunnels are made quite simple. Not only that, but the performance is in fact better than IPsec, which is quite the accomplishment."
In this kernel mailing list post he goes on to describe WireGuard in much greater detail. He has also launched WireGuard.io for those looking to learn more about this proposal for the Linux kernel.