WireGuard has been accepted and will ship integrated in the next Linux version, 5.6


It has been disclosed that David S. Miller, who is responsible for the Linux network subsystem, has accepted the patches implementing the WireGuard project's VPN interface into the net-next branch. At the beginning of next year, the changes accumulated in net-next will form the basis of the Linux 5.6 release.

For those unaware of WireGuard, it is a VPN built on modern cryptographic methods that provides very high performance, is easy to use, is uncomplicated, and has proven itself in a number of large deployments handling high volumes of traffic.

About WireGuard

The project has been under development since 2015 and has passed a formal audit and verification of the encryption methods it uses. WireGuard support is already integrated into NetworkManager and systemd, and the kernel patches are part of the base distributions of Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph, and ALT.

WireGuard uses the concept of cryptokey routing: a private key is bound to each network interface, and the public keys of peers are bound to it. Public keys are exchanged to establish a connection in a manner analogous to SSH.
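The cryptokey routing idea above, as an added Python model that is not code from the article or from WireGuard itself: each peer's public key is bound to a set of allowed IP prefixes, outbound packets go to the peer with the longest matching prefix, and an inbound packet is accepted only if the same lookup on its inner source address returns the peer that authenticated it. The peer names and prefixes are constructed placeholders, not real keys.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample peers: placeholder "public keys" mapped to allowed prefixes.
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY": ["10.0.0.3/32", "0.0.0.0/0"],  # default-route peer
}


class CryptokeyRouter:
    """Minimal model of a WireGuard-style allowed-IPs table (one table for all peers)."""

    def __init__(self, peers: dict) -> None:
        self.table: List[Tuple[ipaddress._BaseNetwork, str]] = []
        for pubkey, prefixes in peers.items():
            for p in prefixes:
                self.table.append((ipaddress.ip_network(p, strict=False), pubkey))

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match: return the peer key bound to the best prefix for ip."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, pubkey in self.table:
            # 'in' is False across IP versions, so v4 addresses never match v6 nets.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, pubkey)
        return best[1] if best else None

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound: choose the peer whose public key will encrypt the packet."""
        return self.lookup(dst)

    def accept_inbound(self, authenticated_peer: str, inner_src: str) -> bool:
        """Inbound: after decryption proves which peer sent the packet, drop it
        unless the inner source address routes back to that same peer. This is
        what stops a default-route peer from spoofing another peer's address."""
        return self.lookup(inner_src) == authenticated_peer


def demo() -> None:
    r = CryptokeyRouter(PEERS)
    print("8.8.8.8 ->", r.peer_for_destination("8.8.8.8"))
    print("B claiming 10.0.0.2:", r.accept_inbound("PEER_B_PUBKEY", "10.0.0.2"))


if __name__ == "__main__":
    demo()
```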

To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism of the Noise Protocol Framework is used, similar to how authorized keys are maintained in SSH. Data is transmitted encapsulated in UDP packets. Changing the IP address of the VPN server (roaming) is supported without interrupting the connection, and the client is reconfigured automatically.

For encryption, the ChaCha20 stream cipher is used together with the Poly1305 message authentication code (MAC); these are positioned as faster and more secure analogues of AES-256-CTR and HMAC, and their software implementation achieves constant execution time without requiring special hardware support.

After a long time, WireGuard will finally be included in Linux


Various attempts have been made to get the WireGuard code into Linux, but they were unsuccessful because of its dependence on its own implementations of cryptographic functions, which were used to increase performance.

These functions were initially proposed to the kernel as an additional low-level API that could eventually replace the regular Crypto API.

After negotiations at the Kernel Recipes conference, the creators of WireGuard made a compromise decision in September to change their patches to use the kernel's Crypto API, about which the WireGuard developers have complaints regarding performance and general security.

It was decided that the API would continue to be developed, but as a separate project.

Later, in November, the kernel developers reached a compromise and agreed to move some of the code into the mainline kernel. Some components will indeed be moved into the kernel, not as a separate API but as part of the Crypto API subsystem.

For example, the Crypto API already includes the fast implementations of the ChaCha20 and Poly1305 algorithms prepared by WireGuard.

Regarding the upcoming inclusion of WireGuard in the kernel, the project's founder announced a restructuring of the repository. To simplify development, the monolithic "WireGuard.git" repository, which was designed for a stand-alone existence, will be replaced by three separate repositories better suited to organizing work on code in the mainline kernel:

  • wireguard-linux.git - A complete kernel tree with the changes from the WireGuard project; its patches will be reviewed for inclusion in the kernel and regularly submitted to the net / net-next branches.
  • wireguard-tools.git - A repository of utilities and scripts that run in user space, such as wg and wg-quick. The repository can be used to build packages for distributions.
  • wireguard-linux-compat.git - A repository with the module variant shipped separately from the kernel, which includes the compat.h layer to ensure compatibility with older kernels. The main development will take place in the wireguard-linux.git repository, but as long as users need a separately shipped version of the patches, it will continue to be maintained in working form.
