For the last few months I’ve been actively following the development of new VPN software called WireGuard. Unlike many VPN solutions before it, WireGuard sits entirely in kernel space, which means it can avoid the performance hits incurred by VPNs like OpenVPN that sit entirely in user space. What does that mean? Let me explain.
When software makes calls out to the Internet on Linux (or any modern operating system) it has to pass from user space (where all your applications like Google Chrome, Word, GIMP, etc. run) into kernel space, where the secure parts of the operating system lie. Since the discovery of Meltdown, recent updates have made it mandatory that any switch between these two places flushes the TLB (translation lookaside buffer), which is responsible for mapping the current memory locations of software running on the system. This causes a significant decrease in performance for applications like OpenVPN that reside in user space and have to travel into kernel space. Now you’re probably wondering: wouldn’t it be easier to have connections to the Internet handled in user space? The answer is no. Everything involving networking has no choice but to contact the OS, which uses kernel space to handle the networking.
WireGuard avoids this TLB flushing completely by living in kernel space and being handled by the OS, which allows for very fast VPN communications. WireGuard also makes use of the Curve25519 algorithm, which can also be found in Facebook’s Messenger app as well as in Signal and WhatsApp, which pride themselves on the security of their platforms.
Currently the developers of WireGuard do not attempt to sell WireGuard as a 100% guaranteed solution for secure communications like what is offered by OpenVPN, since it is such a new protocol that it has not yet gone through all the necessary vetting. Given the relatively small codebase, however, it should not take an incredibly long time for others to review WireGuard’s code and see for themselves that the software is solid.
One thing that sets WireGuard apart from other VPNs is that, because of its use of Curve25519, there is no need to verify clients’ sessions at the VPN: by design, Curve25519 sees any 32-byte string as a valid public key, which it will then use to encrypt the data. This kind of system can be combined with a web service that lets clients specify their public key to the server in advance (automating the task of configuring peers for the client) and configure a default timeout after which the user can no longer access the VPN connection.
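As an added example (not from the original post or from the WireGuard project), here is a small stdlib-only Python sketch of that pre-registration idea: it checks that each submitted key really decodes to exactly 32 bytes, drops registrations older than an assumed 30-day default timeout, and renders the surviving peers as WireGuard `[Peer]` sections. The peer names, keys, addresses and timestamps are constructed placeholders.

```python
import base64
import binascii
from datetime import datetime, timedelta

# Constructed placeholder keys: base64 of 32 bytes of 0x01, 0x02 and 0x03 (not real keys).
ALICE_KEY = "AQEB" * 10 + "AQE="
BOB_KEY = "AgIC" * 10 + "AgI="
CAROL_KEY = "AwMD" * 10 + "AwM="
SHORT_KEY = "AQEB" * 10 + "AQ=="  # decodes to only 31 bytes, so it must be rejected

# Constructed data standing in for what a self-service registration form stored.
REGISTERED_PEERS = [
    {"name": "alice", "pubkey": ALICE_KEY, "ip": "10.0.0.2/32", "registered": "2024-01-01T00:00:00+00:00"},
    {"name": "bob", "pubkey": BOB_KEY, "ip": "10.0.0.3/32", "registered": "2024-01-15T00:00:00+00:00"},
    {"name": "carol", "pubkey": CAROL_KEY, "ip": "10.0.0.4/32", "registered": "2023-11-01T00:00:00+00:00"},
    {"name": "dave", "pubkey": SHORT_KEY, "ip": "10.0.0.5/32", "registered": "2024-01-18T00:00:00+00:00"},
]
DEFAULT_TIMEOUT = timedelta(days=30)  # assumed policy: a registration expires after 30 days


def valid_wg_key(key_b64):
    """True if key_b64 is valid base64 that decodes to exactly 32 bytes.
    Curve25519 accepts any 32-byte value as a public key, so the only check
    a registration service needs is that the submission really is 32 bytes.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def active_peers(peers, now_iso, timeout=DEFAULT_TIMEOUT):
    """Keep peers with a well-formed key whose registration is within the timeout."""
    now = datetime.fromisoformat(now_iso)
    kept = []
    for peer in peers:
        if not valid_wg_key(peer["pubkey"]):
            continue  # malformed submission never reaches the tunnel config
        if now - datetime.fromisoformat(peer["registered"]) > timeout:
            continue  # timed out: access ends without any per-session check
        kept.append(peer)
    return kept


def render_peer_sections(peers):
    """Render [Peer] blocks in the form a WireGuard .conf file uses."""
    return "\n".join(
        f"[Peer]\n# {p['name']}\nPublicKey = {p['pubkey']}\nAllowedIPs = {p['ip']}\n"
        for p in peers
    )
```

Running `render_peer_sections(active_peers(REGISTERED_PEERS, "2024-01-20T00:00:00+00:00"))` yields sections for alice and bob only: carol has timed out and dave’s key is not 32 bytes.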
In all, WireGuard is on its way to becoming the de facto standard in VPN technologies, and companies that are looking at other options or wish to switch from their current system should definitely consider WireGuard as a possible contender alongside the other systems out there.