Wireguard – the open-source answer to VPN shortfalls?
Most end-users’ experiences of VPNs (virtual private networks) are from when they’ve needed to “dial into” the office or workplace, remotely.
That’s something that, right now, millions of people have to do from their homes. And while many organizations’ resources are located in the cloud, there’s still a significant number of services, applications, filestores, and resources that are on-premise — thus the continuing need for VPNs to gain access.
“Dialing-in” is often still the terminology used in conversation, but that’s ironic because the process of working inside a VPN “tunnel” is very much reminiscent of the days of dial-up internet connections: slow to establish connection, glacial in responsiveness of apps & services, prone to breaking, and often the subject of frustration (and irritable calls to IT support staff).
But all that is set to change over the next 12 months or so, due to the inclusion of a relatively few lines of code (around 4,000) comprising an application called Wireguard in the Linux kernel.
The rise of Wireguard?
Although it’s been a long while in development, an application of this importance has been (as is only right) the subject of much scrutiny, checking, double-checking and sanity-testing before reaching its 1.0.0 release, and its inclusion into the 5.6 version of the Linux kernel.
As its name suggests, the kernel is the heart of the operating system. And the Linux operating system is the one that runs the vast majority of the servers that supply internet services. From social media giants, media streamers, all Google applications, payment gateways, office suites, websites — every conceivable online resource is run on Linux servers.
Wireguard significantly changes the way that servers can communicate with one another safely, and by dint of the same technology, the way that remote workers can connect to on-premise resources or any cloud-based service.
UPDATE: WireGuard was merged into the Linux kernel for 5.6. This repository contains a backport of WireGuard for kernels 3.10 to 5.5, as an out of tree module. (v1.0.20200413) https://t.co/B5mBfl8STi
— oBot (@oiaBot) April 14, 2020
Under the hood of VPN tunnels at present there are several flavors of technology in everyday use, which deploy a bewildering array of encryption methods, transport layers, tunnel set-up procedures, handshaking, and tunnel maintenance.
A typical IPsec tunnel, for instance, might involve around half a million lines of code, and sheer volume on that scale means that, first and foremost, there is plenty of attack surface for bad actors to probe.
Most VPN connections can take 8-20 seconds to establish and are highly susceptible to sudden disconnection. Frustrating for end-users, this is a particular bugbear for IT systems administrators, especially those charged with interconnected servers that need to keep communicating safely to provide the services they were designed for, at production levels of reliability and speed.
Wireguard’s inclusion in the Linux kernel v5.6 is set to change all that, for several reasons:
- It’s a smaller code base, so less attack surface is presented
- It uses robust encryption methods by default that have been extensively peer-reviewed, and are open to anyone for examination
- Negotiations and connections take milliseconds, not seconds
- Connections are hugely stable
- It’s much simpler to set up and maintain for even the most security-conscious systems administrator
There are production-ready versions of Wireguard available already for Linux, Mac, Android, and iOS. The Windows implementation is still in beta, but initial reports are showing that this version, too, should shortly be released.
Its inclusion in the core of Linux means that any services running on Ubuntu, Red Hat, SuSE, CentOS — that is, most of the online world — can make use of stable, safe, encrypted tunnels without having to recompile each kernel instance manually.
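What that simpler setup looks like in practice, as an added example that is not from the article or the WireGuard project: a minimal server and client configuration in WireGuard's own file format. The tunnel addresses, port, hostname and key placeholders are assumptions; the keys come from `wg genkey` / `wg pubkey` on each side.

```ini
# Server side: /etc/wireguard/wg0.conf (chmod 600, it holds the private key).
# Keys:  wg genkey | tee server.key | wg pubkey > server.pub
[Interface]
# The server's address inside the tunnel (assumed range 10.0.0.0/24)
Address = 10.0.0.1/24
# UDP port the clients connect to
ListenPort = 51820
PrivateKey = <contents of server.key>

# One [Peer] block per authorised client. AllowedIPs is an access-control
# rule as well as a route: a packet decrypted under this peer's key is dropped
# unless its source address is inside AllowedIPs, so pin it to the client's
# single tunnel address rather than 0.0.0.0/0.
[Peer]
PublicKey = <contents of laptop.pub>
AllowedIPs = 10.0.0.2/32

# Client side: /etc/wireguard/wg0.conf on the laptop.
[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents of laptop.key>

[Peer]
PublicKey = <contents of server.pub>
# Assumed public address of the server
Endpoint = vpn.example.com:51820
# Split tunnel: only the tunnel range is sent through WireGuard. Add the
# on-premise LAN range here once the server forwards for it, or use
# 0.0.0.0/0 to send all of the laptop's traffic via the server.
AllowedIPs = 10.0.0.0/24
# Keeps the NAT mapping open when the laptop sits behind a home router
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` and check `wg show`: a recent "latest handshake" for the peer confirms the tunnel is established.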
With kernel version 5.6 due to hit production systems over the next 6-24 months, the world’s servers will be taking a significant step forward from present realities.
Naturally, any form of encryption and security is only as good as the people charged with establishing and maintaining it. But until quantum computers become capable of 256-bit operation and are deployed to brute-force private encryption keys, the online world may soon get a whole lot safer.
17 September 2021