Security news that informs and inspires

WireGuard VPN Added to Linux Kernel


With the sharp increase in the number of people working from home and requiring secure access to remote resources, interest in and usage of VPNs has spiked, as well. So it’s an opportune time for the WireGuard VPN to make its way into the Linux kernel, an addition that will make the technology available by default to millions of Linux users.

WireGuard is a fast, flexible VPN that was designed specifically for Linux implementations, but it has been a third-party addition until now. With the release of Linux 5.6 today, WireGuard is now included in the kernel by default and will make its way into the downstream distributions, as well.

“The last several weeks of 5.6 development and stabilization have been exciting, with our codebase undergoing a quick security audit, and some real headway in terms of getting into distributions,” WireGuard developer Jason Donenfeld said in an announcement of the Linux kernel addition.

WireGuard was developed as a replacement for the heavier and more complex existing VPN protocols such as IPsec and the popular implementations such as OpenVPN. One of the drawbacks of those larger and more complex systems and protocols is that they can be quite difficult to implement and even more difficult to audit or verify. WireGuard is meant to be both high-performance and easy to audit, making it simpler for a single person or small team to dig into.

“Key exchanges, connections, disconnections, reconnections, discovery, and so forth happen behind the scenes transparently and reliably, and the administrator does not need to worry about these details. In other words, from the perspective of administration, the WireGuard interface appears to be stateless,” the original WireGuard technical paper says.

“Firewall rules can then be configured using the ordinary infrastructure for firewalling interfaces, with the guarantee that packets coming from a WireGuard interface will be authenticated and encrypted. Simple and straightforward, WireGuard is much less prone to catastrophic failure and misconfiguration than IPsec.”
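The paper's point about firewalling the interface can be seen in a wg-quick configuration, shown here as an added example that is not from the article or the WireGuard project: the nftables rules in PostUp trust SSH only when it arrives over the WireGuard interface, relying on the guarantee that such packets were authenticated. Keys, addresses and the peer endpoint are placeholders, and the ruleset assumes nftables is installed.

```ini
# /etc/wireguard/wg0.conf (example config; placeholder keys and addresses)
[Interface]
# Generate a real key pair with: wg genkey | tee privatekey | wg pubkey > publickey
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
Address = 10.0.0.1/24
ListenPort = 51820

# wg-quick substitutes %i with the interface name (wg0 here).
# Create a dedicated nftables table so the rules can be removed cleanly on down.
PostUp = nft add table inet wgfw
PostUp = nft add chain inet wgfw input '{ type filter hook input priority 0; policy accept; }'
# Accept SSH only when it arrives through the WireGuard interface ...
PostUp = nft add rule inet wgfw input iifname "%i" tcp dport 22 accept
# ... and drop SSH reaching the host over any other interface.
PostUp = nft add rule inet wgfw input tcp dport 22 drop
# Tear the table down with the interface so no stale rules remain.
PostDown = nft delete table inet wgfw

[Peer]
# Public key of the client allowed to connect (placeholder).
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
# Only traffic from this tunnel address is accepted from (and routed to) the peer.
AllowedIPs = 10.0.0.2/32
```

Bring the interface up with `wg-quick up wg0`; because the UDP listen port stays reachable under the accept policy, peers can still establish the tunnel, while SSH is answered only to traffic that WireGuard has already authenticated.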

As the Linux 5.6 kernel makes its way downstream to the other distributions, more and more users will have access to the WireGuard software. That trickle-down effect generally takes some time as distributions adopt the new release and then users upgrade their machines. In the meantime, the existing compatibility with older versions of some Linux distributions will be maintained.

“We'll also continue to maintain our wireguard-linux-compat backports repo for older kernels. On the backports front, WireGuard was backported to Ubuntu 20.04 (via wireguard-linux-compat) and Debian Buster (via a real backport to 5.5.y),” Donenfeld said in the email announcing the release.