WireGuard VPN 1.0.0 is now available and this is what's new


A few hours after the release of Linux kernel 5.6, which includes the WireGuard VPN implementation (you can check the changes and news of this new version here), its developers announced the significant release of WireGuard VPN 1.0.0, marking the delivery of the WireGuard components.

Since WireGuard is now being developed in the main Linux kernel, a wireguard-linux-compat.git repository has been prepared for distributions and users who continue to ship older versions of the kernel.


About WireGuard VPN

WireGuard VPN is built on modern encryption methods, provides very high performance, is easy to use and free of complications, and has proven itself in a number of large deployments that handle high volumes of traffic. The project has been developed since 2015 and has passed a formal audit and verification of the encryption methods used.

WireGuard support is already integrated into NetworkManager and systemd, and kernel patches are included in the base distributions of Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph, and ALT.

WireGuard uses the concept of encryption key routing, which involves binding a private key to each network interface and using public keys to bind peers to it. The exchange of public keys to establish a connection is done by analogy with SSH.
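A minimal model of the key-to-address binding described above, as an added example that is not part of the original article or of the WireGuard code. It assumes each peer's public key is configured with a list of allowed IP ranges (WireGuard's AllowedIPs setting); the class name, key strings and addresses are constructed for illustration.

```python
import ipaddress


class CryptokeyRouter:
    """Toy peer table for one interface (illustrative model, not kernel code)."""

    def __init__(self):
        self.routes = []  # (network, peer_public_key) pairs

    def add_peer(self, public_key, allowed_ips):
        for cidr in allowed_ips:
            self.routes.append((ipaddress.ip_network(cidr), public_key))

    def _lookup(self, addr):
        # Longest-prefix match across every peer's allowed ranges.
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, key) for net, key in self.routes
                   if ip.version == net.version and ip in net]
        return max(matches)[1] if matches else None

    def route_outbound(self, dst_ip):
        """Return the peer key used to encrypt a packet for dst_ip.
        None means no peer owns that address, so the packet is dropped."""
        return self._lookup(dst_ip)

    def accept_inbound(self, sender_key, inner_src_ip):
        """Called after a packet has authenticated under sender_key.
        Accept only if the inner source address routes back to that key."""
        owner = self._lookup(inner_src_ip)
        return owner is not None and owner == sender_key


# Constructed sample configuration: placeholder key strings, private addresses.
PEER_A = "peerA-public-key-placeholder"
PEER_B = "peerB-public-key-placeholder"


def build_demo_router():
    router = CryptokeyRouter()
    router.add_peer(PEER_A, ["10.0.0.2/32"])
    router.add_peer(PEER_B, ["10.0.0.0/24", "192.168.50.0/24"])
    return router


if __name__ == "__main__":
    r = build_demo_router()
    for dst in ("10.0.0.2", "10.0.0.7", "203.0.113.9"):
        print("outbound", dst, "->", r.route_outbound(dst))
    # Peer B authenticates correctly but claims peer A's address: rejected.
    print("inbound B as 10.0.0.2:", r.accept_inbound(PEER_B, "10.0.0.2"))
```

The same table serves both directions: it is a routing table when sending and an access-control list when receiving.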

To negotiate keys and connect without starting a separate daemon in user space, the Noise_IK mechanism of the Noise Protocol Framework is used, similar to keeping authorized keys in SSH. Data is transmitted through encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without interrupting the connection, with automatic client reconfiguration.

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) are used, developed by Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogs of AES-256-CTR and HMAC, whose software implementation achieves a fixed execution time without requiring special hardware support.

To generate a shared secret key, the elliptic-curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. For hashing, the BLAKE2s algorithm (RFC 7693) is used.

What changes are included in WireGuard VPN 1.0.0?

The code included in the Linux kernel underwent an additional security audit, carried out by an independent company specialized in such reviews. The audit did not reveal any problems.

The prepared repository includes the backported WireGuard code and a compat.h layer to ensure compatibility with older kernels. It is noted that as long as developers have the opportunity and users have the need, a separate version of the patches will be kept in working form.

In its current form, WireGuard can be used with Ubuntu 20.04 and Debian 10 "Buster" kernels and it is also available as patches for the Linux 5.4 and 5.5 kernels. Distributions using the latest kernels, such as Arch, Gentoo, and Fedora 32, will be able to use WireGuard in conjunction with the 5.6 kernel update.

The main development process is now underway in the wireguard-linux.git repository, which includes a full Linux kernel tree with changes from the WireGuard project.

The patches in this repository will be reviewed for inclusion in the main kernel and will be regularly transferred to the net/net-next branches.

Development of utilities and scripts that run in user space, such as wg and wg-quick, takes place in the wireguard-tools.git repository, which can be used to create packages in distributions.

Also, builds using Dynamic Kernel Module Support (DKMS) will no longer be required, even though WireGuard will continue to function as a loadable kernel module.

Finally, if you are interested in knowing more about this new version, you can consult the statement of its developers at the following link.

