The relatively new WireGuard VPN protocol is being used by many Linux users as an alternative to OpenVPN and IPsec. The developers of the open source project have set themselves the goal of building an easy-to-use yet highly secure VPN tool. It is particularly important to them to keep the project's code base as small as possible, so that security audits by independent security researchers are as easy as possible.
So far, however, this goal has stood in the way of their plan to get WireGuard into the main development branch of the Linux kernel: despite support from Linux head Linus Torvalds, several controversies have blocked inclusion until now. Now things could start moving.
Torvalds enables the WireGuard code
Torvalds himself praised WireGuard last year, describing its source code as a "work of art" compared with the "horror" of OpenVPN and IPsec. The chief Linux developer also expressed the hope that WireGuard would quickly land in mainline, the main development branch of the Linux kernel. That has not happened yet, because WireGuard uses its own crypto library, called Zinc, for its encryption operations, and Zinc would have to be integrated into the kernel as well. The kernel, however, already has its own crypto API for these purposes, and the kernel developers have insisted that the WireGuard people use the existing code.
Until now, WireGuard lead developer Jason Donenfeld has always insisted that his goal of a minimal, and therefore maximally secure, code base cannot be achieved with the existing kernel API. The kernel API is well written, he says, but also far too extensive, difficult to use and "a cipher museum": in his view it contains too many outdated and insecure crypto algorithms, and his main criticism is that nobody knows which of them are trustworthy. He prefers cryptographic code whose trustworthiness is documented by comprehensible external audits, Donenfeld told the industry magazine LWN last year.
After more than a year of arguing about Zinc, which has also kept their VPN software out of the kernel mainline, the WireGuard developers are now ready to compromise. They now appear to be considering decoupling the two components and integrating them separately into the kernel's main development branch. To do this, WireGuard must first be ported to the existing crypto API. After that, nothing should stand in the way of the Linux developers' blessing. Only then do they want to turn back to Zinc and try to get that project into mainline as well.
The new plan is intended to get WireGuard into the kernel quickly and, with luck, to let Donenfeld eventually get his way so that the team can port the VPN software back to Zinc later. However, the developers involved still do not seem to agree that this is the best course of action.
Inclusion in the mainline has many advantages
But why is it so important for the developers to be included in the kernel's main development branch? The main advantage is surely that their VPN protocol then becomes available to everyone, without users having to rely on special kernel patches from their distribution. This drastically increases the availability of the technology and removes the need for pure userland implementations on Linux.
In addition, inclusion in mainline simplifies the upstream development process for the WireGuard developers and strengthens collaboration with the kernel developers. As a side effect, it becomes easier for other projects to use the WireGuard and Zinc code in their own software.