
SoylentNews is people

posted by martyb on Thursday December 12 2019, @06:12AM
from the protected-communications dept.

WireGuard VPN is a step closer to mainstream adoption

As of this morning, Linux network stack maintainer David Miller has committed the WireGuard VPN project into the Linux "net-next" source tree. Miller maintains both net and net-next—the source trees governing the current implementation of the Linux kernel networking stack and the implementation of the next Linux kernel's networking stack, respectively.

This is a major step forward for the WireGuard VPN project. Net-next gets pulled into the new Linux kernel during its two-week merge window, where it becomes net. With WireGuard already a part of net-next, this means that—barring unexpected issues—there should be a Linux kernel 5.6 release candidate with built-in WireGuard in early 2020. Mainline kernel inclusion of WireGuard should lead to significantly higher uptake in projects and organizations requiring virtual private network capability.

[Ed. addition] WireGuard implements a fast, modern, secure VPN tunnel. According to Wikipedia:

WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the second version of the GNU General Public License (GPL).



  • (Score: 3, Informative) by stormwyrm (717) on Thursday December 12 2019, @07:49AM (#931341) (2 children)

    Indeed. There were a plethora of embarrassingly insecure VPN protocols [auckland.ac.nz] that were made at around the time that the Linux kernel got IP tunnel support. There is a reason for the complexity of the IPsec, TLS (OpenVPN), and SSH protocols: good security is hard. No complexity was added to those protocols without a good security rationale. I am not convinced that WireGuard's approach to reducing the complexity of these protocols wasn't to similarly strip out all of those nasty security features that make the established protocols so complex, the way all of the dozens of insecure VPN protocols I mentioned had. I don't see that Jason Donenfeld, the main developer behind WireGuard, has done much serious research in cryptography and security. I'd be a bit less sceptical if I could find some information on this guy's academic background, but a quick search doesn't turn it up. A well-regarded Master's Thesis and/or PhD dissertation on security protocols might have inspired a bit more confidence, but I can't find such a thing. He's got a grand total of three peer-reviewed publications [google.fr] in Google Scholar, all of them related to his work with WireGuard. That's at least a hopeful sign that this isn't total craptology, but not enough for me to even think of using it for anything serious. I'm sticking to OpenVPN or IPsec for now, thank you very much.
    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 0) by Anonymous Coward on Thursday December 12 2019, @12:39PM (#931367)

    There is a reason for the complexity of the IPsec, TLS (OpenVPN), and SSH protocols: good security is hard.

    I'm not sure what is so complex about these protocols. IPsec is a rather simple protocol. The problem is not in the protocol, but in the key server (CA management) and how the protocol is actually used. Saying IPsec is difficult is like saying driving is difficult because you need this license thing and to follow the rules and such.

    No complexity was added to those protocols without a good security rationale.

    Well, some features are somewhat niche. The sad thing is that IPsec has not seen much adoption outside Windows Server, where it's actually implemented well.

  • (Score: 2) by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday December 12 2019, @03:33PM (#931415) Homepage

    """
    Simple and straightforward, WireGuard is much less prone to catastrophic failure and misconfiguration than IPsec. It is important to stress, however, that
    the layering of IPsec is correct and sound; everything is in the right place with IPsec, to academic perfection. But, as often happens with correctness of abstraction, there is a profound lack of usability, and a verifiably safe implementation is very difficult to achieve. WireGuard, in contrast, starts from the basis of flawed layering violations and then attempts to rectify the issues arising from this conflation using practical engineering solutions and cryptographic techniques that solve real world problems.
    """

    Sounds a bit bodgy, and possibly fragile; there's a reason the layers are as they are.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves