

posted by martyb on Thursday December 12 2019, @06:12AM
from the protected-communications dept.

WireGuard VPN is a step closer to mainstream adoption

As of this morning, Linux network stack maintainer David Miller has committed the WireGuard VPN project into the Linux "net-next" source tree. Miller maintains both net and net-next—the source trees governing the current implementation of the Linux kernel networking stack and the implementation of the next Linux kernel's networking stack, respectively.

This is a major step forward for the WireGuard VPN project. Net-next gets pulled into the new Linux kernel during its two-week merge window, where it becomes net. With WireGuard already a part of net-next, this means that—barring unexpected issues—there should be a Linux kernel 5.6 release candidate with built-in WireGuard in early 2020. Mainline kernel inclusion of WireGuard should lead to significantly higher uptake in projects and organizations requiring virtual private network capability.

[Ed. addition] WireGuard implements a fast, modern, secure VPN tunnel. According to Wikipedia:

WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the second version of the GNU General Public License (GPL).
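To make "secure point-to-point connections" concrete, here is an added example; it is not code from the original story, from Ars Technica, or from the WireGuard project. It assumes facts that are true of WireGuard but not stated on this page: peer identities are Curve25519 (X25519) keys, carried in configuration as base64 of 32 raw bytes, and the `wg pubkey` tool derives the public key by X25519 scalar multiplication with the base point u = 9. The block derives public keys from the published RFC 7748 test-vector private keys (test vectors only, never to be used as real keys), checks that both sides agree on the shared secret, and renders a minimal two-peer `wg-quick` configuration. The interface and peer names, tunnel addresses, port and endpoint are hypothetical.

```python
# Added example, not from the original page or the WireGuard project.
# Assumes (a known fact, not stated on the page) that WireGuard keys are
# X25519 keys, base64-encoded as exactly 32 bytes.
import base64

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, ladder constant from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping, then little-endian decode."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 per RFC 7748 (Montgomery ladder). Pure Python, NOT constant-time:
    fine for an illustration, never for a production key agreement."""
    if len(scalar) != 32 or len(u) != 32:
        raise ValueError("X25519 inputs must be 32 bytes")
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def decode_key(key_b64: str) -> bytes:
    """Parse a WireGuard key string; reject anything that is not exactly 32 raw bytes."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"WireGuard keys are 32 bytes, got {len(raw)}")
    return raw


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: scalar-multiply the base point by the private key."""
    return base64.b64encode(x25519(decode_key(private_b64), BASE_POINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Raw X25519 agreement between our private key and the peer's public key."""
    return x25519(decode_key(private_b64), decode_key(peer_public_b64))


def render_config(private_b64, address, listen_port, peer_public_b64, peer_allowed_ips, endpoint=None):
    """Render a minimal wg-quick configuration for a point-to-point link.
    AllowedIPs is WireGuard's cryptokey routing table: it decides both which
    destinations are sent to this peer and which source addresses are accepted
    from it, so for a point-to-point link pin it to the peer's /32, not 0.0.0.0/0."""
    lines = ["[Interface]", f"PrivateKey = {private_b64}", f"Address = {address}"]
    if listen_port is not None:
        lines.append(f"ListenPort = {listen_port}")
    lines += ["", "[Peer]", f"PublicKey = {peer_public_b64}", f"AllowedIPs = {peer_allowed_ips}"]
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
    return "\n".join(lines) + "\n"


# RFC 7748 section 6.1 test vectors (published, therefore compromised; test use only).
ALICE_PRIV = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
BOB_PRIV = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()


def example_configs():
    """Both sides of a hypothetical point-to-point tunnel (10.0.0.1 <-> 10.0.0.2)."""
    server = render_config(ALICE_PRIV, "10.0.0.1/24", 51820, wg_pubkey(BOB_PRIV), "10.0.0.2/32")
    client = render_config(BOB_PRIV, "10.0.0.2/24", None, wg_pubkey(ALICE_PRIV), "10.0.0.1/32",
                           endpoint="vpn.example.invalid:51820")
    return server, client


if __name__ == "__main__":
    for name, cfg in zip(("server wg0.conf", "client wg0.conf"), example_configs()):
        print(f"# {name}\n{cfg}")
```

The private key in the rendered file is the long-term identity of that host, so the file must be owned by root and mode 0600; `wg genkey | tee private.key | wg pubkey > public.key` is the tooling equivalent of `wg_pubkey` above.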



  • (Score: 5, Informative) by maxwell demon (1608) on Thursday December 12 2019, @07:58AM (#931343)

    > Never heard of this guy, have no confidence in his code.

    Well, David Miller has confidence in that guy's code. And if you don't trust David Miller's judgement, you had better not run any Linux kernel.

    > There is a "next-net" tree? Seriously?

    Well, obviously. After all, the summary directly links to it (well, to the WireGuard commit message on Github, but without the tree, that commit message wouldn't exist either, would it?).

    > Does it run on systemd?

    It runs directly in the kernel.

    > This stinks of the self-promotion crap we have seen recently on SN.

    Who would self-promote here?

    Jim Salter, who wrote the Ars Technica article? I don't see any sign that he was involved in the development of WireGuard.

    takyon, who submitted it to SN? Again, I don't see any indication of involvement in WireGuard.

    martyb, who posted it? Again, I see no connection to WireGuard.

    > Can any trusted Soylentils vouch for this?

    I have no idea whether you would consider me a trusted Soylentil, but the information given by the summary and the linked pages gives me no reason to distrust the code.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Funny) by DeathMonkey (1380) on Thursday December 12 2019, @06:51PM (#931482)

    > I have no idea whether you would consider me a trusted Soylentil,

    I don't think we should trust him. He's a gaseous lawbreaker!

  • (Score: 2) by Bot (3902) on Thursday December 12 2019, @11:56PM (#931573)

    >martyb, who posted it? Again, I see no connection to WireGuard.

    The P in VPN stands for private, so it is pretty normal to see no connection.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Friday December 13 2019, @05:44AM (#931647)

    Sure, I'd trust David Miller's ability to evaluate the quality of the code for WireGuard. His ability to evaluate whether or not the WireGuard protocol actually has security better than a wet paper sack, not so much. This is a protocol designed and coded by some guy named Jason Donenfeld (not David Miller) who seems to have no credentials in security engineering whatsoever. Mr. Donenfeld could be the next Bruce Schneier or Niels Ferguson but there is nothing about him that I can easily find that gives us a hint that he might actually be that sort of computer security wunderkind. Call me sceptical but I'm not touching this with a ten-meter cattle prod until there are at least a few peer-reviewed independent analyses of the protocol.
    • (Score: 2) by maxwell demon (1608) on Friday December 13 2019, @07:01AM (#931655)

      Of course you would wait for others to do security audits before actually using the code. I doubt there were many who started using OpenVPN before others checked it, too. And even if it were written by Bruce Schneier, it would be a bad idea not to wait for others to verify it.

      But there is a massive difference between “it's probably good, but I'll not use it until experts confirm” and “I don't trust this, I'll assume this is utter crap until experts force me to reconsider.”

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Friday December 13 2019, @09:00AM (#931668)

        > But there is a massive difference between “it's probably good, but I'll not use it until experts confirm” and “I don't trust this, I'll assume this is utter crap until experts force me to reconsider.”

        I think the former is more appropriate if there is some reason to think it is any good, e.g. if it is from someone with a reasonable track record in the security field, or is built on top of already known and trusted security systems. IPsec had this since it was the work of a lot of well-known experts in cryptography and security. OpenVPN had this since it uses the already tried and tested SSL/TLS protocols. The latter, though, seems like the more appropriate response for WireGuard, given how Mr. Donenfeld seems to be a relative unknown in the security field, has no academic credentials that can be easily found, and does not have much in the way of peer-reviewed scholarship. Is there any reason why we laypeople ought to think that his design is sound?

        • (Score: 0) by Anonymous Coward on Friday December 13 2019, @09:23PM (#931835)

          Well, it is in net-next, which means that the cryptographic primitives are required to come from the crypto tree. The maintainers of the crypto tree are quite well-known, and that code has been examined heavily over the years, and used in almost every cryptographic function, regardless of where, in the Linux kernel for that reason. In addition, the formal verification means that if you have a valid specification and good pieces, then you have a good implementation. In addition, the maintainers of the various trees in the kernel are no slouches when it comes to this stuff either, and there has been almost a year of back and forth on the various mailing lists, so if it looks good to the experts after all that, with a better picture of how the kernel and the software works than any layperson, then that is a much better signal to a layperson than any sort of academic credentials or notoriety of the author.