A VPN rewritten from scratch
The most widespread VPNs in 2020 — IPsec (1990s) and OpenVPN (2001) — are robust but complex. OpenVPN has roughly 100,000 lines of code; IPsec is a galaxy of RFCs, ciphers and modes. Both have wide attack surfaces and verbose configurations.
WireGuard, by Jason A. Donenfeld, was born with the opposite ambition: to rewrite the VPN from scratch with simplicity, auditability and performance as its criteria. The first academic paper dates from 2017 (“WireGuard: Next Generation Kernel Network Tunnel”). After years of development and review, WireGuard was merged into the Linux mainline kernel 5.6 on 29 March 2020 — a significant milestone for a VPN protocol.
Licence: GPL v2 (kernel component) + UNLICENCE/BSD for userland tools.
Technical features
- ~4000 lines of code for the kernel core — two orders of magnitude below OpenVPN
- Fixed cryptography — no negotiation. Algorithms: Curve25519 for key exchange, ChaCha20-Poly1305 for AEAD, BLAKE2s for hashing, HKDF for key derivation. No deprecated algorithms and no cipher-suite negotiation, so no downgrade is possible
- Noise Protocol Framework as handshake — a mathematically analysed design (Trevor Perrin)
- Stateless design — the responder replies only to authenticated peers and keeps no session state before authentication (DoS mitigation)
- Peer model — conceptual client/server symmetry; each peer is identified by a public key plus its allowed IPs
- Roaming — endpoints can change IP address (mobile, dual-homed hosts) without dropping the session
Configuration
A typical WireGuard configuration is a 10-20 line .conf file:
[Interface]
PrivateKey = ...
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = ...
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820
Compare with OpenVPN (typical configs run to hundreds of lines) or IPsec (strongSwan, libreswan, with even more elaborate configurations).
Before Linux 5.6
Before mainline integration, WireGuard was available as an out-of-tree kernel module (DKMS) and as userspace implementations (wireguard-go in Go; boringtun in Rust, by Cloudflare). Mainline inclusion was long anticipated and required two revisions (the dependency on its own Zinc crypto library was replaced by use of the kernel’s existing one).
WireGuard was then ported to FreeBSD (13.0), OpenBSD, macOS (via the official app plus a kernel extension), Windows (NDIS driver), iOS and Android.
Adoption
After the 5.6 inclusion, adoption was rapid:
- Linux distributions (Ubuntu 20.04, Debian 11, Fedora, Arch) include WireGuard out-of-the-box
- Commercial VPNs (Mullvad, ProtonVPN, NordLynx) adopt WireGuard as primary protocol
- Cloud providers — AWS Client VPN integration; Google Cloud and Azure support WireGuard peers
- Home router / NAS (OpenWrt, pfSense, OPNsense, Synology, QNAP) integrate WireGuard
Limits and caveats
- IP-based access control — each peer is tied to a public key plus its allowed IPs. User/role authentication is not native; orchestration requires external tooling (Headscale, Tailscale, Netmaker)
- No cipher choice — organisations with specific policies (strict FIPS, HSM) must evaluate compliance
- NAT traversal — less sophisticated than OpenVPN over UDP or IPsec NAT-T; works well where symmetric NAT is minimal
- Minimal logging — a design choice; additional instrumentation must be built
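As an added illustration of the peer model and of the IP-based access-control caveat above (example code written for this page, not part of WireGuard or wireguard-tools), the following pure-stdlib Python models cryptokey routing: the same AllowedIPs list serves as the outbound routing table and as the inbound source-address filter. The config text and key strings are constructed placeholders.

```python
import ipaddress

# Constructed sample .conf with two peers; the key strings are placeholders, not real keys.
SAMPLE_CONF = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = PEER_A_PUBKEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PEER_B_PUBKEY
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
Endpoint = peer.example.com:51820
"""

def parse_peers(conf):
    """Return {PublicKey: [AllowedIPs networks]} for every [Peer] section."""
    # Hand-parsed: configparser would merge the repeated [Peer] sections.
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return {
        s["PublicKey"]: [ipaddress.ip_network(n.strip(), strict=False)
                         for n in s["AllowedIPs"].split(",")]
        for s in sections if s["_section"] == "Peer"
    }

def route_outbound(peers, dst):
    """Outbound: longest-prefix match of dst over all AllowedIPs picks the peer to encrypt to."""
    addr = ipaddress.ip_address(dst)
    best = None  # (pubkey, network) of the most specific match so far
    for pubkey, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (pubkey, net)
    return best[0] if best else None  # None: no peer owns dst, packet is dropped

def accept_inbound(peers, pubkey, src):
    """Inbound: a packet authenticated under pubkey passes only if its inner source
    address routes back to that same peer, so AllowedIPs doubles as a source ACL."""
    return route_outbound(peers, src) == pubkey
```

A packet that decrypts correctly under peer A's key but carries inner source 192.168.50.77 is still dropped, because that prefix is assigned to peer B.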
In the Italian context
As of 2020, Italian WireGuard adoption is spreading among:
- SMEs seeking simple VPN for smart-working remote access (pandemic driven)
- MSPs and ISPs offering managed VPN
- Public administration (PA) — experiments in the more innovative bodies
- Individual researchers and sysadmins — as personal solution
References: WireGuard in Linux kernel 5.6 (29 March 2020). Jason A. Donenfeld as author and project lead. Licences: GPLv2 (kernel), UNLICENCE (userland). Noise Protocol Framework (Trevor Perrin). Curve25519 (DJB), ChaCha20-Poly1305, BLAKE2s. Ports: FreeBSD 13.0, OpenBSD, Windows, macOS, iOS, Android.