We’ve been anticipating WireGuard’s inclusion into the mainline Linux kernel for quite some time—but as of Sunday afternoon, it’s official. Linus Torvalds released the Linux 5.6 kernel, which includes (among other things) an in-tree WireGuard. Phoronix has a great short list of the most interesting new features in the 5.6 kernel, as well as a longer “everything list” for those who want to make sure they don’t miss anything.
If this is the first time you’re hearing about WireGuard, the TL;DR is that it’s a relatively new VPN (Virtual Private Network) application that offers a leaner codebase, easier configuration, faster connect times, and the latest and most thoroughly peer-reviewed and approved encryption algorithms. You can find a more detailed introduction in our initial August 2018 coverage.
Can I use this on Windows? Mac? BSD? Android? iOS?
Although WireGuard is now version 1.0.0 in the Linux world, its Windows package is still 0.1.0—early alpha stages. We’ve used the Windows package a fair amount now, and most users will find it very usable—but it is not yet guaranteed free of platform-specific “security quirks” or other minor issues not present in the more heavily tested Linux side of things.
If you decide to use these early versions of WireGuard for Windows, we strongly recommend keeping track of news and updates on a regular basis. Interested Windows users can find a sneak peek at WireGuard’s early Windows support here.
Mac and BSD users do not yet have an in-kernel option for WireGuard support but can run the Go language implementation from their respective repositories: pkg install wireguard on FreeBSD, and brew install wireguard-tools, port install wireguard-tools, or even right from the Apple Store itself on the Mac.
iOS users can find WireGuard in the App Store, and Android users can find it in the Play Store. A word to the wise: third-party WireGuard clients exist for these platforms as well, but we recommend sticking to the official WireGuard clients linked here.
Detailed instructions and links for downloading and installing WireGuard on everything north of a kitchen toaster can be found here.
WireGuard gets third-party audit, goes 1.0.0
WireGuard itself gets a version bump to 1.0.0 along with its inclusion into the new kernel. Those familiar with open source versioning standards probably weren’t all that put off by its prior 0.8.x or 0.9.x versioning—after all, Dovecot was the world’s IMAP4 server for years on 0.4—but the 1.x versioning may soothe concerns for managerial or simply less Linux-savvy folks.
More importantly, WireGuard founding developer Jason Donenfeld commissioned a third-party security audit of the codebase, which came up clean:
I’ve been a bit neurotic about having 5.6 ship without any show stopper bugs. WireGuard has been stable for a long time now, but that doesn’t make me any less nervous about the real deal in 5.6. To that end, I’ve been doing code reviews and having discussions, and we also had a security firm audit the code. That audit didn’t turn up any vulnerabilities, but they did make a good defense-in-depth suggestion.
What it means to be “in-tree”
WireGuard will still operate as a Loadable Kernel Module (LKM)—not built statically into the kernel itself. But it will be “in-tree”—which means it’s provided ready to go with the vanilla kernel itself, with no need for repackaging by the various distros. This puts it on the same footing as most hardware drivers, which are also LKMs that are dynamically loaded when necessary.
The shift from third-party to first-party LKM also means no more Dynamic Kernel Module Support builds will be necessary. DKMS is a convenient framework that allows a kernel module to be automatically rebuilt from source against each new Linux kernel as it is installed—but it’s not bulletproof. A user with a single computer might go years without seeing a DKMS hiccup, but a sysadmin with tens of machines and critically important DKMS packages will probably have to poke at a botched kernel upgrade once or twice a year.
DKMS builds add a significant amount of extra time to routine kernel upgrades even when they go well, since the system is actually recompiling the source code itself against the new kernel’s headers. Although WireGuard is a relatively small and clean project, the DKMS build time is generally in the “several minutes” range even on relatively fast servers. This wasn’t enough extra time to be a big factor in automated upgrades, but it was enough to cause some frustrated toe-tapping in manual installations and upgrades.
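After a kernel upgrade it is worth confirming which WireGuard module the system will actually load: the in-tree one shipped with the kernel, or a leftover DKMS build. The script below is an added example, not from the article or the WireGuard project; it assumes the usual layout in which in-tree modules sit under /lib/modules/<version>/kernel/ and DKMS output lands under /lib/modules/<version>/updates/dkms/, and it relies on modinfo's -n (module path) and -F intree (the in-tree flag the build system stamps into the module) options.

```shell
#!/bin/sh
# Added example (not from the article): tell an in-tree WireGuard module apart
# from a DKMS-built one by where modprobe finds it and by its "intree" flag.
# Assumed layout: in-tree modules live under /lib/modules/<ver>/kernel/,
# DKMS installs under /lib/modules/<ver>/updates/dkms/.

# classify_module_path <path-to-.ko> -> prints in-tree | dkms | out-of-tree
# Works on compressed modules too (.ko.xz, .ko.zst), since only the directory matters.
classify_module_path() {
    case "$1" in
        */updates/dkms/*) echo "dkms" ;;
        */kernel/*)       echo "in-tree" ;;
        *)                echo "out-of-tree" ;;
    esac
}

# check_wireguard: ask modinfo about the running kernel and print a one-line verdict.
# Exit status: 0 if WireGuard is in-tree, 1 if it comes from DKMS or elsewhere,
# 2 if no module is found at all (e.g. a kernel older than 5.6 without the DKMS package).
check_wireguard() {
    path=$(modinfo -n wireguard 2>/dev/null) || {
        echo "wireguard: no module found for $(uname -r)"
        return 2
    }
    kind=$(classify_module_path "$path")
    intree=$(modinfo -F intree wireguard 2>/dev/null)
    echo "wireguard: $kind ($path, intree=${intree:-N})"
    [ "$kind" = "in-tree" ]
}

# Only run the live check when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_wireguard
fi
```

Run it as `sh wg_intree.sh --check` on each machine after the upgrade; a "dkms" verdict on a 5.6 kernel means the old DKMS package is still shadowing the in-tree module and can be removed, while a non-zero exit with "no module found" means the kernel is older than 5.6 and the DKMS package (or a distro backport) is still required.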
You might not have to wait for 5.6
Fast-moving, “bleeding edge” distributions like Arch, Gentoo, Fedora, and Clear Linux will upgrade very rapidly to the new 5.6 kernel, but stable distributions like Ubuntu, Debian, or CentOS will likely remain on older kernels for a year or more.
Debian and Ubuntu users, fortunately, won’t have to wait for Linux 5.6. The upcoming Ubuntu Focal Fossa has a backported WireGuard in its kernel tree—so the need for the WireGuard PPA should be over soon for up-to-date Ubuntu admins. On the Debian side, maintainer Ben Hutchings has already committed a backport to Debian Buster.
There’s no word yet for CentOS, RHEL, or SuSE users, but we wouldn’t be surprised if more of the major stable distributions began adding official support prior to upgrading to Linux 5.6.