Send in your ideas. Deadline October 1, 2024
Stay up to date
More info available :
Theme fund: NGI0 PET
Start: 2020-04
End: 2020-04
More projects like this
Network infrastructure


Scale up WireGuard

WireGuard is a next generation VPN protocol that uses state of the art cryptography. This project aims to deliver various tasks: put WireGuard into the OpenBSD kernel and userspace tooling (tcpdump, ifconfig, wg, etc), rewrite Android client UI in Kotlin and make use of Kotlin coroutines, make the Android code into a library consumable by third-party apps, support more complex DNS and networking management in Windows client, improve performance and stability of cross-platform userspace implementation library, integrate more closely with various Linux netdev semantics and backport to Linux 5.4 and 4.19.

Why does this actually matter to end users?

The internet is unfortunately not only populated just by kind and careful people. And it wasn't designed to be secure either. This is a dangerous and rather unfortunate combination of circumstances, and one you should take into account when you use the internet. When you go online outside of your house or office, chances are you use whatever wireless network you can find to get online. Mobile internet subscriptions are still expensive, so it is logical people seize every opportunity to connect for free. While this is a daily habit for many millions of people, and often nothing bad happens, it does expose you to serious risks.

This is because your computer doesn't really know a lot about the world. It depend on information it gets from the networks it connects to. If the network happens to cheat, the computer often has very little defenses. If you use an untrustworthy network to connect you to the internet, you move yourself into the middle of enemy territory. While you happily enjoy your free bits it provides as a way to buy money, it has ample opportunity to exploit all kinds of security weaknesses against you. Essentially, if you got away scot free with connecting to an unsafe network, it probably wasn't your security that held anyone back. You were just lucky that no-one serious tried to do anything - this time. So it is recommended to not connect over wifi networks you don't know.

Unless of course you've arranged for a secure tunnel that allows you to teleport your internet traffic across the unsafe local network to the real internet unscathed. The concept is surprisingly simple: individual messages sent through the Internet, called packets, are encrypted using some mechanism, and this encrypted message then substitutes the original one, making all communications sent through the tunnel unreadable to eavesdroppers and unalterable to attackers. Proven cryptography protects the integrity of the traffic flowing through the tunnel. And once the packets reach the other end of the tunnel, they can be unpacked. From that point onwards they may continue their life as normal internet traffic. Travelling the path in reverse path is of course also possible: packets sent from the internet to your computer are protected in exactly the same way.

In anticipation of better technologies that should arrive with the next generation internet, such tunnels are a key technology to guarantee consumer safety. They play a major role in protecting users both from snooping and malicious traffic injection. Sadly, the tools to create these secure tunnels is rather cumbersome (if not plain hard) to work with. This has prevented mass adoption.

WireGuard is a completely new entrant to the field, and it is praised widely by technologists for its very high quality. Its goal is to be the most secure and easiest to use VPN solution available. Wireguard has many attractive traits: it is fast, simple and lean. It can run on embedded interfaces and super computers alike, and is fit for many different circumstances. Wireguard makes it very easy to set up a secure tunnel with modern technologies. It employs formally verified cryptographic constructions and has best in class performance. So you can more safely browse the web without annoying delay, even from potentially unsafe networks.

WireGuard starts from scratch with modern cryptography and best-practice defense-in-depth implementation strategies. It is suitable and easily deployable for both end users and in data centers across the world, and provides an essential core building block for making the Internet safer. NGI has supported this project before and now that WireGuard is included into the most popular and widely used open source operating systems, Linux, new work needs to be done to expand its usefulness, usability and reliability to provide users around the world an actually safe, private and trustworthy online experience.

Run by WireGuard

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.