Wireguard Rust Implementation
Implementation of WireGuard in a type safe language
WireGuard is an emerging open VPN protocol, WireGuard stands out from similar solutions, notably OpenVPN and IPSec, by being significantly simpler and hence easier to analyze and implement. WireGuard is currently available on Linux, Windows, MacOS,iOS, Android and BSD variants. WireGuard-rs will be an implementation of WireGuard in the Rust systems programming language. The WireGuard projects desire for a Rust userspace implementation, stems from the improved speed, memory consumption and safety guarantees offered by the Rust language, all of which are essential to the nature of the WireGuard project: a high performance, high security VPN. This implementation will be targeting userspace for Linux, Windows, MacOS and BSD variants.
- The project's own website: https://www.wireguard.com/
Why does this actually matter to end users?
VPNs (Virtual Private Networks) are common every-day tools, used by businesses, governments and private citizens alike to create secure overlay networks protected against adversaries controlling the underlying network architecture. Private citizens primarily use VPNs to enhance their privacy, by routing their traffic through a trusted intermediary they can hide their origin from any service they access on the internet and hide the contents of their traffic from any eavesdropper between them and their provider; whether it be the shady hotel wifi or an oppressive government. Businesses primarily use VPNs to connect remote sites as if they were situated on the same LAN (Local Area Network), enabling secure remote sharing of internal resources (e.g. printers) without exposing these directly to the internet. Additionally large internet service providers often emulate a secure local network between a number of physically decentralized "cloud nodes" by connecting them using a VPN.
WireGuard is a new VPN protocol, which aims for security and speed by dramatically simplifying its design and configuration. WireGuard has traditionally been implemented as a Linux kernel module, however a userspace implementation in the Go programming language also brings WireGuard to Windows, Android, MacOS, iOS, and BSD variants. While working with the Go implementation we identified a number of points for improvement: improved control of memory consumption, control of sensitive data in memory, easier integration into other applications, as well as speed. All of these problems stems from language design of Go, notably the garbage collected nature of the language and the extensive runtime. This also prohibits any future effort to run the same code in userspace and Linux kernel space.
The users should expect improved speed, memory consumption, security (better control of secrets for "forward secrecy") and stability, wherever the userspace implementation is used. We also expect that the switch from Go to Rust might bring improved battery life on mobile platforms. For developers and potential contributes to the WireGuard project, the Rust implementation is also intended to ease integration into other software (notably the iOS and Android applications), as well as provide better compartmentalization of the different WireGuard components.
Run by WireGuard
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.