It's hard to imagine the modern Internet without a VPN. For many years, VPNs have extended private networks across public networks, enabling users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. As a consequence, users can bypass particular geographical restrictions and keep their data secure. The VPN software landscape, however, has had a myriad of problems, which WireGuard, a new secure tunneling protocol, aims to address.
OpenVPN, IPsec, and their problems
Today's well-known VPN solutions on Android are OpenVPN and IPsec, but they are not without problems. The popularity of OpenVPN makes some sense, as it is easier to configure than IPsec and has been around for a long time. While the project is a somewhat acceptable solution for most users, its complexity is overwhelming. OpenVPN consists of around 120,000 lines of code. That much code makes the project almost impossible to audit and secure, as witnessed by the massive trail of security bugs over the last few years. OpenVPN also lives in userspace, making it quite slow, since every packet must be copied several times and incurs several context switches. IPsec, IKEv2, L2TP, PPTP, and related 90s technologies are also quite popular, but similarly problematic, being large bulky codebases — StrongSwan is around 430,000 lines of code, in addition to the entire kernel XFRM layer — and based on outdated 90s cryptographic wisdom. The ordinary use of these protocols is also very "chatty," sending traffic unnecessarily, resulting in reduced battery life on laptops and mobile phones.
An Exciting New VPN Project: WireGuard
Recently we had the pleasure to talk to one of our Recognized Developers, zx2c4. In real life, he is Jason Donenfeld, the author of WireGuard, a next-generation VPN tunnel that may soon dethrone OpenVPN and IPsec. Launched in 2015, WireGuard offers cutting-edge cryptography, is easier to audit since it is less than 4,000 lines of code, and is quite easy to use.
WireGuard is a novel VPN that runs inside the Linux kernel and utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding its massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. It runs over UDP.
The reception to WireGuard has been very positive, both inside the security community and inside the kernel community, with Greg KH, the stable maintainer of the Linux kernel, endorsing it after a thorough code review. It has been presented around the world, with the FOSDEM presentation being perhaps particularly relevant for XDA readers. The WireGuard white paper has been peer-reviewed by the academic community as well.
The protocol is very nice for mobile phones because it was developed as a "stealth VPN," by default not sending any packets unless there is actual data to be sent. This has the effect of not draining the battery the way other VPN clients commonly do. Additionally, WireGuard allows roaming freely between different IP addresses, meaning you can transition between WiFi and cellular connections, or between any other kinds of connections, without having to re-establish the connection; it's entirely seamless.
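The two behaviours just described, silence when idle and roaming across addresses, as an added Python model that is not WireGuard's own code: it uses keyed BLAKE2s (which WireGuard does use for its MACs) in place of the real ChaCha20-Poly1305 AEAD, and a constructed DEMO_KEY in place of a handshake-derived session key; the Peer and Tunnel classes, the sample addresses and the 25-second keepalive value are assumptions for illustration. The security point it makes is that a peer's endpoint may only follow the source address of a packet that authenticated, so a forged datagram cannot redirect the tunnel, and that with the default keepalive of zero an idle tunnel emits nothing.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, UDP port)
TAG_LEN = 16                 # length of the keyed-BLAKE2s tag used below

# Constructed session key for the demo; in WireGuard it would come from the
# Noise IK handshake and data would be protected with ChaCha20-Poly1305.
DEMO_KEY = bytes(range(32))


def auth_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed BLAKE2s over the payload: a stand-in for the real AEAD so that
    'authenticated packet' means something concrete in this model."""
    return hashlib.blake2s(payload, key=key, digest_size=TAG_LEN).digest()


class Peer:
    """One remote peer: its session key, last known endpoint and keepalive setting."""

    def __init__(self, key: bytes, endpoint: Optional[Endpoint], keepalive: int = 0):
        self.key = key
        self.endpoint = endpoint          # None until first heard from (server side)
        self.keepalive = keepalive        # seconds; 0 means off, WireGuard's default
        self.last_tx = 0.0


class Tunnel:
    """One side of a point-to-point tunnel. `sent` records every datagram it emits."""

    def __init__(self, peer: Peer):
        self.peer = peer
        self.sent: List[Tuple[Endpoint, bytes]] = []

    def _emit(self, now: float, payload: bytes) -> None:
        if self.peer.endpoint is None:
            raise RuntimeError("no endpoint known for this peer yet")
        self.sent.append((self.peer.endpoint, payload + auth_tag(self.peer.key, payload)))
        self.peer.last_tx = now

    def send_data(self, now: float, data: bytes) -> None:
        """Outbound user data is what makes the tunnel transmit."""
        self._emit(now, data)

    def tick(self, now: float) -> None:
        """Periodic timer. Without an opt-in keepalive the idle tunnel stays silent."""
        ka = self.peer.keepalive
        if ka and self.peer.endpoint is not None and now - self.peer.last_tx >= ka:
            self._emit(now, b"")      # empty authenticated keepalive datagram

    def receive(self, now: float, src: Endpoint, datagram: bytes) -> Optional[bytes]:
        """Verify the tag; only an authentic datagram may move the peer's endpoint."""
        if len(datagram) < TAG_LEN:
            return None
        payload, mac = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        if not hmac.compare_digest(mac, auth_tag(self.peer.key, payload)):
            return None               # forged packet: endpoint untouched, payload dropped
        self.peer.endpoint = src      # roaming: follow the latest authenticated source
        return payload


def roaming_demo() -> dict:
    """Walk through idle silence, Wi-Fi to cellular roaming, a forged packet and keepalives."""
    phone = Tunnel(Peer(DEMO_KEY, endpoint=("203.0.113.5", 51820)))   # server's static address
    server = Tunnel(Peer(DEMO_KEY, endpoint=None))                    # phone's address unknown

    # 1. A minute of idle timer ticks produces no traffic at all.
    for t in range(0, 61, 5):
        phone.tick(t)
    idle_packets = len(phone.sent)

    # 2. Phone on Wi-Fi sends data; the server learns where it is.
    phone.send_data(61, b"GET /")
    server.receive(61, ("198.51.100.10", 40000), phone.sent[-1][1])
    first_endpoint = server.peer.endpoint

    # 3. Same session, but the phone now arrives from a cellular address.
    phone.send_data(120, b"GET /again")
    server.receive(120, ("192.0.2.77", 12345), phone.sent[-1][1])
    roamed_endpoint = server.peer.endpoint

    # 4. A datagram with a bogus tag from elsewhere must not redirect the tunnel.
    server.receive(121, ("10.66.66.66", 9), b"junk" + bytes(TAG_LEN))
    after_spoof = server.peer.endpoint

    # 5. Opting in to a 25 s keepalive makes the idle phone transmit periodically.
    phone.peer.keepalive = 25
    before = len(phone.sent)
    for t in range(121, 200):
        phone.tick(t)
    keepalives = len(phone.sent) - before

    return {"idle_packets": idle_packets, "first_endpoint": first_endpoint,
            "roamed_endpoint": roamed_endpoint, "after_spoof": after_spoof,
            "keepalives": keepalives}


if __name__ == "__main__":
    print(roaming_demo())
```

Running the module prints the five observations: zero idle packets, the Wi-Fi endpoint learned first, the cellular endpoint after roaming, the same cellular endpoint after the forged datagram, and three keepalives in the 79 seconds after opting in. The keepalive is the one knob that trades the battery-friendly silence for NAT-mapping persistence, which is why it is off unless configured.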
The speed is best in class, offering SSSE3, AVX, AVX2, AVX512, and NEON-accelerated implementations of its ciphers. Its use of ChaCha20 means that it is extremely fast on nearly all hardware. In testing, WireGuard handily beats other protocols.
WireGuard is not only the fastest VPN on the block, but the cryptography has also been formally verified, which means there are mathematical proofs that its cryptographic constructs are secure in the symbolic model. While the cryptography is modern, it is also conservative, erring on the side of paranoia rather than the side of frivolousness. That, combined with its tiny and easily auditable code base, makes WireGuard very reliable from a security perspective.
WireGuard and Android Support
While WireGuard is primarily developed as an optimized kernel module for Linux, there is a userspace portable version in the works, so that it can be distributed in apps in the Play Store without needing root access. However, while the userspace implementation is still faster than the competition, much of the WireGuard magic shines when the native kernel module is used. For this reason, the primary interest of WireGuard to the XDA development community lies in integrating the kernel module into ROMs directly.
WireGuard has already made its way into some ROMs, in fact. Most notably, it's integrated into Sultanxda's popular ROMs for the OnePlus 3/3T, and other developers will surely follow. The patching procedure is quite simple and can be done in a few steps. The best place to find the reference is the android_kernel_wireguard git repository page, as well as zx2c4's XDA thread on adding it to ROMs.
The currently in development Android app uses the kernel module opportunistically, if it is available, and otherwise falls back to using the userspace implementation. The app has a GUI for defining VPN tunnels, checking status, and very nicely adds a toggle switch to the notification area to turn on and off tunnels. Below you can have a glimpse of the simple toggling interface of the early versions of the app.
The WireGuard development team is currently recruiting Android GUI developers to work alongside them as they make advances in the core technology. If any XDA developers are interested, they shouldn't hesitate to reach out to zx2c4. The WireGuard project is completely open-source and transparent.
Overall, WireGuard appears to be the future of VPNs and secure network tunnels, embracing rock solid modern cryptography, a secure auditable code base, and an innovative protocol well suited for smartphones. Its usage on the Linux server and desktop is already highly regarded, marching solidly ahead into mainline Linux. We at XDA look forward to seeing WireGuard come to Android and our ROMs.
If you are eager to test out WireGuard on your device, contact your ROM developer or recompile the ROM yourself. You can also grab the alpha version of the application from the official thread or the Google Play store.
Visit the WireGuard thread on XDA
from xda-developers http://ift.tt/2AGbTWM