The long-awaited WireGuard secure VPN tunnel functionality looks like it will land with the Linux 5.6 kernel cycle happening in early 2020. The Linux 5.5 cycle kicks off next week, but the necessary crypto subsystem changes have yet to take place and the new WireGuard code still needs a final sign-off.
For a long while, the blocker to getting WireGuard merged into the Linux kernel was its Zinc cryptography code, which needed to be mainlined first and was proving difficult. While WireGuard was ready to fold and adapt to Linux’s existing crypto API, crypto subsystem improvements making use of some Zinc design improvements materialized in the interim. It’s those crypto improvements, now expected to land soon in the crypto development tree, that in turn open the door for the WireGuard networking code itself to merge.
The crypto improvements aren’t queued in the “cryptodev” Git tree, so it’s possible they could be held off until Linux 5.6. Following that, getting the net-next tree to pull in that updated crypto implementation would pave the way for the WireGuard module to land.
WireGuard lead developer Jason Donenfeld has sent out an RFC patch to net-next for getting a final public review on the WG code:
“This commit implements WireGuard as a simple network device driver, accessible in the usual RTNL way used by virtual network drivers. It makes use of the udp_tunnel APIs, GRO, GSO, NAPI, and the usual set of networking subsystem APIs. It has a somewhat novel multicore queueing system designed for maximum throughput and minimal latency of encryption operations, but it is implemented modestly using workqueues and NAPI. Configuration is done via generic Netlink, and following a review from the Netlink maintainer a year ago, several high profile userspace have already implemented the API.”
That latest (and hopefully last) RFC series for WireGuard can be found on the Linux kernel mailing list. So barring any surprises for better (say, a last-minute 5.5 merge window push) or worse (significant issues in the WireGuard code or crypto dependency), it’s looking like this long-awaited VPN addition will make it to mainline with Linux 5.6. In the meantime, the out-of-tree DKMS module for WireGuard works great.