Jason A. Donenfeld, the creator of the WireGuard VPN, recently unveiled the first major release of its Windows client software, WireGuard for Windows 1.0, along with the WireGuardNT 1.0 driver for the Windows 10 and 11 kernel. The driver supports the AMD64, x86, and ARM64 architectures. The Windows kernel component is distributed under the GPLv2 license, while the client software is licensed under the MIT license.
This new port is built on the code base of the main WireGuard implementation for the Linux kernel, adapted to use Windows kernel primitives and the NDIS network stack. Unlike the wireguard-go implementation, which runs in user space over the Wintun network interface, WireGuardNT delivers a substantial performance gain by eliminating context switches and the copying of packet contents between the kernel and user space. As in the Linux, OpenBSD, and FreeBSD implementations, WireGuardNT performs all protocol processing directly in the network stack.
Version 1.0 marks a significant milestone: numerous issues have been resolved and the planned work completed, including implementing the NdisWdfGetAdapterContextFromAdapterHandle() function to enhance driver security and tracking the MTU size accurately. The codebase has adopted the C23 standard for consistency and reliability.
WireGuard is based on modern cryptography, offers high performance and ease of use, and has been deployed successfully in a range of high-traffic environments. The project, started in 2015, has had its cryptographic design formally verified. WireGuard uses cryptokey routing: a private key is attached to each network interface, and peers are bound by their public keys.
Public keys are exchanged to establish a connection, much as in SSH. The project uses the Noise_IK handshake from the Noise Protocol Framework to negotiate keys and connect without a separate user space daemon. Data is transmitted encapsulated in UDP packets, which allows the VPN server's IP address to change (roaming) without dropping the connection.
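To make cryptokey routing concrete, here is an added Python illustration (not code from the WireGuard project): each peer is bound to a set of AllowedIPs by its public key, an outgoing packet is encrypted to the peer with the longest matching prefix, and an inner packet that decrypted under a peer's key is dropped unless its source address falls within that peer's AllowedIPs. The peer names, placeholder key strings and addresses are constructed for the example.

```python
"""Cryptokey routing as WireGuard describes it: every peer is identified by its
public key and bound to a set of AllowedIPs.  Outgoing traffic goes to the peer
whose AllowedIPs contain the destination (longest prefix wins); inner packets are
dropped unless their source lies in the decrypting peer's AllowedIPs.  Added
illustration; keys and addresses are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple, Union
import ipaddress

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Peer:
    public_key: str                 # placeholder string, not a real Curve25519 key
    allowed_ips: Tuple[str, ...]    # CIDR prefixes this peer may send from / receive for


class CryptokeyTable:
    def __init__(self, peers: Iterable[Peer]):
        # One prefix belongs to exactly one peer at a time; a conflict is rejected
        # here rather than silently reassigned.
        self.routes: Dict[IPNet, Peer] = {}
        for peer in peers:
            for cidr in peer.allowed_ips:
                net = ipaddress.ip_network(cidr, strict=True)
                if net in self.routes:
                    raise ValueError(f"{net} is already assigned to another peer")
                self.routes[net] = peer

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outgoing direction: encrypt to the peer with the longest matching prefix.
        `addr in net` is always False across IPv4/IPv6, so no version check is needed."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[IPNet, Peer]] = None
        for net, peer in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_from_peer(self, peer: Peer, src: str) -> bool:
        """Incoming direction: after authenticated decryption under `peer`'s key,
        the inner source address must be one this peer is allowed to originate."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, owner in self.routes.items() if owner is peer)


# Constructed example configuration: two hosts plus a default-route gateway peer.
LAPTOP = Peer("PUBKEY_LAPTOP_PLACEHOLDER", ("10.0.0.2/32",))
OFFICE = Peer("PUBKEY_OFFICE_PLACEHOLDER", ("10.0.0.3/32", "192.168.50.0/24"))
GATEWAY = Peer("PUBKEY_GATEWAY_PLACEHOLDER", ("0.0.0.0/0",))
TABLE = CryptokeyTable([LAPTOP, OFFICE, GATEWAY])
```

The /0 gateway entry only wins when no more specific peer matches, and a packet arriving under LAPTOP's key but claiming OFFICE's 10.0.0.3 source is rejected, which is the anti-spoofing property that makes the public key double as the routing identity.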
For encryption, WireGuard uses the ChaCha20 stream cipher together with the Poly1305 message authentication code.