WireGuard is getting a native, high-performance port to the Windows kernel
If you frequently use VPNs (virtual private networks), you’ll be excited to hear about a new project called WireGuardNT. For those unfamiliar, WireGuard is a relatively new VPN tunneling protocol that employs modern cryptography standards, has a secure code base, and has great performance. It’s integrated into the Linux kernel with version 5.6, but to date, there’s only ever been a userspace implementation on Windows. That’s where WireGuardNT comes in: It’s a native port of WireGuard to the Windows kernel, and it promises to make things much faster.
WireGuard on Windows currently uses a shared Go codebase with a TUN driver called Wintun. It works in userspace, and as the announcement puts it, it “shepherds packets to and from the Wintun interface”. With WireGuardNT, the whole protocol is implemented directly into Windows’ networking stack, just like on Linux.
While the performance of WireGuard on Windows is already pretty great, the plan is for it to get better with WireGuardNT. This project is still in its early stages, though, but even before additional tweaks and optimizations are made, it’s still faster by being native in the kernel. This can be attributed in part to the reduced overhead and latency from all the context switches happening with the old wireguard-go/Wintun implementation.
After some months of hard work, WireGuardNT, a high-performance WireGuard implementation for the Windows kernel, is finally released! It should offer significant performance, stability, and integration improvements. https://t.co/uFa4h9Wr4J pic.twitter.com/XryfhlwLgt
— Edge Security (@EdgeSecurity) August 2, 2021
But how much faster is the new WireGuardNT implementation over the old userspace version? Over a wired connection, the developers are seeing speeds as fast as 7.5Gbps; the developers have also noticed significant performance improvements over Wi-Fi, too. For example, one tester with an Intel AC9560 WiFi card was getting ~600Mbps without WireGuard, ~95Mbps with the old userspace version over WiFi, and ~600Mbps with the WireGuardNT implementation over WiFi. Basically, the wireless performance hit from the old userspace version has been eliminated thanks to the new native kernel port, and the wired performance has been upgraded significantly.
As mentioned, the project is still in the early stages. To get it ready for release, there are three phases to the project in version 0.4.z of the WireGuard for Windows client. The first stage, which we’re in right now, sees WireGuardNT hidden behind the ‘ExperimentalKernelDriver’ registry knob, so if you don’t turn it on, it won’t be enabled. The second phase will see the native kernel implementation enabled by default. The third, and final, phase will see the removal of the old wireguard-go/Wintun userspace implementation from the Windows client, though it will still be maintained to support other apps and uses.
As is the case with experimental releases like this, developer Jason Donenfeld hopes that people will try it out to find bugs and leave feedback. WireGuardNT is part of the WireGuard client for Windows now, and it’s in version 0.4. You can download it here, or you can read more about the project here.
An earlier version of this article stated that the networking performance gains were only significant over a wireless connection.