DragonFly BSD core now supports VPN WireGuard

About 100 changes related to WireGuard VPN support have been accepted into the kernel of the DragonFly BSD operating system. The "wg" driver implementing the WireGuard protocol was ported from FreeBSD, while the code for the cryptographic functions, the network interface and the ioctl API (for control from user space) was borrowed from OpenBSD. The changes to the ifconfig utility needed to configure the VPN were also carried over from OpenBSD. The implementation is compatible with all official WireGuard clients for Linux, Windows, macOS, *BSD, iOS and Android. DragonFly BSD thus becomes the fifth open operating system, after Linux, OpenBSD, NetBSD and FreeBSD, with integrated WireGuard support.

WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using it to bind the peers' public keys. To negotiate keys and establish connections without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted encapsulated in UDP packets. Changing the IP address of the VPN server (roaming) is supported without dropping the connection, with the client reconfigured automatically.
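The cryptokey routing concept described above can be illustrated with a small model. The following Python code is an added example written for this article; it is not code from DragonFly BSD, FreeBSD, OpenBSD or the WireGuard project, and the peer names ("PEER_A_PUBKEY" and so on) are constructed placeholders standing in for real Curve25519 public keys. It shows the two halves of the binding: an outbound packet is encrypted for the peer whose allowed IPs contain the destination, and an inbound packet, once decrypted under a peer's session, is accepted only if its inner source address belongs to that peer's allowed IPs. The second check is what prevents one authenticated peer from injecting traffic that appears to come from another.

```python
"""Model of WireGuard-style cryptokey routing (hypothetical illustration).

Each peer's public key is bound to a set of allowed IP ranges. Outbound
packets are routed to the peer whose allowed IPs contain the destination;
inbound packets are accepted only when the decrypted source address lies
within the sending peer's allowed IPs. Key strings are constructed
placeholders, not real keys.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Peer:
    public_key: str                    # placeholder; a base64 Curve25519 key in real WireGuard
    allowed_ips: list = field(default_factory=list)   # ip_network objects


class CryptokeyRouter:
    def __init__(self) -> None:
        self.peers: Dict[str, Peer] = {}

    def add_peer(self, public_key: str, allowed: List[str]) -> None:
        nets = [ip_network(a, strict=False) for a in allowed]
        self.peers[public_key] = Peer(public_key, nets)

    def lookup_outbound(self, dst: str) -> Optional[str]:
        """Return the public key of the peer to encrypt for.

        Longest-prefix match, so a /32 bound to one peer wins over a
        0.0.0.0/0 default route bound to a gateway peer.
        """
        addr = ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr.version == net.version and addr in net and net.prefixlen > best_len:
                    best, best_len = peer.public_key, net.prefixlen
        return best

    def accept_inbound(self, sender_key: str, src: str) -> bool:
        """Anti-spoofing check applied after decryption.

        The packet authenticated under sender_key's session is accepted only
        if its inner source IP is one that sender is allowed to use.
        """
        peer = self.peers.get(sender_key)
        if peer is None:
            return False
        addr = ip_address(src)
        return any(addr.version == n.version and addr in n for n in peer.allowed_ips)


def demo() -> Dict[str, object]:
    """Constructed scenario: two road-warrior peers and one gateway peer."""
    r = CryptokeyRouter()
    r.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32"])
    r.add_peer("PEER_B_PUBKEY", ["10.0.0.3/32", "192.168.50.0/24"])
    r.add_peer("GATEWAY_PUBKEY", ["0.0.0.0/0"])     # everything else goes via the gateway
    return {
        "to_a": r.lookup_outbound("10.0.0.2"),            # PEER_A_PUBKEY
        "to_b_lan": r.lookup_outbound("192.168.50.7"),    # PEER_B_PUBKEY
        "to_internet": r.lookup_outbound("8.8.8.8"),      # GATEWAY_PUBKEY
        "b_claims_own": r.accept_inbound("PEER_B_PUBKEY", "10.0.0.3"),   # True
        "b_spoofs_a": r.accept_inbound("PEER_B_PUBKEY", "10.0.0.2"),     # False: dropped
        "unknown_peer": r.accept_inbound("UNKNOWN_PUBKEY", "10.0.0.2"),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real WireGuard configuration an allowed IP is owned by exactly one peer at a time (adding it to a second peer removes it from the first), so the longest-prefix match above only matters for the overlap between a specific range and a catch-all 0.0.0.0/0 route; the inbound check is the one that does the security work.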

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) are used, designed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure counterparts to AES-256-CTR and HMAC, whose software implementations achieve constant execution time without special hardware support. The shared secret key is derived with the elliptic-curve Diffie-Hellman protocol over Curve25519, also proposed by Daniel Bernstein. The BLAKE2s algorithm (RFC 7693) is used for hashing.
