Update New WireGuardNT shatters throughput ceilings on Windows


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
The WireGuard VPN project announced a major milestone for its Windows users today—an all-new, kernel-mode implementation of the VPN protocol called WireGuardNT. The new implementation allows for massively improved throughput on 10Gbps LAN connections—and on many WI-Fi connections, as well.

WireGuard (on Windows) and Wintun​

The original implementation of WireGuard on Windows uses wireguard-go—a userspace implementation of WireGuard written in Google's Go programming language. Wireguard-go is then tied to a virtual network device, the majority of which also lives in userspace. Donenfeld didn't like tap-windows, the virtual network interface provided by the OpenVPN project—so he implemented his own replacement from scratch, called Wintun.

Wintun is a definite improvement over tap-windows—the OpenVPN project itself has implemented Wintun support, with impressive results (414Mbps over tap-windows vs 737Mbps over Wintun). But while using Wintun is an improvement over tap-windows, it doesn't change the need for constant context switches from kernel space (where the "real" network stack lives) and userspace (where OpenVPN and wireguard-go both live).

In order to get rid of the remaining performance bottlenecks, the entire stack—virtual adapter, crypto, and all—needs to get pulled into the kernel. On Linux, that means being a DLKM (Dynamically-Loadable Kernel Module). On Windows, that means being a proper in-kernel device driver.

WireGuardNT and the NT kernel​

Ditching userspace components of the WireGuard stack on Windows and keeping everything in-kernel means changing WireGuard to work on Windows the way it works on Linux already. In fact, WireGuardNT began as a direct port of the Linux in-kernel WireGuard implementation.

According to WireGuard creator Jason Donenfeld, once the initial port succeeded, "the NT codebase quickly diverged to fit well with native NTisms and NDIS APIs. The end result is a deeply integrated and highly performant implementation of WireGuard for the NT kernel, that makes use of the full gamut of NT kernel and NDIS capabilities."