WireGuard Archive on lore.kernel.org
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>,
	openvpn-devel@lists.sourceforge.net,  dev@nmap.org,
	Simon Rozman <simon@rozman.si>
Subject: [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows
Date: Fri, 22 Mar 2019 19:04:02 -0600
Message-ID: <CAHmME9r1VmJLSqrb8vQN3HOqeVX2QLs1-9wPYQL-UwNU6EJNLA@mail.gmail.com>

Hi everybody,

[Cross-posting to WireGuard, OpenVPN, and Nmap/npcap mailing lists.]

Simon and I are pleased to announce the start of a new project, made
for WireGuard and for others too: Wintun, a layer 3 TUN driver for

Homepage: https://www.wintun.net/

A TUN driver lets userspace programs act as virtual network cards,
reading and writing packets directly into the network stack, as though
they came from a real network adapter. While Linux and the BSDs have
had /dev/tun for ages, Windows typically hasn't had any native

Recently, Microsoft released a VPN UWP API, but it's lacking in
features, documentation is under NDA, and after reversing it for a
bit, it doesn't seem capable of doing many of the more advanced
routing and roaming things we want. Indeed it turns out that having a
real network adapter and some basic file handles is much preferable to
layers of API and abstraction.

On the flipside, OpenVPN's tap-windows6 project and the numerous
drivers from SoftEther have all provided similar functionality for
many years, and these efforts have produced something moderately
stable. We were, in fact, quite inspired by SoftEther's Neo6 driver.
However, these projects were written in a different age, the era of
NDIS5, and then ported later to NDIS6. This means they haven't
benefited from things like Windows 7's NdisMediumIP, which allows for
native layer 3 tunneling, without having to do layer 2 emulation.
Drivers like OpenVPN's tap-windows6 also do some somewhat nasty
things, like emulate DHCP from inside the kernel for network
configuration. The code is old and complicated. As usual, I wanted
instead something tiny and dumb that we can reason about, which does
things in a "right" and "boring" way for a narrower use case: layer 3

Wintun is our attempt at making a dumb layer 3 pipe, that doesn't do
anything fancy, and just shuffles bundles of packets between userspace
and the kernel driver. It's being used for WireGuard's Windows port.
We'd like to make it available and easy to use for other projects too
that need layer 3 userspace tunneling capabilities, like OpenVPN and
SoftEther. (Also, it may be just a matter of time before somebody
takes the tiny base of it, sticks the crypto in the kernel, and makes
WireGuard super fast on Windows.)

Have we succeeded in accomplishing our goals? Certainly not yet. At
the present moment [folks reading this in the future: check the date
of this email], I'd expect Wintun to be slower, buggier, and lower
quality than anything else out there. But we thought it'd be a good
idea to release sooner rather than later in order to have some more
eyeballs on it. It's the kind of codebase that _certainly_ needs some
cleanup and a thorough security audit. On the plus side, cloc(1) tells
me that it's only 950 lines. Still, NT programming is hard, and I'm
pretty certain we've made mistakes and left ugly corners. Consider
this email a statement of intent rather than an announcement of a
completed project.

So, if you're interested in NDIS programming and want to lend a hand,
don't hesitate to get in touch. We're eager for smart NT folks to help
us out.

Details are over on https://www.wintun.net/ where you may also find
rabbits bringing windows into tunnels. Enjoy!

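The announcement describes Wintun as a dumb layer 3 pipe that shuffles bundles of packets between userspace and the kernel, and stresses that a driver of this kind needs careful review. The following is an added example, not Wintun's code and not its actual ring layout: it walks a constructed buffer of back-to-back IP packets, delimiting each by its own IPv4 Total Length or IPv6 Payload Length field, and shows the bounds checks such a walker must perform so that a header claiming more bytes than are present cannot drive a read past the end of the buffer. The bundle format, sample addresses and payloads are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Wintun code. The "bundle" layout (IP packets laid
 * back to back, each delimited by its own length field) is assumed for
 * illustration only; it is not Wintun's real format. */

#define IPV4_HLEN_MIN 20
#define IPV6_HLEN     40

/* Return the length the IP header at pkt claims for its packet, or 0 if the
 * available bytes do not hold a plausible IPv4/IPv6 header. On a layer 3
 * path only IP can appear: there is no Ethernet header, no ARP, no LLC. */
static size_t ip_packet_len(const uint8_t *pkt, size_t avail)
{
    if (avail < 1)
        return 0;
    unsigned ver = pkt[0] >> 4;
    if (ver == 4) {
        if (avail < IPV4_HLEN_MIN)
            return 0;
        size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;      /* header length in bytes */
        size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* Total Length */
        if (ihl < IPV4_HLEN_MIN || total < ihl)          /* header contradicts itself */
            return 0;
        return total;
    }
    if (ver == 6) {
        if (avail < IPV6_HLEN)
            return 0;
        size_t payload = ((size_t)pkt[4] << 8) | pkt[5]; /* Payload Length */
        return IPV6_HLEN + payload;
    }
    return 0;
}

typedef void (*pkt_cb)(const uint8_t *pkt, size_t len, void *ctx);

/* Walk a bundle and hand each well-formed packet to cb. Returns the number
 * of packets accepted, or -1 if any header is truncated or claims more bytes
 * than remain; the caller should then drop the whole bundle rather than
 * trust anything after the bad packet. */
static int walk_bundle(const uint8_t *buf, size_t buflen, pkt_cb cb, void *ctx)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        size_t len = ip_packet_len(buf + off, buflen - off);
        if (len == 0 || len > buflen - off)   /* truncated or lying length field */
            return -1;
        if (cb)
            cb(buf + off, len, ctx);
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample: a minimal IPv4 packet (20-byte header, 8-byte payload)
 * followed by a minimal IPv6 packet (40-byte header, 4-byte payload).
 * Addresses and checksums are placeholders; only the length fields matter. */
static const uint8_t good_bundle[] = {
    0x45, 0x00, 0x00, 0x1c,                          /* IPv4, IHL 5, total length 28 */
    0x00, 0x01, 0x00, 0x00,                          /* id, flags/fragment offset */
    0x40, 0x11, 0x00, 0x00,                          /* TTL 64, proto UDP, checksum */
    0x0a, 0x00, 0x00, 0x01,                          /* src 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,                          /* dst 10.0.0.2 */
    0x30, 0x39, 0x30, 0x39, 0x00, 0x08, 0x00, 0x00,  /* 8-byte UDP header as payload */
    0x60, 0x00, 0x00, 0x00, 0x00, 0x04, 0x3b, 0x40,  /* IPv6, payload 4, nh 59, hop 64 */
    0xfd, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, /* src fd00::1 */
    0xfd, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, /* dst fd00::2 */
    0xde, 0xad, 0xbe, 0xef                           /* 4-byte payload */
};

static void count_versions(const uint8_t *pkt, size_t len, void *ctx)
{
    int *counts = ctx;            /* counts[0] = IPv4, counts[1] = IPv6 */
    (void)len;
    counts[(pkt[0] >> 4) == 6]++;
}

/* Well-formed bundle: both packets accepted (returns 2). */
int demo_good_bundle(void)
{
    int counts[2] = {0, 0};
    int n = walk_bundle(good_bundle, sizeof good_bundle, count_versions, counts);
    return (n == 2 && counts[0] == 1 && counts[1] == 1) ? n : -2;
}

/* Same bytes, but the IPv4 Total Length is rewritten to 100 while only 28
 * bytes of that packet exist: the walker rejects the bundle (returns -1)
 * instead of reading past the buffer. */
int demo_lying_length(void)
{
    uint8_t bad[sizeof good_bundle];
    memcpy(bad, good_bundle, sizeof bad);
    bad[2] = 0x00;
    bad[3] = 0x64;
    return walk_bundle(bad, sizeof bad, NULL, NULL);
}

/* Buffer cut off part-way through the IPv6 header: rejected (returns -1). */
int demo_truncated(void)
{
    return walk_bundle(good_bundle, 28 + 20, NULL, NULL);
}

int main(void)
{
    printf("good bundle: %d packets\n", demo_good_bundle());
    printf("lying length: %d\n", demo_lying_length());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

The two failure cases are the ones a kernel-side consumer of userspace-supplied buffers cannot afford to get wrong: a length field that points past the end of the mapping, and a buffer that ends before a header is complete. Rejecting the whole bundle on the first inconsistency is deliberate; once one length field has lied, the offsets of everything after it are untrustworthy.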


Thread overview: 4+ messages
2019-03-23  1:04 Jason A. Donenfeld [this message]
2019-03-23 21:10 ` Alen Opacic
2019-03-25 10:23 ` [Openvpn-devel] " Arne Schwabe
2019-03-25 10:37   ` Jason A. Donenfeld
