The new WireGuardNT breaks performance ceilings in Windows

Forget flexible cell phones, we're waiting for mobile phone plushies that work.

The WireGuard VPN project announced an important milestone for its Windows users today: a brand-new kernel-mode implementation of the VPN protocol called WireGuardNT. The new implementation enables vastly improved performance on 10Gbps LAN connections, and also on many Wi-Fi connections.

WireGuard (on Windows) and Wintun

The original WireGuard implementation on Windows uses wireguard-go, a user-space implementation of WireGuard written in Google’s Go programming language. Wireguard-go then links to a virtual network device, most of which also lives in user space. Donenfeld didn’t like tap-windows, the virtual network interface provided by the OpenVPN project, so he implemented his own replacement from scratch, called Wintun.

Wintun is a definite improvement over tap-windows – the OpenVPN project itself has implemented Wintun support, with impressive results (414Mbps over tap-windows vs 737Mbps over Wintun). But while using Wintun is an improvement over tap-windows, it doesn’t remove the need for constant context switches between kernel space (where the “real” network stack lives) and user space (where OpenVPN and wireguard-go live).

To get rid of the remaining performance bottlenecks, the entire stack (virtual adapter, crypto, and all) must be built into the kernel. On Linux, that means being a DLKM (dynamically loadable kernel module). On Windows, that means being a proper kernel-mode device driver.

WireGuardNT and the NT kernel

Removing user space components from the WireGuard stack on Windows and keeping everything in the kernel means changing WireGuard to work on Windows the way it already works on Linux. In fact, WireGuardNT started out as a direct port of the WireGuard implementation in the Linux kernel.

According to WireGuard creator Jason Donenfeld, once the initial port was successful, “the NT code base quickly diverged to fit in well with native NTisms and NDIS API. The end result is a deeply integrated, high-performance implementation of WireGuard for the NT kernel, leveraging the full range of NT and NDIS kernel capabilities.”

This also, of course, means getting rid of a lot of context switches. The end results are solid – more than three times the top-end performance, measured with Ethr on a pair of Equinix Metal c3.small instances.

However, the benefits of less context switching extend beyond Xeon servers with 10 Gbps interfaces; Donenfeld mentioned that some early testers reported that WireGuardNT resolved the sometimes massive performance hits seen when using their VPN connection over Wi-Fi.

We tested the difference directly, using an HP EliteBook with an Intel AX201 Wi-Fi 6 card, connected to the router node of a Plume Wi-Fi 6 Superpods test kit. Although our results were not as dramatic as those of some of the early testers, they do confirm a significant increase in performance. On the same equipment and with the same settings, we measured iperf3 over WireGuardNT running 10-25 percent faster than over wireguard-go and Wintun.

Testing WireGuardNT today

WireGuardNT is available for testing in the general WireGuard for Windows download now, as of version 0.4. But since it is still classified as experimental, you will need to manually add a registry key and a DWORD to use it. Open regedit as administrator, then navigate to HKLM -> Software. Next, create a key called WireGuard and, within that key, a DWORD called ExperimentalKernelDriver.

With ExperimentalKernelDriver set to 1, your tunnels will use the new WireGuardNT code; without it (or with it set to 0) they will use the default behavior, which is the old wireguard-go / Wintun code. For your change to take effect, you will need to right-click on the WireGuard icon in the system tray and click “Exit.” When you reopen the WireGuard application, it will honor your ExperimentalKernelDriver setting.
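The same registry toggle as a script, written here as an added example rather than code from the article or from the WireGuard project. The key path and value name are the ones the article gives; the script assumes an elevated PowerShell session and does not exit or restart the WireGuard app, which you still do by hand as described above.

```powershell
# Added example (not from the article or the WireGuard project): set or read the
# ExperimentalKernelDriver DWORD under HKLM\SOFTWARE\WireGuard. Run elevated;
# the WireGuard app must still be exited and reopened for the change to apply.
$KeyPath   = 'HKLM:\SOFTWARE\WireGuard'
$ValueName = 'ExperimentalKernelDriver'

function Set-WireGuardKernelDriver {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # Create the key only if it is missing, so existing values under it are untouched
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Create the DWORD, or overwrite it if it already exists (-Force)
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
    # Read the value back so a failed or filtered write is reported, not silently ignored
    $actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($actual -ne $Enabled) {
        throw "Verification failed: $ValueName is '$actual', expected $Enabled"
    }
    return $actual
}

function Get-WireGuardBackend {
    # Mirrors the rule in the article: 1 selects WireGuardNT; absent or 0 keeps
    # the default wireguard-go + Wintun backend.
    $value = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
        -ErrorAction SilentlyContinue).$ValueName
    if ($value -eq 1) { 'WireGuardNT (kernel driver)' }
    else              { 'wireguard-go + Wintun (user space, default)' }
}

# Enable the kernel driver, then report which backend the app will use on next start
Set-WireGuardKernelDriver -Enabled 1 | Out-Null
Get-WireGuardBackend
```

Run `Set-WireGuardKernelDriver -Enabled 0` to revert to the user-space backend.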

In the future, WireGuardNT will be enabled by default and you will need to set a registry key instead if you want the old code. Beyond that, the project plans to eventually remove wireguard-go / Wintun from the general binary entirely. The projects themselves, on the other hand, will stick around, as they have wide utility beyond the standard WireGuard client.
