WireGuardNT replacing WireGuard-go on Windows?

Just saw an article in Ars Technica about the new native kernel driver in the main WireGuard binary. I was curious about what impact, if any, this is going to have on the Tailscale Windows client when that feature comes out of preview in WG. Seems like the performance improvements are pretty dramatic.

It will take some work before Tailscale could implement use of a kernel implementation, but the Windows development effort is being paid close attention to.

In particular, this degree of kernel integration can be a pretty big security risk. One of the benefits of wireguard-go is it’s written in a memory-safe language, so barring any problems in wintun (which is generally pretty minimal and carefully written), it should be hard to trick it into a security compromise.

There are also various features like our DERP transport and NAT traversal that don’t work in core wireguard, which would be hard to port.

We’ll get there eventually. But at the moment, performance of wireguard-go on Windows is already quite good. The wintun interface in particular is pretty high performance. Probably we could go a bit further at optimizing our use of Windows sockets, I guess, but most people have not seen any performance bottlenecks on Windows yet.
