WireGuard Kernel/ROM Integration

[zx2c4]

WireGuard is a next generation secure VPN tunnel for the Linux kernel, with modern yet conservative cryptography and simple design principles. It is meant as a replacement for OpenVPN and for IPsec, and generally has better performance and security characteristics than both. It also is much easier to use. The whitepaper was peer reviewed for NDSS17 and the protocol itself has been formally verified. Since it lives in the kernel, it not only is very fast, but it is able to integrate in clever ways that are quite nice for battery life and overall smoothness. There are already commercial VPN providers offering services using WireGuard, and it is very easy to run your own WireGuard servers as well.

Not only is it free software, but WireGuard also comes with free stickers. Send me a DM with how many you want and to where I should send them, and I’ll drop an envelope in the box. (Do not request stickers on the mailing list.)

But WireGuard being awesome is old news. The new news is that now there’s an easy way to integrate it into Android kernels.

WireGuard runs on ordinary Android devices, but ones that have the special WireGuard kernel module will have numerous advantages. That is the topic of this thread. The main interest here in XDA Land is in making the kernelspace version readily available to kernel/ROM devs, which has the best possible performance, battery life, integration, and stability.

Adding to Kernel Trees

If you maintain your own kernel, you may easily patch your kernel tree to support WireGuard with the following commands:

$ curl https://data.zx2c4.com/wireguard-android-kernel-patcher.tar.xz | tar -xJf -
$ wireguard-android-kernel-patcher/doit.bash path/to/kerneltree

This will patch your kernel and create a commit or a series of commits for you.


Everybody: Download the App

The Android GUI app will opportunistically use the kernel component if it's available (patched in using either one of the two methods above), and will then fall back to the userspace implementation otherwise.


Getting Support

Ask or help on IRC in #wireguard on Freenode. DO NOT ASK FOR USER SUPPORT IN THIS THREAD. Devs only, please. User help is on the IRC channel.



XDA:DevDB Information
WireGuard, Kernel for all devices (see above for details)

Contributors
zx2c4
Source Code: https://www.wireguard.com/

Kernel Special Features: WireGuard kernel module integration

Version Information
Status: Release

Created 2017-11-28
Last Updated 2020-12-05

 

[zx2c4]

This post formerly had a list of an incredible amount of ROMs and kernels with WireGuard baked in. But by now, so many kernels have WireGuard that it became impossible to keep track of.

You can check if your current kernel has WireGuard by downloading the WireGuard app and looking at the settings panel. If it says "kernel backend", you have WireGuard in your kernel. If it says "userspace backend", you do not have WireGuard in your kernel.

 

[zx2c4]

Reserved

 

[giltwist]

It is meant as a replacement for OpenVPN and for IPsec, and generally has better performance and security characteristics than both. It also is much easier to use.

Have you been in contact with devs behind DD-WRT, AsusWRT-Merlin, Tomato, etc. to help them integrate it into their router firmwares? I'm interested in the improved security, but it won't be easier than OpenVPN for a lot of people until it's baked into their router.

 

[zx2c4]

Have you been in contact with devs behind DD-WRT, AsusWRT-Merlin, Tomato, etc. to help them integrate it into their router firmwares? I'm interested in the improved security, but it won't be easier than OpenVPN for a lot of people until it's baked into their router.

As far as router firmware goes, in addition to the ordinary Linux distros, it's also integrated into OpenWRT/LEDE and EdgeOS. I haven't talked to the DD, Merlin, and Tomato people yet though. That's a good suggestion.

 

[Devil7DK]

I'm trying to add wireguard to my rom. (ViperOS for Land aka Redmi 3S).

Got this error

FAILED: patch-wireguard
/bin/bash -c "(ln -vsfT \"\$(realpath --relative-to=\"kernel/xiaomi/msm8937/net)\" \"kernel/wireguard/wireguard/src\")\" \"kernel/xiaomi/msm8937/net/wireguard\" ) && (grep -q wireguard \"kernel/xiaomi/msm8937/net/Makefile\" || sed -i \"/^obj-\\\\\\\$(CONFIG_NETFILTER).*+=/a obj-\\\$(CONFIG_WIREGUARD) += wireguard/\" \"kernel/xiaomi/msm8937/net/Makefile\" ) && (grep -q wireguard \"kernel/xiaomi/msm8937/net/Kconfig\" || sed -i \"/^if INET\\\$/a source \\\"net/wireguard/Kconfig\\\"\" \"kernel/xiaomi/msm8937/net/Kconfig\" )"
/bin/bash: realpath: command not found
ln: failed to create symbolic link ‘kernel/xiaomi/msm8937/net/wireguard’ -> ‘’: No such file or directory

Ful log here https://hastebin.com/tegecuzeke.tex

 

[zx2c4]

/bin/bash: realpath: command not found
ln: failed to create symbolic link ‘kernel/xiaomi/msm8937/net/wireguard’ -> ‘’: No such file or directory

The issue is that you don't have `realpath(1)` installed. This is usually a standard part of every linux distribution, and comes in coreutils, since 2011.

In case you're using some ancient distro, I've added a workaround:

https://git.zx2c4.com/android_kernel_wireguard/commit/?id=3736a04ff5cf00d5d07e3e9f33438fbf83dc2401

Try `repo sync` and then see if things work for you.

 

[zelendel]

It will be interesting to see how this goes.

 

[Skello]

As far as router firmware goes, in addition to the ordinary Linux distros, it's also integrated into OpenWRT/LEDE and EdgeOS. I haven't talked to the DD, Merlin, and Tomato people yet though. That's a good suggestion.

I think it might be impossible on some due to old kernel. On my Asus RT-AC68U running the latest AsustWRT-Merlin build, the kernel is: Linux version 2.6.36.4brcmarm ([email protected]) (gcc version 4.5.3 (Buildroot 2012.02) )

 

[zx2c4]

I think it might be impossible on some due to old kernel. On my Asus RT-AC68U running the latest AsustWRT-Merlin build, the kernel is: Linux version 2.6.36.4brcmarm ([email protected]) (gcc version 4.5.3 (Buildroot 2012.02) )

Indeed some devices have simply too old kernels, but many other devices have kernels ≥3.10, which is from 2013.

 

[Devil7DK]

The issue is that you don't have `realpath(1)` installed. This is usually a standard part of every linux distribution, and comes in coreutils, since 2011.

In case you're using some ancient distro, I've added a workaround:

https://git.zx2c4.com/android_kernel_wireguard/commit/?id=3736a04ff5cf00d5d07e3e9f33438fbf83dc2401

Try `repo sync` and then see if things work for you.

Thanks. Will try and report.

 

[zx2c4]

Thanks. Will try and report.

By the way, usually the best way to debug things and work out problems is the #wireguard channel on Freenode, where we can exchange in real time. Feel free to poke us there.

 

[Droidphilev]

Hi,

Nice! Although this is complete Chinese for me i will test laters today. I signed up for the beta on Play and i am a Mullvad user which has Wireguard servers (experimental though). I will try later today and report back if i could get it working. Hopefully its not too soon for this question: will it in future be possible to exclude app from VPN usage. I had problems before with: my banking apps didn't like exotic ip adresses. English is not my native language but as i understand correctly: it can work without a kernel who has this implemented, right?

 

[Devil7DK]

Hi,

Nice! Although this is complete Chinese for me i will test laters today. I signed up for the beta on Play and i am a Mullvad user which has Wireguard servers (experimental though). I will try later today and report back if i could get it working. Hopefully its not too soon for this question: will it in future be possible to exclude app from VPN usage. I had problems before with: my banking apps didn't like exotic ip adresses. English is not my native language but as i understand correctly: it can work without a kernel who has this implemented, right?

If your kernel doesn't have the WireGuard implementation... You can't use it.

 

[Droidphilev]

If your kernel doesn't have the WireGuard implementation... You can't use it.

Ok thanks,

i was refering to this:

"Work continues on making a userspace version of WireGuard that will allow folks to run on normal ROMs without kernel support. This is coming along nicely..."

and this:

"The Android GUI app, which is currently in development, will opportunistically use the kernel component if it's available, and will then fall back to the userspace implementation otherwise. "

So you mean it's not possible *yet*? There's no use for me to start testing if it's not implemented yet of course

 

[Devil7DK]

Ok thanks,

i was refering to this:

"Work continues on making a userspace version of WireGuard that will allow folks to run on normal ROMs without kernel support. This is coming along nicely..."

and this:

"The Android GUI app, which is currently in development, will opportunistically use the kernel component if it's available, and will then fall back to the userspace implementation otherwise. "

So you mean it's not possible *yet*? There's no use for me to start testing if it's not implemented yet of course

User space implementation is not complete yet. I guess...

 

[Droidphilev]

User space implementation is not complete yet. I guess...

Your guess was right my friend. After trying to enable the app i get a warning that, for now, a patched kernel is needed. Thanks for your help!

 

[andersjohansson81]

Hi
Using this on my linux laptop and it seems to work great. however I cant seem to to get it to work on my phone. its sultaanXDA linage for 1+3t and it is supported. I would really like a noob friendly setup guide for the android GUI app. Im using azireVPN

 

[zx2c4]

Hi
Using this on my linux laptop and it seems to work great. however I cant seem to to get it to work on my phone. its sultaanXDA linage for 1+3t and it is supported. I would really like a noob friendly setup guide for the android GUI app. Im using azireVPN

Yes. Sultan's OP3T image is supported.

 

[zx2c4]

Try running this script with "sh script-name.sh" (as root probably) and you should get several configuration files in sdcard/Download/wireguard that you can import in the app. I'm not azireVPN user so I'm not sure this will work but I have tried the same trick (all I change is where the script save the downloaded config files) with Mullvad VPN with success.
Anyway, does anyone know how to allow local network traffic when using Wireguard (or it depends on the config file)? I cannot access local network resources when it's active. Thank you.

Funny, I made essentially the same modification to the script too, for the purposes of making new configs for my phone. You might want to remove the `exec sudo` line at the top, now that it doesn't actually need root. Other than that, the modification looks good.

Local network access is permitted by the default wg-quick(8) stuff on ordinary Linux. But it looks like there might be some special things needed with ndc on Android for pass through. I'll have to look into this. Thanks for the suggestion.