Google Summer of Code
The Linux Foundation umbrella organization is responsible for this year's WireGuard GSoC, so if you're a student, write "Linux Foundation" as your mentoring organization, and then specify in your proposal your desire to work with WireGuard, listing "Jason Donenfeld" as your mentor.
Here are a few projects students might work on, in no particular order. Students are also free to propose their own tasks. If you're interested or have any questions, please write an email to the WireGuard development team.
netns.sh test infrastructure works great, but it could use more tests to examine more code paths.
Separately, some tests that explore packets per second, latency, and buffer bloat issues would be quite handy.
There is plenty of low-hanging fruit for optimizing performance. For example, examine the handshake queue. Could it be parallelized? Is the work queue implementation ideal? What about the transport data path? Could it be faster? Could latency be lowered?
In order to combat buffer bloat, WireGuard could benefit from integrating the fq_codel algorithm and kernel library for managing packet queues and parallelism. There is much related work in the kernel to base this on; in particular, many wireless drivers use the same technique with the same library.
Exponential Backoff and Dynamic Timers
The timer state machine could benefit from being dynamic, in order to deal with extremely high latency networks, such as between Earth and the Moon.
Crypto API Integration
WireGuard currently uses its own crypto primitives. Moving to the Crypto API will require some work, both to WireGuard and to the Crypto API. It would also be interesting to quantify precisely how much slower the kernel's Crypto API is compared to WireGuard's direct primitive implementations.
WireGuard currently uses ioctl, not Netlink. It needs to be ported to Netlink. Since WireGuard was originally written for Netlink, there is some precedent for doing so and some existing code which should help. Pay special attention to not breaking wg(8) support for userspace implementations; such IPC could be reimagined.
Userspace sometimes would like to be alerted of various events, such as when a handshake happens.
In order to manage out-of-band network configuration, it would be nice to be able to use recvfrom where the sockaddr type is a public key, in order to send packets directly to particular public keys, not using cryptokey routing. This might be well implemented as AF_WIREGUARD with recvfrom, or it might be better implemented as a Netlink message and Netlink event.
Routing Table Improvements
The not_oif patch would be extremely helpful to complete. Here is the initial LKML thread. Implementation should be straightforward and indeed would be quite helpful. Pair not_oif with SO_NOTIF and this would solve all sorts of general Linux networking issues.
The current radix tree works fine, but it deals with bytes instead of words, and could be faster. Pick up the pieces in simplifying and improving routingtable.c, check out the previous work in porting OpenBSD's ART table to WireGuard, write an LC-Trie implementation, or do something entirely different.
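As an added illustration of the allowed-IPs lookup problem this task is about (this is example code written for this page, not WireGuard's routingtable.c or any of the referenced ART/LC-Trie work): a minimal binary trie that stores prefixes in 32-bit words rather than bytes and answers longest-prefix-match queries mapping an address to a peer index. The table contents, the dotted-quad parser and the peer numbers are constructed sample data, and the structure is deliberately the simplest correct one so that the byte-vs-word and bit-stride trade-offs the task mentions are easy to see.

```c
/* Word-oriented binary trie for cryptokey-routing style longest-prefix match.
 * Added example for this page; it is NOT WireGuard's routingtable.c.
 * Addresses are big-endian arrays of uint32_t (1 word for IPv4, 4 for IPv6). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct node {
	struct node *child[2];
	int peer;		/* -1 while this node is not the end of a stored prefix */
};

struct table {
	struct node *root;
};

/* Bit i of the address, counting from the most significant bit of word 0. */
static int get_bit(const uint32_t *words, unsigned i)
{
	return (words[i / 32] >> (31 - (i % 32))) & 1;
}

static struct node *node_new(void)
{
	struct node *n = calloc(1, sizeof(*n));
	if (n)
		n->peer = -1;
	return n;
}

/* Insert a prefix of `len` bits that routes to `peer`. Returns 0 on success. */
int table_insert(struct table *t, const uint32_t *prefix, unsigned len, int peer)
{
	if (!t->root && !(t->root = node_new()))
		return -1;
	struct node *n = t->root;
	for (unsigned i = 0; i < len; i++) {
		int b = get_bit(prefix, i);
		if (!n->child[b] && !(n->child[b] = node_new()))
			return -1;
		n = n->child[b];
	}
	n->peer = peer;
	return 0;
}

/* Longest-prefix lookup over `bits` address bits (32 or 128).
 * Returns the peer index of the most specific matching prefix, or -1. */
int table_lookup(const struct table *t, const uint32_t *addr, unsigned bits)
{
	int best = -1;
	const struct node *n = t->root;
	unsigned i = 0;

	while (n) {
		if (n->peer >= 0)
			best = n->peer;	/* remember the most specific match so far */
		if (i == bits)
			break;
		n = n->child[get_bit(addr, i++)];
	}
	return best;
}

/* Parse a dotted-quad IPv4 address into one big-endian word (for the sample only). */
int ipv4_word(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;
	if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return -1;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return 0;
}

/* Resolve one address against a constructed sample table:
 * 10.0.0.0/8 -> peer 1, 10.1.0.0/16 -> peer 2, 0.0.0.0/0 -> peer 3.
 * Returns -1 for a malformed address. */
int demo_lookup(const char *dotted)
{
	static struct table t;
	static int built;
	uint32_t w;

	if (!built) {
		uint32_t p;
		ipv4_word("10.0.0.0", &p);  table_insert(&t, &p, 8, 1);
		ipv4_word("10.1.0.0", &p);  table_insert(&t, &p, 16, 2);
		ipv4_word("0.0.0.0", &p);   table_insert(&t, &p, 0, 3);
		built = 1;
	}
	if (ipv4_word(dotted, &w) < 0)
		return -1;
	return table_lookup(&t, &w, 32);
}

int main(void)
{
	const char *samples[] = { "10.1.2.3", "10.2.0.1", "192.168.1.1" };
	for (unsigned i = 0; i < 3; i++)
		printf("%-12s -> peer %d\n", samples[i], demo_lookup(samples[i]));
	return 0;
}
```

Each lookup walks one node per address bit, so a 128-bit IPv6 address costs up to 128 pointer chases; the multi-bit strides of an LC-Trie or ART reduce that depth, which is exactly the improvement the task asks for, and any replacement must preserve the "most specific prefix wins" semantics that `table_lookup` implements.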
We already have AVX-accelerated primitives for ChaCha20, Poly1305, Blake2s, and Curve25519. You could try to improve these, or, even better, you could work on ARM and MIPS primitives.
Does WireGuard make correct use of locking contexts, such as the _bh variants, and other details like those?
IPv6 Flowinfo, TTL, etc
Figure out what to do with IPv6 Flowinfo, TTL, and other interesting header fields.
Cryptography and Security Verification
Formally verify WireGuard's crypto constructions and enumerate various security properties. This is an interesting academic and security project.
WireGuard is already running on 3.18 and supports Android's fwmark routing infrastructure. Now this all must be wired up.
Find vulnerabilities in WireGuard!
Better document the WireGuard state machine and required logic to obtain maximal security properties. This task will require a complete understanding of the WireGuard paper, the Noise protocol, and the kernel C codebase.
An unsigned long counter for each error event, accessible to userspace, would be a useful aid for debugging.
Generic Receive Offload
Implement GRO with WireGuard.
Audit the entire send and receive path to squelch any remaining unaligned accesses or accesses that cross cache lines.
Use Better Timer Interface
It's not immediately clear that jiffies are the best thing to use for all timers. Consider using a different type of timer for certain situations that might need it, if possible.
Remove Reliance on Conntrack and XTables
WireGuard has some interesting pseudo-dependencies on Conntrack and XTables that could be removed.
Use path MTU discovery to choose the optimal packet splitting per peer endpoint, instead of having a single MTU per interface.
Work on a userspace implementation in Go, Rust, or another safe language, and obtain full compatibility with the WireGuard module.
The WireGuard project needs guides, how-tos, in depth explanations, expanded man pages, blog posts, and every other type of guide for users, novice and expert alike.