Google Summer of Code

The Linux Foundation umbrella organization is responsible for this year's WireGuard GSoC, so if you're a student, write "Linux Foundation" as your mentoring organization, and then specify in your proposal your desire to work with WireGuard, listing "Jason Donenfeld" as your mentor.

Potential Projects

Here are a few projects students might work on, in no particular order. Students are also free to propose their own tasks. If you're interested or have any questions, please write an email to the WireGuard development team.

Testing Infrastructure

The netns.sh test infrastructure works well, but it could use more tests that exercise more code paths.

Separately, tests that measure packets per second, latency, and bufferbloat would be quite handy.

Performance Improvements

There is plenty of low-hanging fruit for optimizing performance. For example, examine the handshake queue. Could it be parallelized? Is the work queue implementation ideal? What about the transport data path? Could it be faster? Could latency be lowered?

fq_codel Integration

In order to combat bufferbloat, WireGuard could benefit from integrating the fq_codel algorithm and its kernel library for managing packet queues and parallelism. There is much related work in the kernel to base this on; in particular, many wireless drivers take the same approach using the same library.

Exponential Backoff and Dynamic Timers

The timer state machine currently relies on fixed constants; it could benefit from becoming dynamic, with exponential backoff and timeouts derived from observed round-trip times, in order to deal with extremely high latency networks, such as between Earth and the Moon.
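As an added illustration of what a dynamic timer could look like (this is example code written for this page, not WireGuard's timer code, and the RFC 6298-style smoothing, the 5-second starting value, the 1-second floor and the 120-second cap are all assumptions), the following computes a handshake retry timeout from measured round-trip time and backs it off exponentially per attempt. A LAN peer with a 40 ms RTT settles at the floor, while an Earth-Moon link with a roughly 2.6 s RTT gets a 7.8 s base timeout that doubles on each retry until the cap:

```c
/* Added example (not WireGuard code): an RFC 6298-style adaptive retransmission
 * timeout with capped exponential backoff, as one way a handshake retry timer
 * could adapt to measured round-trip time instead of a fixed constant.
 * All values are integer milliseconds; the constants below are assumptions. */
#include <stdint.h>

#define RTO_INITIAL_MS 5000     /* assumed starting value before any RTT sample */
#define RTO_MIN_MS     1000     /* assumed floor, so LAN peers do not retry too eagerly */
#define RTO_MAX_MS     120000   /* assumed cap on backed-off timeouts */

struct rto {
    unsigned srtt;      /* smoothed RTT, ms */
    unsigned rttvar;    /* RTT variance estimate, ms */
    unsigned rto;       /* current base timeout, ms */
    int have_sample;
};

void rto_init(struct rto *r)
{
    r->srtt = r->rttvar = 0;
    r->rto = RTO_INITIAL_MS;
    r->have_sample = 0;
}

static unsigned clamp(unsigned v, unsigned lo, unsigned hi)
{
    return v < lo ? lo : v > hi ? hi : v;
}

/* Feed one round-trip sample, e.g. handshake initiation -> response time. */
void rto_sample(struct rto *r, unsigned rtt_ms)
{
    if (!r->have_sample) {
        r->srtt = rtt_ms;
        r->rttvar = rtt_ms / 2;
        r->have_sample = 1;
    } else {
        unsigned diff = r->srtt > rtt_ms ? r->srtt - rtt_ms : rtt_ms - r->srtt;
        r->rttvar = (3 * r->rttvar + diff) / 4;   /* beta = 1/4, using the old srtt */
        r->srtt = (7 * r->srtt + rtt_ms) / 8;     /* alpha = 1/8 */
    }
    r->rto = clamp(r->srtt + 4 * r->rttvar, RTO_MIN_MS, RTO_MAX_MS);   /* K = 4 */
}

/* Timeout before retry number `attempt` (0 = first send): rto * 2^attempt, capped. */
unsigned rto_timeout(const struct rto *r, unsigned attempt)
{
    uint64_t t = (uint64_t)r->rto << (attempt > 16 ? 16 : attempt);
    return t > RTO_MAX_MS ? RTO_MAX_MS : (unsigned)t;
}

/* Convenience for experiments: timeout for `attempt` after feeding n samples. */
unsigned timeout_after(const unsigned *samples, unsigned n, unsigned attempt)
{
    struct rto r;
    unsigned i;
    rto_init(&r);
    for (i = 0; i < n; ++i)
        rto_sample(&r, samples[i]);
    return rto_timeout(&r, attempt);
}
```

Feeding the estimator only with handshakes that actually completed keeps it honest; an attacker who can delay packets can only make the timer slower, not disable retries.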

Crypto API Integration

WireGuard currently uses its own crypto primitives. Moving to the Crypto API will require some work, both on WireGuard's side and on the Crypto API's. It would also be interesting to quantify precisely how much slower the kernel's Crypto API is compared to WireGuard's direct primitive implementations.

Netlink Integration

WireGuard currently uses ioctl, not Netlink. It needs to be ported to Netlink. Since WireGuard was originally written for Netlink, there is some precedent for doing so and some existing code which should help. Take care not to break wg(8) support for userspace implementations; that IPC could be reimagined.

Userspace would sometimes like to be notified of various events, such as when a handshake completes.

AF_WIREGUARD

In order to manage out-of-band network configuration, it would be nice to be able to use sendto(2) and recvfrom(2) with a sockaddr type that is a public key, in order to send packets directly to particular public keys, bypassing cryptokey routing. This might be well implemented as AF_WIREGUARD with sendto and recvfrom, or it might be better implemented as a Netlink message and Netlink event.

Routing Table Improvements

The not_oif patch would be extremely helpful to complete; see the initial LKML thread. Implementation should be straightforward and would be quite helpful. Pair not_oif with a setsockopt SO_NOTIF and this would solve all sorts of general Linux networking issues.

Trie Improvements

The current radix tree works fine, but it compares a byte at a time instead of a machine word at a time, and could be faster. Pick up the pieces in simplifying and improving routingtable.c, check out the previous work in porting OpenBSD's ART (allotment routing table) to WireGuard, write an LC-trie implementation, or do something entirely different.
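To make the byte-versus-word point concrete, here is an added example, written for this page and not taken from routingtable.c, of a path-compressed binary trie doing cryptokey-routing-style longest-prefix match from IPv4/IPv6 prefixes to peer ids. Prefixes are held as 32-bit words, most significant first, so the shared-prefix length of two keys is found by XORing a word at a time and taking clz of the first nonzero word rather than walking bytes or bits. The function and field names, and the use of a small integer as the "peer", are illustrative:

```c
/* Added example, not WireGuard's routingtable.c: a path-compressed binary trie mapping
 * IPv4/IPv6 prefixes to peer ids by longest-prefix match, comparing 32-bit words with clz. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct node {
    uint32_t key[4];        /* prefix, most-significant word first, host order */
    unsigned cidr;          /* prefix length in bits */
    int peer;               /* peer id, or -1 for a pure branching node */
    struct node *child[2];
};
static struct node *roots[2];   /* [0] IPv4, [1] IPv6 */

#define bit_at(key, idx) (((key)[(idx) / 32] >> (31 - (idx) % 32)) & 1)  /* bit idx, MSB of word 0 first */

/* Leading bits shared by a and b: XOR a word at a time, clz on the first nonzero word. */
static unsigned common_bits(const uint32_t *a, const uint32_t *b, unsigned bits)
{
    unsigned i, c = 0;
    for (i = 0; i < bits / 32; ++i, c += 32)
        if (a[i] ^ b[i])
            return c + (unsigned)__builtin_clz(a[i] ^ b[i]);
    return c;
}

static void mask_key(uint32_t *key, unsigned cidr, unsigned bits)   /* clear every bit past cidr */
{
    unsigned i;
    for (i = 0; i < bits / 32; ++i, cidr = cidr >= 32 ? cidr - 32 : 0)
        if (cidr < 32)
            key[i] &= cidr ? ~0u << (32 - cidr) : 0;  /* a shift by 32 would be UB */
}

static struct node *new_node(const uint32_t *key, unsigned cidr, unsigned bits, int peer)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    memcpy(n->key, key, bits / 8);
    mask_key(n->key, cidr, bits);
    n->cidr = cidr, n->peer = peer;
    return n;
}

/* Insert key/cidr -> peer; c is the bit where the new prefix and node n diverge. */
static void trie_insert(struct node **root, const uint32_t *key, unsigned cidr, unsigned bits, int peer)
{
    while (*root) {
        struct node *n = *root, *m;
        unsigned c = common_bits(n->key, key, bits);
        if (c > cidr || c > n->cidr) c = cidr < n->cidr ? cidr : n->cidr;
        if (c == n->cidr && c == cidr) { n->peer = peer; return; }        /* same prefix */
        if (c == n->cidr) { root = &n->child[bit_at(key, c)]; continue; }  /* n covers new: descend */
        m = new_node(key, c, bits, c == cidr ? peer : -1);      /* new covers n: hoist; else split */
        m->child[bit_at(n->key, c)] = n;
        if (c != cidr)
            m->child[bit_at(key, c)] = new_node(key, cidr, bits, peer);
        *root = m;
        return;
    }
    *root = new_node(key, cidr, bits, peer);
}

/* Longest-prefix match: remember the last peer-bearing node whose prefix covers key. */
static int trie_lookup(const struct node *n, const uint32_t *key, unsigned bits)
{
    int peer = -1;
    for (; n && common_bits(n->key, key, bits) >= n->cidr;
         n = n->cidr < bits ? n->child[bit_at(key, n->cidr)] : NULL)
        if (n->peer >= 0) peer = n->peer;
    return peer;
}

static unsigned parse_addr(const char *s, uint32_t key[4])   /* -> big-endian words; 32, 128, or 0 on error */
{
    unsigned char b[16];
    unsigned i, bits = inet_pton(AF_INET, s, b) == 1 ? 32 : inet_pton(AF_INET6, s, b) == 1 ? 128 : 0;
    memset(key, 0, 16);
    for (i = 0; i < bits / 8; ++i)
        key[i / 4] |= (uint32_t)b[i] << (24 - 8 * (i % 4));
    return bits;
}

int route_add(const char *addr, unsigned cidr, int peer)
{
    uint32_t key[4];
    unsigned bits = parse_addr(addr, key);
    if (!bits || cidr > bits || peer < 0) return -1;
    trie_insert(&roots[bits == 128], key, cidr, bits, peer);
    return 0;
}

int route_lookup(const char *addr)   /* peer id, or -1 when no prefix covers addr */
{
    uint32_t key[4];
    unsigned bits = parse_addr(addr, key);
    return bits ? trie_lookup(roots[bits == 128], key, bits) : -1;
}
```

Adding 10.0.0.0/8, 10.1.0.0/16 and 10.2.0.0/16 produces a peerless branching node at /14 between them, and adding 2001:db8::/40 after 2001:db8:1::/48 hoists the new node above the existing one; a lookup then returns the deepest peer-bearing node it passed, so 10.1.7.1 resolves to the /16 and 10.9.9.9 to the /8. A lookup walks at most one node per distinct prefix length on the path, and each comparison costs one XOR and one clz per word.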

Accelerated Primitives

We already have AVX-accelerated primitives for ChaCha20, Poly1305, BLAKE2s, and Curve25519. You could try to improve these, or, even better, you could work on ARM and MIPS primitives.

Lock Auditing

Does WireGuard use locking contexts correctly, for example the _bh variants and other details like those?

IPv6 Flowinfo, TTL, etc

Figure out what to do with IPv6 Flowinfo, TTL, and other interesting header fields.

Cryptography and Security Verification

Formally verify WireGuard's crypto constructions and enumerate various security properties. This is an interesting academic and security project.

Android

WireGuard already runs on Linux 3.18 kernels and supports Android's fwmark-based routing. Now all of this must be wired up end to end.

Security Review

Find vulnerabilities in WireGuard!

Protocol Documentation

Better document the WireGuard state machine and required logic to obtain maximal security properties. This task will require a complete understanding of the WireGuard paper, the Noise protocol, and the kernel C codebase.

Error Counters

A simple unsigned long per error event, exposed to userspace, would be a useful debugging aid.

Generic Receive Offload

Implement GRO (generic receive offload) support in WireGuard.

Unaligned Accesses

Audit the entire send and receive path to squelch any remaining unaligned accesses or accesses that cross cache lines.

Use Better Timer Interface

It's not immediately clear that jiffies are the best choice for all timers. Consider a different type of timer for the situations that need it, where possible.

Remove Reliance on Conntrack and XTables

WireGuard has some interesting pseudo-dependencies on Conntrack and XTables that could be removed.

Per-peer PMTU

Use path MTU discovery to pick the optimal packet size per peer endpoint, instead of having a single MTU per interface.

Userspace Implementations

Work on a userspace implementation in Go, Rust, or another memory-safe language, and achieve full compatibility with the WireGuard kernel module.

Documentation

The WireGuard project needs guides, how-tos, in depth explanations, expanded man pages, blog posts, and every other type of guide for users, novice and expert alike.