WireGuard 1.0: Stable milestone for the Windows version reached

After a years-long break, there was recently an update, and now the developer is following up with release 1.0 of WireGuard for Windows.

The stable version WireGuard 1.0 for Windows was released over the weekend. Developer Jason Donenfeld released it on Saturday evening. He himself describes it as a milestone.

In his announcement on the WireGuard mailing list, Donenfeld elaborates on some details. He has finally fixed the last “1.0 blockers” and is happy to have reached this milestone. In particular, the WireGuardNT driver contains a lot of bug fixes. The driver's IOCTLs were based on the NDIS device node, where certain required functions were not documented. This made the code a ticking time bomb, as certain pointers were not at a stable offset. Windows 10 has integrated a stable function for this, which WireGuardNT now uses.

What Donenfeld also still lacked was correct notification of MTU (Maximum Transmission Unit) changes. WireGuard always pads packets to the next 16-byte boundary, up to the maximum MTU of the network interface; this is intended to protect against traffic analysis attacks. On Linux, the software has full access to this information, while on Windows, the driver has to combine different values for adapters with values selected by the TCP/IP interface, and distinguish between IPv4 and IPv6. Windows has a callback that is supposed to report any changes, but it never fires when the MTU changes. According to Donenfeld, Microsoft has wanted to correct this since 2019, but so far there is no sign of it. As a workaround, WireGuardNT polled all WireGuard interfaces every three seconds. The programmer has now solved this more elegantly as well, after analyzing and reverse-engineering some messages on the NSI device. This allows WireGuard to adapt to changed MTUs immediately and not just within three seconds.

These are the biggest changes. Smaller ones include, for example, that the project is compiled in C23 mode, a more current C standard. In addition to the driver, Donenfeld also worked on WireGuard for Windows, fixing 42 bugs.

The WireGuard 1.0 packages are available for download on the WireGuard download page. The integrated update mechanism usually also announces the available update.

Just last week, Donenfeld released the first update for WireGuard for Windows in four years. Before that, there had been public discord because Microsoft blocked developer accounts with insufficient owner verification. These accounts, however, are absolutely necessary for signing the drivers and binary files. There is an appeal process, but Microsoft takes up to 60 days for it. The VeraCrypt developer Mounir Idrassi, for example, complained about this. Donenfeld, however, takes a calmer view and dismisses it as the kind of excessive bureaucracy that can happen.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.