> Why did WireGuard require so much of its code to be put into the Linux kernel?

It didn't require it. Android has a VPN service API for implementing userspace VPNs and there's an official WireGuard app with a userspace implementation. The kernel module isn't a mandatory thing.
Userspace VPN implementations require a lot of expensive context switches, reducing performance and battery life. It also requires userspace infrastructure / plumbing. Android has support for this including a toggle for always-on and another toggle to block leaks if it dies, etc.
Elsewhere, every userspace VPN implementation has to reinvent the wheel including routing the traffic through the VPN and preventing leaks before it's started or if the process dies. It's messy and requires every userspace VPN implementation to do invasive stuff with root access.
It's a mix of the usual reasons for shoving everything into the kernel: performance and working around lackluster, fragmented userspace infrastructure. Proper infrastructure exists for userspace VPN services but it's not universal. Putting things in the kernel gets it everywhere.