The WireGuard project announced a major milestone for Windows users today: an all-new, kernel-mode implementation of the VPN protocol called WireGuardNT. The original implementation of WireGuard on Windows uses wireguard-go, a userspace implementation of WireGuard written in the Go programming language. Most of wireguard-go is tied to a virtual network device in userspace.
Donenfeld didn't like tap-windows, the virtual network interface provided by the OpenVPN project, so he implemented his own replacement from scratch, called Wintun. Wintun is a definite improvement over tap-windows, and the OpenVPN project has implemented Wintun support, with impressive results. Even so, Wintun doesn't change the need for constant context switches between the "real" network stack and userspace.
Being a DLKM (dynamically loadable kernel module) is a requirement for Linux. To be a proper in-kernel device driver on Windows, you need to keep userspace components of the WireGuard stack in-kernel. The initial port of WireGuard began as a direct port of the Linux in-kernel WireGuard implementation.
The end result is a deeply integrated and highly performant implementation of WireGuard for the NT kernel that makes use of the full range of NT kernel and NDIS capabilities. The end results are solid: more than three times the top-end performance, as measured with Ethr on a pair of Equinix Metal c3.small instances. Our results were not as dramatic as those from early testers, but they did confirm a significant performance increase.
On the same equipment and with the same configs, we measured WireGuardNT running 10 percent to 25 percent faster than wireguard-go and Wintun. Since it's still classified as experimental, you will need to manually add a registry key and a DWORD to use it. As an administrator, open up and browse.
Next, create a key named WireGuard, and within that key, a DWORD named ExperimentalKernelDriver, which will set the default behavior for your tunnels. To make your change take effect, you need to click the WireGuard icon in the system tray and exit. When you open the WireGuard app again, it will honor your ExperimentalKernelDriver setting. In the future, you'll need to set a registry flag if you want the old code.
The project will eventually sunset wireguard-go/Wintun in the general binary. The projects themselves will remain, since they have wide utility beyond the stock WireGuard client.