First, I'm going to try not to go into this in detail right now, but HN has very weird ideas about the potency of third-party code audits, particularly for things involving cryptography. A short summary: most third-party audits of cryptographic software written in systems languages don't accomplish anything. Most crypto software you depend on has never had a full-coverage audit from third-party auditors qualified to evaluate crypto.
You can watch any talk about WireGuard to see what I mean about the way WireGuard's code is written, but the short answer is that the thing was designed from the bottom up to be simple. WireGuard's feature selection was influenced strongly by what would keep the codebase smaller and easier to review. It was also designed to simplify the object lifecycle inside the code itself. All its state is preallocated at initialization.
WireGuard's cryptography is essentially an instantiation of Trevor Perrin's Noise framework. It's modern and, again, simple. Every other VPN option is a mess of negotiation and handshaking and complicated state machines. WireGuard is like the Signal/Axolotl of VPNs, except it's much simpler and easier to reason about (cryptographically, in this case) than double ratchet messaging protocols.
It is basically the qmail of VPN software.
And it's ~4000 lines of code. It is plural orders of magnitude smaller than its competitors.
WireGuard isn't a panacea. In particular: clientside support for it isn't there yet! But it's pretty clear to me at least that WireGuard should imminently be replacing OpenVPN and IPSEC.
You can watch any talk about WireGuard to see what I mean about the way WireGuard's code is written, but the short answer is that the thing was designed from the bottom up to be simple. WireGuard's feature selection was influenced strongly by what would keep the codebase smaller and easier to review. It was also designed to simplify the object lifecycle inside the code itself. All its state is preallocated at initialization.
WireGuard's cryptography is essentially an instantiation of Trevor Perrin's Noise framework. It's modern and, again, simple. Every other VPN option is a mess of negotiation and handshaking and complicated state machines. WireGuard is like the Signal/Axolotl of VPNs, except it's much simpler and easier to reason about (cryptographically, in this case) than double ratchet messaging protocols.
It is basically the qmail of VPN software.
And it's ~4000 lines of code. It is plural orders of magnitude smaller than its competitors.
WireGuard isn't a panacea. In particular: clientside support for it isn't there yet! But it's pretty clear to me at least that WireGuard should imminently be replacing OpenVPN and IPSEC.