How Jason A. Donenfeld created the secure WireGuard VPN now included in Linux

  • Jason A. Donenfeld is the 32-year-old creator of WireGuard, an open source VPN protocol widely considered to be one of the most secure in the world.
  • In 2020, it was merged into the mainline Linux kernel (version 5.6), and it is also available on Windows, macOS, iOS and Android.
  • Donenfeld started the project in 2015 and spent years building an open source community to support WireGuard.
  • He spoke with Business Insider about his path to creating WireGuard, how he sees VPN security and the overwhelming response that the project, which is funded entirely by donations, has gotten from developers.

Jason A. Donenfeld has a relentless curiosity about everything from ancient cities to cutting-edge encryption. When he is not developing WireGuard, widely regarded as one of the most secure VPN protocols in the world, the security researcher enjoys exploring the vast network of centuries-old limestone tunnels below Paris.

Donenfeld, 32, first came to Paris in 2010, after a summer job writing shape-packing algorithms, and moved to the city in 2012 to work as a vulnerability researcher.

His job of finding vulnerabilities for companies led him to doubt the security of the popular VPN protocols. He saw their dizzying complexity, bloated implementations and often outdated cryptography as a worrying attack surface. In 2015, he started developing WireGuard.

WireGuard is an open source VPN protocol praised for its high level of security. In the few years Donenfeld spent developing it, WireGuard was merged into the mainline Linux kernel and ported to macOS and Windows, as well as iOS, Android and other platforms.

Virtual private networks, or VPNs, extend a private network across a public one, allowing data centers on different continents to connect to each other directly. They also let users send and receive data as if their computers or phones were plugged directly into the private network.

This can be misleading. Even when companies and individuals believe they are connecting securely through a VPN, that is not always the case, partly because protocols such as IPsec and OpenVPN are complex, carry outdated options and are difficult to implement and configure correctly.

“When I say that I am not comfortable with OpenVPN or IPsec implementations, I am speaking from experience, because I have found many bugs in this type of software,” he said.

He said that the time he spent hacking systems also taught him how to defend them.

“The way you avoid detection on a network can be a problem very similar to how you prevent attackers from knowing about your machine,” he said.

Part of WireGuard’s appeal is that it maintains security in several ways at once, eliminating entire classes of vulnerabilities. It is fast. It uses defense in depth, a series of layered mechanisms that protect the data even if one layer fails. And it is stealthy: it transmits only when it has something to send, and it does not reply to packets that are not cryptographically authenticated, so someone scanning for your servers sees nothing listening.

It is also easier to audit. Unlike other VPN protocols, WireGuard’s core has fewer than 4,000 lines of code, so a security researcher can read the entire code base for vulnerabilities in a single afternoon. And many do.
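As an added illustration of the properties described above, and not code from the article or from the WireGuard project itself, here is a minimal pair of wg-quick(8) configuration files for a server and a laptop. The key values, tunnel addresses and the hostname vpn.example.net are placeholders chosen for this example; real keys come from `wg genkey` and `wg pubkey`.

```ini
# Added example, not from the article: two wg-quick configuration files.
# Keys, addresses and the hostname are placeholders.

# ---- /etc/wireguard/wg0.conf on the server ----
[Interface]
# Replace with the output of: wg genkey
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
# Tunnel address (wg-quick extension); chosen for this example.
Address = 10.8.0.1/24
ListenPort = 51820

# Each peer is identified only by its static public key. A packet whose
# handshake does not authenticate against a key listed here is dropped
# without any reply, so a scan of UDP/51820 sees nothing listening.
[Peer]
# Replace with the laptop's public key from: wg pubkey < privatekey
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
# Cryptokey routing: decrypted packets from this key are accepted only if
# their source address is 10.8.0.2, and only 10.8.0.2 is routed to this key.
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg0.conf on the laptop ----
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
# Placeholder hostname for the example.
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24
# No PersistentKeepalive: with nothing to send, the tunnel stays silent and
# the laptop transmits only when it has traffic or a handshake falls due.
```

Generate a key pair on each side with `wg genkey | tee privatekey | wg pubkey > publickey`, paste the public keys into the opposite file, and bring each interface up with `wg-quick up wg0`. The `Address` line is interpreted by wg-quick, not by the kernel; everything else maps directly onto the cryptokey routing table that `wg show` displays.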

‘It’s a community project’

In 2020, WireGuard was merged into the influential Linux kernel, and its adoption spread to Windows, macOS, iOS, Android and OpenBSD, as well as to Linux distributions such as Canonical’s Ubuntu, Debian, Oracle Linux, Red Hat’s CentOS and Fedora, and SUSE Linux.

Getting there was not easy. Donenfeld wanted a single, coherent design in which he could make every decision carefully and examine each piece. So he spent some time developing WireGuard on his own before releasing it, he said, sharing the code only with a few friends and cryptographers.

“He contacted me unexpectedly when he was developing WireGuard and had developed some cryptographic protocols and wanted my review. I proposed small changes, but what he did initially was already very good,” said Jean-Philippe Aumasson, cryptographer, author and co-founder of the security company Taurus Group SA.

Donenfeld presented WireGuard at the Kernel Recipes conference, held at Mozilla’s Paris offices, in 2017.

Courtesy of Jason A. Donenfeld

But Donenfeld also wanted to change something as fundamental as the cryptographic architecture of Linux, and he met resistance. Linux is enormously widely used, so radical changes can cause disruption. To get where he wanted, he had to start small, proceed in gradual steps, engage with other people’s ideas and bring them on board.

“This is how kernel development is done in general – it is a community project; you have to reach consensus,” he said. “There is a big difference between releasing open source and saying, ‘here you go’, and disappearing back into a cave, and actually interacting with that world. I chose to interact closely with it, and that meant a lot of interaction and finding out how each facet works.”

The process involved working with other developers and researchers and giving talks at conferences, including Kernel Recipes at Mozilla’s headquarters in Paris, to stay connected with the developer community while WireGuard was being built.

“I didn’t want to compromise the security of the intermediary parties. I didn’t want to make WireGuard depend on something with below-average security while promising to fix it ‘later’. That was never acceptable to me. So, finding something that was evolutionary so that it could be merged, but that still lived up to security ideals, was a very difficult process,” he said.

Donenfeld also wrote a compatibility layer for WireGuard, so that people could load the code into their own kernels – the lowest layer of an operating system – before it was merged upstream. That meant the formidable task of writing kernel code that worked across Linux variants and every kernel version released since 2013. But it also meant that by the time Donenfeld was ready to upstream WireGuard, people were already using it.

The exchange of ideas

Donenfeld’s background is not the norm in the industry, but his intense curiosity and drive may have worked in his favor.

“There is a really well-defined channel that takes people to professional cryptography jobs and status in the cryptography community,” said Thomas Ptacek, security researcher and director at Fly.io. “It usually involves getting a degree, followed by a graduate degree in a program run by an extremely well-known cryptographer, and then working in a research lab for a long time right after university.”

In contrast, Donenfeld graduated in mathematics and philosophy from Columbia University in New York after growing up in Cincinnati. Despite his atypical background, Donenfeld still managed to produce the first formally verified VPN protocol: its handshake has been mathematically proven, in a formal model, to achieve specific security properties such as key secrecy and authentication. That is a stronger guarantee than testing alone can give, though it covers the protocol design rather than every line of any particular implementation.

Donenfeld works on WireGuard mainly at home, on the top floor of an apartment building that appears to have been knocked together from several chambres de bonne – single rooms once intended for maids. Before the pandemic, he worked on rooftops and in cafes all over Paris, carrying his Linux laptop with him as he explored the city.

When not programming, Donenfeld is part of the Parisian jazz scene. He plays a D’Angelico NYSS-3 guitar and has performed around the city at clubs such as Le Caveau des Oubliettes. Lately, he says, he has been listening to a lot of John Coltrane and Bill Frisell.

WireGuard is also funded entirely by donations, which is unusual in the software industry. To thank donors, Donenfeld said he has mailed out thousands of stickers bearing the WireGuard logo, which was inspired by a stone carving of the Python of Greek myth that he saw during a visit to a museum in Delphi.

For the past few years, Donenfeld said, he has received enough donations to work on WireGuard full time and to fund other developers working on specific parts of it, but the project is always trying to secure another year of funding.

“I received job offers from Silicon Valley companies that would definitely result in a more financially rewarding life than being an open source author,” he said.

If the money to work on WireGuard runs out, he can always return to freelance work in the security industry.

Donenfeld’s goal is to keep producing high-quality, professional, free and open source software that the whole community can benefit from.

“Opening the source code of something and interacting with this community is really a great way to improve the software and allows for a great exchange of ideas,” he said.
