WireGuard author Jason Donenfeld recently announced the WireGuardNT project, a native port of WireGuard for the Windows kernel. Like the other versions, WireGuardNT (lowercase “wireguard-nt”) started out as a port of the Linux version of the codebase. After a successful initial porting effort, the NT codebase quickly diverged to better fit native NTisms and the NDIS (Windows network stack) APIs. The end result is a deeply integrated, high-performance WireGuard implementation for the NT kernel that leverages the full functionality of the NT kernel and NDIS.

Related projects and source code: https://git.zx2c4.com/wireguard-nt/about/

Jason introduced the background of WireGuard in the announcement. An early implementation of WireGuard for Windows was wireguard-go, a userspace implementation written in Go that was responsible for getting packets in and out of the Wintun interface.

Jason was not satisfied with tap-windows, the virtual network interface provided by the OpenVPN project, so he implemented his own, Wintun, from scratch. The OpenVPN project has since added its own support for Wintun. However, wireguard-go still requires constant context switching between kernel space and user space. To remove this performance bottleneck, the entire stack, including the virtual NIC and encryption, needs to move into the kernel.

WireGuardNT significantly reduces latency and eliminates the wireguard-go/Wintun context-switching problem. Measurements show that the kernel-mode implementation, WireGuardNT, is 10-25% faster than the userspace implementation, wireguard-go. Jason also claims that the impact wireguard-go/Wintun had on WiFi performance disappears when WireGuardNT is used, and that power and battery usage are lower.