Why in the kernel? (Score:1)
Re: (Score:1)
It belongs in the kernel because 1 Gbit/s is over 80000 individual packets per second. You don't want to switch from kernel to user space and back that often. Context switches are expensive. It's a bit like reading files one byte at a time. WireGuard is designed to handle the packets with only a small amount of code in the kernel. User space code deals with the complicated things.
Re:Why in the kernel? (Score:2)
Of course it can. With additional overhead. And that's really the problem. Userland VPNs perform poorly.
Also, even userland VPNs rely on some form of kernel support for their interfaces. Good luck getting OpenVPN to work without TAP/TUN compiled in the kernel at the very least. Beyond those slower protocols you can look to classics: the entire L2TP protocol is embedded in the kernel, as is PPTP. Actually it would be a more interesting exercise to find a high-performance VPN protocol which isn't implemented at the kernel level.
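As an added illustration of the per-packet budget the first comment describes (editor's example, not code from the thread or from WireGuard): the arithmetic behind "1 Gbit/s is over 80000 packets per second" for an assumed 1500-byte frame, plus a local measurement of what one send() and one recv() cost on this host, which is the minimum pair of user/kernel crossings a userland VPN pays per packet.

```python
import socket
import time

LINK_BPS = 1_000_000_000   # 1 Gbit/s, the figure used in the thread
FRAME_BYTES = 1500         # assumed frame size (common Ethernet MTU)


def packets_per_second(link_bps: float, frame_bytes: int) -> float:
    """Maximum packet rate a link carries if every packet is frame_bytes long."""
    return link_bps / (8 * frame_bytes)


def per_packet_budget_ns(link_bps: float, frame_bytes: int) -> float:
    """Time available to handle one packet before the next arrives, in ns."""
    return 1e9 / packets_per_second(link_bps, frame_bytes)


def measure_syscall_pair_ns(frame_bytes: int = FRAME_BYTES, rounds: int = 20_000) -> float:
    """Average cost of one send() plus one recv() over an AF_UNIX socketpair.

    Each call is a user->kernel->user transition, so this approximates the
    floor a userland VPN pays to hand one packet to the kernel and get one
    back. The number is a measurement on this host, not a figure from the thread.
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    payload = b"\x00" * frame_bytes          # constructed dummy packet
    try:
        for _ in range(1000):                # warm-up, not timed
            a.send(payload)
            b.recv(frame_bytes)
        start = time.perf_counter_ns()
        for _ in range(rounds):
            a.send(payload)
            b.recv(frame_bytes)
        return (time.perf_counter_ns() - start) / rounds
    finally:
        a.close()
        b.close()


def overhead_fraction(link_bps: float, frame_bytes: int, syscall_pair_ns: float) -> float:
    """Share of the per-packet budget consumed by the two boundary crossings alone."""
    return syscall_pair_ns / per_packet_budget_ns(link_bps, frame_bytes)


if __name__ == "__main__":
    pps = packets_per_second(LINK_BPS, FRAME_BYTES)
    cost = measure_syscall_pair_ns()
    print(f"{pps:.0f} pps -> {per_packet_budget_ns(LINK_BPS, FRAME_BYTES):.0f} ns per packet")
    print(f"send+recv costs {cost:.0f} ns, {100 * overhead_fraction(LINK_BPS, FRAME_BYTES, cost):.1f}% of the budget")
```

Smaller frames push the packet rate up and the budget down, so the measured crossing cost becomes a larger share of it; run with a different FRAME_BYTES to see the effect.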