Loading...
Loading...
WireGuard for Windows and its kernel driver, WireGuardNT, reached v1.0, signaling a stability milestone after thorough review and testing. The release, announced by creator Jason A. Donenfeld, is available via the client updater and direct download. Key driver changes include adopting the documented NdisWdfGetAdapterContextFromAdapterHandle() API to avoid fragile internal offsets and implementing proper MTU change notifications. Correct MTU handling is important because WireGuard pads packets to 16-byte boundaries up to the interface MTU to mitigate traffic analysis. The update emphasizes reliability and correctness for Windows VPN users and administrators.
Stable VPN client and driver releases reduce operational risk for Windows deployments and provide a reliable foundation for security, networking, and devops teams. Correct MTU and kernel API handling affects performance, privacy protections, and long-term maintainability.
Dossier last updated: 2026-05-15 03:32:34
Researcher tested Mullvad VPN's WireGuard exit-IP allocation and found it's surprisingly deanonymizing. By rotating public keys and querying nine Mullvad servers, the author mapped exit-IP pools and observed only 284 distinct exit-IP combinations across 3,650 keys — far fewer than the trillions of theoretical combinations. The pattern: each assigned IP sits at nearly the same percentile within its server pool, implying Mullvad deterministically maps a key to a proportional index in each pool. Correlated indexes across servers with identical pool sizes suggest a seeded RNG or deterministic function is used to pick indexes, not per-connection randomization. This makes exit IPs a stable fingerprinting vector tied to rotating WireGuard keys, with privacy implications for users and VPN design.
Researcher testing Mullvad’s WireGuard exit IP allocation found the provider deterministically maps a user’s public key to a fixed exit IP index per server, rather than assigning a freshly randomized IP on each connection. By cycling pubkeys against nine servers and collecting 3,650 datapoints, the author mapped each server’s exit-IP pools and discovered only 284 distinct cross-server combinations — far fewer than the combinatorial space — because Mullvad appears to pick corresponding percentile positions within each server’s IP pool using a seeded RNG. That behavior makes exit-IP sets a stable fingerprinting vector tied to rotating keys (or persistent when keys don’t rotate), raising deanonymization risks for users. The finding matters for VPN privacy design and threat models.
WireGuard for Windows Reaches v1.0 | Hacker News Hacker News new | past | comments | ask | show | jobs | submit login WireGuard for Windows Reaches v1.0 ( zx2c4.com ) 23 points by zx2c4 1 hour ago | hide | past | favorite | discuss help Consider applying for YC's Summer 2026 batch! Applications are open till May 4 Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact Search:
WireGuard creator Jason A. Donenfeld announced the v1.0 release of WireGuard for Windows and its kernel driver, WireGuardNT, on April 18, 2026. The update is available via the Windows client’s built-in updater and as a fresh download from WireGuard’s site. Donenfeld said the final “1.0 blockers” are complete, marking a stability milestone after extensive code review and testing. For WireGuardNT, he highlighted two major changes: switching to the documented Windows API NdisWdfGetAdapterContextFromAdapterHandle() to reliably access driver state instead of relying on an unstable internal offset, and adding proper MTU change notifications. MTU handling matters because WireGuard pads packets to 16-byte boundaries up to the interface MTU to reduce traffic analysis risk.