WireGuard Implementation for LwIP Stack

Daniel Hope daniel.hope at smartalock.com
Mon Mar 15 16:55:36 UTC 2021


I have developed a WireGuard implementation for an embedded project we are working on that uses LwIP as the IP stack. The implementation has been released here: https://github.com/smartalock/wireguard-lwip 

LwIP is an open source TCP/IP stack that is used mainly in embedded systems, often those with very tight memory requirements for code/data size, and normally not running Linux / BSD or even any operating system at all.

The project contains a pure C, malloc-free implementation of the WireGuard protocol, some glue in the form of a lwIP netif implementation, and some crypto elements that end users will probably want to optimise for their specific embedded platform. I wish I’d seen the single file crypto.c file that Jason just announced in the FreeBSD code as that would have been useful… although the x25519 probably would still use too much stack for us.

In terms of size we can run a couple of WireGuard peers as well as our main application on an STM32F10x board that has just 64K RAM - the goal here being secure connectivity rather than raw packet throughput.

I’d welcome any feedback to improve the code!

In terms of other ideas, I think this code could be adapted to run as a static C library to link against to enable per-application WireGuard support. Whilst there are other methods that already exist to do this (e.g. containerisation, or via the library here: https://git.zx2c4.com/wireguard-tools/tree/contrib/embeddable-wg-library/, etc.), these tend to require either operating system tunnel/network interface support or Linux in particular.

Daniel

