WireGuardNT and WireGuard for Windows hit v1.0 after resolving two long-standing kernel-level blockers on the Windows platform.
Key Takeaways
MTU polling loop eliminated: NotifyIpInterfaceChange() never fires for MTU changes, a bug Microsoft confirmed in 2021; the fix attaches a filter driver to \Device\Nsi via IoAttachDeviceToDeviceStack() and intercepts IOCTL_NSI_SET_ALL_PARAMETERS directly.
Stable IOCTL context lookup: Replaced the fragile Reserved field hack with NdisWdfGetAdapterContextFromAdapterHandle(), present on all Windows 10 versions since launch and guaranteed stable.
42 bug and correctness fixes land in WireGuard for Windows; codebase now compiles in C23 mode with typeof() support.
Old Windows 10 1809 DNS fallback: Reverse-engineered netsh.exe’s DNS config path – two registry writes plus ControlService(SERVICE_CONTROL_PARAMCHANGE) to Dnscache – removing gnarly string parsing.
WireGuard pads packets to the nearest 16 bytes up to interface MTU for traffic analysis protection, making accurate real-time MTU awareness a correctness requirement, not a nice-to-have.
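The padding rule in the last takeaway, modelled as an added example (not WireGuardNT's code): the function names, the unpadded handling of packets at or above the MTU, and the sample MTUs 1400 and 1420 are assumptions for illustration. It shows how a cached MTU that lags the real one either pads past the current MTU or pads less than it should.

```c
#include <stddef.h>
#include <stdio.h>

#define PAD_MULTIPLE 16u /* padding granularity stated above */

enum pad_effect { PAD_OK, PAD_OVERSHOOT, PAD_UNDERPADDED };

/* Simplified model: round the plaintext length up to a multiple of 16,
 * but never past the MTU the sender believes the interface has. */
size_t padded_len(size_t len, size_t mtu)
{
    size_t rounded;

    if (len >= mtu)          /* assumption: no room left, send unpadded */
        return len;
    rounded = (len + PAD_MULTIPLE - 1) & ~(size_t)(PAD_MULTIPLE - 1);
    return rounded > mtu ? mtu : rounded;
}

/* Compare the padding chosen with a cached MTU against the padding the
 * interface's real MTU calls for. */
enum pad_effect stale_mtu_effect(size_t len, size_t cached_mtu, size_t real_mtu)
{
    size_t got = padded_len(len, cached_mtu);
    size_t want = padded_len(len, real_mtu);

    if (got > want)
        return PAD_OVERSHOOT;   /* pads past what the current MTU permits */
    if (got < want)
        return PAD_UNDERPADDED; /* true length leaks more than it should */
    return PAD_OK;
}

int main(void)
{
    /* Constructed samples: the MTU changes between 1420 and 1400. */
    printf("lowered, stale 1420: %d\n", stale_mtu_effect(1395, 1420, 1400));
    printf("raised, stale 1400:  %d\n", stale_mtu_effect(1401, 1400, 1420));
    printf("in sync at 1400:     %d\n", stale_mtu_effect(1395, 1400, 1400));
    return 0;
}
```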
Hacker News Comment Review
Commenters flagged the NSI filter-driver interception as the release’s most technically significant move: attaching to an undocumented device stack to extract a single value is extreme but necessary given Microsoft’s unfixed bug.
macOS WireGuard reliability surfaced as an unresolved pain point – MDM-distributed system profiles appear to break per-user keychain access, with no clear upstream path for fix review or PR merging.
General sentiment is relief that the project is actively maintained; multi-year gaps between releases had led some operators to assume it was abandoned, even while it ran stably in production.
Notable Comments
@cwkcw: “when the documented API doesn’t fire for MTU changes, Microsoft confirms the bug in 2021, and the fix never ships, you either live with a 3-second polling loop or you attach a filter driver” – precise breakdown of the forced design choice.
@jaydenmilne: Notes the undocumented workarounds are clever and necessary, framing Windows kernel work as a categorically different environment from Linux.