Hi
I was wondering what the general state of wireguard is currently? I have a non-critical issue but was just wondering about what I can expect at this moment (I understood wireguard on BSD has some legacy) and/or what the current best practice is around wireguard on opnsense.
Thanks all!
Krgds
set it up and use it. no issues here for months... (using go implementation)
Seconded. On VMs where I don't run OPNsense but plain FreeBSD I use the kernel module without problems so far. On OPNsense just install os-wireguard, configure, enjoy.
There has never been a debate about or a problem with the golang implementation.
I've set up wireguard a long time ago. Do I have to do anything new to take advantage of the kernel support? I'm asking because it's still pretty slow.
I see os-wireguard under Plugins, and under Packages I have os-wireguard-devel, wireguard-go, and wireguard-tools.
You need to manually install the kmod:
pkg install wireguard-kmod
Then reboot and the system will use the kmod rather than go implementation. The plugin interface should still interact with it OK
Note of course the kmod is still under development and so not officially supported by OPNsense devs
Hmmm...thanks. I've done that and rebooted but now wireguard-go always shows red on the Services dashboard. What log should I be looking at?
It's probably working nonetheless. You could install the wireguard widget to watch the true status and remove the wireguard-go service from the services widget.
Bug, of course, but that was my experience and since the WG widget exists, I can live with that.
Indeed you are correct. Thanks for the tip. It's working and I'll do some performance tests once I'm at a remote location.
Quote from: sot3 on November 20, 2021, 05:12:13 PM
Hmmm...thanks. I've done that and rebooted but now wireguard-go always shows red on the Services dashboard. What log should I be looking at?
The wireguard-go package would be showing as not running because the wireguard-kmod package is being used instead. If you removed the wireguard-go package from your system then it would no longer be listed.
Glad it is working for you. I have never had much luck when I tried the kmod. On a previous occasion when I tried it I mysteriously lost all DNS resolution on OPNsense. When I tried it yesterday, my IPv6 WAN interface simply refused to come up due to a reported "invalid gateway" on it. There is obviously something about my setup that doesn't play nice with the kmod, but given the issues created are seemingly unrelated I just can't figure out what :(
Quote from: chemlud on November 14, 2021, 11:14:33 AM
set it up and use it. no issues here for months... (using go implementation)
Same here for wireguard-kmod.
No issues for >6 months of production use and much faster than the Wireguard-Go implementation :)
So I just tried the kmod again, and now all is fine. Nice speeds too in my early testing
What tools are you using to test performance? I'm seeing some improvement with kmod, but the speed is still a small fraction of what should be possible, I think.
I haven't done any formal testing. Just what I am observing with download speeds on the particular host I am sending through the VPN - around 4 times faster than when I previously used the go package or OpenVPN. You could always try a CLI speedtest tool
@Greelan, I didn't have a look at the kernel module yet, what would be needed to switch from go? :-)
Will the kernel package be included in 22.1? I didn't follow the BSD-Wireguard drama...
pkg install wireguard-kmod
Then reboot
I suspect it is more likely 22.7. The kmod is still in development and in fact the pace seems to have slowed a bit in recent months: https://git.zx2c4.com/wireguard-freebsd/
The FreeBSD-wireguard saga was more a pfSense-wireguard saga when they tried to go their own way in developing the kmod and botched it. Donenfeld came to the rescue and has been developing it out of tree since
...yeppp, but pfsense forced the shit-code into the kernel...
Which was pretty bad of the FreeBSD kernel folk to just accept it. But it was pulled when Donenfeld pointed out the issues, and Donenfeld and his WG co-developers worked like navvies to get it into a decent state. Although he still labels it "experimental". Seems to be working just fine for me so far (and others have said the same in these forums)
will give it a try on a site-to-site WG tunnel doing fine with go for months now... :-)