OPNsense Forum

English Forums => Virtual private networks => Topic started by: bbin on October 30, 2022, 06:30:16 PM

Title: Wireguard kernel mainstream support
Post by: bbin on October 30, 2022, 06:30:16 PM
Looks like wireguard was just committed to the FreeBSD kernel.

https://www.phoronix.com/news/FreeBSD-WireGuard-Lands-2022

What are the current plans for incorporating into opnsense?
Title: Re: Wireguard kernel mainstream support
Post by: nzkiwi68 on November 10, 2022, 07:57:30 PM
I'm very keen to see this too.

And support for wireguard-kmod to follow CARP, to ensure that wireguard only starts on the MASTER, like many other packages, and if the firewall transitions to CARP backup status, then stop wireguard.

Without this, if wireguard is running on the backup firewall, then keepalive causes chaos on a clustered HA firewall pair.
Title: Re: Wireguard kernel mainstream support
Post by: chemlud on November 10, 2022, 08:52:32 PM
Quote from: bbin on October 30, 2022, 06:30:16 PM
Looks like wireguard was just committed to the FreeBSD kernel.

https://www.phoronix.com/news/FreeBSD-WireGuard-Lands-2022

What are the current plans for incorporating into opnsense?

Hmm, I don't see FreeBSD 14 on the road map for 23.1

https://opnsense.org/about/road-map/
Title: Re: Wireguard kernel mainstream support
Post by: nzkiwi68 on November 11, 2022, 08:22:15 AM
But, that's ok, because the link talks about Wireguard-kmod available as a package to be back ported to earlier FreeBSD versions and I quote:

Quote
For those on existing FreeBSD releases, the WireGuard module is also available via FreeBSD ports.
Title: Re: Wireguard kernel mainstream support
Post by: franco on November 11, 2022, 10:25:55 AM
14.1 might be a target, certainly not for 23.1. ;)

The thing is the wireguard-kmod package is the same deal and we do favour packages over base tools, which are harder to patch and update. I also don't know what they did for the bash requirement of the wireguard tools but it remains to be seen.

For the time being: nothing new to see here, move along.


Cheers,
Franco
Title: Re: Wireguard kernel mainstream support
Post by: Greelan on November 12, 2022, 07:56:16 AM
The non-bash tooling is still on the to-do list: https://git.zx2c4.com/wireguard-freebsd/tree/TODO.md
Title: Re: Wireguard kernel mainstream support
Post by: franco on November 12, 2022, 11:14:33 AM
Truth be told I urged Jason to create this TODO file back in the day. I offered my help with the POSIX shell script conversion back when it was considered "fine" to have bash.

WireGuard sure is a weird case study of software engineering and project management. ;)


Cheers,
Franco
Title: Re: Wireguard kernel mainstream support
Post by: mimugmail on November 12, 2022, 07:18:01 PM
14.1 will have OpenVPN 2.6 and DSO which is quite the same speed as Wireguard
Title: Re: Wireguard kernel mainstream support
Post by: chemlud on November 12, 2022, 08:38:37 PM
It's not (only) about the speed. It's the philosophy (crypto straightforward, modern and onboard). And no bloat. It's also why LibreSSL is superior to OpenSSL. But nobody cares...
Title: Re: Wireguard kernel mainstream support
Post by: frankw on November 14, 2022, 05:48:00 PM
Does anyone know if this kernel module would support VPP/intel-ipsec-mb and/or Intel QAT?

Was recently reading this very interesting Intel article (https://builders.intel.com/docs/networkbuilders/intel-avx-512-and-intel-qat-accelerate-wireguard-processing-with-intel-xeon-d-2700-processor-technology-guide-1647024663.pdf) on a "Performance Comparison of Kernel WireGuard, VPP WireGuard with Software Encryption, and VPP WireGuard with Hardware Lookaside Encryption". Page 12 is the good stuff :)
Title: Re: Wireguard kernel mainstream support
Post by: nzkiwi68 on November 16, 2022, 05:59:09 AM
Quote from: chemlud on November 12, 2022, 08:38:37 PM
...but nobody cares...

I care! I care a lot, which is why I really want Wireguard, which is just so simple and difficult to deploy insecurely because there are no choices left for you to make.