OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: danielm on April 07, 2021, 05:40:21 am

Title: Wireguard changes from 21.1.3 to 21.1.4?
Post by: danielm on April 07, 2021, 05:40:21 am
Hello there,

Can somebody summarize the changes that the wireguard implementation in OPNsense went through from 21.1.3 to 21.1.4 and how they affect existing setups?
I just saw that new wireguard related things like wireguard-kmod (kernel module I presume) will be installed during the update, alongside a very huge version jump in the wireguard package (1.0.20210223 -> 2,1) and I am worried regarding the latest stories about the FreeBSD wireguard kernel code quality.
Our wireguard setup has been working very reliably over the past year or so and I just want to know that it will stay that way in the new version.
Does the new version use a kernel module? Is that the same code with the abysmal quality that caused discussions? Can the old user-mode implementation still be used in the new version?
Title: Re: Wireguard changes from 21.1.3 to 21.1.4?
Post by: juere on April 07, 2021, 08:50:02 am
Quote
Does the new version use a kernel module? Is that the same code with the abysmal quality that caused discussions? Can the old user-mode implementation still be used in the new version?

In order to enable the kernel module, you have to explicitly do

Code:
pkg install wireguard-kmod

and reboot, otherwise the wireguard-go user-space implementation will still be used.

The kmod implementation is the one largely done by the WireGuard project owner Jason A. Donenfeld and not the one by Netgate/Mason Marcy, see https://git.zx2c4.com/wireguard-freebsd.

It is still considered experimental, though:
Quote
At this time this code is new, unvetted, possibly buggy, and should be
considered “experimental”. It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.

I'm in the process of testing the new wireguard-kmod in a production setup for one week now with promising results, especially a substantial speed increase.

I can't see the version jump 1.0.20210223 -> 2,1 you mention, my wireguard versions on 21.1.4 are

Code:
wireguard-go 0.0.20210323,1
wireguard-kmod 0.0.20210323
wireguard-tools 1.0.20210315_3
Title: Re: Wireguard changes from 21.1.3 to 21.1.4?
Post by: danielm on April 08, 2021, 05:12:47 am
Thank you for the information!
I will probably test out the update then.
The version jump is just what the updater told me would happen, I just copied the strings, might be showing it wrong but I still haven't upgraded so I can't say what it'll look like after the fact.
Also the updater told me it would install wireguard-kmod - so in the worst case I could just uninstall it and wireguard should still work fine, if I understand right.
Title: Re: Wireguard changes from 21.1.3 to 21.1.4?
Post by: danielm on April 08, 2021, 05:44:58 am
I just upgraded the first machine and noticed 2 things:
1) the version change of the wireguard package was shown wrong, it is indeed what you showed
2) the wireguard-kmod package was only shown as a new package in the upgrade overview, but not actually installed
so indeed, it should just be running normally with the user space code.
Thanks again!
Title: Re: Wireguard changes from 21.1.3 to 21.1.4?
Post by: juere on April 08, 2021, 06:18:51 am
The new wireguard-kmod is running fine in the production installations I have used it in so far.
The speed increase is really substantial, provided you use a kernel-based WireGuard implementation on both sides of the tunnel.
I'm having minor issues with clients reconnecting automatically, everything else runs like a charm.

Just in case you are feeling "experimental" too, it might be worth a try :)
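
Editor's added example (not part of any post in this thread, and not OPNsense code): a small shell check for the situation described above, where the wireguard-kmod package can be listed or installed while wireguard-go is still the implementation actually carrying the tunnel. It assumes the loaded module appears in kldstat output as if_wg.ko; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the WireGuard backend from captured command output.
#   $1 = package listing (pkg info), $2 = kldstat output, $3 = ps -axo comm output
# Assumption: the loaded kernel module shows up in kldstat as if_wg.ko.
wg_backend() {
    kmod_pkg=no; kmod_loaded=no; go_running=no
    if printf '%s\n' "$1" | grep -q '^wireguard-kmod'; then kmod_pkg=yes; fi
    if printf '%s\n' "$2" | grep -q 'if_wg\.ko'; then kmod_loaded=yes; fi
    if printf '%s\n' "$3" | grep -q '^wireguard-go$'; then go_running=yes; fi

    if [ "$kmod_loaded" = yes ]; then
        echo kernel
    elif [ "$go_running" = yes ] && [ "$kmod_pkg" = yes ]; then
        echo userspace-kmod-not-loaded   # package present, module not active
    elif [ "$go_running" = yes ]; then
        echo userspace
    else
        echo none
    fi
}

# Live check on a FreeBSD/OPNsense host (defined only, not called here).
wg_backend_live() {
    wg_backend "$(pkg info 2>/dev/null)" "$(kldstat 2>/dev/null)" \
               "$(ps -axo comm 2>/dev/null)"
}

# Constructed sample inputs (package versions as quoted in the thread).
PKGS_GO_ONLY='wireguard-go-0.0.20210323,1
wireguard-tools-1.0.20210315_3'
PKGS_WITH_KMOD="$PKGS_GO_ONLY
wireguard-kmod-0.0.20210323"
KLD_PLAIN=' 1   12 0xffffffff80200000  1f30000 kernel'
KLD_WITH_WG="$KLD_PLAIN
 5    1 0xffffffff82f3a000    2c0a0 if_wg.ko"
PS_GO='sshd
wireguard-go'
PS_NO_GO='sshd'

wg_backend "$PKGS_GO_ONLY"   "$KLD_PLAIN"   "$PS_GO"
wg_backend "$PKGS_WITH_KMOD" "$KLD_PLAIN"   "$PS_GO"
wg_backend "$PKGS_WITH_KMOD" "$KLD_WITH_WG" "$PS_NO_GO"
```

On a real host, call wg_backend_live before and after the reboot to confirm which code path is handling traffic.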