OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: allebone on July 31, 2022, 07:13:31 pm

Title: Did I misunderstand wireguard, zenarmor, kmod?
Post by: allebone on July 31, 2022, 07:13:31 pm
I switched to kmod a while ago and was happily waiting for zenarmor to ‘catch up’ and eventually be able to support monitoring on the kmod version of wireguard's interface. However, now I am thinking that will never happen as the kmod version is stripped down and missing stuff that sensei/zenarmor needs to work. Did I imagine that it was possible for the kernel version of wireguard to be supported one day by zenarmor, or is that impossible by design and I should be using wireguard go instead?
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: mb on August 01, 2022, 04:54:43 am
Hi @allebone,

Yes, the problem with wireguard kmod is that it does not have netmap support. For now, the best option would be wireguard go if you want to monitor the wireguard interface with zenarmor.

Having said that, we want to help wireguard kmod have netmap support and for that we're looking into several alternatives to make that happen.
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: allebone on August 01, 2022, 11:14:43 pm
I understand. Is the roadmap in years or months for this? Just want to understand if we are 6 months or 6 years away.
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: mb on August 02, 2022, 03:16:55 am
Hi @allebone, Sorry for making you wait.

The challenge for us here is that netmap is part of the Operating System and is developed and maintained by its own team. Since it's not part of zenarmor codebase, we reach out to the authors and sponsor this kind of development.

This generally takes longer than shipping a zenarmor functionality.

Having said that, the "current plans" are that we'll be sponsoring another round of work, sometime during this year.

I hope this answer is more helpful to you. 
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: allebone on August 02, 2022, 04:08:46 am
Thank you, very helpful.
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: franco on August 02, 2022, 10:11:15 am
Small historic context here:

The WireGuard version done by pfSense actually had iflib/netmap support but failed spectacularly with regard to implementational security. The kmod version rewrite omitted the iflib (and therefore netmap support) in part for complexity reasons and in part for not wanting to deal with it by the authors to race to the finish line.

So that's where we are now. ;)


Cheers,
Franco
Title: Re: Did I misunderstand wireguard, zenarmor, kmod?
Post by: mb on August 03, 2022, 07:09:23 am
Thanks @franco, very much helpful. I'll be reaching out to you about this.