console message during boot, with wireguard installed

Started by manilx, October 04, 2022, 11:54:53 PM

Hi

On boot I get the following message displayed:

Running wireguard-go is not required because this kernel has first class
support for WireGuard.
For information on installing the kernel module.
please visit:
https://www.wireguard.com/install


Going to the above link I find:
FreeBSD [kmod – v0.0.20220615, userspace go – v0.0.20220316 & tools – v1.0.20210914]
# pkg install wireguard

So, am I supposed to install the kernel module? I've read on this forum that it was experimental/beta.....

Confused....

Help appreciated.

There are security risks in running privileged binaries such as WireGuard in user space. It leaves them accessible in ways that kernel modules do not.

On a firewall there shouldn't be (m)any users logging in regularly, so the risk is reduced.

Bart...

Yes but this doesn't answer my question.

Are we supposed to stop using wireguard-go and install the kernel module as the message implies?

Appreciating an answer from the developers on this.....

The message is from the wireguard author and a bit on the nose. The debacle in FreeBSD was never fully recovered from, it seems.

Here are the facts:

1. wireguard-go works reliably, securely and is still the default for us, but is slower
2. wireguard-kmod works in most use cases but has no plugin support, but is faster

General advice:

Ignore console messages, either install kmod manually or not...

# pkg install wireguard-kmod


Cheers,
Franco

Thx @franco!

I'll leave it as it is, tried kmod before and it was actually slower....

Ok, glad you tried both. It's true that some have more success with kmod than others.


Cheers,
Franco

Hope someday soon you implement a kernel module, which is fully working/supported.

I use WG heavily and coming from Untangle/Linux it's SO much slower on OPNsense. From a 1GB download I get 50% speed and on Untangle 95%......

Well, the plugin needs to be duplicated for kmod use and patched to show proper tunnel status. But besides that the ball is in the wireguard court either discontinuing the go package or working on the kernel module further...


Cheers,
Franco

I understand.
Does seem like a low priority job then for them as this doesn't go forward.

After the Upgrade to 22.7.5 I find that WG performance has been improved!

Are you using Suricata IPS? At least on the WireGuard end nothing changed...


Cheers,
Franco

Yes, I am. But before I updated I noted that the WG plugin was also being updated.....

If you mean this https://github.com/opnsense/ports/commit/beaae9739f0a ? It's an empty bump for go compiler version change...

Suricata was hogging CPU time it did not need so now more CPU time is there for WireGuard.


Cheers,
Franco

OK. I just noted on the update info page that the wg-go was a newer version, so I thought this was the cause of the improvement.