console message during boot, with wireguard installed

[manilx]

Hi

On boot I get the following message displayed:

Code: [Select]

Running wireguard-go is not required because this kernel has first class
support for WireGuard.
For information on installing the kernel module.
please visit:
https://www.wireguard.com/install
Going to the above link I find:
 FreeBSD [kmod – v0.0.20220615, userspace go – v0.0.20220316 & tools – v1.0.20210914]
# pkg install wireguard

So, am I supposed to install the kernel module? I've read on this forum that it was experimental/beta.....

Confused....

Help appreciated.

[bartjsmit]

There are security risks in running privileged binaries such as WireGuard in user space. It leaves them accessible in ways that kernel modules do not.

On a firewall there shouldn't be (m)any users logging in regularly, so the risk is reduced.

Bart...

[manilx]

Yes but this doesn't answer my question.

Are we supposed to stop using wireguard-go and install the kernel module as the message implies?

Appreciating an answer from the developers on this.....

[franco]

The message is from the wireguard author and a bit on the nose. The debacle in FreeBSD was never fully recovered from it seems.

Here are the facts:

1. wireguard-go works reliably, securely and is still the default for us, but is slower
2. wireguard-kmod works in most use cases but has no plugin support, but is faster

General advice:

Ignore console messages, either install kmod manually or not...

# pkg install wireguard-kmod


Cheers,
Franco

[manilx]

Thx @franco!

I'll leave it as it is, tried kmod before and it was actually slower....

[franco]

Ok, glad you tried both. It's true that some have more success with kmod than others.


Cheers,
Franco

[manilx]

Hope someday soon you implement a kernel module, which is fully working/supported.

I use WG heavily and coming from Untangle/Linux it's SO much slower on OPNsense. From a 1GB download I get 50% speed and on Untangle 95%......

[franco]

Well, the plugin needs to be duplicated for kmod use and patched to show proper tunnel status. But besides that the ball is in the wireguard court either discontinuing the go package or working on the kernel module further...


Cheers,
Franco

[manilx]

I understand.
Does seem like a low priority job then for them as this doesn't go forward.

[manilx]

After the Upgrade to 22.7.5 I find that WG performance has been improved!

[franco]

Are you using Surciata IPS? At least on the WireGuard end nothing changed...


Cheers,
Franco

[manilx]

Yes, I am. But before I updated I noted that the WG plugin was also being updated.....

[franco]

If you mean this https://github.com/opnsense/ports/commit/beaae9739f0a ? It's an empty bump for go compiler version change...

Suricata was hogging CPU time it did not need so now more CPU time is there for WireGuard.


Cheers,
Franco

[manilx]

OK.  I just noted on the update info page that the wg-go was a newer version, so I thought this was the cause of the improvement.