Wireguard kernel mainstream support

Started by bbin, October 30, 2022, 06:30:16 PM

Looks like wireguard was just committed to the FreeBSD kernel.

https://www.phoronix.com/news/FreeBSD-WireGuard-Lands-2022

What are the current plans for incorporating into opnsense?

I'm very keen to see this too.

And support for wireguard-kmod to follow CARP, to ensure that WireGuard only starts on the MASTER, like many other packages, and if the firewall transitions to CARP backup status, then stop WireGuard.

Without this, if wireguard is running on the backup firewall, then keepalive causes chaos on a clustered HA firewall pair.

Quote from: bbin on October 30, 2022, 06:30:16 PM
Looks like wireguard was just committed to the FreeBSD kernel.

https://www.phoronix.com/news/FreeBSD-WireGuard-Lands-2022

What are the current plans for incorporating into opnsense?

Hmm, I don't see FreeBSD 14 on the road map for 23.1

https://opnsense.org/about/road-map/
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

But, that's ok, because the link talks about Wireguard-kmod available as a package to be back ported to earlier FreeBSD versions and I quote:

Quote
For those on existing FreeBSD releases, the WireGuard module is also available via FreeBSD ports.

14.1 might be a target, certainly not for 23.1. ;)

The thing is the wireguard-kmod package is the same deal and we do favour packages over base tools, which are harder to patch and update. I also don't know what they did for the bash requirement of the wireguard tools but it remains to be seen.

For the time being: nothing new to see here, move along.


Cheers,
Franco


Truth be told I urged Jason to create this TODO file back in the day. I offered my help with the POSIX shell script conversion back when it was considered "fine" to have bash.

WireGuard sure is a weird case study of software engineering and project management. ;)


Cheers,
Franco

14.1 will have OpenVPN 2.6 and DSO which is quite the same speed as Wireguard

It is not (only) about the speed. It's the philosophy (crypto straightforward, modern and onboard). And no bloat. It's also why LibreSSL is superior to OpenSSL. But nobody cares...
kind regards
chemlud

Does anyone know if this kernel module would support VPP/intel-ipsec-mb and/or Intel QAT?

Was recently reading this very interesting Intel article on a "Performance Comparison of Kernel WireGuard, VPP WireGuard with Software Encryption, and VPP WireGuard with Hardware Lookaside Encryption". Page 12 is the good stuff :)

Quote from: chemlud on November 12, 2022, 08:38:37 PM
...but nobody cares...

I care! I care a lot, which is why I really want WireGuard, which is just so simple and difficult to deploy insecurely because there are no choices left for you to make.