Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
wireguard kernel implementation
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: wireguard kernel implementation (Read 11202 times)
Kieeps
Newbie
Posts: 21
Karma: 0
wireguard kernel implementation
«
on:
January 17, 2021, 08:56:21 am »
Any new on the progress of the bsd kernel? Read somewhere a while back that it was being pushed to kernel, did it ever land?
And will the plugin currently in opnsense move from userspace to kernel when it gets implemented? :-)
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: wireguard kernel implementation
«
Reply #1 on:
January 17, 2021, 09:24:25 am »
FreeBSD 13 now has the kernel module so I guess it will come to OPNsense when 13 does (the 13 stable is tentatively scheduled for release by end March)
Logged
Kieeps
Newbie
Posts: 21
Karma: 0
Re: wireguard kernel implementation
«
Reply #2 on:
January 17, 2021, 09:26:59 am »
Good news :-) it'll be fun to see if it has any noticeable improvements over the current implementation :-D
Keep upnthe great work!
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: wireguard kernel implementation
«
Reply #3 on:
January 17, 2021, 09:29:22 am »
I’ve got no connection to OPNsense, just keen to see the kernel module too.
It will definitely have better performance
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: wireguard kernel implementation
«
Reply #4 on:
January 17, 2021, 09:31:02 am »
I’m also not sure how long typically OPNsense lags behind FreeBSD/HardenedBSD releases, so it could be a while after 13 stable is released
Logged
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: wireguard kernel implementation
«
Reply #5 on:
January 17, 2021, 09:36:11 am »
22.7 or 23.1?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: wireguard kernel implementation
«
Reply #6 on:
January 17, 2021, 11:24:50 am »
FreeBSD 13 itself is not even stable yet
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: wireguard kernel implementation
«
Reply #7 on:
January 17, 2021, 04:29:33 pm »
The wireguard module is a good candidate for stable/12. The iflib preparations for this module are already backported. With pfSense 2.5 almost out and being based on FreeBSD 12 it's very likely this is going to happen within this year since they always said the userspace implementation is bad and they would rather wait for the "real" thing.
https://redmine.pfsense.org/issues/8786
Cheers,
Franco
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: wireguard kernel implementation
«
Reply #8 on:
January 17, 2021, 08:21:04 pm »
Nice, thanks Franco!
Logged
JeGr
Hero Member
Posts: 1945
Karma: 227
old man standing
Re: wireguard kernel implementation
«
Reply #9 on:
January 20, 2021, 01:13:58 am »
https://www.netgate.com/blog/wireguard-for-pfsense-software.html
With a new snapshot of pfSense 2.5pre incoming tomorrow and as it's based on 12.2 I suspect the Kernel module if_wg is (al)ready (to be) backported? So it shouldn't take long to bring it further to HardenedBSD I suspect
Looking forward to a new kernel space implementation and read speed benchmarks
Logged
"It doesn't work!" is no valid error description!
- Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense as no(n)sense!
If you're interested in german-speaking business support, feel free to reach out via PM.
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: wireguard kernel implementation
«
Reply #10 on:
January 20, 2021, 06:24:57 am »
Nice!
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: wireguard kernel implementation
«
Reply #11 on:
January 20, 2021, 08:54:28 am »
Does the kernel implementation have better logging? I could not find anything in my opnsense system logs, except for some errors when the peer is offline (for rebooting). Or does it need higher log level?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: wireguard kernel implementation
«
Reply #12 on:
January 20, 2021, 08:56:26 am »
I'd guess everything stays the same since the userland tool wg-quick doesn't change, it's only crypto offloading to kernel.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
JeGr
Hero Member
Posts: 1945
Karma: 227
old man standing
Re: wireguard kernel implementation
«
Reply #13 on:
January 20, 2021, 02:45:26 pm »
Couldn't find anything about more logging. Even the newly created docs of the pfsense snapshots tells you in the bullet points:
* It operates completely in the kernel
* Configuration is placed directly on the interfaces
* It has no concept of connections or sessions
* There is no “status” of the VPN (e.g. it isn’t considered up or down, it has no visible timers, etc.)
* It has no facilities for user authentication
* There is no service daemon to stop or start
*
There is only minimal logging from the kernel
* It does not bind to a specific interface or address on the firewall, it accepts traffic to any address on the firewall on its specified port
As it is virtually "service- and status-less" logging would be hard to implement besides errors/messages from the kernel(module) itself. But that's only my understanding, mimugmail may be deeper into that
Logged
"It doesn't work!" is no valid error description!
- Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense as no(n)sense!
If you're interested in german-speaking business support, feel free to reach out via PM.
Patrick M. Hausen
Hero Member
Posts: 6826
Karma: 573
Re: wireguard kernel implementation
«
Reply #14 on:
January 20, 2021, 03:15:23 pm »
Quote
* It has no concept of connections or sessions
* There is no “status” of the VPN
That's a feature.
"Look, a packet matching my tunnel policy" --> Encrypt with peer's public key, encapsulate in UDP, send to peer instead. Is the peer alive? How the heck should I know?
"Look an encrypted packet" --> Does it come from a configured peer? Does it decrypt with my private key? OK, decrypt, de-encapsulate, throw into ip_input() again.
It's definitely more like GRE or IPIP than, say, OpenVPN. You can do something similar with IPSec, throw away all of ISAKM/IKE and phase 1 and just statically configure phase 2 SAs and keys. Similar result.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
wireguard kernel implementation