Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it

[TheLinuxGuy]

Hi,

I'm wondering if the 21.1 version may have the kernel module for wireguard rather than the golang version?

It seems like FreeBSD 13 will have it soon if https://www.phoronix.com/scan.php?page=news_item&px=FreeBSD-WireGuard-Lands is accurate.

[mimugmail]

Maybe 21.7 or 22.1 .. it depends on how fast backporting while be done.

[Greelan]

See https://forum.opnsense.org/index.php?topic=20947.msg97702#msg97702

[franco]

@Greelan: I stripped the taptalk redirect URL for the direct link. But thanks for linking, otherwise I would have done it


Cheers,
Franco

[TheLinuxGuy]

@Greelan: I stripped the taptalk redirect URL for the direct link. But thanks for linking, otherwise I would have done it


Cheers,
Franco

great thanks for the link. So if pfsense 2.5 includes it in FBSD 12 that would translate to opnsense adding it as well in the current FreeBSD 12 release and thus possibly coming on 21.1?

[JeGr]

I think 21.1 would be hard to match, wouldn't it? Franco?

Otherwise with screenshots already posted by Netgate about Wireguard Kernel Module hitting the next pfSense 2.5 Snapshots (https://www.netgate.com/blog/wireguard-for-pfsense-software.html) I suppose backporting to FreeBSD 12.x stable should be almost (or already?) done Sooo perhaps we'll see it later on in 21.1.x or 21.7?

Looking forward to the first benchmarks between the three in a S2S scenario

[mimugmail]

If I rememeber correctly, Olivier tested it on FBSD13 and it was around 2,9Gbit while IPsec 2,6Gbit or so

[franco]

21.1 is next week and more or less in freeze mode so that is a little out of scope, but 21.1.x seems possible if we can motivate Michael to bring this one home.


Cheers,
Franco

[mimugmail]

I'm all in 

[JeGr]

That sounds promising - both 21.1.x and the estimated throughput Could put many IPsec scenarios out of business if you control both ends

[Patrick M. Hausen]

That sounds promising - both 21.1.x and the estimated throughput Could put many IPsec scenarios out of business if you control both ends

In one of our offices even wireguard-go already does. Throughput limited by provider bandwidth, delay *much* better than any other VPN protocol I tried.

[mimugmail]

I did these tests with older Intels (without microcode updates) and wireguard-go was really close to IPsec (compared to OpenVPN):

https://www.routerperformance.net/comparing-opnsense-vpn-performance/

[FingerlessGloves]

I'm all in 

Where do I donate beer money or late late `git push` energy drinks 

[franco]

I have to disappoint, but Bavaria already has all the beer in the world to push through. 


Cheers,
Franco

[mimugmail]

Just discovered I have a small brewery nearby. Bergfeld Beer