Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it

[Greelan]

Fail. I remember reading a mailing list thread some months ago where, after learning that Netgate was working on a port, Donenfeld reached out to ask them to collaborate. The Netgate dev seemed strangely resistant. Can’t readily put my hands on the thread again but it was eye-opening

Edit: found it - https://lists.freebsd.org/pipermail/freebsd-net/2020-February/055414.html

[bubbagump]

Define "included". The kernel patch doesn't help anyone with the wireguard plugin yet so rushing this is not useful and creates false expectations.

Considering the Netgate cowboy kernel module fiasco, I will gladly take this approach any day of the week.

To say this is scathing is being kind.

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

[chemlud]

Define "included". The kernel patch doesn't help anyone with the wireguard plugin yet so rushing this is not useful and creates false expectations.

Considering the Netgate cowboy kernel module fiasco, I will gladly take this approach any day of the week.

To say this is scathing is being kind.

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

 

[134]

Is there any estimate on when OpnSense will have Jason's implementation of WG ? I'm currently fine with OpenVPN, but looking toward WG.

[chemlud]

Hmmm, as the cowboy wrote in his rant, Netgate will block any secure and reliable kernel implementation of wg.

So it would be HardendBSDs turn to implement that. Maybe we should start a fund-raiser here? I would be happy to do some testing, if necessary...

[bubbagump]

Is there any estimate on when OpnSense will have Jason's implementation of WG ? I'm currently fine with OpenVPN, but looking toward WG.

OPNSense already has it via the official Go module. It’s not kernel based which is slightly (very slightly) slower, but it’s secure and MUCH faster than anything else out there. Go Wireguard with reckless abandon now on OPNSense.

[Voodoo]

Wow netgate wireguard implementation reads great.

There were random sleeps added to “fix” race conditions, validation
functions that just returned true, catastrophic cryptographic
vulnerabilities, whole parts of the protocol unimplemented, kernel
panics, security bypasses, overflows, random printf statements deep in
crypto code, the most spectacular buffer overflows, and the whole litany
of awful things that go wrong when people aren’t careful when they write
C. Or, more simply, it seems typical of what happens when code ships
that wasn’t meant to. It was essentially an incomplete half-baked
implementation – nothing close to something anybody would want on a
production machine.

[franco]

Things are still developing in real time it seems. One thing that stands out is that Netgate owns this debacle and has a lot of pull (money) in FreeBSD that it can get away with the initial merge. Then it tries the same approach when the WireGuard author works on FreeBSD improvements to get WireGuard out of all the source trees because they say so?

I mean we have this disaster now but we want to still trust the same people to solve the situation by making it worse after it got better? FreeBSD has a structural issue within its ranks that it needs to address. It only hurts the FreeBSD reputation as a whole to let this situation continue into the next couple of years.

For now we will merge whatever upstream work is going into the kernel module no matter if it is removed over there at some point or not. We can always trust in the available userland implementation.


Cheers,
Franco

[mimugmail]

Guys .. you need to read the answer of Jason to what Scott wrote him directly ... somebody bring popcorn please ..

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006499.html

[chemlud]

Guys .. you need to read the answer of Jason to what Scott wrote him directly ... somebody bring popcorn please ..

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006499.html

Bavaria is a little late to this party, see the posts above :-p

[mimugmail]

6499 is a different one .. not everyone goes to threads and look at the replies in the archives, and this reply is even more joy to read

[chemlud]

Ok, we need a cross-link for you ;-p

https://forum.opnsense.org/index.php?topic=22081.msg104688#msg104688

[chemlud]

...at least the trash is gone from the kernel, hope to see something better soonish

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006504.html

[franco]

That means Netgate convinced FreeBSD to do what Scott Long suggested. Oh man, get ready for more shit in the next couple of years. This is just the beginning of the drama.


Cheers,
Franco

[bimmerdriver]

That means Netgate convinced FreeBSD to do what Scott Long suggested. Oh man, get ready for more shit in the next couple of years. This is just the beginning of the drama.


Cheers,
Franco

I'm not sure which is worse, that Netgate rammed their broken implementation of Wireguard into FreeBSD a few weeks before a release, expecting it to be part of the release, or that FreeBSD let them. It's amazing.