Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it

[Patrick M. Hausen]

The big question to me: Is pfsense 2.5 safe to be run with this trash code on board? I still have one running, which has to be updated soon... :-/

As long as you don't run WireGuard ... ;)

[franco]

It's in ports now, which is a perfectly sane approach in my book:
https://svnweb.freebsd.org/ports/head/net/wireguard-kmod/

I know, it's going to be available for early bird testing in 21.1.4 ;)

https://github.com/opnsense/tools/commit/7fbb0fc74cb6


Cheers,
Franco

[chemlud]

The big question to me: Is pfsense 2.5 safe to be run with this trash code on board? I still have one running, which has to be updated soon... :-/

As long as you don't run WireGuard ... ;)

...but that was the plan... :-(

[tusc]

Any idea when 21.1.4 will ship? :) No worries if you can't say.

[franco]

I can quite possibly say tomorrow :D


Cheers,
Franco

[chemlud]

I can quite possibly say tomorrow :D


Cheers,
Franco

There will be no problems for users of the WG-GO implementation?`:-)

[franco]

All we did was add wireguard-kmod to the binary packages without tying it a plugin or core. So as far as 21.1 is concerned nothing changes about WireGuard in production.


Cheers,
Franco

[tusc]

Now that 21.1.4 has released, how do you transition to the kernel wireguard module? Do you have to uninstall wireguard-go first? Thanks.

[MartB]

Im using if_wg.ko at the moment and i must say im impressed.
Im maxing out my 400/200 Mbit/s line with absolutely 0 issues.



On the download speed test i see the following system load:

Code Select Expand

CPU:  1.8% user,  0.0% nice, 15.3% system, 33.4% interrupt, 49.6% idle
Thats on a Intel(R) Celeron(R) J4115 CPU @ 1.80GHz (4 cores)

If you want to try it yourself on 21.1.4, all i did was the following:

Code Select Expand


pkg install wireguard
reboot (not strictly needed but cant hurt)

wg-quick down wg0
wg-quick up wg0


Verify that if_wg.ko is loaded with kldstat and check top or ps so that no wireguard-go process exists.

Nice work from the upstream devs and huge thanks to @franco for including it as a port!

Edit: See https://forum.opnsense.org/index.php?topic=20978.msg106204#msg106204 for the numbers i had before on wireguard-go.

[mimugmail]

What was your throughput before?

[MartB]

What was your throughput before?

~400 but i maxed 2 cores of the cpu during these peak times, im gonna switch back and update this post later!

Edit:

Code Select Expand


CPU: 29.7% user,  0.0% nice, 27.5% system, 33.5% interrupt,  9.3% idle
Mem: 1078M Active, 48M Inact, 568M Wired, 296M Buf, 14G Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
40505 root         12  52    0   715M    27M uwait    3   0:29 222.05% wireguard-go


Thats a hefty reduction in resource usage!

[chemlud]

Nice! Wanna have--- :-D

[tusc]

It looks like removing wireguard-go from the command line removes os-wireguard (which includes the UI interface for wireguard). Any way to remove this dependency?

Code Select Expand

[root@OPNsense ~]# pkg delete wireguard-go
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
os-wireguard: 1.5
wireguard-go: 0.0.20210323,1

Number of packages to be removed: 2

The operation will free 3 MiB.

Proceed with deinstalling packages? [y/N]

[MartB]

Do not remove wireguard-go its not needed in order to use the kmod.

Just install the kmod using the wireguard meta package, wg will automatically pick if_wg if its available.

See my post for more details

[tusc]

Cool, I managed to get the kernel module to work, was able to maintain 900Mbit/sec through the tunnel with iperf3 running on the firewall. I have to believe load will be lower if I just route through it.