Why are there two WireGuard plugins?

Started by hushcoden, May 09, 2023, 02:43:18 PM

I'm trying to understand why there are two WireGuard plugins, os-wireguard & os-wireguard-go, both on the same version 1.13_5 (and same size, 55.5 KiB), and, in that case, which one to install.

Tia.

There are two different implementations of WG: the Go version and the kernel version.

os-wireguard       - Kernel Version
os-wireguard-go  - Go Version

The Kernel version can perform better because its implementation allows it to use better resources. However, the Kernel implementation is still new to OPN. When you check the NOTEs under the package, it says exactly that, plus that there can be some security/vulnerability implications.

I tried both, both work Okay (Kernel performs better). Didn't see any problems with it.

P.S. always read the attachment notes for a specific plugin/package

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on May 09, 2023, 02:59:13 PM
P.S. always read the attachment notes for a specific plugin/package

Thanks, much clearer now, but in my case if I click on the info icon on the right of the plugin, I get the same notes ??

Have the same.

Not sure why the notes are the same for both of them when there is a difference in the implementation.

That was as well one of the reasons why I tested both.

Regards,
S.

For me, I can see no clear gain in speed, but since using kmod, CPU load is much higher when the daily backup runs through the tunnel.
i am not an expert... just trying to help...

Same here, seeing higher CPU load with kmod, but kinda that's what I would expect.

Regards,
S.

The plugin code is the same for both. Only the dependencies are different... It's how WireGuard tools want to handle the situation.


Cheers,
Franco

Quote from: franco on May 10, 2023, 08:50:29 AM
The plugin code is the same for both. Only the dependencies are different... It's how WireGuard tools want to handle the situation.


Cheers,
Franco

I really thought it had to be a little bit re-implemented to have the kmod version on OPN. Now this makes sense, as well as why the package notes are the same. Thanks for clearing this!

Regards,
S.

October 14, 2023, 04:23:37 PM #8 Last Edit: October 14, 2023, 05:49:32 PM by Random999
It gets more unclear when installing os-wireguard (version 2.3) seeing this installation message:

Message from wireguard-kmod-0.0.20220615_1:

--
buggy code warning removed
--
===>   NOTICE:
This port is deprecated; you may wish to reconsider installing it:

Only useful for FreeBSD 12 which is EoL soon.

It is scheduled to be removed on or after 2023-12-31.



Obviously the "This port is deprecated; you may wish to reconsider installing it" certainly raised my eyebrows.

When you install the os-wireguard-go version, it's giving you this message:

[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2 (wg): Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘


I'm sticking to os-wireguard (although I did not notice any performance differences).
But let's see what happens after the mentioned date in the warning message....

Can't say for sure, but.

At release 23.7.3 WG

https://docs.opnsense.org/releases/CE_23.7.html#august-30-2023

Regards,
S.

This is all FreeBSD ports messaging and can safely be ignored. We're moving everything into the kernel/base system with minimal dependencies for 24.1 and FreeBSD deleting the kmod package at the end of the year makes that process more understandable why we are working on that migration...

As far as the original question goes: the wireguard and wireguard-go plugins are no longer the same code base, with the go variant being old and deprecated. What work was done for the kmod plugin will move to core for 24.1 and all plugins and obsolete packages will be removed.


Cheers,
Franco

thanks for the clarification, much appreciated Franco!

January 20, 2024, 09:28:01 PM #12 Last Edit: January 20, 2024, 09:48:03 PM by GuruLee
So after seeing that Zenarmor is not recognizing any Internet traffic from my Wireguard-kernel version and that it also shows only local traffic from the wrong source interface, I found this Reddit post about the wireguard-go plugin fixing that issue (https://www.reddit.com/r/zenarmor/comments/13vaebn/troubleshooting_zenarmor_integration_with), so I uninstalled the kernel version and then installed the go version w/o any issue or re-configuration needed. I also tried restarting the Zenarmor packet engine....
BUT this did NOT resolve the issue. Zenarmor still does not see any wireguard vpn client Internet traffic and it only sees the local traffic.
I did not see any performance hit switching from the kernel to the go version of the wireguard plugin.
However, I plan on switching back to the kernel version until I get a resolution from Zenarmor support.

Hi @GuruLee,

OPNsense 24.1 RC1 has the wireguard kernel mode netmap support available. Any chance you can give that a try? Or alternatively you can wait for 24.1 to be generally available.

With OPNsense 24.1 and Zenarmor 1.16.1 and forward, Zenarmor (and Suricata in IPS mode) is able to handle kernel mode wireguard as well.