FreeBSD kernel-mode WireGuard moves forward out-of-tree

Filed under: Security, BSD

Earlier this week, we covered progress integrating an implementation of the WireGuard VPN protocol into the FreeBSD kernel. Two days later, there's an update—kernel-mode WireGuard has been moved out of FreeBSD 13 development entirely for the time being.
The change only affects kernel-mode WireGuard. User-mode WireGuard has been available in FreeBSD since 2019 and remains unaffected. If you pkg install wireguard, you get user-mode WireGuard, better known as wireguard-go. Wireguard-go is potentially less performant than kernel-mode, but it's stable and more than fast enough to keep up with most use cases.

The removal is actually good news for FreeBSD users and WireGuard users. Although the new kernel work done by WireGuard founder Jason Donenfeld, FreeBSD developer Kyle Evans, and OpenBSD developer Matt Dunwoodie represented a clear step forward, it was deemed too rushed to go out in a production kernel. This is a decision heartily endorsed by Donenfeld himself, who prefers a steadier development process with more code reviews and consensus.

Donenfeld announced the migration of development from FreeBSD 13-CURRENT to his own git repository earlier today. The new snapshot no longer relies on ifconfig extensions to build tunnels; it uses wg and wg-quick commands similarly to Linux, Windows, and Android builds instead. Although the code works, Donenfeld warns that it shouldn't be considered production-ready yet...


WireGuard bounces off FreeBSD—for now

    The WireGuard VPN tunnel is a fast and easy-to-use solution for those who need or want a secure tunnel for their traffic. The project has been around since 2016, but it has had a somewhat circuitous route into Linux; it was merged for the 5.6 kernel, which was released in March 2020. Getting into Linux required WireGuard developer Jason A. Donenfeld to acquiesce to having WireGuard use some of the existing kernel crypto primitives, rather than merging his Zinc crypto library. Some of the same tensions that were seen in that process seem to be cropping up again in the more recent efforts to add WireGuard support to several BSD kernels.

    [...]

    As alluded to in Donenfeld's original post, there have also been efforts to add WireGuard support in NetBSD, but those have not gone entirely smoothly, seemingly. An August 2020 thread started by Donenfeld on the tech-kern and tech-net mailing lists for NetBSD was similarly critical of an existing WireGuard implementation; he asked that the existing code be reverted in favor of an evaluation of the proper path forward. He offered to work with Taylor R Campbell, who had picked up some code written by Ryota Ozaki back in 2018; "it seemed to be in pretty good shape when I reviewed it this year, with a few small issues I saw, so I dusted it off and merged it".

    [...]

    By all accounts, WireGuard itself is an excellent VPN solution, but it would seem that unlike the usual approach for a network protocol, where multiple implementations are made independently based on a specification, WireGuard needs to be treated differently. Donenfeld is justifiably proud of his accomplishment, but his requirements for other implementations seem far too rigid—at least for some communities. As we have seen in several different operating system projects (Linux, FreeBSD, NetBSD), Donenfeld often expects that the other, much larger projects conform to his exacting standards and methods. In the end, that attitude may discomfit more than just graybeards.

[Older] WireGuard Is Coming To Your pfSense Router

    Even after a herculean amount of effort by WireGuard's founder, Jason Donenfeld, and developers Kyle Evans and Matt Dunwoodie, WireGuard will not be included in the upcoming release of FreeBSD 13.0. This will also mean that Netgate's announcement of the inclusion of WireGuard in the next release of pfSense was premature, as that router OS is based off of FreeBSD. All three developers did their best to polish the existing code and bring it up to their high standards, but unfortunately there was simply not enough time.

    If you haven't run into WireGuard before, it is an open source VPN similar to OpenVPN or closed source ones, with a bit of a difference. The developers of WireGuard take their coding very seriously; while OpenVPN consists of 400,000 lines of code added to the kernel, WireGuard is a mere 4000. This makes it significantly faster and more robust than OpenVPN or other VPN programs, but it is also why the release is delayed. Until the crew can reduce the current footprint of WireGuard, they are not comfortable adding it.

