Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WireGuard Removed from pfSense CE and pfSense Plus Software

    WireGuard
    16
    28
    7.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dennis_sD
      dennis_s
      last edited by

      As detailed in our latest blog, given that kernel-mode WireGuard has been removed from FreeBSD, and out of an abundance of caution, we are removing WireGuard from pfSense software pending a thorough review and audit.

      U 1 Reply Last reply Reply Quote 2
      • KOMK
        KOM
        last edited by

        When I upgraded my SG-1100 to pf+ 21.02 via fresh image install (couldn't upgrade due to pkg bug), I took the opportunity to convert my office RA config from OpenVPN to wireguard then nerfed the OpenVPN configs on server & clients. I guess I'm now in the position of having to choose between reconfiguring everything back to OpenVPN (ugh), or not upgrading pF+ (plus packages once a new release is out) for however many updates it takes until wireguard support is back in.

        G 1 Reply Last reply Reply Quote 1
        • G
          gabacho4 Rebel Alliance @KOM
          last edited by

          @kom do you not have a previous backup you can just restore? If not, that’s something you ought to really reconsider going forward. Wireguard was a brand new feature to Pfsense, regardless of the concerns with code quality. It would have been better to disable the openvpn setup but still keep it just in case of something like this or poor performance etc.

          KOMK 2 Replies Last reply Reply Quote 0
          • S
            SatCat16609
            last edited by

            Since I'm not using Wireguard on 2.5, should I just leave my setup as is, or should I download a fresh image that has Wireguard removed and reinstall?

            G 1 Reply Last reply Reply Quote 0
            • G
              gabacho4 Rebel Alliance @SatCat16609
              last edited by

              @satcat16609 I asked the same question in response to the Twitter post about this. No response yet. I assume they will push an update that will remove it but I could be wrong.

              1 Reply Last reply Reply Quote 1
              • B
                brians
                last edited by

                I had already reverted back to IPsec from a test site I had using WG. I had found that whenever I made any small changes on the remote router, Windows RDP sessions to that site would disconnect momentarily.

                For now I get as good performance with IPSec and OpenVPN (which are both easier to setup and manage).

                1 Reply Last reply Reply Quote 1
                • cmcdonaldC
                  cmcdonald Netgate Developer
                  last edited by

                  how does this impact the 2.6.x snapshots?

                  Need help fast? https://www.netgate.com/support

                  1 Reply Last reply Reply Quote 0
                  • dennis_sD
                    dennis_s
                    last edited by

                    We are working as quickly as we can to get to a release candidate where WireGuard is removed. That said, we do not advise users to run any RC in production. RC’s are meant for early look and testing purposes. Of course, some users may choose to run on RCs, and that is certainly their right. Post successful RC testing, we’ll march towards a new release.

                    As for current installations that have WireGuard, we’ve updated our March 16 blog to ask users to exercise caution with regards to the use of jumbo frames above the stated MTU size.

                    H 1 Reply Last reply Reply Quote 1
                    • KOMK
                      KOM @gabacho4
                      last edited by

                      @gabacho4 I do have config backups but I'm generally suspicious of restoring partial configs like that, especially on our main firewall. I'll probably have to give it a try though. It's virtual so at least I can snapshot it before I restore it like I do with all major updates & package updates.

                      1 Reply Last reply Reply Quote 0
                      • U
                        Ulrik @dennis_s
                        last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 1
                        • cmcdonaldC
                          cmcdonald Netgate Developer
                          last edited by

                          So just so I'm understanding, Netgate is still committed to delivering Wireguard support on pfSense whenever it is accepted upstream?

                          Need help fast? https://www.netgate.com/support

                          1 Reply Last reply Reply Quote 3
                          • H
                            holunde @dennis_s
                            last edited by

                            Can we expect Wireguard to be reintroduced into pfSenseCE/Plus?
                            And if so then when approximately?

                            cmcdonaldC 1 Reply Last reply Reply Quote 0
                            • cmcdonaldC
                              cmcdonald Netgate Developer @holunde
                              last edited by cmcdonald

                              How about a compromise? How about only displaying the VPN > WireGuard UI if the kernel module is available? Additionally, require manual intervention to install it? Like having to download, compile and load the code manually from the shell. That way we can continue testing the implementation and netgate can continue working on it.

                              Also, is redmine still the place to report bugs? I've got a few but uncertain now if they are worth reporting...one has to do with a race situation when using DNS Resolver with WireGuard endpoints that are FQDNs. In this case, it seems that WireGuard is trying to resolve DNS but unbound is either not started or not started completely...the fix is to not use FQDNs as endpoints for me.

                              Need help fast? https://www.netgate.com/support

                              1 Reply Last reply Reply Quote 0
                              • FileCityF
                                FileCity
                                last edited by FileCity

                                According to what I've read here and there, I prefer to see it removed and wait for it. Better collaborative work with cleaned, audited and well written code for a future release will be beneficial. It's not always easy to step back but it's sometimes a better solution.

                                1 Reply Last reply Reply Quote 4
                                • D
                                  dsp3
                                  last edited by

                                  Does build 2.5.1.r.20210320.0824 still contain Wireguard? I'm not ready to give it up just yet!

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    MoonKnight @dsp3
                                    last edited by

                                    @dsp3 said in WireGuard Removed from pfSense CE and pfSense Plus Software:

                                    Does build 2.5.1.r.20210320.0824 still contain Wireguard? I'm not ready to give it up just yet!

                                    Hi,
                                    Yes is gone on 2.5.1 RC and 2.6.0 DEV :)

                                    --- 24.11 ---
                                    Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
                                    Kingston DDR4 2666MHz 16GB ECC
                                    2 x HyperX Fury SSD 120GB (ZFS-mirror)
                                    2 x Intel i210 (ports)
                                    4 x Intel i350 (ports)

                                    1 Reply Last reply Reply Quote 0
                                    • X
                                      xxGBHxx
                                      last edited by

                                      Just caught up.

                                      That went well.

                                      Does anyone or has anyone posted anywhere about the risk we're exposing keeping it running? I'm way more stable than I ever was on OpenVPN so I'm hugely reluctant to swap back to it.

                                      If it's theoretical (as has been suggested) and it's just generally poor implementation I can live with that until it's sorted in FreeBSD and ported back in. I understand why Netgate want to pull it, it's the right thing for them to do for them, but I'm not so sure I need to for my use.

                                      As for the drama, it was an interesting few hours of reading. Netgate don't seem to have all that much respect in the FreeBSD development community with many allegations of high handed and arrogant dealings. Being an outsider it's hard to work out who's at fault without any of the history but that blog post was a difficult read and certainly didn't do Netgate any favours.

                                      G

                                      S 1 Reply Last reply Reply Quote 1
                                      • S
                                        stepheng @xxGBHxx
                                        last edited by

                                        @xxgbhxx I agree it is all a bit of a sad story. I fully understand Netgate's position and those of the various developers involved.

                                        It is a bit of a shame that those of us who jumped in quickly (and in my case found Wireguard to work well as a VPN to connect in and through our home networks) will now have to revert to OpenVPN (which works - although the upgrade to 2.5 did temporarily cause some problems in my case).

                                        I'm only a home hobbyist so I cannot complain and I certainly want well engineered code with a solid foundation. Perhaps the lesson is not to jump to quickly in future.

                                        1 Reply Last reply Reply Quote 1
                                        • KOMK
                                          KOM @gabacho4
                                          last edited by KOM

                                          @gabacho4 So I finally bit the biscuit and tried to restore my old OpenVPN config. It went exactly as I expected it would. It didn't restore the OpenVPN interface, nor the rules on WAN or the OpenVPN interface. For added fun, the service hung on startup with:

                                          Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server1/config.ovpn:34: data-ciphers (2.5.0)

                                          Looks like I'm nuking the whole damned thing and recreating it from scratch, just like I knew I would. I could try kludging it together but I just don't trust it at this point that I haven't been left with a FrankenVPN install.

                                          Edit: If anyone cares, the solution was to remove AES-128-CBC from my list of ciphers.

                                          GertjanG 1 Reply Last reply Reply Quote 1
                                          • O
                                            Ofloo
                                            last edited by Ofloo

                                            WireGuard was one big security blunder ! I still remember that it was thanks to netgate that we got wireguard into FreeBSD kernel. Makes you wonder what they where thinking at netgate. And how poor their code review is that it got in their code base.

                                            "Should WireGuard again be accepted into FreeBSD, we will re-evaluate it for inclusion in a future version of pfSense software."

                                            Probably a long time. You should be able to install it as a package though.

                                            pkg search wireguard
                                            wireguard-2,1                  Meta-port for Wireguard
                                            wireguard-go-0.0.20210323,1    WireGuard implementation in Go
                                            wireguard-kmod-0.0.20210323    WireGuard implementation for the FreeBSD kernel
                                            wireguard-tools-1.0.20210315_3 Fast, modern and secure VPN Tunnel
                                            wireguard-tools-lite-1.0.20210315_3 Fast, modern and secure VPN Tunnel (lite flavor)
                                            

                                            https://www.theregister.com/2021/03/23/freebsd_130_no_wireguard/

                                            JeGrJ 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.