Netgate Discussion Forum

WireGuard Removed from pfSense CE and pfSense Plus Software

    dennis_s
    last edited by Mar 18, 2021, 5:05 PM

    As detailed in our latest blog, given that kernel-mode WireGuard has been removed from FreeBSD, and out of an abundance of caution, we are removing WireGuard from pfSense software pending a thorough review and audit.

      KOM
      last edited by Mar 18, 2021, 5:37 PM

      When I upgraded my SG-1100 to pf+ 21.02 via fresh image install (couldn't upgrade due to pkg bug), I took the opportunity to convert my office RA config from OpenVPN to wireguard then nerfed the OpenVPN configs on server & clients. I guess I'm now in the position of having to choose between reconfiguring everything back to OpenVPN (ugh), or not upgrading pF+ (plus packages once a new release is out) for however many updates it takes until wireguard support is back in.

        gabacho4 Rebel Alliance @KOM
        last edited by Mar 18, 2021, 5:48 PM

        @kom do you not have a previous backup you can just restore? If not, that’s something you ought to really reconsider going forward. WireGuard was a brand new feature to pfSense, regardless of the concerns with code quality. It would have been better to disable the OpenVPN setup but still keep it just in case of something like this or poor performance etc.

          SatCat16609
          last edited by Mar 18, 2021, 5:52 PM

          Since I'm not using Wireguard on 2.5, should I just leave my setup as is, or should I download a fresh image that has Wireguard removed and reinstall?

            gabacho4 Rebel Alliance @SatCat16609
            last edited by Mar 18, 2021, 5:54 PM

            @satcat16609 I asked the same question in response to the Twitter post about this. No response yet. I assume they will push an update that will remove it but I could be wrong.

              brians
              last edited by Mar 18, 2021, 6:07 PM

              I had already reverted back to IPsec from a test site I had using WG. I had found that whenever I made any small changes on the remote router, Windows RDP sessions to that site would disconnect momentarily.

              For now I get as good performance with IPsec and OpenVPN (which are both easier to set up and manage).

                cmcdonald Netgate Developer
                last edited by Mar 18, 2021, 6:10 PM

                How does this impact the 2.6.x snapshots?

                Need help fast? https://www.netgate.com/support

                  dennis_s
                  last edited by Mar 18, 2021, 7:15 PM

                  We are working as quickly as we can to get to a release candidate where WireGuard is removed. That said, we do not advise users to run any RC in production. RCs are meant for early look and testing purposes. Of course, some users may choose to run on RCs, and that is certainly their right. Post successful RC testing, we’ll march towards a new release.

                  As for current installations that have WireGuard, we’ve updated our March 16 blog to ask users to exercise caution with regards to the use of jumbo frames above the stated MTU size.

                    KOM @gabacho4
                    last edited by Mar 18, 2021, 8:01 PM

                    @gabacho4 I do have config backups but I'm generally suspicious of restoring partial configs like that, especially on our main firewall. I'll probably have to give it a try though. It's virtual so at least I can snapshot it before I restore it like I do with all major updates & package updates.

                        cmcdonald Netgate Developer
                        last edited by Mar 18, 2021, 8:49 PM

                        So just so I'm understanding, Netgate is still committed to delivering Wireguard support on pfSense whenever it is accepted upstream?

                        Need help fast? https://www.netgate.com/support

                          holunde @dennis_s
                          last edited by Mar 19, 2021, 10:39 AM

                          Can we expect Wireguard to be reintroduced into pfSenseCE/Plus?
                          And if so then when approximately?

                            cmcdonald Netgate Developer @holunde
                            last edited by cmcdonald Mar 19, 2021, 1:12 PM Mar 19, 2021, 12:45 PM

                            How about a compromise? How about only displaying the VPN > WireGuard UI if the kernel module is available? Additionally, require manual intervention to install it? Like having to download, compile and load the code manually from the shell. That way we can continue testing the implementation and Netgate can continue working on it.

                            Also, is Redmine still the place to report bugs? I've got a few but am uncertain now if they are worth reporting... One has to do with a race situation when using DNS Resolver with WireGuard endpoints that are FQDNs. In this case, it seems that WireGuard is trying to resolve DNS but unbound is either not started or not started completely... The fix is to not use FQDNs as endpoints for me.

                            Need help fast? https://www.netgate.com/support

                              FileCity
                              last edited by FileCity Mar 20, 2021, 12:03 AM Mar 20, 2021, 12:00 AM

                              According to what I've read here and there, I prefer to see it removed and wait for it. Better collaborative work with cleaned, audited and well written code for a future release will be beneficial. It's not always easy to step back but it's sometimes a better solution.

                                dsp3
                                last edited by Mar 20, 2021, 9:29 PM

                                Does build 2.5.1.r.20210320.0824 still contain Wireguard? I'm not ready to give it up just yet!

                                  MoonKnight @dsp3
                                  last edited by Mar 20, 2021, 10:44 PM

                                  @dsp3 said in WireGuard Removed from pfSense CE and pfSense Plus Software:

                                  Does build 2.5.1.r.20210320.0824 still contain Wireguard? I'm not ready to give it up just yet!

                                  Hi,
                                  Yes, it is gone on 2.5.1 RC and 2.6.0 DEV :)

                                  --- 24.11 ---
                                  Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
                                  Kingston DDR4 2666MHz 16GB ECC
                                  2 x HyperX Fury SSD 120GB (ZFS-mirror)
                                  2 x Intel i210 (ports)
                                  4 x Intel i350 (ports)

                                    xxGBHxx
                                    last edited by Mar 23, 2021, 8:28 AM

                                    Just caught up.

                                    That went well.

                                    Does anyone or has anyone posted anywhere about the risk we're exposing keeping it running? I'm way more stable than I ever was on OpenVPN so I'm hugely reluctant to swap back to it.

                                    If it's theoretical (as has been suggested) and it's just generally poor implementation I can live with that until it's sorted in FreeBSD and ported back in. I understand why Netgate want to pull it, it's the right thing for them to do for them, but I'm not so sure I need to for my use.

                                    As for the drama, it was an interesting few hours of reading. Netgate don't seem to have all that much respect in the FreeBSD development community, with many allegations of high-handed and arrogant dealings. Being an outsider it's hard to work out who's at fault without any of the history, but that blog post was a difficult read and certainly didn't do Netgate any favours.

                                    G

                                      stepheng @xxGBHxx
                                      last edited by Mar 23, 2021, 9:49 AM

                                      @xxgbhxx I agree it is all a bit of a sad story. I fully understand Netgate's position and those of the various developers involved.

                                      It is a bit of a shame that those of us who jumped in quickly (and in my case found Wireguard to work well as a VPN to connect in and through our home networks) will now have to revert to OpenVPN (which works - although the upgrade to 2.5 did temporarily cause some problems in my case).

                                      I'm only a home hobbyist so I cannot complain and I certainly want well-engineered code with a solid foundation. Perhaps the lesson is not to jump too quickly in future.

                                        KOM @gabacho4
                                        last edited by KOM Mar 25, 2021, 5:52 PM Mar 24, 2021, 6:41 PM

                                        @gabacho4 So I finally bit the biscuit and tried to restore my old OpenVPN config. It went exactly as I expected it would. It didn't restore the OpenVPN interface, nor the rules on WAN or the OpenVPN interface. For added fun, the service hung on startup with:

                                        Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server1/config.ovpn:34: data-ciphers (2.5.0)

                                        Looks like I'm nuking the whole damned thing and recreating it from scratch, just like I knew I would. I could try kludging it together but I just don't trust it at this point that I haven't been left with a FrankenVPN install.

                                        Edit: If anyone cares, the solution was to remove AES-128-CBC from my list of ciphers.

                                          Ofloo
                                          last edited by Ofloo Apr 13, 2021, 10:21 PM Apr 13, 2021, 10:16 PM

                                          WireGuard was one big security blunder! I still remember that it was thanks to Netgate that we got WireGuard into the FreeBSD kernel. Makes you wonder what they were thinking at Netgate. And how poor their code review is that it got in their code base.

                                          "Should WireGuard again be accepted into FreeBSD, we will re-evaluate it for inclusion in a future version of pfSense software."

                                          Probably a long time. You should be able to install it as a package though.

                                          pkg search wireguard
                                          wireguard-2,1                  Meta-port for Wireguard
                                          wireguard-go-0.0.20210323,1    WireGuard implementation in Go
                                          wireguard-kmod-0.0.20210323    WireGuard implementation for the FreeBSD kernel
                                          wireguard-tools-1.0.20210315_3 Fast, modern and secure VPN Tunnel
                                          wireguard-tools-lite-1.0.20210315_3 Fast, modern and secure VPN Tunnel (lite flavor)
                                          

                                          https://www.theregister.com/2021/03/23/freebsd_130_no_wireguard/

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.