Netgate Discussion Forum

Installing WireGuard VPN

pfSense Packages
  • E
    eric.sysmin
    last edited by Oct 29, 2018, 10:24 PM

    Has anyone created an integration for this yet in pfSense? Just curious.

    • W
      Wordo
      last edited by Oct 30, 2018, 5:15 AM

      The FreeBSD port itself is broken. There were some changes with 20181018 snapshot but you'll run into a stacktrace when restarting the service too often :)

      • Y
        yon 0
        last edited by Nov 16, 2018, 5:35 PM

        My point of view should try to increase it now, although there is no official version, but everything has started, there is no absolute perfection, as long as it has no malicious security problems, you can try it, and now there are many people using it. To people More choices of the latest advanced technology.

        • W
          Wordo
          last edited by Nov 17, 2018, 9:57 AM

          Indeed, but the port itself crashes the kernel when installed on UFS, this has to be fixed first.

          • J
            jimp Rebel Alliance Developer Netgate @yon 0
            last edited by jimp Nov 27, 2018, 3:58 PM Nov 27, 2018, 3:25 PM

            @yon-0 said in Installing WireGuard VPN:

            there is no absolute perfection,

            While true, there is a big difference between an unstable, unaudited, alpha software package and one that has been tested and found to be stable.

            as long as it has no malicious security problems, you can try it,

            Their own page says it might have those: https://www.wireguard.com/#about-the-project

            WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

            That should scare the hell out of you and anyone wanting to use it in production. If it doesn't, then you shouldn't be in charge of a firewall.

            and now there are many people using it. To people More choices of the latest advanced technology.

            Just because people use it doesn't make it good, secure, or desirable. Lots of people fall for phishing e-mails and scams, that doesn't mean they are a good idea.

            After it passes 1.0 and is stable and audited as secure, then maybe it could be considered for a package.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • Y
              yon 0
              last edited by Dec 4, 2018, 8:33 AM

              Every new product has a starting process, but if it's a good project, you can provide an option for everyone to try. Only use it to find the problem. Any formal product can't guarantee that there are no security issues, you need more people to use it to find problems. This is just a feature that you can choose to use, so let everyone decide if they need to use it.

              • M
                maglub
                last edited by Dec 7, 2018, 10:29 AM

                Given that WireGuard already has a very strong following and is up for mainstream Linux kernel adoption, I am not sure how to take on the sceptics in this thread.

                https://lists.openwall.net/netdev/2018/08/02/124

                Why not look into how to integrate this already now, and release it when it has the full blessing of everyone?

                • J
                  jimp Rebel Alliance Developer Netgate @maglub
                  last edited by Dec 7, 2018, 1:49 PM

                  @maglub said in Installing WireGuard VPN:

                  Given that WireGuard already has a very strong following and is up for mainstream Linux kernel adoption, I am not sure how to take on the sceptics in this thread.

                  Because FreeBSD is not Linux, and it does not have a proven track record of stability on FreeBSD.

                  Why not look into how to integrate this already now, and release it when it has the full blessing of everyone?

                  Because we don't want to introduce a potentially unstable and insecure new VPN into a security-focused project until it's ready.

                  • K
                    KOM @maglub
                    last edited by KOM Dec 7, 2018, 2:11 PM Dec 7, 2018, 2:11 PM

                    @maglub Feel free to package it up yourself just like others have done with other unofficial pfSense packages like E2Guardian and Squidalyzer because no matter how much you complain, Netgate is not going to introduce some bleeding-edge, relatively-untested code that comes with a heap of not-ready-yet disclaimers into a project focused on security. Not going to happen.

                    • B
                      bobert
                      last edited by bobert Dec 17, 2018, 1:33 AM Dec 17, 2018, 1:31 AM

                      Wireguard is the future, it is 4k lines of code and Linus Torvalds declared it a piece of art compared to IPSEC/OpenVPN and recommended it be merged into the kernel ASAP.

                      • J
                        jwt Netgate @bobert
                        last edited by jwt Dec 17, 2018, 2:25 AM Dec 17, 2018, 2:16 AM

                        @bobert Wireguard may well be the future, but not for pfSense while it’s only available as a GPLed package over tun/tap. When Wireguard is available as a kernel-native implementation on FreeBSD (as it is on Linux), without the external dependencies on Go, we’ll integrate it in pfSense.

                        Also, just to clarify Linus’ quote:

                        “Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.”

                        • M
                          maglub
                          last edited by Jan 18, 2019, 1:18 PM

                          It seems like there is some work going on for this:

                          https://lists.freebsd.org/pipermail/freebsd-ports/2018-May/113434.html

                          The thread sort of dies in May last year, and I will have to research a bit more.

                          The go-dependency is only during build time, not during runtime, so I don't think that should be an issue.

                          • W
                            Wordo
                            last edited by Jan 18, 2019, 1:37 PM

                            It's already available and working in FreeBSD, but in some cases you get some crazy stack traces https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233955

                            • G
                              goodthings
                              last edited by Mar 1, 2019, 6:50 AM

                              I hope somebody sacrifices their time for an external wireguard package soon, there's a lot of talk about it and I'd like to try it. To my surprise it already has native macOS and iOS clients in the respective app stores.

                              • W
                                Wordo
                                last edited by Mar 1, 2019, 8:31 AM

                                Please read the whole thread... your pfSense installation will crash with most of your service restarts. This is a problem of Wireguard implementation in FreeBSD (or FreeBSD kernel). Doesn't make any sense to build an "external package".

                                • M
                                  musicwizard
                                  last edited by Apr 13, 2019, 8:53 PM

                                  Time will tell, but it would be nice if it can get into pfSense in an official way.

                                  • J
                                    jwt Netgate
                                    last edited by Apr 13, 2019, 9:11 PM

                                    There is a plan, but I’m not ready to discuss in public.

                                    • J
                                      jwt Netgate @goodthings
                                      last edited by Apr 13, 2019, 9:20 PM

                                      @goodthings iOS and MacOS are far larger installed bases than FreeBSD

                                      • M
                                        musicwizard @jwt
                                        last edited by Apr 13, 2019, 9:23 PM

                                        @jwt now you make me very curious about it :)

                                        • J
                                          jwt Netgate @musicwizard
                                          last edited by Apr 14, 2019, 2:50 AM

                                          @musicwizard Great! Now you have me very curious what you would pay to have Wireguard in pfSense.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.