Installing WireGuard VPN

Wordo

Indeed, but the port itself crashes the kernel when installed on UFS, this has to be fixed first.

jimp

@yon-0 said in Installing WireGuard VPN:

there is no absolute perfection,

While true, there is a big difference between an unstable, unaudited, alpha software package and one that has been tested and found to be stable.

as long as it has no malicious security problems, you can try it,

Their own page says it might have those: https://www.wireguard.com/#about-the-project

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

That should scare the hell out of you and anyone wanting to use it in production. If it doesn't, then you shouldn't be in charge of a firewall.

and now there are many people using it. To people More choices of the latest advanced technology.

Just because people use it doesn't make it good, secure, or desirable. Lots of people fall for phishing e-mails and scams, that doesn't mean they are a good idea.

After it passes 1.0 and is stable and audited as secure, then maybe it could be considered for a package.

yon 0

Every new product has a starting process, but if it's a good project, you can provide an option for everyone to try. Only use it to find the problem. Any formal product can't guarantee that there are no security issues, you need more People use to find problems. This is just a feature that you can choose to use, so let everyone decide if they need to use it.

maglub

Given that wireguard already have a very strong following and is up for mainstream linux kernel adoption, I am not sure how to take on the sceptics in this thread.

https://lists.openwall.net/netdev/2018/08/02/124

Why not look into how to integrate this already now, and release it when it has the full blessing of everyone?

jimp

@maglub said in Installing WireGuard VPN:

Given that wireguard already have a very strong following and is up for mainstream linux kernel adoption, I am not sure how to take on the sceptics in this thread.

Because FreeBSD is not Linux, and it does not have a proven track record of stability on FreeBSD.

Why not look into how to integrate this already now, and release it when it has the full blessing of everyone?

Because we don't want to introduce a potentially unstable and insecure new VPN into a security-focused project until it's ready.

KOM

@maglub Feel free to package it up yourself just like others have done with other unofficial pfSense packages like E2Guardian and Squidalyzer because no matter how much you complain, Netgate is not going to introduce some bleeding-edge, relatively-untested code that comes with a heap of not-ready-yet disclaimers into a project focused on security. Not going to happen.

bobert

Wireguard is the future, it is 4k lines of code and Linus Torvalds declared it a piece of art compared to IPSEC/OpenVPN and recommended it be merged into the kernel ASAP.

jwt

@bobert Wireguard May well be the future, but not for pfsense while it’s only available as a GPLed package over tun/tap. When Wireguard is available as a kernel-native implementation on FreeBSD (as it is on Linux), without the external dependencies on Go, we’ll integrate it in pfsense.

Also, just to clarify Linus’ quote:

“Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.”

maglub

It seems like there are some work going on for this:

https://lists.freebsd.org/pipermail/freebsd-ports/2018-May/113434.html

The thread sort of dies in May last year, and I will have to research a bit more.

The go-dependency is only during build time, not during runtime, so I don't think that should be an issue.

Wordo

It's already available and working in FreeBSD, but in some cases you get some crazy stack traces https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233955

goodthings

I hope somebody sacrifices their time for an external wireguard package soon, there's a lot of talk about it and I'd like to try it. To my surprise it already has native macOS and iOS clients in the respective app stores.

Wordo

Please read the whole thread .. your pfSense installation will crash with most of your service restarts. This is a problem of Wireguard implementation in FreeBSD (or FreeBSD kernel). Doesn't make any sense to build an "external package"

musicwizard

Time will tell but would be nice if it can get into PFsense in a official way.

jwt

There is a plan, but I’m not ready to discuss in public.

jwt

@goodthings iOS and MacOS are far larger installed bases than FreeBSD

musicwizard

@jwt now you make me very curious about it :)

jwt

@musicwizard Great! Now you have me very curious what you would pay to have Wireguard in pfSense.

maglub

@jwt, I would easily pay a million bucks or less.

What kind of question is that anyway?

Together with fleet management or scriptable configuration/REST, this must be one of the most important feature additions to pfSense in quite some time. And that is for a feature that preferably should be/must be in a non paid version of pfSense.

The project that manages to make wireguard even more mainstream, will be the defacto go-to product for many integrators, such as myself, which will lead to revenue in one way or the other.

If you are struggling for money, there are probably better ways to communicate it than in this thread.

Reading this forum, I get the feeling that if a user does not immediately prove that they are extremely competent (i.e if you have to ask about something, you are not), they get shot down.

For myself, I am actually not really sure anymore why I stay "loyal" to pfSense. Whenever I get the chance, I place Netgate hw at customers' sites, with the drawback that I usually have to stock a few in my basement as cold stand-by.

I really do believe that wireguard is a very strategic component of pfSense. Close to be an "implement or die" kind of feature.

IPSEC is just not stable enough cross platform. It is complex and not at all easy to debug. In customer situations I use it when I have to, if a remote party does not have the means to set up an openvpn tunnel.

Openvpn is a mess when it comes to multicast and streaming media, and is a cpu hog. To reach gbit speed you need hw for a couple of thousand bucks.

I have strong hopes for wireguard. If netgate manage to set up even a half buggy admin gui page for it, they will attract many new users, of which some will actually pay for support.

They should not treat non paying users as second class citisens, but rather embrace them (us) and se them as a gate to new paying customers.

musicwizard

@jwt said in Installing WireGuard VPN:

@musicwizard Great! Now you have me very curious what you would pay to have Wireguard in pfSense.

@maglub said in Installing WireGuard VPN:

@jwt, I would easily pay a million bucks or less.

What kind of question is that anyway?

Together with fleet management or scriptable configuration/REST, this must be one of the most important feature additions to pfSense in quite some time. And that is for a feature that preferably should be/must be in a non paid version of pfSense.

The project that manages to make wireguard even more mainstream, will be the defacto go-to product for many integrators, such as myself, which will lead to revenue in one way or the other.

If you are struggling for money, there are probably better ways to communicate it than in this thread.

Reading this forum, I get the feeling that if a user does not immediately prove that they are extremely competent (i.e if you have to ask about something, you are not), they get shot down.

For myself, I am actually not really sure anymore why I stay "loyal" to pfSense. Whenever I get the chance, I place Netgate hw at customers' sites, with the drawback that I usually have to stock a few in my basement as cold stand-by.

I really do believe that wireguard is a very strategic component of pfSense. Close to be an "implement or die" kind of feature.

IPSEC is just not stable enough cross platform. It is complex and not at all easy to debug. In customer situations I use it when I have to, if a remote party does not have the means to set up an openvpn tunnel.

Openvpn is a mess when it comes to multicast and streaming media, and is a cpu hog. To reach gbit speed you need hw for a couple of thousand bucks.

I have strong hopes for wireguard. If netgate manage to set up even a half buggy admin gui page for it, they will attract many new users, of which some will actually pay for support.

They should not treat non paying users as second class citisens, but rather embrace them (us) and se them as a gate to new paying customers.

I do agree with you on that one @maglub If Wireguard gets integrated into pfSense standard or by addon it will attract many new users. Even small/medium companies etc would want it.

A lot of people don't know about it or not enough to want it in pfSense. All they see that it doesn't have it. And if it get pitched that its MUCH better then IPSEC and OpenVPN people will start using it. And mostly Companies will need/want support so indirectly you might sell more subscriptions.

Wordo

Oh boy .. if IPSec is too complicated you never had setup WireGuard in production. It's way different than IPSec AND OpenVPN. Also key exchange is quite pain if you don't use QR ...