Netgate Discussion Forum

    Installing WireGuard VPN

    pfSense Packages
    49 Posts 18 Posters 95.6k Views
    • maglub

      Public key means you can transfer your public key in the clear. Super easy transfer of keys.

      • JeGr LAYER 8 Moderator @mephisto

        @mephisto said in Installing WireGuard VPN:

        veeam started using it https://www.veeam.com/blog/veeam-pn-v2-wireguard.html

        Yeah Veeam guys play around on many grounds but not seldomly fail to play stable. It's nice to adapt new tech but you should be able to bring it stable. Also they are playing with it on Linux. As already pointed out: Linux version is a whole other playing field with their implementation status in Kernel etc.

        BTW we played with "early implementations" of wireguard on FreeBSD and even took a HW like the SG-5100 (similar hardware) and installed OPNsense and their take on Wireguard. Installation/Configuration was messy (but everyone always blabs about the super-easy configuration 🙄) and didn't work at first. At last we could stabilize it to make some tests and an IPerf test ran below even OpenVPN speeds. As stated: nice to play around but not merely stable/mature enough for it to be enterprise ready. And that's the biggest problem I see with "early adapting Wireguard": if it goes into main-pfSense core now with the buzz and hype everyone pushes around, people/companies are likely to try it without realizing that the code/implementation on FreeBSD at least are still in an (early) alpha state and not stable/secure like IPSec and OpenVPN. Even the wireguard website tells that to everyone. Hiding that fact and just throwing it into e.g. the 2.5 release would show up to those users/companies as the software is ready to use. And for me (after our tests) it's clearly not. Especially if most of them would try to use it as RoadWarrior setup instead of using tunnels or meshes. For example we had one case, that the wireguard dial in wouldn't work anymore after an update on a client as the startup script and API call changed and some script wasn't adapted. So we had to fix it (or wait a day 'til the fixed version).

        TL;DR
        Would love to see it in pfSense (core at some time) but only if mature enough to actually work securely and (reasonably) fast.

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • mephisto

          Yeap, that is a very good point, I was comparing it to Linux and the FreeBSD implementation of it is far behind. Well I guess we can just hope some people can devote their time to help polishing the code so it can eventually become more stable on FreeBSD. Thanks for the clarification :)

          • shannon

            This post is deleted!
            • jimp Rebel Alliance Developer Netgate

              Why does that sound like a copy/paste marketing spam message? That kind of messaging isn't going to convince anyone.

              The security review part was only one reason (not "excuse" -- a valid concern, and a valid reason), there are many others throughout the thread.

              We are keeping an eye on it, but while most of that may be fine on Linux, last I saw, FreeBSD support was still not up to par.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • johnpoz LAYER 8 Global Moderator

                That is pure spam dude ;) Do you want me to report it and delete it ;)

                Well now another user has tagged it as spam jim - your call :) hehehehe

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • jimp Rebel Alliance Developer Netgate

                  Locking this topic.

                  If and when the situation with Wireguard improves on FreeBSD, it can be revisited. Adding it before it's ready will lead to even more complaints and problems. Its status on Linux or other projects is irrelevant.

                  FYI- Insulting people, the project, or companies in general (especially via the reporting mechanism and not publicly) is not a tactic that will convince anyone that you are correct. In fact, it tends to have the opposite effect.


                  • jwt Netgate @jimp

                    Remember when I said that there is a plan, but I'm not ready to reveal it yet?

                    Sometimes what you want takes longer than you hope, but I'm happy to report that the process of bringing a kernel-resident implementation of Wireguard to FreeBSD has begun to land changes in FreeBSD.

                    https://svnweb.freebsd.org/base?view=revision&revision=357986

                    https://svnweb.freebsd.org/base?view=revision&revision=357987

                    • jwt Netgate @jwt

                      This is now finished. At least phase one is finished.

                      https://www.netgate.com/blog/wireguard-for-pfsense-software.html

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.