[HN Gopher] FreeBSD kernel-mode WireGuard moves forward out-of-tree
___________________________________________________________________
FreeBSD kernel-mode WireGuard moves forward out-of-tree
Author : TheGuyWhoCodes
Score : 59 points
Date : 2021-03-18 21:00 UTC (2 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| encryptluks2 wrote:
| Is there some actual concern about WireGuard itself or just the
| FreeBSD implementation?
| jumby wrote:
| I think it's just lack of formal peer review [1]
|
| [1] https://lists.zx2c4.com/pipermail/wireguard/2021-March/00650...
| technofiend wrote:
| There were questions around the implementation. See
| https://news.ycombinator.com/item?id=26475519
| tptacek wrote:
| To state this clearly: there are not concerns about WireGuard
| itself.
| asmr wrote:
| Apparently the original implementation had issues. Apparently
| NetGate shipped some bad code after hiring a FreeBSD
| contributor for their implementation. Kyle Evans has even
| decided to step away from maintaining wireguard-freebsd. Seems
| like a mess.
| teruakohatu wrote:
| > Kyle Evans has even decided to step away from maintaining
| > wireguard-freebsd
|
| That is not true. Everyone acknowledges the code is not up to
| the required standard so it is being removed but Kyle and
| others will continue to work on it with the aim of adding it
| back.
| asmr wrote:
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00652...
| cromka wrote:
| Just checked and there isn't any pfSense update available, so
| even if they removed it from the source code, given that majority
| doesn't compile pfSense themselves, I'd argue that it isn't
| removed just yet.
| jvolkman wrote:
| Recent discussion about its addition:
| https://news.ycombinator.com/item?id=26475519
| jimmar wrote:
| I'd read that WireGuard was supposed to be easier to implement
| because it supports fewer distinct crypto protocols and has fewer
| features overall compared to OpenVPN. But now this code is being
| pulled. Was it just a rushed implementation? Or is WireGuard
| harder to implement than initially thought?
| turminal wrote:
| Someone from Netgate implemented it poorly and then the
| original authors tried to fix it in a hurry but ran out of
| time. There was also some mailing list drama, I think.
| heavyset_go wrote:
| There was concern about code quality, and accusations of what
| amounted to amateur mistakes in Netgate's particular
| implementation. I don't know how accurate those accusations
| are, though.
| GekkePrutser wrote:
| They were made by Jason Donenfeld, the author of WireGuard
| which is of exemplary quality so I take it pretty seriously
| :)
| siebenmann wrote:
| It's possible to browse the before-changes-started version of
| the FreeBSD code, through either CVS or the FreeBSD Git
| mirror. To save people the effort of finding the right git
| revision and the path, the kernel module starts here:
| https://github.com/freebsd/freebsd-src/tree/95331c228a39b44c...
|
| On a casual inspection, there are at least kernel printfs in
| crypto code in __chacha20poly1305_decrypt (in
| module/crypto/zinc/chacha20poly1305.c) that were not in the
| original version of this from Linux.
| xxpor wrote:
| The original version would be GPL v2, right? If that's the
| case it'd make sense that the two don't match, because you
| can't reuse the code for FreeBSD. You'd want a completely
| clean implementation just to avoid any appearance of
| impropriety, unless the new implementation was done by the
| copyright holder themselves.
| cpach wrote:
| See https://news.ycombinator.com/item?id=26475519
| jamal-kumar wrote:
| Wireguard works really well in OpenBSD since like November. I
| find it WAY less painful to use than openvpn. I switched
| clients over to this implementation and they're happy as clams.
| Incredibly easy to set up and use, all out of a base install of
| a rock solid operating system that got this introduced without
| any kerfuffle. I think one of the weirdest sticking points
| about how ridiculous this whole situation is, is how they didn't
| even try to write this with that already-done implementation in
| mind, even after this was suggested by Jason... It would have
| made their job a lot easier.
| jamescun wrote:
| WireGuard is being removed from FreeBSD 13 (the base for
| pfSense).
|
| There were some tit-for-tat messages between devs here, and while
| the implementation was probably fine, it is pretty reasonable to
| take a step back here, take stock, and take it from there.
|
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00650...
| 1over137 wrote:
| pfSense is currently based on FreeBSD 12, not 13. And it only
| just moved to 12 a month ago.
| louwrentius wrote:
| For those who care, the podcast 2.5 Admins had a nice
| discussion about the WireGuard 'drama'.
|
| https://2.5admins.com/2-5-admins-30/
| xoa wrote:
| Ars Technica had a more in-depth follow-up, "FreeBSD kernel-mode
| WireGuard moves forward out-of-tree" [0], and essentially it's
| just moving into Donenfeld's own repository for
| maturation/testing until fully baked. It was announced on zx2c4
| yesterday ("WireGuard for FreeBSD snapshot 0.0.20210317 is
| available" [1]).
|
| It appears that for some reason Macy, whom Netgate hired, spent a
| year trying to port the Linux kernel version (with ample kludging
| and ifdefs to make it work) rather than the more portable
| original core standalone version. The result wasn't great. But
| the rushed replacement Jason volunteered a lot of time for was,
| well, rushed, and everyone agreed that while kernel-mode wg in
| FreeBSD is very desirable, the whole point of the project is to be
| really reliable and secure, so it is worth taking more time to do right.
|
| This presumably won't represent that much of a delay in the end.
| And while it's too bad Netgate couldn't have been more
| collaborative and gotten it right from the start, it's also
| impressive and humbling to see skilled people rallying to get it
| together in the end. Wireguard is such a great project.
|
| ----
|
| 0: https://arstechnica.com/gadgets/2021/03/freebsd-kernel-mode-...
|
| 1: https://lists.zx2c4.com/pipermail/wireguard/2021-March/00651...
| dang wrote:
| Ok, perhaps we'll change the article from
| https://www.netgate.com/blog/wireguard-removed-from-pfsense-...
| to that (thanks!). If there's a better article, we can change
| it again.
___________________________________________________________________
(page generated 2021-03-18 23:01 UTC)