Bug 253790

Summary: if_wg(4) lacks persistent keepalive
Product: Base System
Reporter: crest
Component: kern
Assignee: Kyle Evans <kevans>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: crest, decke, kevans, ltning-freebsd, net, peter
Priority: ---
Version: 13.0-STABLE
Hardware: Any
OS: Any

Description crest 2021-02-23 10:31:58 UTC
I have to run a WireGuard tunnel through a NAT, and the tunnel is used for bursty traffic. Without the keepalives supported by wireguard-go, OpenBSD and Linux, the NAT state times out between bursts.

I've found no way to configure a persistent keepalive interval on FreeBSD 13.0-BETA3, and from a quick glance at the ifconfig and if_wg sources it appears this feature is missing. If I configure a keepalive interval at the other end of the tunnel, the key exchange fails.

The only workaround for this is to generate traffic at all times to keep the tunnel open, e.g. while true; do ping -c1 $peer_internal; sleep 10; done

One of the really nice things about WireGuard is the interoperability between all existing implementations. This limitation is the first incompatibility between implementations I've encountered.
Comment 1 Kyle Evans freebsd_committer freebsd_triage 2021-03-09 03:08:28 UTC
This is, funnily enough, basically there; it just needed a little bit of plumbing. I had it ready to go because I'm also in need; I'll go ahead and tag this PR in the commit.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-03-09 11:18:31 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b3dac3913dc90fbc6f909ee5c4a876097cd90791

commit b3dac3913dc90fbc6f909ee5c4a876097cd90791
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2021-03-08 01:00:58 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2021-03-09 11:16:42 +0000

    ifconfig: allow displaying/setting persistent-keepalive

    The kernel-side already accepted a persistent-keepalive-interval, so
    just add a verb to ifconfig(8) for it and start exporting it so that
    ifconfig(8) can view it.

    PR:             253790
    MFC after:      3 days
    Discussed with: decke

 sbin/ifconfig/ifwg.c          | 28 +++++++++++++++++++++++++++-
 sys/dev/if_wg/module/module.c |  8 ++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
Comment 3 crest 2021-03-14 20:06:05 UTC
Will this be merged into FreeBSD 13.0 before RC3 (it's missing in the 13.0-RC3)?
Comment 4 Kyle Evans freebsd_committer freebsd_triage 2021-03-14 20:07:57 UTC
(In reply to crest from comment #3)

My current hope is to be able to merge a pile of WireGuard fixes in time for -RC3.
Comment 5 crest 2021-03-22 09:40:31 UTC
This PR has been overcome by events (depending on your point of view). For now WireGuard has been pulled from FreeBSD base. Development will continue out of tree for now.
Comment 6 Bernhard Froehlich freebsd_committer freebsd_triage 2021-03-22 10:33:17 UTC
The port net/wireguard-kmod is available now. Persistent keepalive is working there.