Bug 247853 - Port OpenBSD Wireguard kernel module to FreeBSD kernel
Summary: Port OpenBSD Wireguard kernel module to FreeBSD kernel
Status: Closed Not Accepted
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-08 17:21 UTC by Peter Libassi
Modified: 2020-07-28 12:38 UTC
CC: 4 users

See Also:


Attachments

Description Peter Libassi 2020-07-08 17:21:32 UTC
The WireGuard authors just released an OpenBSD kernel driver for WireGuard VPN communication. This is a request to have it ported over to FreeBSD.

https://lists.zx2c4.com/pipermail/wireguard/2020-June/005588.html

https://marc.info/?l=openbsd-cvs&m=159274150512676&w=2
Comment 1 Li-Wen Hsu freebsd_committer 2020-07-08 17:45:47 UTC
I suggest checking and testing this https://reviews.freebsd.org/D25425
Comment 2 Conrad Meyer freebsd_committer 2020-07-08 17:57:06 UTC
Porting isn’t really straightforward. Most of the work is in the OS-specific glue. Matt Macy has been working on a FreeBSD implementation for some time. Please find a draft in the link above.
Comment 3 Peter Libassi 2020-07-08 18:31:57 UTC
Ok, Thanks
Comment 4 Peter Libassi 2020-07-08 18:51:39 UTC
It's in review, which could mean it's ready for testing? I'm willing to do some beta testing; I have today in (home) production 12.1 with wireguard-go peer-to-peer running 24/7/365.
Comment 5 Li-Wen Hsu freebsd_committer 2020-07-09 07:50:11 UTC
(In reply to Peter Libassi from comment #4)
It's nice that you are able and willing to do the tests.  I suggest it's better to discuss further questions on the -net mailing list:

https://lists.freebsd.org/mailman/listinfo/freebsd-net
Comment 6 Osku Äs 2020-07-14 14:19:16 UTC
I've been running tests on the lkm version on -CURRENT. It'd need -CURRENT to compile.

So far there have been 4 observations I've made:

1) It does connect to Linux version well. Packets that are routed through Wireguard FreeBSD machine work well.

2) There's something funny with traffic that is destined to the machine running WireGuard, i.e. to the wgX interface: ping-induced echo requests work, and FreeBSD traceroutes are responded to; however, TCP connections blackhole somehow and won't work.

Connections to/from the other endpoint of Wireguard tunnel do work.

3) netstat counters for the wgX interface aren't increasing if the traffic is routed elsewhere.

4) wg show will coredump on the line where the last keepalive handshake should show.

All in all, impressive work. Probably would benefit a lot by fixing 2) and 3), 4) is more of a "meh, ok".
Comment 7 Matt Macy freebsd_committer 2020-07-27 00:52:52 UTC
I got COVID-19 right about the time I actually started working on it in the beginning of March, and I've had CFS-like fatigue from the post-viral syndrome which has severely limited my productive hours outside of $DAYJOB. Nonetheless, it's essentially done modulo the issues pointed out by Osku Äs.

Jason had insisted that the code needed to be reviewed by him, but he won't actually spend any time on reviewing the code unless I'm actually sitting there engaging with him directly. The OpenBSD dev appears to have spent many dozens of hours with him. However, I simply have no time or inclination for that. I'm not sure who in the FreeBSD community has the crypto background to review the protocol bits as well as the energy to do so.
Comment 8 Peter Libassi 2020-07-28 12:38:31 UTC
I can confirm issue 2) in comment 6.

I set up an if_wg peer to a FreeBSD wireguard-go peer. Ping works in both directions. ssh: no contact in either direction, even tried ssh -b.

Then I created a remote host (jail with epair interfaces); from there I can access the WireGuard host's local services. So it seems that traffic coming from the FreeBSD WireGuard peer does not pass up the stack, while traffic from a remote host is passed up the stack.

Then I set up an if_wg peer to a Void Linux peer. Now ssh works in both directions!