I have to run a WireGuard tunnel through a NAT, and the tunnel is used for bursty traffic; without the keepalives supported by wireguard-go, OpenBSD and Linux, the NAT state times out between bursts.
I've found no way to configure a persistent keepalive interval on FreeBSD 13.0-BETA3, and from a quick glance at the ifconfig and if_wg sources it appears this feature is missing. If I configure a keepalive interval at the other end of the tunnel, the key exchange fails.
The only workaround for this is to generate traffic at all times to keep the tunnel open, e.g. while true; do ping -c1 "$peer_internal"; sleep 10; done
One of the really nice things about WireGuard is the interoperability between all existing implementations. This limitation is the first incompatibility between implementations I've encountered.
This is, funnily enough, basically there; it just needed a little bit of plumbing. I had it ready to go because I'm also in need; I'll go ahead and tag this PR in the commit.
A commit in branch main references this bug:
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2021-03-08 01:00:58 +0000
Commit: Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2021-03-09 11:16:42 +0000
ifconfig: allow displaying/setting persistent-keepalive
The kernel-side already accepted a persistent-keepalive-interval, so
just add a verb to ifconfig(8) for it and start exporting it so that
ifconfig(8) can view it.
MFC after: 3 days
Discussed with: decke
sbin/ifconfig/ifwg.c | 28 +++++++++++++++++++++++++++-
sys/dev/if_wg/module/module.c | 8 ++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
Will this be merged into FreeBSD 13.0 before RC3 (it's missing in the 13.0-RC3)?
(In reply to crest from comment #3)
My current hope is to be able to merge a pile of WireGuard fixes in time for -RC3.
This PR has been overcome by events (depending on your point of view). For now WireGuard has been pulled from FreeBSD base. Development will continue out of tree for now.
The port net/wireguard-kmod is available now. Persistent keepalive is working there.
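
A check for the situation described in this report, as an added example that is not from the bug thread or the FreeBSD sources: it reads `wg show <interface> dump` output from wireguard-tools and flags peers that have persistent keepalive off or a stale handshake. The function names, the sample keys and addresses, and the 180-second threshold are assumptions.

```sh
#!/bin/sh
# Added example: audit WireGuard peers for missing persistent keepalive.
# Peer lines in `wg show <if> dump` are tab-separated:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx persistent-keepalive
# The first line describes the interface itself and has only 4 fields.

# audit_wg_dump NOW MAX_AGE
# Reads dump text on stdin and prints one finding per line.
# NOW is the current Unix time, MAX_AGE the tolerated handshake age in seconds.
audit_wg_dump() {
    awk -F '\t' -v now="$1" -v max_age="$2" '
        NF == 8 {
            peer = substr($1, 1, 8)          # short key prefix for display
            if ($8 == "off")
                print peer " keepalive-off"
            if ($5 == 0)
                print peer " never-handshaked"
            else if (now - $5 > max_age)
                print peer " stale-handshake " (now - $5) "s"
        }'
}

# Constructed sample dump: keys are placeholders, addresses are from the
# documentation ranges. Peer A has no keepalive and an old handshake,
# peer B has a 25-second keepalive and a recent handshake.
sample_dump() {
    printf 'PRIVKEY\tPUBKEY\t51820\toff\n'
    printf 'AAAAAAAAxxxx\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1000000000\t100\t200\toff\n'
    printf 'BBBBBBBBxxxx\t(none)\t203.0.113.9:51820\t10.0.0.3/32\t1000000290\t100\t200\t25\n'
}

# Live use (assumes wireguard-tools is installed and the interface is wg0):
#   wg show wg0 dump | audit_wg_dump "$(date +%s)" 180
```

A peer reported as keepalive-off behind a NAT is the case in this report, where the NAT state expires between bursts of traffic.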