
Aurich Lawson
Earlier this week, we covered the progress of integrating an implementation of the WireGuard VPN protocol into the FreeBSD kernel. Two days later, there is an update: kernel-mode WireGuard has been removed from FreeBSD 13 development entirely for the time being.
The change affects only WireGuard in kernel mode. WireGuard in user mode has been available on FreeBSD since 2019 and remains unchanged. If you pkg install wireguard, you get the user-mode WireGuard, better known as wireguard-go. Wireguard-go potentially offers lower performance than kernel mode, but it is stable and more than fast enough to keep up with most use cases.
The removal is actually good news for FreeBSD users and WireGuard users. While the new kernel work done by WireGuard founder Jason Donenfeld, FreeBSD developer Kyle Evans and OpenBSD developer Matt Dunwoodie represents a clear step forward, it was considered too rushed to ship in a production kernel. This decision is endorsed wholeheartedly by Donenfeld himself, who prefers a more stable development process, with more code review and consensus.
Donenfeld announced the migration of development from FreeBSD 13-CURRENT to his own git repository earlier today. The new snapshot no longer depends on ifconfig extensions to build tunnels; it uses wg and wg-quick commands similar to those on Linux, Windows and Android. Although the code works, Donenfeld warns that it should not yet be considered production-ready:
This code is currently new, untested, possibly with errors, and should be considered “experimental”. It may contain security problems. We welcome your tests and bug reports, but keep in mind that this code is new, so some care should be taken when using it in mission critical environments.
In my little test so far, however, it seems to “basically work”. And, at least, those who rely on the code prior to the FreeBSD tree now have some immediate continuity.
In the coming days and weeks, this repository can be expected to improve and grow.
Enjoy!
Eventually, this kernel-mode WireGuard for FreeBSD should be available in the FreeBSD ports tree. For now, those interested in testing it will need to git clone the WireGuard repository, followed by BSD-style make load ; make install commands to build from source code.
This is an ongoing story and we will continue to follow events as they unfold.