Wireguard Kernel Modules Safe?

Recently ran pkg upgrade on my VPN jails, and I am now getting the following message:
Code:
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
I remember that wg was removed at the last minute from 13.0-RELEASE kernel, to ensure the quality of the implementation. So for now I'm running the wireguard-go implementation; but it seems I can install the kernel module manually. Is this safe? Have the issues been resolved? Will this be included in the next point release?

Thanks
 
If you trust this Ars Technica article from back in March, it's probably not a good idea to use this if your utmost priority is security...

Then again, there isn't much other news material on the matter, so further research might be worthwhile. I've refrained from using it in production for the moment, following the old adage "where there's smoke, there's fire". I know, this may be unfair - I just don't want any serious, unresolved issues with my VPN solution.
 
Code:
Message from wireguard-kmod-0.0.20210503:

--
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
=====
The mailing lists have no news (you could write to freebsd-current). There are two open bug reports concerning "wireguard", PR 254795, and PR 253813.
 
If I remember right, wireguard-kmod is implemented by WireGuard's author. I don't see any reason not to trust him.
Correct:

This is not the implementation discussed in the Ars Technica muckraking article. The latter was discussed here

The new module seems to be in active development

But it does warn of its experimental nature
Think I'll be sticking with the OpenBSD variant at least until this stabilises.
You mean the Go implementation? That's not specific to OpenBSD.
 
For WireGuard, yes, for now. I have more passion for BSD than specific flavours. Best tool for the job wins for me.
 
wireguard-kmod makes my NIC watchdog time out when I try to do a speedtest on the other side. If I replace it with wireguard-go, then there is no issue. Maybe this is a Realtek NIC issue.
Code:
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
 