Aurich Lawson
Earlier this week, we covered progress integrating an implementation of the WireGuard VPN protocol into the FreeBSD kernel. Two days later, there’s an update—kernel-mode WireGuard has been moved out of FreeBSD 13 development entirely for the time being.
The change only affects kernel-mode WireGuard. User-mode WireGuard has been available in FreeBSD since 2019 and remains, unaffected. If you pkg install freebsd, you get user-mode WireGuard, better known as wireguard-go. Wireguard-go is potentially less performant than kernel-mode, but it’s stable and more than fast enough to keep up with most use cases.
The removal is actually good news for FreeBSD users and WireGuard users. Although the new kernel work done by WireGuard founder Jason Donenfeld and FreeBSD developers Kyle Evans and Matt Dunwoodie represented a clear step forward, it was deemed too rushed to go out in a production kernel. This is a decision heartily endorsed by Donenfeld himself, who prefers a steadier development process with more code reviews and consensus.
Donenfeld announced the migration of development from FreeBSD 13-CURRENT to his own git repository earlier today. The new snapshot no longer relies on ifconfig extensions to build tunnels; it uses wg and wg-quick commands similarly to Linux, Windows, and Android builds instead. Although the code works, Donenfeld warns that it shouldn’t be considered production-ready yet:
At this time this code is new, unvetted, possibly buggy, and should be considered “experimental”. It might contain security issues. We gladly welcome your testing and bug reports, but do keep in mind that this code is new, so some caution should be exercised at the moment for using it in mission critical environments.
In my small testing so far, however, it seems to “basically work”. And at the very least, those relying on the code that was prior in the FreeBSD tree now have some immediate continuity.
Over the next days and weeks, it can be expected that this repository will improve and grow.
Enjoy!
Eventually, this kernel-mode FreeBSD WireGuard should be available from FreeBSD’s ports tree. For the moment, those interested in testing it will need to git clone it from the WireGuard repos themselves, followed by the BSD-style make load ; make install commands to build from source.
This is an ongoing story, and we will continue to follow events as they develop.
