Earlier this week we looked at progress in integrating an implementation of the WireGuard VPN protocol into the FreeBSD kernel. Two days later there is an update: WireGuard in kernel mode has been completely removed from FreeBSD 13 development for the time being.
The change affects only kernel-mode WireGuard. User-mode WireGuard has been available in FreeBSD since 2019 and remains unaffected. When you run pkg install wireguard, you get user-mode WireGuard, better known as wireguard-go. Wireguard-go may not perform as well as kernel mode, but it's stable and more than fast enough to keep up with most use cases.
The removal is actually good news for FreeBSD and WireGuard users. Although the new kernel work from WireGuard founder Jason Donenfeld, FreeBSD developer Kyle Evans, and OpenBSD developer Matt Dunwoodie was a clear step forward, it was seen as having landed too quickly to belong in a production kernel. Donenfeld himself heartily endorses the decision; he favors a steadier development process with more code review and consensus.
Donenfeld announced early this morning that the development will be migrated from FreeBSD 13-CURRENT to his own Git repository. The new snapshot no longer relies on ifconfig extensions to create tunnels. Instead, it uses the wg and wg-quick commands, similar to what happens with Linux, Windows, and Android builds. Although the code works, Donenfeld warns that it should not be considered production-ready just yet:
Currently this code is new, unreviewed, potentially buggy, and should be considered "experimental". It can contain security issues. We look forward to your test and bug reports. Note, however, that this code is new. Therefore, for now, caution should be exercised when using it in business-critical environments.
However, in my little tests, it seems to "basically work". And at least those who have relied on the code previously in the FreeBSD tree now have immediate continuity.
Over the next few days and weeks, it is expected that this repository will improve and expand.
Eventually, this kernel-mode FreeBSD WireGuard should be available in the FreeBSD ports tree. For now, those interested in testing it will have to clone it from the WireGuard repos themselves, followed by the BSD-esque make load and make install commands to build from source.
This is an ongoing story and we will continue to follow events as they unfold.