WireGuard for FreeBSD


WireGuard for FreeBSD

Jason A. Donenfeld
[cross-posted to the WireGuard mailing list]

Hello FreeBSD Ports List,

I'm the author of WireGuard [1], a secure network tunnel protocol [2]
and a set of implementations of it. It was originally designed for the
Linux kernel, but we're now beginning to have implementations for
other platforms. Recently, parts of the Internet got excited [3] when
we put a Darwin version in Homebrew. The last few days Brian (CC'd)
and I have been working on getting an implementation running on
FreeBSD, and things are coming along pretty smoothly.

I'm not entirely familiar with the ports/pkg adding process, and so I
was hoping to find somebody who is part of the FreeBSD community to
adopt WireGuard and help maintain packages for it. We currently have
packages for many Linux distros [4], but FreeBSD will be the first
open source BSD project. There are two packages to add:

1. wireguard-tools, providing wg(8) and wg-quick(8)
Runtime dependencies: bash, wireguard-go
Buildtime dependencies: gmake, c compiler, libc
Build: gmake -C src/tools WITH_WGQUICK=yes
Install: gmake -C src/tools PREFIX=/usr/local install
URL template: https://git.zx2c4.com/WireGuard/snapshot/WireGuard-VERSION.tar.xz

2. wireguard-go
Runtime dependencies: none
Buildtime dependencies: gmake, go
Build: export GOPATH=$(pwd)/gopath; go get -d; gmake
Install: gmake PREFIX=/usr/local install
URL template: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-VERSION.tar.xz

For reference, these two packages in Homebrew look like this:
https://github.com/Homebrew/homebrew-core/blob/master/Formula/wireguard-tools.rb
https://github.com/Homebrew/homebrew-core/blob/master/Formula/wireguard-go.rb

And for your horror, I've made a please-dont-pipe-like-that
copy-and-paste install script:
# curl https://xn--4db.cc/0BwTeeYe | sh

That script won't work as-is at the moment, since I haven't yet tagged
tarballs with FreeBSD support, but in the coming days, I'll tag one
that has this latest FreeBSD code in it. (In the meantime, you can run
`# curl https://xn--4db.cc/0BwTeeYe | sh /dev/stdin --master` to get
it from git master.) I was hoping that in the time between now and
then, we might find somebody willing and interested in packaging this
properly.

Does this sound fun to anyone?

Best regards,
Jason


[1] https://www.wireguard.com/
[2] https://www.wireguard.com/papers/wireguard.pdf
[3] http://latacora.singles/2018/05/16/there-will-be.html
[4] https://www.wireguard.com/install/
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "[hidden email]"

Re: WireGuard for FreeBSD

Chris H
On Mon, 21 May 2018 23:35:45 +0200 "Jason A. Donenfeld" <[hidden email]> said

> [cross-posted to the WireGuard mailing list]
>
> Hello FreeBSD Ports List,
>
> I'm the author of WireGuard [1], a secure network tunnel protocol [2]
> and a set of implementations of it. It was originally designed for the
> Linux kernel, but we're now beginning to have implementations for
> other platforms. Recently, parts of the Internet got excited [3] when
> we put a Darwin version in Homebrew. The last few days Brian (CC'd)
> and I have been working on getting an implementation running on
> FreeBSD, and things are coming along pretty smoothly.
>
> I'm not entirely familiar with the ports/pkg adding process, and so I
> was hoping to find somebody who is part of the FreeBSD community to
> adopt WireGuard and help maintain packages for it.
I'm in!
I'll start the necessary research now.
Any additional pointers, and such you think may be helpful are
greatly appreciated.

Thanks, Jason!

--Chris

> We currently have
> packages for many Linux distros [4], but FreeBSD will be the first
> open source BSD project. There are two packages to add:
>
> 1. wireguard-tools, providing wg(8) and wg-quick(8)
> Runtime dependencies: bash, wireguard-go
> Buildtime dependencies: gmake, c compiler, libc
> Build: gmake -C src/tools WITH_WGQUICK=yes
> Install: gmake -C src/tools PREFIX=/usr/local install
> URL template:
> https://git.zx2c4.com/WireGuard/snapshot/WireGuard-VERSION.tar.xz
>
> 2. wireguard-go
> Runtime dependencies: none
> Buildtime dependencies: gmake, go
> Build: export GOPATH=$(pwd)/gopath; go get -d; gmake
> Install: gmake PREFIX=/usr/local install
> URL template:
> https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-VERSION.tar.xz
>
> For reference, these two packages in Homebrew look like this:
> https://github.com/Homebrew/homebrew-core/blob/master/Formula/wireguard-tools.rb
> https://github.com/Homebrew/homebrew-core/blob/master/Formula/wireguard-go.rb
>
> And for your horror, I've made a please-dont-pipe-like-that
> copy-and-paste install script:
> # curl https://xn--4db.cc/0BwTeeYe | sh
>
> That script won't work as-is at the moment, since I haven't yet tagged
> tarballs with FreeBSD support, but in the coming days, I'll tag one
> that has this latest FreeBSD code in it. (In the meantime, you can run
> `# curl https://xn--4db.cc/0BwTeeYe | sh /dev/stdin --master` to get
> it from git master.) I was hoping that in the time between now and
> then, we might find somebody willing and interested in packaging this
> properly.
>
> Does this sound fun to anyone?
>
> Best regards,
> Jason
>
>
> [1] https://www.wireguard.com/
> [2] https://www.wireguard.com/papers/wireguard.pdf
> [3] http://latacora.singles/2018/05/16/there-will-be.html
> [4] https://www.wireguard.com/install/



Re: WireGuard for FreeBSD

Jason A. Donenfeld
Hi Chris,

Wonderful! Feel free to poke me on IRC -- I'm zx2c4 in #wireguard on
Freenode -- if you need any pointers in real time.

Some odds and ends that might help: to have a tarball of the latest
git master, you can use these links:

https://git.zx2c4.com/WireGuard/snapshot/WireGuard-master.tar.xz
https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-master.tar.xz

In a few days these will be released:

https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.201805XX.tar.xz
https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.201805XX.tar.xz

If you want to try setting up a quick tunnel using `wg-quick(8)`, you
can use the demo server -- for testing purposes only; please don't use
this for anything real -- via this simple script:

https://git.zx2c4.com/WireGuard/plain/contrib/examples/ncat-client-server/client-quick.sh

After it's up, you can try pinging 192.168.4.1 or visiting that in your browser.

Looking forward,
Jason

Re: WireGuard for FreeBSD

Jason A. Donenfeld
On Tue, May 22, 2018 at 2:33 AM, Outback Dingo <[hidden email]> wrote:
> To be honest, while it sounds nice, I for one would prefer to see a
> kernel module ported to FreeBSD instead of userland.
> Second to that, building a FreeBSD port of it is not all that hard;
> however, that being said, it also needs to be accepted
> upstream and committed by a ports maintainer. While I can help with
> creating it, I still feel a kernel module is a better fit.

I too would prefer this, and maybe at some point down the line I'll
put some real time and effort into porting WireGuard from the Linux
kernel to kFreeBSD. But it's not the case that it's "not that hard";
doing so will be a pretty serious undertaking. That's going to take a
lot of time. Until that day arrives, what you speak of doesn't exist.
What we have instead today is tons of hard work that's gone into
bringing a userspace implementation.

So please, don't derail the current efforts in favor of an effort that
doesn't even exist at the moment.

Re: WireGuard for FreeBSD

Jason A. Donenfeld
Hi Bernhard,

Thanks for this. Hopefully this will be good inspiration for Chris'
research in making the official package.

Chris -- one thing to note is that Bernhard used the "-master"
tarballs, which aren't real tarballs and have changing unstable
checksums, so you'll of course want to swap this out with real
tarballs once released.

Jason

Re: WireGuard for FreeBSD

Jason A. Donenfeld
On Mon, May 21, 2018 at 11:35 PM, Jason A. Donenfeld <[hidden email]> wrote:
> 2. wireguard-go
> Runtime dependencies: none
> Buildtime dependencies: gmake, go
> Build: export GOPATH=$(pwd)/gopath; go get -d; gmake
> Install: gmake PREFIX=/usr/local install
> URL template: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-VERSION.tar.xz

This has now been simplified slightly and uses proper vendoring of dependencies:

Runtime dependencies: none
Buildtime dependencies: gmake, go, dep
Build: gmake
Install: gmake PREFIX=/usr/local install
URL template: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-VERSION.tar.xz

Re: WireGuard for FreeBSD

Jason A. Donenfeld
We now have a release, so the full instructions for the packages are:

1. wireguard-tools, providing wg(8) and wg-quick(8)
Runtime dependencies: bash, wireguard-go
Buildtime dependencies: gmake, c compiler, libc
Build: gmake -C src/tools WITH_WGQUICK=yes
Install: gmake -C src/tools PREFIX=/usr/local install
URL: https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20180524.tar.xz

2. wireguard-go
Runtime dependencies: libc
Buildtime dependencies: gmake, go, dep
Build: gmake
Install: gmake PREFIX=/usr/local install
URL: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20180524.tar.xz

I believe decke is already working on a port in his repository.

Re: WireGuard for FreeBSD

Bernhard Fröhlich
On Thu, May 24, 2018 at 3:06 AM, Jason A. Donenfeld <[hidden email]> wrote:

> We now have a release, so the full instructions for the packages are:
>
> 1. wireguard-tools, providing wg(8) and wg-quick(8)
> Runtime dependencies: bash, wireguard-go
> Buildtime dependencies: gmake, c compiler, libc
> Build: gmake -C src/tools WITH_WGQUICK=yes
> Install: gmake -C src/tools PREFIX=/usr/local install
> URL: https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20180524.tar.xz
>
> 2. wireguard-go
> Runtime dependencies: libc
> Buildtime dependencies: gmake, go, dep
> Build: gmake
> Install: gmake PREFIX=/usr/local install
> URL: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20180524.tar.xz
>
> I believe decke is already working on a port in his repository.

Ports are already updated on GitHub. I will do some final checks and
expect to commit the wireguard ports to the official tree today.

--
Bernhard Froehlich
http://www.bluelife.at/

Re: WireGuard for FreeBSD

Jan Bramkamp
On 24.05.18 09:15, Bernhard Fröhlich wrote:

> On Thu, May 24, 2018 at 3:06 AM, Jason A. Donenfeld <[hidden email]> wrote:
>> We now have a release, so the full instructions for the packages are:
>>
>> 1. wireguard-tools, providing wg(8) and wg-quick(8)
>> Runtime dependencies: bash, wireguard-go
>> Buildtime dependencies: gmake, c compiler, libc
>> Build: gmake -C src/tools WITH_WGQUICK=yes
>> Install: gmake -C src/tools PREFIX=/usr/local install
>> URL: https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20180524.tar.xz
>>
>> 2. wireguard-go
>> Runtime dependencies: libc
>> Buildtime dependencies: gmake, go, dep
>> Build: gmake
>> Install: gmake PREFIX=/usr/local install
>> URL: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20180524.tar.xz
>>
>> I believe decke is already working on a port in his repository.
>
> Ports are already updated on github. I will do some final checks and
> expect to commit
> the wireguard ports to the official tree today.

Did I understand correctly that both these ports are userspace
implementations and have a similar per packet overhead to OpenVPN and fastd?

Re: WireGuard for FreeBSD

Jason A. Donenfeld
On Thu, May 24, 2018 at 12:43 PM, Jan Bramkamp <[hidden email]> wrote:
> Did I understand correctly that both these ports are userspace
> implementations and have a similar per packet overhead to OpenVPN and fastd?

Indeed they're userspace ports. Maybe down the line this will be
ported to the FreeBSD kernel like we have on Linux.
However, performance wise, even the userspace implementation seems to
have better performance than OpenVPN in my testing.

Re: WireGuard for FreeBSD

Chris H
On Thu, 24 May 2018 09:15:28 +0200 "Bernhard Fröhlich" <[hidden email]> said

> On Thu, May 24, 2018 at 3:06 AM, Jason A. Donenfeld <[hidden email]> wrote:
> > We now have a release, so the full instructions for the packages are:
> >
> > 1. wireguard-tools, providing wg(8) and wg-quick(8)
> > Runtime dependencies: bash, wireguard-go
> > Buildtime dependencies: gmake, c compiler, libc
> > Build: gmake -C src/tools WITH_WGQUICK=yes
> > Install: gmake -C src/tools PREFIX=/usr/local install
> > URL: https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20180524.tar.xz
> >
> > 2. wireguard-go
> > Runtime dependencies: libc
> > Buildtime dependencies: gmake, go, dep
> > Build: gmake
> > Install: gmake PREFIX=/usr/local install
> > URL:
> > https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20180524.tar.xz
> >
> > I believe decke is already working on a port in his repository.
>
> Ports are already updated on github. I will do some final checks and
> expect to commit
> the wireguard ports to the official tree today.
I should have no trouble introducing WireGuard to the ports system today.
While I could have submitted it sooner, as the maintainer of ~130 ports it
is not entirely unusual to have pr(1)'s to deal with, especially with the
introduction (upgrade) of clang/llvm in $BASE to v.5, and now v.6.
Thanks for your understanding.

--Chris
>
> --
> Bernhard Froehlich
> http://www.bluelife.at/



Re: WireGuard for FreeBSD

Chris H
On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld" <[hidden email]> said

> Hi Chris,
>
> On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
> > I should have no trouble introducing Wireguard to the ports system today.
>
> I'm not a native fluent speaker of FreeBSDese, but my understanding is:
> a) Bernhard committed the two new packages to ports today.
> b) If you update ports with portsnap, you can build them locally.
> c) If you run `pkg install wireguard`, it fails because the build
> servers haven't gotten to them and won't for several days.
>
> Does your statement about "introducing WireGuard to the ports system"
> mean that you intend to rectify (c) immediately, so we don't have to
> wait several days for the build snapshot scripts to tick in cron? Or
> is it mostly just related to not realizing (a)?
Sigh...
It was my understanding that when I stepped up to adopt WireGuard,
and your ack to that, *I* would be adding the port. I wasn't able
to produce the port that same, or next, day, as I am already maintainer
for nearly 150 ports. I have no trouble with that list, except that
clang/llvm v5, and shortly after v6, became the default versions in $BASE,
which introduced a few pr(1)'s I needed to deal with.
Now all the time I have spent researching, and staging to build the port,
has been laid to waste. Apparently you rescinded, and gave it to Bernhard.
This project doesn't feel like a good match to me.
No hard feelings, Bernhard. Have fun with the port.

All the best.

--Chris

>
> Jason



Re: WireGuard for FreeBSD

Bernhard Fröhlich
On Thu, May 24, 2018 at 9:06 PM, Chris H <[hidden email]> wrote:

> On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld" <[hidden email]>
> said
>
>> Hi Chris,
>>
>> On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
>> > I should have no trouble introducing Wireguard to the ports system
>> > today.
>>
>> I'm not a native fluent speaker of FreeBSDese, but my understanding is:
>> a) Bernhard committed the two new packages to ports today.
>> b) If you update ports with portsnap, you can build them locally.
>> c) If you run `pkg install wireguard`, it fails because the build
>> servers haven't gotten to them and won't for several days.
>>
>> Does your statement about "introducing WireGuard to the ports system"
>> mean that you intend to rectify (c) immediately, so we don't have to
>> wait several days for the build snapshot scripts to tick in cron? Or
>> is it mostly just related to not realizing (a)?
>
> Sigh...
> It was my understanding that when I stepped up to adopt WireGuard,
> and your ack to that. That *I* would be adding the port. I wasn't able
> to produce the port that same, or next day, as I am already Maintainer
> for nearly 150 ports. I have no trouble with that list, except that
> clang/llvm v5, and shortly after v6 became the default versions in $BASE.
> Which introduced a few pr(1)'s I needed to deal with.
> Now all the time I have spent researching, and staging to build the port
> have been laid to waste. Apparently you rescinded, and gave it to Bernhard.
> This project doesn't feel like a good match to me.
> No hard feelings, Bernhard. Have fun with the port.

(resend because the mailing list blocked it)

Hi Chris,

I'm sorry that I was confusing people, which was really not my intention.
I have also seen your ACK to create the ports and replied to you in private
to offer my help. Then I joined in IRC and just wanted to get an idea how
far the FreeBSD support was. I ended up creating two very rough ports which
did build but not pass poudriere, and called it a day. I also sent you and
the list a mail to avoid duplicate work, and hoped you would take it as a base.

But I did not get any reply on the next day, so I kept going and finished
the ports yesterday with some good help from upstream.

Sorry for how that developed, but I had hoped you would get in contact with
either me or upstream, which neither happened. We usually do not have the
problem that too many people want to help out, so I did not expect that this
would be a problem for anyone.

--
Bernhard Froehlich
http://www.bluelife.at/

Re: WireGuard for FreeBSD

Bernhard Fröhlich
On Fri, May 25, 2018 at 12:24 AM, Chris H <[hidden email]> wrote:

> On Thu, 24 May 2018 22:16:42 +0200 "Bernhard Froehlich" <[hidden email]>
> said
>
>> On 24.05.2018 21:06, Chris H <[hidden email]> wrote:
>> >
>> > On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld"
>> > <[hidden email]>
>> > said
>> > >
>> > > Hi Chris,
>> > >
>> > > On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
>> > > > I should have no trouble introducing Wireguard to the ports system today.
>> > >
>> > > I'm not a native fluent speaker of FreeBSDese, but my understanding is:
>> > > a) Bernhard committed the two new packages to ports today.
>> > > b) If you update ports with portsnap, you can build them locally.
>> > > c) If you run `pkg install wireguard`, it fails because the build
>> > > servers haven't gotten to them and won't for several days.
>> > >
>> > > Does your statement about "introducing WireGuard to the ports system"
>> > > mean that you intend to rectify (c) immediately, so we don't have to
>> > > wait several days for the build snapshot scripts to tick in cron? Or
>> > > is it mostly just related to not realizing (a)?
>> >
>> > Sigh...
>> > It was my understanding that when I stepped up to adopt WireGuard,
>> > and your ack to that. That *I* would be adding the port. I wasn't able
>> > to produce the port that same, or next day, as I am already Maintainer
>> > for nearly 150 ports. I have no trouble with that list, except that
>> > clang/llvm v5, and shortly after v6 became the default versions in $BASE.
>> > Which introduced a few pr(1)'s I needed to deal with.
>> > Now all the time I have spent researching, and staging to build the
>> > port have been laid to waste. Apparently you rescinded, and gave it to
>> > Bernhard. This project doesn't feel like a good match to me. No hard
>> > feelings, Bernhard. Have fun with the port.
>> Hi Chris,
>>
>> I'm sorry that I was confusing people which was really not my intention. I
>> have also seen your ACK to create the ports and replied to you in private
>> to
>> offer my help. Then I joined in IRC and just wanted to get an idea how far
>> the FreeBSD support was. I ended up creating two very rough ports which
>> did
>> build but not pass poudriere and called it a day. I also did send you and
>> the
>> list a mail to avoid duplicate work - and hoped you take it as a base.
>>
>> But I did not get any reply on the next day so I kept going and finished
>> the
>> ports yesterday with some good help from upstream.
>>
>> Sorry for how that developed but I hoped you get in contact with either me
>> or
>> upstream which neither happened. We usually do not have the problem that
>> too
>> many people want to help out so I did not expect that this will be a
>> problem
>> for anyone.
>
> Ahem. OK thank you for the kind words, and intentions, Bernhard. Like I
> said;
> no hard feelings. If you've already gotten that far. You might as well
> finish.
> FWIW while you *did* indeed shoot me, and the list a couple of notes. I was
> never under the impression you were going to take it so far. Which
> *ultimately*
> left everyone concerned believing *you* were going to maintain it.
> I only mention it, in hopes all of us might use the --verbose switch in the
> future, in hopes of avoiding this sort of nonsense. :-) :-)
>
> Thanks again, Bernhard!
>
> --Chris
>
> P.S. just in case it wasn't clear; feel free to finish, and submit your
> work.
> P.P.S. Just so you (and everyone else) knows; I'm already working on the
> kernel module. Please keep in touch, should you also be interested, and have
> any work of your own.

Hi Chris,

To be crystal clear about that: my motivation is not to be maintainer of
any specific port or anything like that, but only to have technology
available on FreeBSD that I personally need and/or want.

Usually for more complex ports this leads to team efforts on our porting
work, which was also what I expected to happen for WireGuard. Well, it
turned out to be easier than thought, and upstream was also very helpful,
so in the end that was more like a one-day effort to get the basic ports.

Nevertheless I would still be very happy to increase the bus factor and
team up with multiple people to maintain WireGuard. I think there will be
more work to be done in the near future for WireGuard on FreeBSD where a
team effort would speed things up for sure:

- we need to support FreeNAS and pfSense to get it into their package systems
- documentation is still needed because it differs a bit from upstream
documentation (Handbook page?)
- wireguard kernel module (can that work already be seen somewhere?
upstream will be interested for sure)
- rc script(s)
- the regular maintenance for the port

--
Bernhard Froehlich
http://www.bluelife.at/

Re: WireGuard for FreeBSD

Jan Bramkamp
On 25.05.18 09:29, Bernhard Fröhlich wrote:

> On Fri, May 25, 2018 at 12:24 AM, Chris H <[hidden email]> wrote:
>> On Thu, 24 May 2018 22:16:42 +0200 "Bernhard Froehlich" <[hidden email]>
>> said
>>
>>> On 24.05.2018 21:06, Chris H <[hidden email]> wrote:
>>>>
>>>> On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld"
>>>> <[hidden email]>
>>>> said
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>> On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
>>>>>> I should have no trouble introducing Wireguard to the ports system today.
>>>>>
>>>>> I'm not a native fluent speaker of FreeBSDese, but my understanding is:
>>>>> a) Bernhard committed the two new packages to ports today.
>>>>> b) If you update ports with portsnap, you can build them locally.
>>>>> c) If you run `pkg install wireguard`, it fails because the build
>>>>> servers haven't gotten to them and won't for several days.
>>>>>
>>>>> Does your statement about "introducing WireGuard to the ports system"
>>>>> mean that you intend to rectify (c) immediately, so we don't have to
>>>>> wait several days for the build snapshot scripts to tick in cron? Or
>>>>> is it mostly just related to not realizing (a)?
>>>>
>>>> Sigh...
>>>> It was my understanding that when I stepped up to adopt WireGuard,
>>>> and your ack to that. That *I* would be adding the port. I wasn't able
>>>> to produce the port that same, or next day, as I am already Maintainer
>>>> for nearly 150 ports. I have no trouble with that list, except that
>>>> clang/llvm v5, and shortly after v6 became the default versions in $BASE.
>>>> Which introduced a few pr(1)'s I needed to deal with.
>>>> Now all the time I have spent researching, and staging to build the
>>>> port have been laid to waste. Apparently you rescinded, and gave it to
>>>> Bernhard. This project doesn't feel like a good match to me. No hard
>>>> feelings, Bernhard. Have fun with the port.
>>> Hi Chris,
>>>
>>> I'm sorry that I was confusing people which was really not my intention. I
>>> have also seen your ACK to create the ports and replied to you in private
>>> to
>>> offer my help. Then I joined in IRC and just wanted to get an idea how far
>>> the FreeBSD support was. I ended up creating two very rough ports which
>>> did
>>> build but not pass poudriere and called it a day. I also did send you and
>>> the
>>> list a mail to avoid duplicate work - and hoped you take it as a base.
>>>
>>> But I did not get any reply on the next day so I kept going and finished
>>> the
>>> ports yesterday with some good help from upstream.
>>>
>>> Sorry for how that developed but I hoped you get in contact with either me
>>> or
>>> upstream which neither happened. We usually do not have the problem that
>>> too
>>> many people want to help out so I did not expect that this will be a
>>> problem
>>> for anyone.
>>
>> Ahem. OK thank you for the kind words, and intentions, Bernhard. Like I
>> said;
>> no hard feelings. If you've already gotten that far. You might as well
>> finish.
>> FWIW while you *did* indeed shoot me, and the list a couple of notes. I was
>> never under the impression you were going to take it so far. Which
>> *ultimately*
>> left everyone concerned believing *you* were going to maintain it.
>> I only mention it, in hopes all of us might use the --verbose switch in the
>> future, in hopes of avoiding this sort of nonsense. :-) :-)
>>
>> Thanks again, Bernhard!
>>
>> --Chris
>>
>> P.S. just in case it wasn't clear; feel free to finish, and submit your
>> work.
>> P.P.S. Just so you (and everyone else) knows; I'm already working on the
>> kernel module. Please keep in touch, should you also be interested, and have
>> any work of your own.
>
> Hi chris,
>
> to be crystal clear about that. My motivation is not to be maintainer
> of any specific
> port or anything like that but only to have technology available on
> FreeBSD that I
> personally need and/or want.
>
> Usually for more complex ports this did lead to team efforts on our porting work
> which was also what I did expect to happen for wireguard. Well it
> turned out to be
> easier than thought and upstream was also very helpful so in the end
> that was more
> like a one day of work effort to get the basic ports.
>
> Nevertheless I would still be very happy to increase the bus factor
> and team up with
> multiple people to maintain wireguard. I think there will be more work
> to be done in the
> near future for wireguard on FreeBSD where a team effort would speed
> up things for
> sure:
>
> - we need to support FreeNAS and pfsense to get it into their package systems
> - documentation is still needed because it differs a bit from upstream
> documentation (Handbook page?)
> - wireguard kernel module (can that work already be seen somewhere?
> upstream will be interested for sure)
> - rc script(s)
> - the regular maintenance for the port

The WireGuard userspace tooling isn't that simple to use reliably. You
have to spawn the wireguard-go process before the config can be loaded,
and it can die in the meantime, and you want to terminate it and
destroy the tun interface if the config contains errors. Doing this
without ugly hacks isn't possible given the interfaces offered by
wireguard-go. It would be really nice to be able to terminate
wireguard-go over the unix domain socket instead of a pkill.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "[hidden email]"

Re: WireGuard for FreeBSD

Jan Bramkamp-2
In reply to this post by Jason A. Donenfeld
On 24.05.18 13:07, Jason A. Donenfeld wrote:
> On Thu, May 24, 2018 at 12:43 PM, Jan Bramkamp <[hidden email]> wrote:
>> Did I understand correctly that both these ports are userspace
>> implementations and have a similar per packet overhead to OpenVPN and fastd?
>
> Indeed they're userspace ports. Maybe down the line this will be
> ported to the FreeBSD kernel like we have on Linux.
> However, performance wise, even the userspace implementation seems to
> have better performance than OpenVPN in my testing.

I tried wireguard-go on OpenBSD and FreeBSD. I want to use WireGuard as
replacement for OpenVPN point to point tunnels with dynamic routing
(OSPF, iBGP). Especially this requires the right interface flags for the
tun interface. So far wireguard-go on *BSD configures the tun interfaces
as multicast incapable, broadcast interface which confuses the OpenBSD
OSPF daemon completely and doesn't make any sense for a point to point
tunnel. I get that wireguard-go tries to fake point to multipoint
support that way. Is there a better solution than changing the hardwired
argument ioctl() in tun/tun_*bsd.go?

Re: WireGuard for FreeBSD

Jan Bramkamp-2
In reply to this post by Jan Bramkamp-2
On 25.05.18 15:11, Bernhard Fröhlich wrote:

> On Fri, May 25, 2018 at 12:05 PM, Jan Bramkamp <[hidden email]> wrote:
>>
>>
>> On 25.05.18 09:29, Bernhard Fröhlich wrote:
>>>
>>> On Fri, May 25, 2018 at 12:24 AM, Chris H <[hidden email]> wrote:
>>>>
>>>> On Thu, 24 May 2018 22:16:42 +0200 "Bernhard Froehlich"
>>>> <[hidden email]>
>>>> said
>>>>
>>>>> Am 24.05.2018 21:06 schrieb Chris H <[hidden email]>:
>>>>>>
>>>>>>
>>>>>> On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld"
>>>>>> <[hidden email]>
>>>>>> said
>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
>>>>>>>> I should have no trouble introducing Wireguard to the ports system today.
>>>>>>>
>>>>>>> I'm not a native fluent speaker of FreeBSDese, but my understanding is:
>>>>>>>
>>>>>>> a) Bernhard committed the two new packages to ports today.
>>>>>>>
>>>>>>> b) If you update ports with portsnap, you can build them locally.
>>>>>>>
>>>>>>> c) If you run `pkg install wireguard`, it fails because the build
>>>>>>> servers haven't gotten to them and won't for several days.
>>>>>>>
>>>>>>> Does your statement about "introducing WireGuard to the ports system"
>>>>>>> mean that you intend to rectify (c) immediately, so we don't have to
>>>>>>> wait several days for the build snapshot scripts to tick in cron? Or
>>>>>>> is it mostly just related to not realizing (a)?
>>>>>> Sigh...
>>>>>> It was my understanding that when I stepped up to adopt WireGuard,
>>>>>> and your ack to that. That *I* would be adding the port. I wasn't able
>>>>>> to produce the port that same, or next day, as I am already Maintainer
>>>>>> for nearly 150 ports. I have no trouble with that list, except that
>>>>>> clang/llvm v5, and shortly after v6 became the default versions in $BASE.
>>>>>> Which introduced a few pr(1)'s I needed to deal with.
>>>>>> Now all the time I have spent researching, and staging to build the
>>>>>> port have been laid to waste. Apparently you rescinded, and gave it to
>>>>>> Bernhard.
>>>>>> This project doesn't feel like a good match to me.
>>>>>> No hard feelings, Bernhard. Have fun with the port.
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>> I'm sorry that I was confusing people which was really not my intention.
>>>>> I
>>>>> have also seen your ACK to create the ports and replied to you in
>>>>> private
>>>>> to
>>>>> offer my help. Then I joined in IRC and just wanted to get an idea how
>>>>> far
>>>>> the FreeBSD support was. I ended up creating two very rough ports which
>>>>> did
>>>>> build but not pass poudriere and called it a day. I also did send you
>>>>> and
>>>>> the
>>>>> list a mail to avoid duplicate work - and hoped you take it as a base.
>>>>>
>>>>> But I did not get any reply on the next day so I kept going and finished
>>>>> the
>>>>> ports yesterday with some good help from upstream.
>>>>>
>>>>> Sorry for how that developed but I hoped you get in contact with either
>>>>> me
>>>>> or
>>>>> upstream which neither happened. We usually do not have the problem that
>>>>> too
>>>>> many people want to help out so I did not expect that this will be a
>>>>> problem
>>>>> for anyone.
>>>>
>>>>
>>>> Ahem. OK thank you for the kind words, and intentions, Bernhard. Like I
>>>> said;
>>>> no hard feelings. If you've already gotten that far. You might as well
>>>> finish.
>>>> FWIW while you *did* indeed shoot me, and the list a couple of notes. I
>>>> was
>>>> never under the impression you were going to take it so far. Which
>>>> *ultimately*
>>>> left everyone concerned believing *you* were going to maintain it.
>>>> I only mention it, in hopes all of us might use the --verbose switch in
>>>> the
>>>> future, in hopes of avoiding this sort of nonsense. :-) :-)
>>>>
>>>> Thanks again, Bernhard!
>>>>
>>>> --Chris
>>>>
>>>> P.S. just in case it wasn't clear; feel free to finish, and submit your
>>>> work.
>>>> P.P.S. Just so you (and everyone else) knows; I'm already working on the
>>>> kernel module. Please keep in touch, should you also be interested, and
>>>> have
>>>> any work of your own.
>>>
>>>
>>> Hi Chris,
>>>
>>> to be crystal clear about that. My motivation is not to be maintainer
>>> of any specific
>>> port or anything like that but only to have technology available on
>>> FreeBSD that I
>>> personally need and/or want.
>>>
>>> Usually for more complex ports this did lead to team efforts on our
>>> porting work
>>> which was also what I did expect to happen for wireguard. Well it
>>> turned out to be
>>> easier than thought and upstream was also very helpful so in the end
>>> that was more
>>> like a one day of work effort to get the basic ports.
>>>
>>> Nevertheless I would still be very happy to increase the bus factor
>>> and team up with
>>> multiple people to maintain wireguard. I think there will be more work
>>> to be done in the
>>> near future for wireguard on FreeBSD where a team effort would speed
>>> up things for
>>> sure:
>>>
>>> - we need to support FreeNAS and pfsense to get it into their package
>>> systems
>>> - documentation is still needed because it differs a bit from upstream
>>> documentation (Handbook page?)
>>> - wireguard kernel module (can that work already be seen somewhere?
>>> upstream will be interested for sure)
>>> - rc script(s)
>>> - the regular maintenance for the port
>>
>>
>> The wireguard userspace tooling isn't that simple to use reliably. You have
>> to spawn the wireguard-go process before the config can be loaded and it can
>> die in the meantime, and so you want to terminate it and destroy the tun
>> interface if the config contains errors. Doing this without ugly hacks isn't
>> possible given the interfaces offered by wireguard-go. It would be really
>> nice to be able to terminate wireguard-go over the unix domain socket
>> instead of a pkill.
>
> I found it quite okay on FreeBSD that way:
>
> - create keys with "wg" like in the quickstart
> - create the config file /usr/local/etc/wg0.conf and fill appropriate
> (see manpages
> of wg and wg-quick)
> - start: wg-quick up wg0
> - stop: wg-quick down wg0
>
> Though I think the OpenBSD support is still very very rough (3 days old).

The problem isn't that these tools don't work in the common case. The
problem is that their implementation is inherently racy. Here is what
has to happen to bring up a tunnel:

* wireguard-go tun0
* wg setconf tun0 /etc/wg/tun0.conf
* service netif start tun0 (or sh /etc/netstart tun0 on OpenBSD)

The problem is that both of these configuration steps (wg setconf and
the rc scripts) can fail and wireguard-go can die any time. I care about
these corner cases because I plan to run wireguard-go under process
supervision (runit, s6) on FreeBSD and OpenBSD. To get the most out of
process supervision everything has to start correctly or fail hard with
sane timeouts. If the ./run script spawns a subshell before exec()ing
into wireguard-go and the wireguard-go process dies it can't just save
the pid with PID="$$" and kill it if the config fails to apply. In that
case the PID could've been reused.
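The bring-up sequence above (spawn wireguard-go, wait for it, apply the config, configure the interface, tear everything down if any step fails) can be made race-free for the PID-reuse case as long as the supervising process is the daemon's parent and holds on to the child's exit status itself. The following Go program is an added example written for this thread; it is not code from the thread or from the wireguard-go project. It does not give the socket-based termination Jan asks for; it sidesteps the stale-PID problem by never signalling through a PID it looked up later. The command vectors shown in the comments (wireguard-go's foreground flag `-f`, the control socket `/var/run/wireguard/tun0.sock`, `wg setconf`, `service netif start`) are what I expect a FreeBSD deployment would use and are assumptions; the `main` function runs the same sequence against stand-in commands constructed for the demo so it can be executed offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// DefaultDeadline bounds how long BringUp waits for the control socket.
const DefaultDeadline = 2 * time.Second

// TunnelSpec describes one supervised wireguard-go tunnel. The command
// vectors are parameters so the sequence can be exercised with stand-in
// commands. For a real tun0 on FreeBSD they would be (assumed values):
//   Daemon:  {"wireguard-go", "-f", "tun0"}
//   Socket:  "/var/run/wireguard/tun0.sock"
//   SetConf: {"wg", "setconf", "tun0", "/etc/wg/tun0.conf"}
//   Netif:   {"service", "netif", "start", "tun0"}
type TunnelSpec struct {
	Daemon   []string      // foreground daemon to supervise
	Socket   string        // control socket whose appearance signals readiness
	SetConf  []string      // step 2: load the WireGuard config
	Netif    []string      // step 3: address/route configuration
	Deadline time.Duration // how long to wait for the socket
}

// Tunnel is a daemon started by BringUp. Its exit status is collected here
// and nowhere else, which is what makes Stop safe.
type Tunnel struct {
	cmd    *exec.Cmd
	exited chan error // receives cmd.Wait()'s result exactly once
	done   bool       // set once the exit status has been consumed
}

// runStep runs one configuration command to completion.
func runStep(argv []string) error {
	c := exec.Command(argv[0], argv[1:]...)
	c.Stdout, c.Stderr = os.Stdout, os.Stderr
	return c.Run()
}

// BringUp performs the three steps in order and undoes step 1 if a later
// step fails. While the child is unreaped its PID cannot be recycled, and
// once the exit status has been collected os.Process refuses to signal
// (os.ErrProcessDone), so an unrelated process is never the target.
func BringUp(spec TunnelSpec) (*Tunnel, error) {
	cmd := exec.Command(spec.Daemon[0], spec.Daemon[1:]...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Start(); err != nil {
		return nil, fmt.Errorf("start daemon: %w", err)
	}
	tun := &Tunnel{cmd: cmd, exited: make(chan error, 1)}
	go func() { tun.exited <- cmd.Wait() }()

	// Wait for the control socket, noticing an early death or a hang.
	deadline := time.Now().Add(spec.Deadline)
	for {
		select {
		case err := <-tun.exited: // already reaped: nothing left to kill
			tun.done = true
			return nil, fmt.Errorf("daemon exited before %s appeared: %v", spec.Socket, err)
		default:
		}
		if _, err := os.Stat(spec.Socket); err == nil {
			break
		}
		if time.Now().After(deadline) {
			stopErr := tun.Stop()
			return nil, fmt.Errorf("timeout waiting for %s (daemon stopped: %v)", spec.Socket, stopErr)
		}
		time.Sleep(20 * time.Millisecond)
	}

	// Steps 2 and 3: any failure tears the daemon down again.
	for _, step := range [][]string{spec.SetConf, spec.Netif} {
		if err := runStep(step); err != nil {
			stopErr := tun.Stop()
			return nil, fmt.Errorf("%v failed: %v (daemon stopped: %v)", step, err, stopErr)
		}
	}
	return tun, nil
}

// Stop terminates the daemon BringUp started and collects its exit status.
// Calling it twice is a no-op.
func (t *Tunnel) Stop() error {
	if t.done {
		return nil
	}
	if err := t.cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
		return err
	}
	<-t.exited // reap; a zombie's PID was never reusable
	t.done = true
	return nil
}

func main() {
	// Stand-in daemon (constructed for the demo): creates the "socket" file
	// and idles, mimicking wireguard-go becoming ready; setconf then fails.
	sock := os.TempDir() + "/wg-demo.sock"
	defer os.Remove(sock)
	tun, err := BringUp(TunnelSpec{
		Daemon:   []string{"sh", "-c", `touch "$1" && exec sleep 30`, "sh", sock},
		Socket:   sock,
		SetConf:  []string{"false"},
		Netif:    []string{"true"},
		Deadline: DefaultDeadline,
	})
	if err != nil {
		fmt.Println("bring-up failed and daemon was stopped:", err)
		return
	}
	_ = tun.Stop()
}
```

A runit or s6 `./run` script would simply `exec` a binary built from this, with the real command vectors substituted, so that the supervisor's own child is the process that owns the wireguard-go exit status.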

Re: WireGuard for FreeBSD

Chris H-5
In reply to this post by Jan Bramkamp-2
On Fri, 25 May 2018 12:05:40 +0200 "Jan Bramkamp" <[hidden email]> said

> On 25.05.18 09:29, Bernhard Fröhlich wrote:
> > On Fri, May 25, 2018 at 12:24 AM, Chris H <[hidden email]> wrote:
> >> On Thu, 24 May 2018 22:16:42 +0200 "Bernhard Froehlich" <[hidden email]>
> >> said
> >>
> >>> Am 24.05.2018 21:06 schrieb Chris H <[hidden email]>:
> >>>>
> >>>> On Thu, 24 May 2018 19:39:22 +0200 "Jason A. Donenfeld"
> >>>> <[hidden email]>
> >>>> said
> >>>>
> >>>>> Hi Chris,
> >>>>>
> >>>>> On Thu, May 24, 2018 at 3:38 PM, Chris H <[hidden email]> wrote:
> >>>>>> I should have no trouble introducing Wireguard to the ports system today.
> >>>>>
> >>>>> I'm not a native fluent speaker of FreeBSDese, but my understanding is:
> >>>>>
> >>>>> a) Bernhard committed the two new packages to ports today.
> >>>>>
> >>>>> b) If you update ports with portsnap, you can build them locally.
> >>>>>
> >>>>> c) If you run `pkg install wireguard`, it fails because the build
> >>>>> servers haven't gotten to them and won't for several days.
> >>>>>
> >>>>> Does your statement about "introducing WireGuard to the ports system"
> >>>>> mean that you intend to rectify (c) immediately, so we don't have to
> >>>>> wait several days for the build snapshot scripts to tick in cron? Or
> >>>>> is it mostly just related to not realizing (a)?
> >>>> Sigh...
> >>>> It was my understanding that when I stepped up to adopt WireGuard,
> >>>> and your ack to that. That *I* would be adding the port. I wasn't able
> >>>> to produce the port that same, or next day, as I am already Maintainer
> >>>> for nearly 150 ports. I have no trouble with that list, except that
> >>>> clang/llvm v5, and shortly after v6 became the default versions in $BASE.
> >>>> Which introduced a few pr(1)'s I needed to deal with.
> >>>> Now all the time I have spent researching, and staging to build the
> >>>> port have been laid to waste. Apparently you rescinded, and gave it to
> >>>> Bernhard.
> >>>> This project doesn't feel like a good match to me.
> >>>> No hard feelings, Bernhard. Have fun with the port.
> >>> Hi Chris,
> >>>
> >>> I'm sorry that I was confusing people which was really not my intention. I
> >>> have also seen your ACK to create the ports and replied to you in private
> >>> to
> >>> offer my help. Then I joined in IRC and just wanted to get an idea how far
> >>> the FreeBSD support was. I ended up creating two very rough ports which
> >>> did
> >>> build but not pass poudriere and called it a day. I also did send you and
> >>> the
> >>> list a mail to avoid duplicate work - and hoped you take it as a base.
> >>>
> >>> But I did not get any reply on the next day so I kept going and finished
> >>> the
> >>> ports yesterday with some good help from upstream.
> >>>
> >>> Sorry for how that developed but I hoped you get in contact with either me
> >>> or
> >>> upstream which neither happened. We usually do not have the problem that
> >>> too
> >>> many people want to help out so I did not expect that this will be a
> >>> problem
> >>> for anyone.
> >>
> >> Ahem. OK thank you for the kind words, and intentions, Bernhard. Like I
> >> said;
> >> no hard feelings. If you've already gotten that far. You might as well
> >> finish.
> >> FWIW while you *did* indeed shoot me, and the list a couple of notes. I was
> >> never under the impression you were going to take it so far. Which
> >> *ultimately*
> >> left everyone concerned believing *you* were going to maintain it.
> >> I only mention it, in hopes all of us might use the --verbose switch in the
> >> future, in hopes of avoiding this sort of nonsense. :-) :-)
> >>
> >> Thanks again, Bernhard!
> >>
> >> --Chris
> >>
> >> P.S. just in case it wasn't clear; feel free to finish, and submit your
> >> work.
> >> P.P.S. Just so you (and everyone else) knows; I'm already working on the
> >> kernel module. Please keep in touch, should you also be interested, and have
> >> any work of your own.
> >
> > Hi Chris,
> >
> > to be crystal clear about that. My motivation is not to be maintainer
> > of any specific
> > port or anything like that but only to have technology available on
> > FreeBSD that I
> > personally need and/or want.
> >
> > Usually for more complex ports this did lead to team efforts on our porting
> > work
> > which was also what I did expect to happen for wireguard. Well it
> > turned out to be
> > easier than thought and upstream was also very helpful so in the end
> > that was more
> > like a one day of work effort to get the basic ports.
> >
> > Nevertheless I would still be very happy to increase the bus factor
> > and team up with
> > multiple people to maintain wireguard. I think there will be more work
> > to be done in the
> > near future for wireguard on FreeBSD where a team effort would speed
> > up things for
> > sure:
> >
> > - we need to support FreeNAS and pfsense to get it into their package
> > systems
> > - documentation is still needed because it differs a bit from upstream
> > documentation (Handbook page?)
> > - wireguard kernel module (can that work already be seen somewhere?
> > upstream will be interested for sure)
> > - rc script(s)
> > - the regular maintenance for the port
>
> The wireguard userspace tooling isn't that simple to use reliably. You
> have to spawn the wireguard-go process before the config can be loaded
> and it can die in the meantime, and so you want to terminate it and
> destroy the tun interface if the config contains errors. Doing this
> without ugly hacks isn't possible given the interfaces offered by
> wireguard-go. It would be really nice to be able to terminate
> wireguard-go over the unix domain socket instead of a pkill.
Agreed. This bugged me too. Plumbing all this through a UNIX socket
should be mandatory IMHO.

--Chris