FreeBSD kernel-mode WireGuard moves forward out-of-tree

5 years ago (arstechnica.com)

Ars Technica had a more in-depth follow-up, "FreeBSD kernel-mode WireGuard moves forward out-of-tree" [0], and essentially it's just moving into Donenfeld's own repository for maturation/testing until fully baked. It was announced on zx2c4 yesterday ("WireGuard for FreeBSD snapshot 0.0.20210317 is available" [1]).

It appears that for some reason Macy, whom Netgate hired, spent a year trying to port the Linux kernel version (with ample kludging and ifdefs to make it work) rather than the more portable original core standalone version. The result wasn't great. But the rushed replacement Jason volunteered a lot of time for was, well, rushed, and everyone agreed that while kernel-mode wg in FreeBSD is very desirable, the whole point of the project is to be really reliable and secure, so it's worth taking more time to do right.

This presumably won't represent that much of a delay in the end. And while it's too bad Netgate couldn't have been more collaborative and gotten it right from the start, it's also impressive and humbling to see skilled people rallying to get it together in the end. WireGuard is such a great project.

----

0: https://arstechnica.com/gadgets/2021/03/freebsd-kernel-mode-...

1: https://lists.zx2c4.com/pipermail/wireguard/2021-March/00651...

  • I've been trying to stay quiet here because I just want to part ways, but the last sentences here got to me.

    This wasn't a "mission to fix if_wg," at least it didn't start that way, and I think that it's important to acknowledge that my motivations here weren't exactly what's happened.

    Let me start with: folks can hate me for this, but I generally like mmacy. I don't like specific things he did with this driver, but we usually get along. I don't really like how he's getting dragged around like this.

    Now, this didn't start as a campaign to fix what was put into the tree, or to get Matt hit with the crap-bombs he's been dealt. This is the rough sequence of events:

    - I use openvpn

    - I don't like my openvpn setup, let's try if_wg

    - oh, there are a couple problems here, let's fix those

    - ok, what would it take to get wireguard-tools support?

    This is where I get in touch with Jason.

    - "oh, we gotta fix this"

    - yeah, I can believe that

    Cue hackathon session, we fix:

    - All the jail bugs I can spot

    - The race conditions we spot

    - Number of panics

    - Buffer overflow

    - Privilege check

    - Resync a lot of stuff with OpenBSD

    - A number of things that I don't see, but I'm not a qualified expert in the area

    Then we're here, where the stories start dropping and all hell breaks loose. For me, this isn't a story about how skilled people rallied to get it together, this is a story I'm not particularly proud of.

    No further comment, because I'd like to get back to what I do. I know this isn't going to end well for me, so I likely won't check back.

    • I've run into the Netgate folks plenty of times, and so have many others. They are not nice people. Just look over Reddit or their Forums (especially during the AES situation where I was banned for life for a post saying I was unhappy with the decision even though I apologized).

      I kept hand waving it away and using pfSense but no more. They do not deserve anybody's business. They are not good partners for the community.

      My point, for you, is you did nothing wrong. The blame lies on their side.


    • I didn't mean to spin this for Netgate. But Donenfeld hasn't seemed to want to make a big thing over it, and I just wanted to try to respect that for a summary. Kind of figured anyone really interested would read the stories and comments and get the gory details, but I'm genuinely sorry if you felt I disrespected the situation by being too breezy. And I do think there was an impressive rally to try to meet an admittedly artificial deadline and get something better in place rather than letting it slide or throwing more bombs than necessary. I do recognize it was serious.


  • It should tell you all you need to know about Netgate and pfSense when they hid the build tools without warning, changed the license, and hired a convicted residential terrorist like Macy who can't be trusted to show the restraint of civilized behavior. Use opnsense instead.

  • Ok, perhaps we'll change the article from https://www.netgate.com/blog/wireguard-removed-from-pfsense-... to that (thanks!). If there's a better article, we can change it again.

    • The original Netgate blog post is about a slightly different event from Ars Technica's follow-up (in this FreeBSD/WireGuard saga).

      Ars Technica's article is about the removal of the 'rushed' WireGuard implementation that was supposed to go into FreeBSD 13 and the fact that development is continuing out of tree.

      Netgate/pfSense had backported the old (pre-rushed) implementation that they had commissioned to the FreeBSD 12 kernel version which was released as part of pfSense 2.5 several weeks ago. They have now chosen to rip it back out again.

I'd read that WireGuard was supposed to be easier to implement because it supports fewer distinct crypto protocols and has fewer features overall compared to OpenVPN. But now this code is being pulled. Was it just a rushed implementation? Or is WireGuard harder to implement than initially thought?

  • There was concern about code quality, and accusations of what amounted to amateur mistakes in Netgate's particular implementation. I don't know how accurate those accusations are, though.

    • It's possible to browse the before-changes-started version of the FreeBSD code, through either CVS or the FreeBSD Git mirror. To save people the effort of finding the right git revision and the path, the kernel module starts here: https://github.com/freebsd/freebsd-src/tree/95331c228a39b44c...

      On a casual inspection, there are at least kernel printfs in crypto code in __chacha20poly1305_decrypt (in module/crypto/zinc/chacha20poly1305.c) that were not in the original version of this from Linux.

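As an added illustration (not code from the FreeBSD tree, the thread, or any of its participants) of the kind of review check the comment above implies, this POSIX shell script flags printf-style calls in C files that live under any directory named crypto, the idea being that debug output in cipher or AEAD code is something a reviewer wants surfaced before merge. The sample tree it scans is constructed for the demo; the file and function names echo the ones mentioned above, but the file contents are made up.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD sources.
# scan_crypto_printfs ROOT: list printf/uprintf/log calls in *.c files
# under any ".../crypto/..." path below ROOT. Exit 0 if none, 1 if any.
scan_crypto_printfs() {
    root="$1"
    # Word boundary emulated with a character class so the pattern stays
    # POSIX ERE (no \b, no \s). -H forces the filename prefix even when
    # find hands grep a single file.
    matches=$(find "$root" -type f -name '*.c' -path '*/crypto/*' -exec \
        grep -nHE '(^|[^[:alnum:]_])(printf|uprintf|log)[[:space:]]*\(' {} + \
        2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# make_sample_tree DIR: write a constructed sample source tree for the demo.
# One file sits under a crypto directory and contains a stray debug print;
# the other is ordinary network code whose printf is out of scope here.
make_sample_tree() {
    mkdir -p "$1/module/crypto/zinc" "$1/module/net"
    cat > "$1/module/crypto/zinc/chacha20poly1305.c" <<'EOF'
/* constructed sample: a debug print left in a decrypt path */
static bool __chacha20poly1305_decrypt(void)
{
    printf("decrypting nonce=%llu\n", nonce); /* flagged by the scan */
    return true;
}
EOF
    cat > "$1/module/net/if_wg.c" <<'EOF'
/* constructed sample: printf outside crypto/ is not reported by this scan */
void wg_report(void) { printf("up\n"); }
EOF
}

# Stand-alone run: build the sample tree, scan it, report the verdict.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    if scan_crypto_printfs "$demo"; then
        echo "no printf-style calls in crypto code"
    else
        echo "review needed: printf-style calls found in crypto code"
    fi
    rm -rf "$demo"
fi
```

The scan is intentionally narrow: it only looks at paths containing a crypto directory, so the printf in if_wg.c is left alone, and it reports the file and line so the reviewer can decide whether each hit is harmless or leaks key material or nonces into the kernel log.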

  • WireGuard works really well in OpenBSD since like November. I find it WAY less painful to use than openvpn. I switched clients over to this implementation and they're happy as clams. Incredibly easy to set up and use, all out of a base install of a rock solid operating system that got this introduced without any kerfuffle. I think one of the weirdest sticking points about how ridiculous this whole situation is how they didn't even try to write this with that already-done implementation in mind, even after this was suggested by Jason... It would have made their job a lot easier

    • > I think one of the weirdest sticking points about how ridiculous this whole situation is how they didn't even try to write this with that already-done implementation in mind, even after this was suggested by Jason... It would have made their job a lot easier

      Absolutely agree.

      The whole thing is pretty crazy and makes me lose even more respect for Netgate than I had already[1].

      Also, as a long-time FreeBSD user, it also makes me worried about the quality of other things in FreeBSD now, if this was _almost_ allowed to get shoehorned in, in such bad condition. Not sure if this is just an unlucky one-off, or a sign of deeper problems in FreeBSD development (not enough devs, process problems, etc).

      [1]: the whole OPNsense stuff was super distasteful https://en.wikipedia.org/wiki/OPNsense#cite_note-7

  • Someone from Netgate implemented it poorly and then the original authors tried to fix it in a hurry but ran out of time. There was also some mailing list drama I think.

Just checked and there isn't any pfSense update available, so even if they removed it from the source code, given that the majority doesn't compile pfSense themselves, I'd argue that it isn't removed just yet.

Is there some actual concern about WireGuard itself or just the FreeBSD implementation?

I don't get where all the hype about WireGuard comes from. It's just another VPN, of which we already have several perfectly well working ones. What is so special about it over all the other things that go into Linux and FreeBSD, and that actually do something new and unique and don't make the news?

I'm personally ready to ignore it and add it to my BS bingo card. Blockchain anyone?

  • I would suggest watching https://www.youtube.com/watch?v=88GyLoZbDNw.

    As someone who just wants to maintain a few VPN tunnels without having to be an expert in OVPN/IPSec/whatever, the ease-of-setup and conceptual simplicity of WireGuard is like a cup of ice water in hell.

    The order-of-magnitude better performance and excellent security properties are just the icing on the cake, as far as I'm concerned.

Not sure where you get that idea. It was directly based on a snapshot of the OpenBSD version. Jason is just gaslighting you.

Every time Jason "fixes" something in the FreeBSD code, it stops compiling. So I'm not sure about that.

"Not up to the standard" means "not pandering to or paying Jason"

  • Edit: email sent.

    • @dang doesn't work - you have to email hn@ycombinator.com. That's in the guidelines: https://news.ycombinator.com/newsguidelines.html. Fortunately another user alerted me that way - it's the only reliable way to get information to us.

      A nice side effect is that it doesn't add off-topic meta stuff to the thread.

      p.s. I hope that didn't sound too critical. I appreciate your helpful intention!

“more collaborative” here is cover for “pay Jason to work on it” and “skilled people” is code for “people Jason approves”

  • You posted like 6 of these all over this thread. Can you please not? That's vandalism, and I've banned the account.

    If you have a solid critique to make, of course that's welcome, but it needs to be done thoughtfully and with substantive information, not personal attack.

    https://news.ycombinator.com/newsguidelines.html

They're removing it from the tree because they're tired of Jason controlling the narrative. Jason had more than three months to review the original patch and he's upset that they haven't done everything on his terms. I don't think you need to worry about NetGate being involved any more.

  • Obvious pfSense shill is obvious? Especially given pfSense history on issues like this (e.g. OPNsense https://opnsense.org/opnsense-com/). It's really unfortunate how you're treating Jason after he seems to have heroically stepped in to rescue the WireGuard patch and try to get it in FreeBSD 13. He didn't even call out pfSense or NetGate in his original email. If there hadn't been all this drama I would have never even known that pfSense was involved and would have just assumed "some developer" contributed wg to FreeBSD and the WireGuard author did a nice thing and cleaned up their code.