Comment by jimmar
5 years ago
I'd read that WireGuard was supposed to be easier to implement because it supports fewer distinct crypto protocols and has fewer features overall compared to OpenVPN. But now this code is being pulled. Was it just a rushed implementation? Or is WireGuard harder to implement than initially thought?
There was concern about code quality, and accusations of what amounted to amateur mistakes in Netgate's particular implementation. I don't know how accurate those accusations are, though.
They were made by Jason Donenfeld, the author of WireGuard which is of exemplary quality so I take it pretty seriously :)
It's possible to browse the before-changes-started version of the FreeBSD code, through either CVS or the FreeBSD Git mirror. To save people the effort of finding the right git revision and the path, the kernel module starts here: https://github.com/freebsd/freebsd-src/tree/95331c228a39b44c...
On a casual inspection, there are at least kernel printfs in crypto code in __chacha20poly1305_decrypt (in module/crypto/zinc/chacha20poly1305.c) that were not in the original version of this from Linux.
The original version would be GPL v2, right? If that's the case it'd make sense that the two don't match, because you can't reuse the code for FreeBSD. You'd want a completely clean implementation just to avoid any appearance of impropriety, unless the new implementation was done by the copyright holder themselves.
Wireguard works really well in OpenBSD since like November. I find it WAY less painful to use than openvpn. I switched clients over to this implementation and they're happy as clams. Incredibly easy to set up and use, all out of a base install of a rock solid operating system that got this introduced without any kerfuffle. I think one of the weirdest sticking points about how ridiculous this whole situation is how they didn't even try to write this with that already-done implementation in mind, even after this was suggested by jason... It would have made their job a lot easier
> I think one of the weirdest sticking points about how ridiculous this whole situation is how they didn't even try to write this with that already-done implementation in mind, even after this was suggested by jason... It would have made their job a lot easier
Absolutely agree.
The whole thing is pretty crazy and makes me lose even more respect for Netgate than I had already[1].
Also, as a long-time FreeBSD user, it makes me worried about the quality of other things in FreeBSD now, if this was _almost_ allowed to get shoehorned in, in such bad condition. Not sure if this is just an unlucky one-off, or a sign of deeper problems in FreeBSD development (not enough devs, process problems, etc.).
[1]: the whole opnsense stuff was super distasteful https://en.wikipedia.org/wiki/OPNsense#cite_note-7
Someone from Netgate implemented it poorly and then the original authors tried to fix it in a hurry but ran out of time. There was also some mailing list drama, I think.
See https://news.ycombinator.com/item?id=26475519