# Wireguard Kernel Modules Safe?



## BawdyAnarchist (May 27, 2021)

Recently ran `pkg upgrade` on my VPN jails, and I am now getting the following message:

```
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
```
I remember that wg was removed at the last minute from the 13.0-RELEASE kernel, to ensure the quality of the implementation. So for now I'm running the wireguard-go implementation, but it seems I can install the kernel module manually. Is this safe? Have the issues been resolved? Will this be included in the next point release?

Thanks


----------



## cmoerz (May 27, 2021)

If you trust this arstechnica article back from March, probably not a good idea to use this if your utmost priority is security...








Buffer overruns, license violations, and bad code: FreeBSD 13’s close call

40,000 lines of flawed code almost made it into FreeBSD's kernel—we examine how.

arstechnica.com

Then again, there isn't much other news material on the matter, so further research might be worthwhile. I've refrained from using it in production for the moment, following the old adage "where there's smoke, there's fire". I know, this may be unfair - I just don't want any serious, unresolved issues with my VPN solution.


----------



## George (May 27, 2021)

```
Message from wireguard-kmod-0.0.20210503:

--
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
=====
```
The mailing lists have no news (you could write to freebsd-current). There are two open bug reports concerning "wireguard", PR 254795, and PR 253813.


----------



## Denis Shaposhnikov (May 27, 2021)

I use wireguard-kmod on my 13.0 server, no issues.


----------



## BawdyAnarchist (May 27, 2021)

Denis Shaposhnikov said:


> I use wireguard-kmod on my 13.0 server, no issues.


Yeah, I doubt you would notice any. But the question is regarding whether the implementation is secure, given the questions that occurred back in March.


----------



## Denis Shaposhnikov (May 27, 2021)

If I remember right, wireguard-kmod is implemented by WireGuard's author. I don't see any reason not to trust him.


----------



## RypPn (May 27, 2021)

Think I'll be sticking with the OpenBSD variant at least until this stabilises.


----------



## Jose (May 27, 2021)

Denis Shaposhnikov said:


> If I remember right, wireguard-kmod is implemented by WireGuard's author. I don't see any reason not to trust him.


Correct:


[ANNOUNCE] WireGuard for FreeBSD in development for 13.y – and a note of how we got here


This is not the implementation discussed in the Ars Technica muckraking article. The latter was discussed here:

Ars Technica article focused on Wireguard regarding FreeBSD

https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/  This article is kind of negative, but I don't know what to make of it. The title says it's about FreeBSD, but it's really focused on something related to Wireguard for criticisms of...

forums.FreeBSD.org

The new module seems to be in active development:

[ANNOUNCE] wireguard-freebsd snapshot v0.0.20210503 is available

But it does warn of its experimental nature.


RypPn said:


> Think I'll be sticking with the OpenBSD variant at least until this stabilises.


You mean the Go implementation? That's not specific to OpenBSD.


----------



## RypPn (May 27, 2021)

No, it's not the Go implementation; it's the in-kernel wg driver introduced in 6.8.


----------



## Jose (May 27, 2021)

RypPn said:


> No, it's not the Go implementation; it's the in-kernel wg driver introduced in 6.8.


So you're running OpenBSD, then.


----------



## RypPn (May 27, 2021)

For WireGuard, yes, for now. I have more passion for BSD than specific flavours. Best tool for the job wins for me.


----------



## chk.jxcn (May 27, 2021)

wireguard-kmod makes my NIC hit a watchdog timeout when I try to run a speed test on the other side. If I replace it with wireguard-go, there is no issue. Maybe this is a Realtek NIC issue.

```
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
re0: watchdog timeout
re0: link state changed to DOWN
re0: link state changed to UP
```


----------



## Jose (May 28, 2021)

You should report the problem on the WireGuard mailing list:

WireGuard Info Page


Thank you for testing.


----------

