[HN Gopher] WireGuard Merged into OpenBSD
___________________________________________________________________
WireGuard Merged into OpenBSD

Author : axiomdata316
Score : 206 points
Date : 2020-06-21 19:34 UTC
Source : marc.info

| greatjack613 wrote:
| Incredible, so excited to see WireGuard start making it into
| mainstream distros.
|
| Personally I see this as the most exciting thing to happen to
| Linux in the past 2 - 3 years.

| asveikau wrote:
| Enthusiasm noted, but OpenBSD is not Linux.

| talideon wrote:
| My guess is that GP is referring to WireGuard, not this
| specifically.

| nindalf wrote:
| I'm confused about their mention of Go. The Linux implementation
| of WireGuard is written in C - https://git.zx2c4.com/wireguard-linux

| zahllos wrote:
| There's a portable userspace implementation written in Go, for
| places where a kernel driver is unavailable at present.

| [deleted]

| skrause wrote:
| OpenBSD doesn't want any GPL code, so they couldn't just port
| the Linux kernel module.
|
| The OpenBSD kernel module is also written in C:
| http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_wg.c...
|
| But the code looks quite different from
| https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireg...

| tptacek wrote:
| This is a C implementation that is distinct from the Linux
| kernel implementation. The most common WireGuard _desktop_
| implementation is in Go; the kernel commit is comparing their C
| WireGuard to the Go desktop WireGuard.

| athoik wrote:
| Just great!
|
| Hope to release WireGuard on FreeBSD soon as well.
|
| In order for pfSense to include it:
| https://redmine.pfsense.org/issues/8786

| leeoniya wrote:
| Hopefully OPNsense gets the same soon. They already ship it (I
| think as a kernel module).

| manduz wrote:
| Can someone ELI5 to me? I don't even know what OpenBSD is, but I
| know WireGuard is a VPN protocol.
| cpach wrote:
| Very good call from the OpenBSD project to include this in their
| kernel.

| atonse wrote:
| I've always wanted to run OpenBSD for our WireGuard bastion host
| (the one machine that is "open"). Not sure it makes a difference
| over Linux, but OpenBSD has an even stronger security culture.
|
| Was satisfied with the state of affairs before but genuinely
| excited about this development.

| tptacek wrote:
| OpenBSD has a different security culture. "Stronger" hasn't
| been the right word in over a decade.

| atonse wrote:
| Yeah, I don't know if at this point it even matters. I was
| nervous about even leaving this comment. Maybe showing my
| decade-old bias.

| jooize wrote:
| What do you mean?

| bch wrote:
| WireGuard: https://en.wikipedia.org/wiki/WireGuard

| MintelIE wrote:
| Go won't be allowed in main because it's too bloated. It's great
| to see a more sane and cross-platform (and lightweight!)
| implementation.

| cpach wrote:
| I'm not sure I agree about it being bloated, but I guess that
| they want to avoid a Go dependency for main. And it's also not
| possible to write a kernel module in Go for the OpenBSD kernel
| :)

| aargh_aargh wrote:
| This reminded me of Theo de Raadt's reply to 'Integrating
| "safe" languages into OpenBSD?':
|
| https://marc.info/?l=openbsd-misc&m=151233345723889&w=2

| unixhero wrote:
| Interesting response.
|
| Pretty backwards of Theo to snub Rust-lang like that. It's
| pretty much attempting to achieve the same ideals as some
| of OpenBSD's.

| smabie wrote:
| Eh, not really. OpenBSD is about simplicity more than
| anything else. It's no surprise that they don't want
| Rust, which is very complicated, in the OS. Also rustc
| is super complicated, and very slow.
|
| For example, for a time OpenBSD was trying to switch to
| pcc, a super simple C compiler, so they could get off gcc.
| They eventually went with clang instead, which is not
| simple, but presumably the cost of using an alternative
| to gcc or clang was too high.

| secondcoming wrote:
| It's not a snub of the language, it's a complaint about
| the compiler using all your memory. That's not an
| unreasonable complaint.
|
| It was also written 3 or so years ago, so hopefully Rust
| has improved.

| tialaramex wrote:
| de Raadt is a remnant of the "real men" programming era.
| The upside of "real men" is that they write code, but then
| of course some Rust proponents write code too, and their
| code is in fact safer because to err is human.
|
| There's an ACME (e.g. for Let's Encrypt) client included in
| OpenBSD which is _exactly_ what you'd expect a real man
| ACME client to look like. It uses OpenBSD-only pledge() and
| similar features to do privilege separation, it has guards
| and checks throughout, and so long as there aren't any
| missing (but there's no way to verify...) it's probably
| safe to use it - but it's written in C rather than a safer
| language.
|
| There are some obvious security considerations you'd put in
| an ACME client, and somebody who thought OpenBSD was about
| security would probably expect them. But they are absent
| because it's not about security, it's about being a real
| man. Examples: Using CSRs is safer as now the ACME client
| doesn't know your private keys, but acme-client doesn't
| provide any way to do that. Using the dns-01 challenge
| rather than http-01 or tls-alpn-01 allows you to do
| issuance from a system that isn't accessible from the
| outside world rather than having to open ports, but
| acme-client only supports http-01 challenges.

| zx2c4 wrote:
| WireGuard project announcement is here:
| https://lists.zx2c4.com/pipermail/wireguard/2020-June/005588...

| schoolornot wrote:
| Does the underlying crypto in WireGuard lend itself to hardware
| acceleration/implementation in ASICs? If so, when do we expect to
| see such devices available?
| 867-5309 wrote:
| I believe WireGuard is up to 4x faster than OpenVPN where
| OpenVPN uses AES-NI. Processors with this instruction set are
| possibly the closest thing to an ASIC for VPN en/decryption, so
| I dare say WireGuard will neither need nor benefit from a
| purpose-built instruction set.

| api wrote:
| AES is as fast or faster than ChaCha if there is hardware
| acceleration. OpenVPN is slow for other reasons, and honestly
| the crypto is usually not the bottleneck in most cases unless
| you are really pushing multiple gigabits or it's a very small
| CPU.

| wmf wrote:
| I would expect ASIC support no earlier than 2-3 years after the
| WireGuard RFC is finalized.
___________________________________________________________________
(page generated 2020-06-21 23:00 UTC)
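An added example, not code from the thread or from OpenBSD's acme-client, of the CSR-based hand-off tialaramex describes above: the private key is generated and kept in a key-holder directory the ACME client never reads, and only the CSR crosses over, so the client cannot leak the key. It assumes OpenSSL is installed; the domain example.test and the directory names are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD's acme-client.
# Demonstrates the CSR-based split tialaramex argues for: the private key
# is generated and stays in a key-holder directory; the ACME client is
# handed only the CSR, so it never learns the key. Assumes OpenSSL is
# installed; "example.test" and the directory names are constructed.
set -u

# Generate a P-256 key and a CSR for domain $2 inside directory $1
# (directory 0700, key file 0600).
make_key_and_csr() {
    keydir=$1 domain=$2
    mkdir -p -m 0700 "$keydir" || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$keydir/$domain.key" || return 1
    chmod 0600 "$keydir/$domain.key"
    openssl req -new -key "$keydir/$domain.key" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" -out "$keydir/$domain.csr"
}

# The artefact the ACME client receives must be a well-formed CSR (its
# self-signature verifies) and must carry no private key material.
csr_is_safe_to_share() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    ! grep -q "PRIVATE KEY" "$1"
}

# Confirm the CSR's public key belongs to the held-back private key by
# comparing DER public-key digests rather than trusting filenames.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Walk through the hand-off in a temporary tree; returns 0 on success.
demo() {
    work=$(mktemp -d) || return 1
    rc=0
    make_key_and_csr "$work/keyholder" example.test || rc=1
    mkdir -p "$work/acme-client"
    cp "$work/keyholder/example.test.csr" "$work/acme-client/" || rc=1   # the CSR is all that crosses over
    csr_is_safe_to_share "$work/acme-client/example.test.csr" || rc=1
    csr_matches_key "$work/acme-client/example.test.csr" "$work/keyholder/example.test.key" || rc=1
    [ ! -e "$work/acme-client/example.test.key" ] || rc=1              # no key on the client side
    rm -rf "$work"
    return $rc
}

demo && echo "CSR hand-off OK: client directory holds the CSR only"
```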