[HN Gopher] WireGuard Merged into OpenBSD
       ___________________________________________________________________
        
       WireGuard Merged into OpenBSD
        
       Author : axiomdata316
       Score  : 206 points
       Date   : 2020-06-21 19:34 UTC (3 hours ago)
        
        
       | greatjack613 wrote:
        | Incredible, so excited to see WireGuard start making it into
        | mainstream distros.
        | 
        | Personally I see this as the most exciting thing to happen to
        | Linux in the past 2 - 3 years.
        
         | asveikau wrote:
         | Enthusiasm noted, but OpenBSD is not Linux.
        
           | talideon wrote:
           | My guess is that GP is referring to WireGuard, not this
           | specifically.
        
       | nindalf wrote:
        | I'm confused about their mention of Go. The Linux implementation
        | of WireGuard is written in C - https://git.zx2c4.com/wireguard-linux
        
         | zahllos wrote:
         | There's a portable userspace implementation written in Go, for
         | places where a kernel driver is unavailable at present.
        
         | [deleted]
        
         | skrause wrote:
         | OpenBSD doesn't want any GPL code, so they couldn't just port
         | the Linux kernel module.
         | 
         | The OpenBSD kernel module is also written in C:
         | http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_wg.c...
         | 
         | But the code looks quite different from
         | https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireg...
        
         | tptacek wrote:
         | This is a C implementation that is distinct from the Linux
         | kernel implementation. The most common WireGuard _desktop_
         | implementation is in Go; the kernel commit is comparing their C
         | WireGuard to the Go desktop WireGuard.
        
       | athoik wrote:
       | Just great!
       | 
        | Hope to release WireGuard on FreeBSD soon as well.
        | 
        | In order for pfSense to include it:
       | https://redmine.pfsense.org/issues/8786
        
         | leeoniya wrote:
          | Hopefully OPNsense gets the same soon. They already ship it (I
          | think as a kernel module).
        
       | manduz wrote:
        | Can someone ELI5 to me? I don't even know what OpenBSD is, but I
        | know WireGuard is a VPN protocol.
        
       | cpach wrote:
       | Very good call from the OpenBSD project to include this in their
       | kernel.
        
       | atonse wrote:
        | I've always wanted to run OpenBSD for our WireGuard bastion host
        | (the one machine that is "open"). Not sure it makes a difference
        | over Linux, but OpenBSD has an even stronger security culture.
       | 
       | Was satisfied with the state of affairs before but genuinely
       | excited about this development.
        
         | tptacek wrote:
         | OpenBSD has a different security culture. "Stronger" hasn't
         | been the right word in over a decade.
        
           | atonse wrote:
           | Yeah I don't know if at this point it even matters. I was
           | nervous about even leaving this comment. Maybe showing my
           | decade old bias.
        
           | jooize wrote:
           | What do you mean?
        
       | bch wrote:
       | WireGuard: https://en.wikipedia.org/wiki/WireGuard
        
       | MintelIE wrote:
       | Go won't be allowed in main because it's too bloated. It's great
       | to see a more sane and cross platform (and lightweight!)
       | implementation.
        
         | cpach wrote:
         | I'm not sure I agree about it being bloated, but I guess that
         | they want to avoid a go dependency for main. And it's also not
         | possible to write a kernel module in Go for the OpenBSD kernel
         | :)
        
           | aargh_aargh wrote:
           | This reminded me of Theo de Raadt's reply to 'Integrating
           | "safe" languages into OpenBSD?':
           | 
           | https://marc.info/?l=openbsd-misc&m=151233345723889&w=2
        
             | unixhero wrote:
             | Interesting response.
             | 
             | Pretty backwards of Theo to snub Rust-lang like that. It's
             | pretty much attempting to achieve the same ideals as some
             | of OpenBSD's.
        
                | smabie wrote:
                | Eh, not really. OpenBSD is about simplicity more than
                | anything else. It's no surprise that they don't want
                | Rust, which is very complicated, in the OS. Also rustc
                | is super complicated, and very slow.
               | 
               | For example, for a time OpenBSD was trying to switch to
               | pcc, a super simple C compiler so they could get off gcc.
               | They eventually went with clang instead, which is not
               | simple, but presumably the cost of using an alternative
               | to gcc or clang was too high.
        
               | secondcoming wrote:
               | It's not a snub of the language, it's a complaint about
               | the compiler using all your memory. That's not an
               | unreasonable complaint.
               | 
                | It was also written 3 or so years ago, so hopefully Rust
                | has improved.
        
             | tialaramex wrote:
             | de Raadt is a remnant of the "real men" programming era.
             | The upside of "real men" is that they write code, but then
             | of course some Rust proponents write code too, and their
             | code is in fact safer because to err is human.
             | 
             | There's an ACME (e.g. for Let's Encrypt) client included in
              | OpenBSD which is _exactly_ what you'd expect a real man
             | ACME client to look like. It uses OpenBSD-only pledge() and
             | similar features to do privilege separation, it has guards
             | and checks throughout and so long as there aren't any
             | missing (but there's no way to verify...) it's probably
             | safe to use it - but it's written in C rather than a safer
             | language.
             | 
              | There are some obvious security considerations you'd put in
              | an ACME client, and somebody who thought OpenBSD was about
              | security would probably expect them. But they are absent
              | because it's not about security, it's about being a real
              | man. Examples: Using CSRs is safer as now the ACME client
              | doesn't know your private keys, but acme-client doesn't
              | provide any way to do that. Using the dns-01 challenge
              | rather than http-01 or tls-alpn-01 allows you to do
              | issuance from a system that isn't accessible from the
              | outside world rather than having to open ports, but
              | acme-client only supports http-01 challenges.
        
       | zx2c4 wrote:
       | WireGuard project announcement is here:
       | https://lists.zx2c4.com/pipermail/wireguard/2020-June/005588...
        
       | schoolornot wrote:
       | Does the underlying crypto in WireGuard lend itself to hardware
       | acceleration/implementation in ASICs? If so, when do we expect to
       | see such devices available?
        
         | 867-5309 wrote:
          | I believe WireGuard is up to 4x faster than OpenVPN where
          | OpenVPN uses AES-NI. Processors with this instruction set are
          | possibly the closest thing to an ASIC for VPN en/decryption, so
          | I dare say WireGuard will neither need nor benefit from a
          | purpose-built instruction set.
        
           | api wrote:
           | AES is as fast or faster than ChaCha if there is hardware
           | acceleration. OpenVPN is slow for other reasons, and honestly
           | the crypto is usually not the bottleneck in most cases unless
           | you are really pushing multiple gigabits or it's a very small
           | CPU.
        
         | wmf wrote:
         | I would expect ASIC support no earlier than 2-3 years after the
         | WireGuard RFC is finalized.
        
       ___________________________________________________________________
       (page generated 2020-06-21 23:00 UTC)