[HN Gopher] In-kernel WireGuard is on its way to FreeBSD and the pfSense router
___________________________________________________________________
In-kernel WireGuard is on its way to FreeBSD and the pfSense router
Author : xoa
Score  : 269 points
Date   : 2021-03-16 11:53 UTC
Link   : arstechnica.com
| SigmundA wrote:
| Scott Long from Netgate's response:
| https://www.netgate.com/blog/painful-lessons-learned-in-secu...
|
| "Unfortunately, the public discussion has also veered into vague claims and slanderous attacks. This is where the lack of transparency, the lack of respect, and the inflation of ego is damaging and unproductive. We had hoped for a better collaboration than this, and it makes me doubt the motives of the attackers. And yes, I make deliberate use of the word "attacker" here, because that's what this is, an attack on Netgate and on the FreeBSD and pfSense communities. Beware of anyone who says that they have all the answers. I also worry about the integrity of those who make vague statements and blanket, over-the-top accusations."
| tptacek wrote:
| I think this... pretty much speaks for itself. Wow.
| intellirogue wrote:
| Wow. I'm a complete outsider to this, not using FreeBSD or pfSense or Wireguard - but this blog post makes Netgate seem incredibly unprofessional. Especially to anyone who actually read the mailing list exchanges.
| tptacek wrote:
| It is not great.
|
| I think this is all pretty much over now, right? FreeBSD is pulling back from a kernel WireGuard I think everyone agrees wasn't ready for prime time in mainline FreeBSD, and everyone's working on getting it ready for a future release.
|
| I don't really understand what pfSense had to gain from a post like this, but, it's their blog.
| lambda_obrien wrote:
| I'll have to take a look at FreeBSD. Does anyone have a good reference to the differences in a BSD versus Linux?
| tachion wrote:
| https://docs.freebsd.org/en/articles/explaining-bsd/comparin...
| annoyingnoob wrote:
| If it helps, OSX is based on BSD. I've had great success with pfSense.
|
| I found great tuning advice here: https://calomel.org
|
| Edit: Not sure why I'm getting downvotes for trying to provide info. I didn't downvote anything in this thread.
| WarOnPrivacy wrote:
| I can't find any logic in downvoting a declaration like this (and the parent Q). It really seems like lashing out at good faith.
| Datagenerator wrote:
| BSD adheres to the POLA principle and is serving many PB of data in production at work. Rock solid and no sudden changes. The manual pages are to me of higher quality when compared to Linux.
|
| POLA: Principle Of Least Astonishment
| WarOnPrivacy wrote:
| I can't argue with any of that.
| anoki wrote:
| I didn't downvote but it could be you got some downvotes because calomel has a bad reputation among BSD people. They have put bad and dangerous advice in their tuning and performance posts. People who follow this advice and shoot themselves in the foot sometimes come to the mailing lists looking for help, and it turns out their problems were caused by copy-pasting from an unofficial source instead of reading and understanding the documentation.
| sgt wrote:
| OSX changed its name 5 years ago to macOS. For what it's worth, I've also had great success with pfSense. Ran it for years at our company. Recently we've migrated to Mikrotik, but to be honest I fail to see any major advantage. It's perhaps easier to train people in learning to use Mikrotik.
| aborsy wrote:
| If true, this calls into question the security of the rest of pfSense as well (not just the WG piece).
| andrius4669 wrote:
| Link to relevant announcement email:
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...
|
| There's also Jason's reply to apparently not-nice feedback of someone from NetGate:
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...
| Arnavion wrote:
| Damage control: https://www.netgate.com/blog/painful-lessons-learned-in-secu...
| Jonnax wrote:
| Wow. Netgate come off as incredibly unprofessional.
|
| According to the article linked and the info here in that email you linked, this is my conclusion:
|
| * Netgate tried to ship flawed code that has multiple security issues.
|
| * Jason Donenfeld, one of the lead Wireguard developers, went out of his way to work on rewriting it to be better in time for the 13.0 release of FreeBSD.
|
| * This Netgate employee is angry that they weren't able to ship their bad code and starts throwing accusations of a smear campaign.
|
| Am I understanding what happened correctly? Because it really makes this firewall/router look really bad.
| stonogo wrote:
| NetGate spends a lot on FreeBSD development, which is great, but they also spend a lot of time running smear campaigns against people who offend them, which is ridiculous. They even started /r/opnsense on Reddit just to post shit-talking memes, and camp on the namespace to this day.
| kbenson wrote:
| That was my impression too, then I went back a couple of prior messages, and looked at the earlier announcement. While Netgate looks to have overreacted (at least from the info we have), I can understand why they would be upset. This was in the original announcement:
|
| _The first step was assessing the current state of the code the previous developer had dumped into the tree. It was not pretty. I imagined strange Internet voices jeering, "this is what gives C a bad name!"
| There were random sleeps added to "fix" race conditions, validation functions that just returned true, catastrophic cryptographic vulnerabilities, whole parts of the protocol unimplemented, kernel panics, security bypasses, overflows, random printf statements deep in crypto code, the most spectacular buffer overflows, and the whole litany of awful things that go wrong when people aren't careful when they write C. Or, more simply, it seems typical of what happens when code ships that wasn't meant to. It was essentially an incomplete half-baked implementation - nothing close to something anybody would want on a production machine. Matt had to talk me out of just insisting they pull the code entirely, and rework it more slowly and carefully for the next release cycle._
|
| I can understand being upset if that's how you're portrayed publicly.
| 1vuio0pswjnm7 wrote:
| Reminded me of the type of statements he made last year on another mailing list:
|
| https://news.ycombinator.com/item?id=24430424
|
| https://mail-index.netbsd.org/tech-net/2020/08/22/msg007842....
|
| https://mail-index.NetBSD.org/current-users/2020/08/22/msg03...
|
| https://mail-index.NetBSD.org/tech-kern/2020/08/23/msg026693...
| tomxor wrote:
| I dunno, if true about the code I find it very difficult to empathize with Netgate.
|
| From what has been said it's not like they found and fixed a subtle and cryptic vulnerability in an otherwise reasonable implementation and then failed to disclose it properly. It's more like they turned over a rock and found a murder victim. The guy from Netgate is also coming across as very inward looking and seems to assume everyone else's motivations are also purely selfish (referring to his comment implying a "shower of contracts" they might receive for the publicity). His focus should be on how to prevent this mistake from happening in future.
| tw04 wrote:
| Keep in mind, back in February of 2020 when Kip Macy first announced that Netgate had hired him to port Wireguard, Jason offered to help. First Kip declines the offer, then seems to warm slightly to it, but ultimately appears to have not actually engaged Jason.
|
| If I'm Jason and I offer my help (for free), they don't take me up on my offer, then try to release code that would make my baby look quite ugly, I would probably also have a pretty severe reaction.
|
| Could Jason have been slightly more professional? Absolutely. But we're all human and I can't entirely blame him. I'm sure he was frustrated that he offered to help multiple times and they both didn't take him up on the offer, and tried to release a hatchet job with his name (indirectly) attached to it.
| CameronNemo wrote:
| Sounds like Jason should trademark Wireguard (the name). Or build an alternative brand. That way Netgate's actions, or the actions of other wireguard implementations, will not reflect on the reputation of his project/product/technology.
| tw04 wrote:
| He did trademark the name. I don't think Jason is going to tell the FreeBSD project that they can't use the name "wireguard" for their implementation of "wireguard" just because Netgate put out shoddy code. It's not the FreeBSD project's fault.
|
| https://www.wireguard.com/trademark-policy/
| Reventlov wrote:
| "Kip Macy"? Don't you mean Matt Macy?
| tw04 wrote:
| There's not a good way for me to respond to that without going off-topic. The following is assuming that wasn't a rhetorical question; if it was rhetorical I guess we may just agree to disagree:
|
| Until he issues a public apology for his actions, I'll refer to him as Kip. Changing your name to run from the Google searches is completely understandable, and I support second chances, but you need to show a bit of remorse IMO.
|
| https://abcnews.go.com/US/exclusive-landlord-hell-defends-te...
| jimbob45 wrote:
| Damn, that link was an adventure from start to end.
| generalizations wrote:
| I don't really think that the 'online mob' has the right to hold someone's past actions over their head, and expect some public appeasement before it relents.
| kbenson wrote:
| > Could Jason have been slightly more professional? Absolutely. But we're all human and I can't entirely blame him
|
| Oh, I don't entirely blame him. I just partially blame him for not seeing the obvious way this _could_ devolve into a problem, even if it would (justifiably) seem unlikely to go to this level so fast. That is, he shouldn't be surprised there was a problem with what he said, although the scope of the problem is a bit more than I think most would expect.
|
| Professionalism isn't just about making others feel good, it's about optimizing for useful outcomes, which includes covering yourself. Not taking care with your words is just like not taking care with your code. Sometimes there's a weird interaction and things go boom.
| Jonnax wrote:
| Well if it's true, then they were trying to put flawed code into FreeBSD which they would then ship to customers in their security product.
|
| They're not some random person but are representing their company with their code.
|
| If there was a security exploit with their Wireguard implementation, would Netgate get blamed or Wireguard?
| [deleted]
| ksec wrote:
| Similar reaction here. My first impression was Netgate being an arse. But then when you read the announcement I kind of understand why Scott is angry. Because while the post may have been in "good faith" in an Open Development and Open Source world, it surely isn't in a professional and business world, especially when the work is sponsored (being paid).
|
| Jason should have informed Netgate in private that the quality of the code is shit, and the FreeBSD devs should have told Netgate they will not be shipping any of it in Rel 13.
|
| It is then up to Netgate to decide what to do with their Rel 2.5.
| tptacek wrote:
| WireGuard is an open-source project, and an important one. It seems to me that if you want to push to create the authoritative WireGuard implementation for a major open source OS, the commercial norms need to take a back seat.
| tw04 wrote:
| > it surely isn't in a professional and business world especially when the work is sponsored (being paid).
|
| To play devil's advocate: Netgate isn't paying Jason, and they're taking his open source code to create a proprietary commercial project. I'd say Jason owes them exactly nothing in the way of courtesy or consideration. Could he have been more polite for the sake of being polite and community goodwill? Probably.
| ksec wrote:
| > and they're taking his open source code to create a proprietary commercial project.
|
| I am not sure if that is the case. Netgate seems to have used their old crappy sponsored work for their pfSense.
|
| That is judging from the two pieces of information here. Jason doesn't need to be of consideration for Netgate. There could be other communication we don't know about. I can certainly understand why Scott is frustrated.
| tw04 wrote:
| > I am not sure if that is the case. Netgate seems to have used their old crappy sponsored work for their pfSense.
|
| Their sponsored work was based off of the Linux and OpenBSD code that Jason and others wrote. And even if it didn't utilize that code, you literally can't write a wireguard client without building on Jason's work.
| axaxs wrote:
| Yeah, same.
|
| Even if all of the above is true, it reads like an elaborate insult. And that's fine if that's what the author set out to do for some reason. Pretending it wasn't after the fact isn't being honest, in my opinion.
|
| A more professional and neutral announcement could just talk about code that needs to be refactored due to some incompleteness and vulnerabilities.
| tptacek wrote:
| It's not an elaborate insult.
|
| To a much greater extent than in other security protocols, implementation security is a goal of WireGuard. The protocol itself was designed to support secure kernel implementations; for instance, it's designed in such a way as to not require on-demand dynamic memory allocation.
|
| It's part of the premise of the security model of WireGuard that it has secure kernel implementations. If you're building a kernel WireGuard implementation for a major open source OS without taking advantage of the WireGuard implementation design concepts, you're not really building WireGuard; you're building a compatible fork and calling it "WireGuard".
|
| The "ask" here from Jason was for everyone to slow their roll, take the flawed WireGuard implementation out of the tree, and give everyone a chance to make it more resilient. Considering the amount of work Jason had to go through to get WireGuard into the Linux tree, that seems like a very reasonable request.
|
| Instead, the WireGuard project seems to have been put into a position where they had to scramble to fix up an implementation that was being pushed into FreeBSD, as WireGuard _qua_ WireGuard. I can imagine that being a frustrating experience. It certainly didn't generate the most political response ever, but I think you'd be reaching to call it a deliberate insult.
| kbenson wrote:
| > It's not an elaborate insult.
|
| My read on it wasn't that it was an elaborate insult, but more that it was far more denigrating than it needed to be, if he was trying to be professional. That doesn't mean it was purposeful; sometimes people just don't really associate the statements they make with how they may be perceived.
|
| I think it could have been communicated clearly and succinctly with something along the lines of: "The first step was assessing the current state of the code the previous developer had dumped into the tree.
| We noticed some quality problems, some unimplemented protocol sections and, more concerning, security issues with the code. Given these issues, we considered asking they remove the code, but instead Matt convinced me that we should rework it slowly and carefully for the next release cycle."
|
| Notably, I think omission of the following inflammatory statements would have prevented a lot of problems:
|
| - "It was not pretty."
|
| - "I imagined strange Internet voices jeering, "this is what gives C a bad name!""
|
| - "the most spectacular buffer overflows"
|
| - "the whole litany of awful things that go wrong when people aren't careful when they write C."
|
| Whether those entirely subjective statements are accurate, they are not the things you say about someone else's work output when you expect a useful dialogue with them, which is exactly why they are considered unprofessional.
|
| I'm not defending Netgate's code here, or even the vehemence of their reaction and how they went about it, but merely noting that not only can I see how it devolved into this, I would go so far as to say it's _obvious_ that this is why that type of language is avoided by most people trying to work professionally. Jason wrote some very unkind things, and Netgate blew up about it. There's enough blame here that they can both share some.
|
| > The "ask" here from Jason was for everyone to slow their roll, take the flawed WireGuard implementation out of the tree, and give everyone a chance to make it more resilient. Considering the amount of work Jason had to go through to get WireGuard into the Linux tree, that seems like a very reasonable request.
|
| Err, wasn't that actually not the ask, because he thought they wouldn't do so, so instead they worked it over in a short time-frame, only for it _then_ to be removed when this argument broke out and it came to light?
| zx2c4 wrote:
| I get your point about perceptions, but there's also another aspect of why I found it important and necessary to describe just how poor the code was:
|
| When you're talking about replacing and rewriting the implementation on the eve of release, you better have a good reason for doing so. Stuffing a rewrite of security critical code into the kernel at the last minute is a big red flag. The main question that _immediately_ comes up in that context is, "how is it possible that having a last minute rewrite would be better than the code that was there before? You've only looked at this for a week." And that's a really good and important question.
|
| That much code churn is not something I wanted when I set out to get started with this, but it's ultimately where things wound up. Why? For exactly the reasons I described in my email. The idea wasn't to be _insulting_, but rather to accurately and vividly describe the state of the code, as a motivating factor for the rewrite. I see how perceptions could view that instead as denigrating, but that wasn't really the motivation. And it's not as though anybody really is rushing to defend that code either; it doesn't take a lot to look at that and make up your mind that it was probably unfinished stuff, not coded with much love, that was committed prematurely.
|
| It also had the, I think, positive effect of leading to more scrutiny of the review process. A few people have piped up and mentioned to me that their concerns during that review weren't addressed. And as a consequence of everything, all of the code, including the rewrite, is being removed from FreeBSD until it can be carefully examined and completed, which is really the best of conclusions.
| jamal-kumar wrote:
| You did good, Jason.
| Honestly, after this Streisand effect from them taking technical criticism personally and threatening you, I'm probably just going to avoid anything using code they might have written... that's on them. Responding to a perceived non-professionalism by talking like that to you -- from their COMPANY EMAIL at that? If I were their boss I'd definitely start making some considerations.
| kbenson wrote:
| > The idea wasn't to be _insulting_
|
| Sure, I didn't really interpret it as you attempting to be insulting, more that you were accidentally insulting through your explanation of what you found.
|
| > but rather to accurately and vividly describe the state of the code, as a motivating factor for the rewrite
|
| Sure, but is any of that really needed beyond "there were numerous security problems we had to address"? When talking about shipping crypto, I think most involved would agree not shipping it is better than shipping something possibly exploitable.
|
| I think the core of what I was trying to express is that words should be crafted with care when expected to be read in a public forum like this, just like any code expected to be used by many should be crafted with care. For the same reason it's useful to remove quadratic algorithms from places where the input is somewhat not entirely vetted, it's useful to take care with words to reduce the chance of misinterpretation.
|
| That doesn't mean scour your statements for the smallest possible misinterpretation, but there's a lot of room to improve things like "I imagined strange Internet voices jeering, "this is what gives C a bad name!"" while still expressing your point constructively. The low hanging fruit is easy to pick, so you might as well pick it.
|
| To be clear, I feel for you with regards to this situation.
| Nobody really expects weird accusations like you got from simple emails, and that's on Netgate, but a less extreme response that also publicly notes the soured relationship would also be a negative outcome from this in my opinion, if one of lower magnitude.
| tptacek wrote:
| Sure, but it's easy to clinically examine any communication and refine it with the benefit of both hindsight and low cortisol levels. My read of this situation is that everyone involved was stuck in a shitty situation; it got _very briefly_ heated, and ended up where it should have: with another dev cycle to iterate on FreeBSD WireGuard.
| kbenson wrote:
| I agree on both counts, but I think (constructive) criticism is warranted in a mistake. To absolve Jason of all responsibility would be to possibly not provide that useful feedback of why not to do this the same way next time.
|
| Hopefully I accurately expressed that as what I was trying to convey. I don't think Jason is close to even half the problem in this case, just the small spark that allowed it to continue and explode (continue because it started with a substandard implementation to begin with). At the same time, he's also the one easier to critique constructively because the other party is hard to relate to (I'm not one to jump to conspiracy theories about implicit efforts to defame).
| 1vuio0pswjnm7 wrote:
| The patch, showing the fixes made:
|
| https://cgit.freebsd.org/src/commit/?id=74ae3f3e33b810248da1...
| seany wrote:
| Netgate is weirdly hostile to a lot of open source stuff, which should be strange given what all their tech is built on top of. This has been going on for years. (see OPNsense etc.)
| cperciva wrote:
| Netgate funds a lot of FreeBSD work, and employs FreeBSD committers. I certainly wouldn't describe them as hostile to open source.
| WarOnPrivacy wrote:
| I didn't know that. That's kind of awesome.
| tedunangst wrote:
| They can be a touch snotty towards developers who aren't FreeBSD committers.
| cperciva wrote:
| I think every project has people like that. I can think of some open source projects which are _led_ by people with attitude problems.
| tptacek wrote:
| Real subtle, Colin.
| cperciva wrote:
| I mean, Linus has openly acknowledged that he has behaved unprofessionally in the emails he sends to people who are trying to contribute. There isn't anything secret here.
| Crontab wrote:
| LOL, my first thought was that you were talking about Theo.
| tptacek wrote:
| I think he was. :)
| droopyEyelids wrote:
| It seems clear to me this is a case of passionate coders with different personalities struggling with the difficult work of human communication in a world with limited resources and time.
|
| No one has to be the bad guy here or end up hostile to open source.
| tomxor wrote:
| Perhaps entitled is the right word then.
| cperciva wrote:
| Maybe. It's not necessarily without reason -- if you make a lot of contributions and they are generally very well received, it's quite sensible to anticipate that further contributions will be equally well received and to be surprised if they're not.
|
| This was made worse by the unfortunate timing -- the final release candidate is just 3 days away. Any other time, we would have gone slower, had more discussion, et cetera; unfortunately this turned into an emergency.
| m463 wrote:
| I was about to buy a Netgate router when I read the background of everything here on HN.
|
| Basically, all the open source claims don't amount to a hill of beans, because you cannot compile pfSense yourself, even for their hardware.
|
| (I'm sure someone could come up with the link)
|
| The firewall should be the ONE place where this would be critical. You have to run their binary.
|
| I also think it phones home.
| colordrops wrote:
| They've recently forked their open and closed source products, so a lot of people have been migrating to OPNsense. I've been using it for a couple of months now and recommend it.
| bjustin wrote:
| Jason's reply is an impressive display of de-escalation. The NetGate person's message has a lot of hostility and Jason really doesn't return any of it. Hope NetGate comes around to working with the WireGuard maintainers more in the future.
| megous wrote:
| Good read, I saved crypto.{c,h} for later use. Nice and tidy crypto code.
| sschueller wrote:
| I'm confused, pfSense 2.5 is out and has wireguard support. Is that version full of holes I should be aware of?
| jandrese wrote:
| It's a userland implementation. This is for the in-kernel implementation. It should be faster. Also, there are some comments that the userland version is rather hacky and probably should be transitioned away from once you can.
| JStanton617 wrote:
| OPNsense (the pfSense fork) is using the userland version. pfSense 2.5 is using this kernel code - https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.ht...
|
| "pfSense(r) Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 include a major OS version upgrade, a kernel WireGuard implementation..."
| pimeys wrote:
| The userland version is also from the original author of WireGuard and not that bad actually.
|
| I'm currently running it in an OPNsense box to serve our internet needs. I have a connection that without VPN can push through about 400-800 Mbps, and when I put the VPN on for all traffic, I can still push 400-800 Mbps through my connection.
|
| The in-kernel version can do the same with less CPU usage, and can probably drive multi-gigabit connections without any trouble.
| JStanton617 wrote:
| Yes.
| The code you're running is described as having "random sleeps added to "fix" race conditions, validation functions that just returned true, catastrophic cryptographic vulnerabilities, whole parts of the protocol unimplemented, kernel panics, security bypasses, overflows, random printf statements deep in crypto code, the most spectacular buffer overflows"
|
| This is a kernel RCE just waiting to happen.
| api wrote:
| > random sleeps added to "fix" race conditions
|
| That's just horrifying. It shows someone who knows next to nothing about multithreaded code and is kludging their way through. Not someone you want within a hundred feet of anything other than maybe front-end web, and even there they're going to be the kind of person who blocks the node.js event loop (because async coding is like the junior cousin of multithreading).
| Godel_unicode wrote:
| Anyone who wants to be able to throw some crypto CVEs on their resume could do worse than spending some quality time with this code.
| kevans91 wrote:
| Note that there's additional follow-up available here:
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
| darkwater wrote:
| Came here to post that. Looks like they are pulling out the recent effort.
|
| EDIT: removed the "and revert to the original freebsd (broken?) implementation"
| cperciva wrote:
| WireGuard is gone from the kernel in 13.0-RELEASE. Given the choice between "buggy" and "less than a week old", we're going with the third option of "you can ship a kernel module via the ports tree".
| zx2c4 wrote:
| Which is really the absolute best outcome:
|
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
|
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
| beatrobot wrote:
| They are removing both implementations (the new and the broken one) in order to put more work and review on the new one, and release it properly at a later time.
| WarOnPrivacy wrote:
| I've been waiting for pfSense+Wireguard for a while. OpenVPN has been very good to me but I'm psyched to trade up.
| BuildTheRobots wrote:
| The OPNsense fork has supported wireguard for a while, and has far less restrictive licensing. I highly recommend having a look.
| WarOnPrivacy wrote:
| Only if BBCan177 jumps ship. He's my hero.
| Arnavion wrote:
| Assuming you're referring to pfBlockerNG, you can have DNS blocking and IP blocking in OPNsense without the need for any plugins.
| LeSaucy wrote:
| OPNsense is criminally underrated. My main routers for my office are virtualized OPNsense VMs in high availability with CARP, DHCP, DNS, VPN endpoints, inter-VLAN routing, gateway policies, outbound NAT... I could go on. It all works extremely well; I can't fathom why people still choose pfSense with all of the community shenanigans and closed source versions.
|
| My only gripe with it over 3 years has been that the documentation on their APIs for programmatically updating firewall rules/aliases could use some more examples, or just mention "use the browser's network requests developer mode to see what calls you need to make".
| pimeys wrote:
| I did LOTS of research on what firewall/router distro to install on my new router a few months ago. See my comment history for considering different options.
|
| I have to say choosing OPNsense has been a great choice. All the things you said I can agree on, but I have to add one more thing:
|
| That quick search bar on the top-right corner where you can quickly type where you want to go. That thing is just super nice when jumping through places in the router.
|
| Now if I'd need to build a new router, I'd like to try my luck with NixOS. Would be great if I could just build a new router from a reproducible configuration.
| ulzeraj wrote:
| Same here, but I've concluded that there is nothing better than a simple install of pure OpenBSD or FreeBSD and setting the rules in /etc/pf.conf. It's safer, faster, lighter and I could argue that it is also easier to admin with just SSH and no web code in between.
|
| For example, in the latest version of OpenBSD which has a Wireguard kernel implementation, the management tool has been basically included in the ifconfig command.
|
|   ifconfig wg0 create wgport 5180 wgkey ...
|
| And then you are set. For persistence you create a /etc/hostname.wg0 file containing the commands to bring the interface up.
| accountofme wrote:
| Agree. I run OpenBSD, it's simple.
| WarOnPrivacy wrote:
| > OPNsense is criminally underrated.
|
| When I came into FW distros, my practical choices were MonoWall, SmoothWall and pfSense. IPFire wasn't even on the scene yet. pfSense won me early. I figure there are a lot of similar stories of pfSense being there for us when not much else was.
| closeparen wrote:
| pfSense has the only friendly admin GUI for OpenVPN that I know of, besides the proprietary Access Server. Will they do the same for Wireguard?
| sschueller wrote:
| Wireguard is already in the latest version (2.5). UI is ok but you need to understand how wireguard works and what the fields mean.
| [deleted]
| sandGorgon wrote:
| Is there any Linux equivalent of pfSense+FreeBSD?
| bubblethink wrote:
| OpenWrt works well enough for routing, QoS, adblock, VPN, etc.
| josteink wrote:
| So what do people typically use pfSense/OPNsense for which OpenWrt can't do, or is a bad fit for?
|
| Asking as a curious OpenWrt devotee.
| fullstop wrote:
| Untangle NG Firewall, perhaps. [1]
|
| 1. https://wiki.untangle.com/index.php/NG_Firewall_Installation
| sandGorgon wrote:
| What about VyOS?
|
| https://vyos.io/products/#vyos-router
| thaumasiotes wrote:
| OpenWrt? I'd be interested to know what the differences are.
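The persistence step ulzeraj describes above (OpenBSD's wg(4) driven by ifconfig, made permanent through /etc/hostname.wg0), as an added example that is not part of the thread: a POSIX sh helper that checks that a WireGuard key has the right shape (32 bytes base64-encoded, so 44 characters ending in one '='), renders the hostname.wg0 lines for one peer, and installs the file mode 0600 because it holds the private key. Every key, address and the port 51820 below is a constructed placeholder; the keyword names are those ifconfig(8) accepts for wg interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: render an OpenBSD /etc/hostname.wg0
# so the wg(4) interface ulzeraj creates with ifconfig comes back at boot.
# All keys and addresses in this file are CONSTRUCTED placeholders.

# A WireGuard key is 32 bytes base64-encoded: exactly 44 chars, base64
# alphabet only, ending in a single '=' of padding.  This catches a key
# that was pasted with whitespace or truncated, which ifconfig would
# otherwise reject only at boot time.
is_wg_key() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # character outside base64
        *==)               return 1 ;;   # two pads means fewer than 32 bytes
        *=)                return 0 ;;
        *)                 return 1 ;;   # missing padding
    esac
}

# Render hostname.wg0: the same keywords ifconfig(8) takes, one ifconfig
# invocation per line, then the tunnel address and "up".  Arguments:
#   privkey port peer_pubkey peer_host peer_port peer_allowed_ips tunnel_addr
render_wg_hostname() {
    privkey=$1 port=$2 peer_pub=$3 peer_host=$4 peer_port=$5 peer_aip=$6 addr=$7
    is_wg_key "$privkey"  || { echo "bad private key" >&2; return 1; }
    is_wg_key "$peer_pub" || { echo "bad peer public key" >&2; return 1; }
    # wgaip is both the cryptokey-routing table and the route set: a /0
    # here turns this peer into the default gateway for the box, so say so.
    case $peer_aip in
        */0) echo "warning: wgaip $peer_aip routes all traffic via this peer" >&2 ;;
    esac
    printf 'wgkey %s wgport %s\n' "$privkey" "$port"
    printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' \
        "$peer_pub" "$peer_host" "$peer_port" "$peer_aip"
    printf 'inet %s\n' "$addr"
    printf 'up\n'
}

# Write the file with a restrictive umask first and rename into place, so
# the private key is never readable by other users, not even briefly.
install_wg_hostname() {
    out=$1; shift
    tmp="$out.tmp.$$"
    umask 077
    render_wg_hostname "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Usage sketch with placeholders.  On OpenBSD the private key comes from
# `openssl rand -base64 32` (wg(4) clamps it) and the peer publishes its
# own public key; `sh /etc/netstart wg0` then brings the interface up
# without a reboot.
#   install_wg_hostname /etc/hostname.wg0 "$PRIVKEY" 51820 "$PEER_PUB" \
#       203.0.113.5 51820 10.7.0.2/32 10.7.0.1/24
#   sh /etc/netstart wg0
```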
| pimeys wrote:
| OpenWrt is more of a replacement for the market routers. It's a nice Linux-based router distro with a good/great ui in LuCI. The downside of this is that upgrading OpenWRT is a bit similar to upgrading a closed-source OS of the consumer routers: you flash it and you must reinstall all packages after the upgrade. This means an upgrade between major versions is maybe a bit too much of work.
|
| OPNsense/pfSense have similar upgrade strategies as FreeBSD has: you upgrade the core os to the latest version, then all ports. This is usually a really simple and kind of boring system, which is something you really value in a computer that manages your whole house's internet traffic...
| freedom42 wrote:
| PSA:
|
| pfSense is closed-source [1]. It was discussed last month here on HN [2]. OPNsense is the equivalent FOSS alternative [3].
|
| [1] https://github.com/rapi3/pfsense-is-closed-source
|
| [2] https://news.ycombinator.com/item?id=25894420
|
| [3] https://en.wikipedia.org/wiki/OPNsense
| jaytaylor wrote:
| The dramas [0] between PFSense, OPNsense, and IPFire [1] always seem to come up.
|
| I ended up going with PFSense and it works fine. It's open enough that you can always dive in to figure out what's going on. Perhaps philosophically suboptimal, but for all practical purposes it's worked great for my home!
|
| [0] https://www.reddit.com/r/homelab/comments/dg2wme/opnsense_vs...
|
| [1] https://www.ipfire.org/
| whalesalad wrote:
| Woah, I have been using pfsense for quite a while but never knew it was closed source until now.
| WarOnPrivacy wrote:
| The shade I occasionally see thrown toward pfSense is curious to me. This isn't push-back at the parent comment but me expressing a bit of confusion.
|
| I've used pfSense since 2009 or so. I was skeptical when Netgate entered the picture but since I've had no reason to complain. It's been a continuous and usually smooth timeline of serving me well.
|
| A relevant sidebar is that I've been part of different, stellar volunteer efforts - started by a core team that was trying to improve or fix something worthwhile. It is inevitable that core team members will eventually run low on time/energy and changes must follow. Those changes can be anything and usually are.
| anfogoat wrote:
| > _The shade I occasionally see thrown toward pfSense is curious to me._
|
| Every last bit of it is deserved. They made a promise to keep pfSense open source and they broke it as soon as they could. I see them hiding behind _it's the newly announced pfSense Plus that is closed source, not pfSense CE_ and it's pure weaseling.
|
| I still use pfSense but I feel bad for ever being excited about it and contributing to their popularity.
| WarOnPrivacy wrote:
| However, you are directing your disdain (about pfSense) toward us. To what end? What is it you want to achieve?
| anfogoat wrote:
| > _However, you are directing your disdain (about pfSense) toward us._
|
| I don't think I am; who's _us_ in that sentence?
|
| > _To what end? What is it you want to achieve?_
|
| I'm scratching an itch. If Netgate can screw the community that helped pfSense gain popularity then surely it is perfectly acceptable for a member of that community to express a little disdain.
| WarOnPrivacy wrote:
| > who's us in that sentence?
|
| Everyone in this thread.
|
| > it is perfectly acceptable for a member of that community to express a little disdain.
|
| Okay. I never inferred otherwise. If venting is the total of your goal here are you okay we blow that off or is there something else you're hoping for?
|
| To be clear, I've no animosity toward your posts. My 'hidden' agenda is this: Because hostility takes a toll on the recipients (us), I'm curious if what you're getting in return is worth it.
|
| No judgment. We all do this.
| anfogoat wrote:
| > _To be clear, I've no animosity toward your posts._
|
| No worries, no animosity assumed.
|
| > If venting is the total of your goal here are you okay we blow that off or is there something else you're hoping for?
|
| I don't like _venting_. I said I was scratching an itch but _venting_ makes it sound like it had no substance at all and suggests what Netgate did was alright. To be clear, I think the more Netgate gets criticized and called out the better. But I had no hopes beyond that.
|
| > _My 'hidden' agenda is this: Because hostility takes a toll on the recipients (us) ..._
|
| Putting aside that I'm not completely on board with the _hostility_ characterization either, you're recipients of it only in the sense that you happened to read it. I disagree with you about the degree to which Netgate deserves the criticism of course, but none of the "hostility" was addressed to you or anyone else in this thread.
|
| It shouldn't be taxing. It's a pick-me-up to anyone who's read one too many overly positive comments about the pfSense Plus shenanigans.
| arm wrote:
| > "_Because hostility takes a toll on the recipients (us), I'm curious if what you're getting in return is worth it._"
|
| We aren't the recipients of the _hostility_; Netgate is. I feel no hostility directed towards me when reading _anfogoat_'s post. In fact, I thank them for openly expressing their disdain towards Netgate here, as it gives others like me more information to look into and come to our own conclusions on.
| Godel_unicode wrote:
| I'm not sure that over 10 years later is "as soon as they could". NetGate has made a huge number of open source releases, and while they have not held exactly to the platonic ideal of open source (literally every bit on the disc comes from an open repo) I think we can all agree that the vast majority of the existing CE code remains open. I also think that they get a lot of shade because some of their developers have been some of the loudest jerks in open source.
|
| In my opinion, at the moment we have Schrodinger's open source: in the box there's a future pfSense CE which is well-maintained but differentiated from their commercial offering of pfSense Plus, and there's a pfSense CE which languishes from a lack of new features and slowly accrues an ever-larger trail of closed-won't-fix bugs.
|
| At this time, which future will develop is anyone's guess; I suspect even NetGate don't really know. Even if they're planning on effectively abandoning CE in place, a backlash in the community could cause that to reverse.
| mig39 wrote:
| I don't think this is completely accurate, nor is it recent.
|
| Their "community edition" is open source and free:
|
| https://www.pfsense.org/download/
|
| Also, they have https://github.com/pfsense/
| freedom42 wrote:
| Then idk what this comment [1] means. Maybe someone could clarify?
|
| [1] https://news.ycombinator.com/item?id=25915295
| tw04 wrote:
| Community Edition will diverge from Pfsense+ with the 2.6 release. They have also made no commitments there will be any releases after that - "it's up to the community".
|
| They will, however, gatekeep what features the community is allowed to add. Community Edition is more or less a dead man walking at this point, they just refuse to come right out and say that.
|
| Someone asked if they'd allow one of the REST API projects to be put into upstream and they gave some ridiculous answer about how they'd review any commit but alluded to the fact they won't actually accept it. Because what would they do if the maintainer left? Their suggestion was to fork it. Which, ironically, is exactly what OPNsense did and then Jim Thompson acted like a misbehaving 6 year old and created a website trying to bash them and didn't even have the spine to own up to it until there was a court order.
|
| https://opnsense.org/opnsense-com/
|
| I'm not sure why ANYONE would waste any effort on adding anything to pfsense at this point when they won't actually commit to accepting features upstream that compete with PFsense+.
| k_roy wrote:
| I've been on the wrong end of the Netgate brigade/shills/apologists before due to a few blog entries, and it's not fun.
|
| I'm just glad others are seeing the darker side of them.
| WarOnPrivacy wrote:
| In my case, I don't readily find hostility toward a group that has busted tail to provide me tremendous value while I have contributed very little in return. My interactions over the years have been - perhaps not exclusively positive but overwhelmingly so.
|
| History says one day pfSense will no longer fill my needs. Okay. I'll raise an imaginary glass and move on with gratitude.
| frankharv wrote:
| Well instead of pfSense no longer fulfilling your needs then maybe it's time to beam up to the mothership. FreeBSD can do everything pfSense does without a web interface.
| k_roy wrote:
| Except it's not. The source that is provided doesn't actually build pfSense as shipped. Plus there are binaries that no source is provided for that "you don't need to worry about"
___________________________________________________________________
(page generated 2021-03-16 23:00 UTC)