[HN Gopher] In-kernel WireGuard is on its way to FreeBSD and the...
___________________________________________________________________
In-kernel WireGuard is on its way to FreeBSD and the pfSense router
Author : xoa
Score : 269 points
Date : 2021-03-16 11:53 UTC (11 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| SigmundA wrote:
| Scott Long from Netgate's response:
| https://www.netgate.com/blog/painful-lessons-learned-in-secu...
|
| "Unfortunately, the public discussion has also veered into vague
| claims and slanderous attacks. This is where the lack of
| transparency, the lack of respect, and the inflation of ego is
| damaging and unproductive. We had hoped for a better
| collaboration than this, and it makes me doubt the motives of the
| attackers. And yes, I make deliberate use of the word "attacker"
| here, because that's what this is, an attack on Netgate and on
| the FreeBSD and pfSense communities. Beware of anyone who says
| that they have all the answers. I also worry about the integrity
| of those who make vague statements and blanket, over-the-top
| accusations."
| tptacek wrote:
| I think this... pretty much speaks for itself. Wow.
| intellirogue wrote:
| Wow. I'm a complete outsider to this, not using FreeBSD or
| pfSense or Wireguard - but this blog post makes Netgate seem
| incredibly unprofessional. Especially to anyone who actually
| read the mailing list exchanges.
| tptacek wrote:
| It is not great.
|
| I think this is all pretty much over now, right? FreeBSD is
| pulling back from a kernel WireGuard I think everyone agrees
| wasn't ready for prime time in mainline FreeBSD, and
| everyone's working getting it ready for a future release.
|
| I don't really understand what pfSense had to gain from a
| post like this, but, it's their blog.
| lambda_obrien wrote:
| I'll have to take a look at freebsd, does anyone have a good
| reference to the differences in a bsd versus Linux?
| tachion wrote:
| https://docs.freebsd.org/en/articles/explaining-bsd/comparin...
| annoyingnoob wrote:
| If it helps, OSX is based on BSD. I've had great success with
| pfSense.
|
| I found great tuning advice here: https://calomel.org
|
| Edit: Not sure why I'm getting down votes for trying to provide
| info. I didn't down vote anything in this thread.
| WarOnPrivacy wrote:
| I can't find any logic in downvoting a declaration like this
| (and the parent Q). It really seems like lashing out at good faith.
| Datagenerator wrote:
| BSD adheres to the POLA principle and is serving many PB of
| data in production at work. Rock solid and no sudden
| changes. The manual pages are to me of higher quality when
| compared to Linux.
|
| POLA: Principle Of Least Astonishment
| WarOnPrivacy wrote:
| I can't argue with any of that.
| anoki wrote:
| I didn't downvote but it could be you got some downvotes
| because calomel has a bad reputation among BSD people. They
| have put bad and dangerous advice in their tuning and
| performance posts. People who follow this advice and shoot
| themselves in the foot sometimes come to the mailing lists
| looking for help, and it turns out their problems were caused
| by copy pasting from an unofficial source instead of reading
| and understanding the documentation.
| sgt wrote:
| OSX changed its name 5 years ago to macOS. For what it's
| worth, I've also had great success with pfSense. Ran it for
| years at our company. Recently we've migrated to Mikrotik,
| but to be honest I fail to see any major advantage. It's
| perhaps easier to train people in learning to use Mikrotik.
| aborsy wrote:
| If true, this calls into question the security of the rest of
| pfsense as well (not just the WG piece).
| andrius4669 wrote:
| Link to relevant announcement email:
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...
|
| There's also Jason's reply to apparently not-nice feedback of
| someone from NetGate:
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...
| Arnavion wrote:
| Damage control: https://www.netgate.com/blog/painful-lessons-learned-in-secu...
| Jonnax wrote:
| Wow. Netgate come off as incredibly unprofessional.
|
| According to the article linked and the info here in that email
| you linked this is my conclusion:
|
| * Netgate tried to ship flawed code that has multiple security
| issues.
|
| * Jason Donenfeld, one of the lead Wireguard developers, went
| out of his way to work on rewriting it to be better in time for
| the 13.0 release of FreeBSD.
|
| * This Netgate employee is angry that they weren't able to ship
| their bad code and starts throwing accusations of a smear
| campaign.
|
| Am I understanding what happened correctly? Because it really
| makes this Firewall/Router look really bad.
| stonogo wrote:
| NetGate spends a lot on FreeBSD development, which is great,
| but they also spend a lot of time running smear campaigns
| against people who offend them, which is ridiculous. They
| even started /r/opnsense on Reddit just to post shit-talking
| memes, and camp on the namespace to this day.
| kbenson wrote:
| That was my impression too, then I went back a couple prior
| messages, and looked at the earlier announcement. While
| Netgate looks to have overreacted (at least from the info we
| have), I can understand why they would be upset. This was in
| the original announcement:
|
| _The first step was assessing the current state of the code
| the previous developer had dumped into the tree. It was not
| pretty. I imagined strange Internet voices jeering, "this is
| what gives C a bad name!" There were random sleeps added to
| "fix" race conditions, validation functions that just
| returned true, catastrophic cryptographic vulnerabilities,
| whole parts of the protocol unimplemented, kernel panics,
| security bypasses, overflows, random printf statements deep
| in crypto code, the most spectacular buffer overflows, and
| the whole litany of awful things that go wrong when people
| aren't careful when they write C. Or, more simply, it seems
| typical of what happens when code ships that wasn't meant to.
| It was essentially an incomplete half-baked implementation -
| nothing close to something anybody would want on a production
| machine. Matt had to talk me out of just insisting they pull
| the code entirely, and rework it more slowly and carefully
| for the next release cycle._
|
| I can understand being upset if that's how you're portrayed
| publicly.
| 1vuio0pswjnm7 wrote:
| Reminded me of the type of statements he made last year on
| another mailing list:
|
| https://news.ycombinator.com/item?id=24430424
|
| https://mail-index.netbsd.org/tech-net/2020/08/22/msg007842....
|
| https://mail-index.NetBSD.org/current-users/2020/08/22/msg03...
|
| https://mail-index.NetBSD.org/tech-kern/2020/08/23/msg026693...
| tomxor wrote:
| I dunno, if true about the code, I find it very difficult to
| empathize with Netgate
|
| From what has been said it's not like they found and fixed
| a subtle and cryptic vulnerability in an otherwise
| reasonable implementation and then failed to disclose it
| properly. It's more like they turned over a rock and found
| a murder victim. The guy from Netgate is also coming across
| as very inward looking and seems to assume everyone else's
| motivations are also purely selfish (referring to his
| comment implying a "shower of contracts" they might receive
| for the publicity). His focus should be on how to prevent
| this mistake from happening in future.
| tw04 wrote:
| Keep in mind, back in February of 2020 when Kip Macy first
| announced that Netgate had hired him to port Wireguard,
| Jason offered to help. First Kip declines the offer, then
| seems to warm slightly to it, but ultimately appears to
| have not actually engaged Jason.
|
| If I'm Jason and I offer my help (for free), they don't
| take me up on my offer, then try to release code that would
| make my baby look quite ugly, I would probably also have a
| pretty severe reaction.
|
| Could Jason have been slightly more professional?
| Absolutely. But we're all human and I can't entirely blame
| him, I'm sure he was frustrated that he offered to help
| multiple times and they both didn't take him up on the
| offer, and tried to release a hatchet job with his name
| (indirectly) attached to it.
| CameronNemo wrote:
| Sounds like Jason should trademark Wireguard (the name).
| Or build an alternative brand. That way Netgate's
| actions, or the actions of other wireguard
| implementations, will not reflect on the reputation of
| his project/product/technology.
| tw04 wrote:
| He did trademark the name. I don't think Jason is going
| to tell the FreeBSD project that they can't use the name
| "wireguard" for their implementation of "wireguard" just
| because Netgate put out shoddy code. It's not the FreeBSD
| project's fault.
|
| https://www.wireguard.com/trademark-policy/
| Reventlov wrote:
| "Kip Macy"? Don't you mean Matt Macy?
| tw04 wrote:
| There's not a good way for me to respond to that without
| going off-topic. The following is assuming that wasn't a
| rhetorical question, if it was rhetorical I guess we may
| just agree to disagree:
|
| Until he issues a public apology for his actions, I'll
| refer to him as Kip. Changing your name to run from the
| google searches is completely understandable, and I
| support second chances, but you need to show a bit of
| remorse IMO.
|
| https://abcnews.go.com/US/exclusive-landlord-hell-defends-te...
| jimbob45 wrote:
| Damn that link was an adventure from start to end.
| generalizations wrote:
| I don't really think that the 'online mob' has the right
| to hold someone's past actions over their head, and
| expect some public appeasement before it relents.
| kbenson wrote:
| > Could Jason have been slightly more professional?
| Absolutely. But we're all human and I can't entirely
| blame him
|
| Oh, I don't entirely blame him. I just partially blame
| him for not seeing the obvious way this _could_ devolve
| into a problem, even if it would (justifiably) seem
| unlikely to go to this level so fast. That is, he shouldn't
| be surprised there was a problem with what he said,
| although the scope of the problem is a bit more than I
| think most would expect.
|
| Professionalism isn't just about making others feel good,
| it's about optimizing for useful outcomes, which includes
| covering yourself. Not taking care with your words is
| just like not taking care with your code. Sometimes
| there's a weird interaction and things go boom.
| Jonnax wrote:
| Well if it's true, then they were trying to put flawed code
| into freebsd which they would then ship to customers in
| their security product.
|
| They're not some random person but are representing their
| company with their code.
|
| If there was a security exploit with their Wireguard
| implementation, would Netgate get blamed or Wireguard?
| [deleted]
| ksec wrote:
| Similar reaction here. My first impression was Netgate
| being an arse. But then when you read the announcement I
| kind of understand why Scott is angry. Because while the
| post may have been in "good faith" in an Open Development
| and Open Source world, it surely isn't in a professional
| and business world, especially when the work is sponsored
| (being paid).
|
| Jason should have informed Netgate in private that the quality
| of the code is shit, and the FreeBSD devs should have told Netgate
| they will not be shipping any of it in Rel 13.
|
| It is then up to Netgate to decide what to do with their
| Rel 2.5.
| tptacek wrote:
| WireGuard is an open-source project, and an important
| one. It seems to me that if you want to push to create
| the authoritative WireGuard implementation for a major
| open source OS, the commercial norms need to take a back
| seat.
| tw04 wrote:
| > it surely isn't in a professional and business world
| especially when the work is sponsored ( being paid ).
|
| To play devil's advocate: Netgate isn't paying Jason, and
| they're taking his open source code to create a
| proprietary commercial project. I'd say Jason owes them
| exactly nothing in the way of courtesy or consideration.
| Could he have been more polite for the sake of being
| polite and community goodwill? Probably.
| ksec wrote:
| > and they're taking his open source code to create a
| proprietary commercial project.
|
| I am not sure if that is the case. Netgate seems to have
| used their old crappy sponsored work for their pfSense.
|
| That is judging from the two pieces of information here.
| Jason doesn't need to be of consideration for Netgate.
| There could be other communication we dont know about. I
| can certainly understand why Scott is frustrated.
| tw04 wrote:
| > I am not sure if that is the case. Netgate seems to have
| used their old crappy sponsored work for their pfSense.
|
| Their sponsored work was based off of the Linux and
| OpenBSD code that Jason and others wrote. And even if it
| didn't utilize that code, you literally can't write a
| wireguard client without building on Jason's work.
| axaxs wrote:
| Yeah, same.
|
| Even if all of the above is true, it reads like an
| elaborate insult. And that's fine if that's what the author
| set out to do for some reason. Pretending it wasn't after
| the fact isn't being honest, in my opinion.
|
| A more professional and neutral announcement could just
| talk about code that needs to be refactored due to some
| incompleteness and vulnerabilities.
| tptacek wrote:
| It's not an elaborate insult.
|
| To a much greater extent than in other security
| protocols, implementation security is a goal of
| WireGuard. The protocol itself was designed to support
| secure kernel implementations; for instance, it's
| designed in such a way as to not require on-demand
| dynamic memory allocation.
|
| It's part of the premise of the security model of
| WireGuard that it has secure kernel implementations. If
| you're building a kernel WireGuard implementation for a
| major open source OS without taking advantage of the
| WireGuard implementation design concepts, you're not
| really building WireGuard; you're building a compatible
| fork and calling it "WireGuard".
|
| The "ask" here from Jason was for everyone to slow their
| roll, take the flawed WireGuard implementation out of the
| tree, and give everyone a chance to make it more
| resilient. Considering the amount of work Jason had to go
| through to get WireGuard into the Linux tree, that seems
| like a very reasonable request.
|
| Instead, the WireGuard project seems to have been put
| into a position where they had to scramble to fix up an
| implementation that was being pushed into FreeBSD, as
| WireGuard _qua_ WireGuard. I can imagine that being a
| frustrating experience. It certainly didn't generate the
| most political response ever, but I think you'd be
| reaching to call it a deliberate insult.
| kbenson wrote:
| > It's not an elaborate insult.
|
| My read on it wasn't that it was an elaborate insult, but
| more that it was far more denigrating than it needed to
| be, if he was trying to be professional. That doesn't
| mean it was purposeful, sometimes people just don't
| really associate the statements they make with how it may
| be perceived.
|
| I think it could have been communicated clearly and
| succinctly with something along the lines of: "The first
| step was assessing the current state of the code the
| previous developer had dumped into the tree. We noticed
| some quality problems, some unimplemented protocol
| sections and more concerning, security issues with the
| code. Given these issues, we considered asking they
| remove the code, but instead Matt convinced me that we
| should rework it slowly and carefully for the next
| release cycle."
|
| Notably, I think omission of the following inflammatory
| statements would have prevented a lot of problems:
|
| - "It was not pretty."
|
| - "I imagined strange Internet voices jeering, "this is
| what gives C a bad name!""
|
| - "the most spectacular buffer overflows"
|
| - "the whole litany of awful things that go wrong when
| people aren't careful when they write C."
|
| Whether those entirely subjective statements are
| accurate, they are not the things you say about someone
| else's work output when you expect a useful dialogue with
| them, which is exactly why they are considered
| unprofessional.
|
| I'm not defending Netgate's code here, or even the
| vehemence of their reaction and how they went about it,
| but merely noting that not only can I see how it devolved
| into this, I would go so far as to say it's _obvious_
| that this is why that type of language is avoided by most
| people trying to work professionally. Jason wrote some
| very unkind things, and Netgate blew up about it. There's
| enough blame here that they can both share some.
|
| > The "ask" here from Jason was for everyone to slow
| their roll, take the flawed WireGuard implementation out
| of the tree, and give everyone a chance to make it more
| resilient. Considering the amount of work Jason had to go
| through to get WireGuard into the Linux tree, that seems
| like a very reasonable request.
|
| Err, wasn't that actually not the ask, because he thought
| they wouldn't do so, so instead they worked it over in a
| short time-frame, only for it _then_ to be removed when
| this argument broke out and it came to light?
| zx2c4 wrote:
| I get your point about perceptions, but there's also
| another aspect of why I found it important and necessary
| to describe just how poor the code was:
|
| When you're talking about replacing and rewriting the
| implementation on the eve of release, you better have a
| good reason for doing so. Stuffing a rewrite of security
| critical code into the kernel at the last minute is a big
| red flag. The main question that _immediately_ comes up
| in that context is, "how is it possible that having a
| last minute rewrite would be better than the code that
| was there before? You've only looked at this for a week."
| And that's a really good and important question.
|
| That much code churn is not something I wanted when I set
| out to get started with this, but it's ultimately where
| things wound up. Why? For exactly the reasons I described
| in my email. The idea wasn't to be _insulting_, but
| rather to accurately and vividly describe the state of
| the code, as a motivating factor for the rewrite. I see
| how perceptions could view that instead as denigrating,
| but that wasn't really the motivation. And it's not as
| though anybody really is rushing to defend that code
| either; it doesn't take a lot to look at that and make up
| your mind that it was probably unfinished stuff, not
| coded with much love, that was committed prematurely.
|
| It also had the, I think, positive effect of leading to
| more scrutiny of the review process. A few people have
| piped up and mentioned to me that their concerns during
| that review weren't addressed. And as a consequence of
| everything, all of the code, including the rewrite, is
| being removed from FreeBSD until it can be carefully
| examined and completed, which is really the best of
| conclusions.
| jamal-kumar wrote:
| You did good, Jason. Honestly after this Streisand
| effect from them taking technical criticism personally
| and threatening you, I'm probably just going to avoid
| anything using code they might have written... that's on
| them. Responding to a perceived non-professionalism by
| talking like that to you -- from their COMPANY EMAIL at
| that? If I were their boss I'd definitely start making
| some considerations.
| kbenson wrote:
| > The idea wasn't to be _insulting_
|
| Sure, I didn't really interpret it as you attempting to
| be insulting, more that you were accidentally insulting
| through your explanation of what you found.
|
| > but rather to accurately and vividly describe the state
| of the code, as a motivating factor for the rewrite
|
| Sure, but is any of that really needed beyond "there were
| numerous security problems we had to address"? When
| talking about shipping crypto, I think most involved
| would agree not shipping it is better than shipping
| something possibly exploitable.
|
| I think the core of what I was trying to express is that
| words should be crafted with care when expected to be
| read in a public forum like this, just like any code
| expected to be used by many should be crafted with care.
| For the same reason it's useful to remove quadratic
| algorithms from places where the input is somewhat not
| entirely vetted, it's useful to take care with words to
| reduce the chance of misinterpretation.
|
| That doesn't mean scour your statements for the smallest
| possible misinterpretation, but there's a lot of room to
| improve things like "I imagined strange Internet voices
| jeering, "this is what gives C a bad name!"" while still
| expressing your point constructively. The low hanging
| fruit is easy to pick, so you might as well pick it.
|
| To be clear, I feel for you with regards to this
| situation. Nobody really expects weird accusations like
| you got from simple emails, and that's on Netgate, but a
| less extreme response that also publicly notes the soured
| relationship would also be a negative outcome from this
| in my opinion, if one of lower magnitude.
| tptacek wrote:
| Sure, but it's easy to clinically examine any
| communication and refine it with the benefit of both
| hindsight and low cortisol levels. My read of this
| situation is that everyone involved was stuck in a shitty
| situation; it got _very briefly_ heated, and ended up
| where it should have: with another dev cycle to iterate
| on FreeBSD WireGuard.
| kbenson wrote:
| I agree on both counts, but I think (constructive)
| criticism is warranted in a mistake. To absolve Jason of
| all responsibility would be to possibly not provide that
| useful feedback of why not to do this the same way next
| time.
|
| Hopefully I accurately expressed that as what I was
| trying to convey. I don't think Jason is close to even
| half the problem in this case, just the small spark that
| allowed it to continue and explode (continue because it
| started with a substandard implementation to begin with).
| At the same time, he's also the one easier to critique
| constructively because the other party is hard to relate
| to (I'm not one to jump to conspiracy theories about
| implicit efforts to defame).
| 1vuio0pswjnm7 wrote:
| The patch, showing the fixes made:
|
| https://cgit.freebsd.org/src/commit/?id=74ae3f3e33b810248da1...
| seany wrote:
| Netgate is weirdly hostile to a lot of opensource stuff, which
| should be strange given what all their tech is built on top of.
| This has been going on for years. (see opnsense etc)
| cperciva wrote:
| Netgate funds a lot of FreeBSD work, and employs FreeBSD
| committers. I certainly wouldn't describe them as hostile to
| open source.
| WarOnPrivacy wrote:
| I didn't know that. That's kind of awesome.
| tedunangst wrote:
| They can be a touch snotty towards developers who aren't
| FreeBSD committers.
| cperciva wrote:
| I think every project has people like that. I can think
| of some open source projects which are _led_ by people
| with attitude problems.
| tptacek wrote:
| Real subtle, Colin.
| cperciva wrote:
| I mean, Linus has openly acknowledged that he has behaved
| unprofessionally in the emails he sends to people who are
| trying to contribute. There isn't anything secret here.
| Crontab wrote:
| LOL, my first thought was that you were talking about
| Theo.
| tptacek wrote:
| I think he was. :)
| droopyEyelids wrote:
| It seems clear to me this is a case of passionate coders
| with different personalities struggling with the difficult
| work of human communication in a world with limited
| resources and time.
|
| No one has to be the bad guy here or end up hostile to open
| source.
| tomxor wrote:
| Perhaps entitled is the right word then.
| cperciva wrote:
| Maybe. It's not necessarily without reason -- if you make
| a lot of contributions and they are generally very well
| received, it's quite sensible to anticipate that further
| contributions will be equally well received and to be
| surprised if they're not.
|
| This was made worse by the unfortunate timing -- the
| final release candidate is just 3 days away. Any other
| time, we would have gone slower, had more discussion, et
| cetera; unfortunately this turned into an emergency.
| m463 wrote:
| I was about to buy a netgate router when I read the
| background of everything here on HN.
|
| Basically, all the opensource claims don't amount to a hill
| of beans, because you cannot compile pfsense yourself, even
| for their hardware.
|
| (I'm sure someone could come up with the link)
|
| The firewall should be the ONE place where this would be
| critical. You have to run their binary.
|
| I also think it phones home.
| colordrops wrote:
| They've recently forked their open and closed source
| products, so a lot of people have been migrating to OPNSense.
| I've been using it for a couple months now and recommend it.
| bjustin wrote:
| Jason's reply is an impressive display of de-escalation. The
| NetGate person's message has a lot of hostility and Jason
| really doesn't return any of it. Hope NetGate comes around to
| working with the WireGuard maintainers more in the future.
| megous wrote:
| Good read, I saved crypto.{c,h} for later use. Nice and tidy
| crypto code.
| sschueller wrote:
| I'm confused, pfSense 2.5 is out and has WireGuard support. Is
| that version full of holes I should be aware of?
| jandrese wrote:
| It's a userland implementation. This is for the in-kernel
| implementation. It should be faster. Also, there are some
| comments that the userland version is rather hacky and probably
| should be transitioned away from once you can.
| JStanton617 wrote:
| OPNSense (the pfSense fork) is using the userland version.
| pfSense 2.5 is using this kernel code - https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.ht...
|
| "pfSense(r) Plus software version 21.02 and pfSense Community
| Edition (CE) software version 2.5.0 include a major OS
| version upgrade, a kernel WireGuard implementation..."
| pimeys wrote:
| The userland version is also from the original author of
| WireGuard and not that bad actually.
|
| I'm currently running it in an OPNsense box to serve our
| internet needs. I have a connection that without VPN can push
| through about 400-800 Mbps, and when I put the VPN on for all
| traffic, I can still push 400-800 Mbps through my connection.
|
| The in-kernel version can do the same with less CPU usage,
| and can probably drive multi-gigabit connections without any
| trouble.
| JStanton617 wrote:
| Yes. The code you're running is described as having "random
| sleeps added to "fix" race conditions, validation functions
| that just returned true, catastrophic cryptographic
| vulnerabilities, whole parts of the protocol unimplemented,
| kernel panics, security bypasses, overflows, random printf
| statements deep in crypto code, the most spectacular buffer
| overflows"
|
| This is a kernel RCE just waiting to happen.
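A constructed illustration of two items in that quoted list, "validation functions that just returned true" and the buffer overflows that follow from them, added here as example code that is not the FreeBSD, Netgate or WireGuard project's code. The fixed message sizes are the ones given by the WireGuard protocol specification (148, 92 and 64 bytes for the three handshake messages; a 16-byte header plus a 16-byte tag as the minimum for a data message); the function names, the stub validator and the sample packets are assumptions made for this example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example. The fixed message sizes come from the WireGuard
 * protocol specification; the helper names and sample packets are invented
 * for this illustration and are not from any kernel implementation. */

#define WG_MSG_INITIATION   1u
#define WG_MSG_RESPONSE     2u
#define WG_MSG_COOKIE_REPLY 3u
#define WG_MSG_DATA         4u

#define WG_LEN_INITIATION   148u  /* handshake initiation is exactly 148 bytes */
#define WG_LEN_RESPONSE     92u   /* handshake response is exactly 92 bytes */
#define WG_LEN_COOKIE_REPLY 64u   /* cookie reply is exactly 64 bytes */
#define WG_DATA_HDR_LEN     16u   /* type(4) + receiver index(4) + counter(8) */
#define WG_DATA_TAG_LEN     16u   /* Poly1305 tag on the encrypted payload */
#define WG_DATA_MIN_LEN     (WG_DATA_HDR_LEN + WG_DATA_TAG_LEN)

/* Little-endian u32 read; the caller must already have checked that
 * four bytes exist at p. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect the thread quotes: a "validator" that validates nothing.
 * Any parser that trusts it will index into a buffer that may be shorter
 * than the message it believes it holds, which is how a short packet
 * becomes an out-of-bounds read inside a kernel. */
bool validate_message_stub(const uint8_t *buf, size_t len)
{
    (void)buf;
    (void)len;
    return true;
}

/* A validator that enforces the wire format: the type field itself needs
 * four bytes, handshake messages have exact sizes, data messages have a
 * minimum size, and anything else is rejected before it reaches crypto. */
bool validate_message(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return false;
    switch (le32(buf)) {
    case WG_MSG_INITIATION:   return len == WG_LEN_INITIATION;
    case WG_MSG_RESPONSE:     return len == WG_LEN_RESPONSE;
    case WG_MSG_COOKIE_REPLY: return len == WG_LEN_COOKIE_REPLY;
    case WG_MSG_DATA:         return len >= WG_DATA_MIN_LEN;
    default:                  return false;
    }
}

/* A consumer that only touches bytes 4..7 once validation has succeeded.
 * Swapping in validate_message_stub here would let a 5-byte "data" packet
 * read three bytes past the end of buf. */
bool data_receiver_index(const uint8_t *buf, size_t len, uint32_t *idx)
{
    if (!validate_message(buf, len) || le32(buf) != WG_MSG_DATA)
        return false;
    *idx = le32(buf + 4);
    return true;
}

/* Constructed sample packets (zero-filled beyond the bytes shown). */
const uint8_t sample_initiation[WG_LEN_INITIATION] = { 1, 0, 0, 0 };
const uint8_t sample_data[WG_DATA_MIN_LEN] = { 4, 0, 0, 0, 0x78, 0x56, 0x34, 0x12 };
const uint8_t truncated_initiation[20] = { 1, 0, 0, 0 };   /* claims type 1, far too short */
const uint8_t truncated_data[5] = { 4, 0, 0, 0, 0xff };    /* header cut off mid-index */
const uint8_t unknown_type[64] = { 9, 0, 0, 0 };           /* not a WireGuard message type */

int main(void)
{
    printf("stub accepts 20-byte initiation: %d\n",
           validate_message_stub(truncated_initiation, sizeof truncated_initiation));
    printf("checked validator accepts it:    %d\n",
           validate_message(truncated_initiation, sizeof truncated_initiation));
    return 0;
}
```

Compiled stand-alone, main reports that the stub accepts a 20-byte packet claiming to be a handshake initiation while the checked validator rejects it. The point is that the length check has to happen before any byte past the type field is read; in a kernel that is the difference between a dropped packet and an out-of-bounds read.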
| api wrote:
| > random sleeps added to "fix" race conditions
|
| That's just horrifying. It shows someone who knows next to
| nothing about multithreaded code and is kludging their way
| through. Not someone you want within a hundred feet of
| anything other than maybe front-end web, and even there
| they're going to be the kind of person who blocks the node.js
| event loop (because async coding is like the junior cousin of
| multithreading).
| Godel_unicode wrote:
| Anyone who wants to be able to throw some crypto CVEs on
| their resume could do worse than spending some quality time
| with this code.
| kevans91 wrote:
| Note that there's additional follow-up available here:
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
| darkwater wrote:
| Came here to post that, looks like they are pulling out the
| recent effort
|
| EDIT: removed the "and revert to the original freebsd (broken?)
| implementation"
| cperciva wrote:
| WireGuard is gone from the kernel in 13.0-RELEASE. Given the
| choice between "buggy" and "less than a week old", we're
| going with the third option of "you can ship a kernel module
| via the ports tree".
| zx2c4 wrote:
| Which is really the absolute best outcome:
|
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
|
| https://lists.freebsd.org/pipermail/freebsd-hackers/2021-Mar...
| beatrobot wrote:
| They are removing both implementations (the new and the broken
| one) in order to put more work and review on the new one, and
| release it properly at a later time.
| WarOnPrivacy wrote:
| I've been waiting for pfSense+Wireguard for a while. OpenVPN has
| been very good to me but I'm psyched to trade up.
| BuildTheRobots wrote:
| The opnsense fork has supported wireguard for a while, and has
| far less restrictive licensing. I highly recommend having a
| look.
| WarOnPrivacy wrote:
| Only if BBCan177 jumps ship. He's my hero.
| Arnavion wrote:
| Assuming you're referring to pfblockerng, you can have DNS
| blocking and IP blocking in OPNsense without the need for
| any plugins.
| LeSaucy wrote:
| OPNsense is criminally underrated. My main routers for my
| office are virtualized OPNsense VMs in high availability
| with CARP, DHCP, DNS, VPN endpoints, inter-vlan routing,
| gateway policies, outbound nat... I could go on. It all works
| extremely well I can't fathom why people still choose pfSense
| with all of the community shenanigans and closed source
| versions.
|
| My only gripe with it over 3 years has been the documentation
| on their APIs for programmatically updating firewall
| rules/aliases could use some more examples, or just mention
| "use browser's network requests developer mode to see what
| calls you need to make".
| pimeys wrote:
| I did LOTS of research on what firewall/router distro to
| install to my new router a few months ago. See my comment
| history for considering different options.
|
| I have to say choosing OPNsense has been a great choice.
| All the things you said I can agree on, but I have to add
| one more thing:
|
| That quick search bar on the top-right corner where you can
| quickly type where you want to go. That thing is just super
| nice when jumping through places in the router.
|
| Now if I'd need to build a new router, I'd like to try my
| luck with NixOS. Would be great if I could just build a new
| router from a reproducible configuration.
| ulzeraj wrote:
| Same here but I've concluded that there is nothing better
| than a simple install of pure OpenBSD or FreeBSD and
| setting the rules in /etc/pf.conf. It's safer, faster,
| lighter and I could argue that it is also easier to admin
| with just SSH and no web code in between.
|
| For example, in the latest version of OpenBSD, which has a
| WireGuard kernel implementation, the management tool has
| been basically included in the ifconfig command:
| ifconfig wg0 create wgport 5180 wgkey ...
|
| And then you are set. For persistence you create a
| /etc/hostname.wg0 file containing the commands to bring
| the interface up.
| accountofme wrote:
| Agree. I run OpenBSD, it's simple.
| WarOnPrivacy wrote:
| > OPNsense is criminally underrated.
|
| When I came into FW distros, my practical choices were
| MonoWall, SmoothWall and pfSense. IPfire wasn't even on the
| scene yet. pfSense won me early. I figure there are a lot
| of similar stories of pfSense being there for us when not
| much else was.
| closeparen wrote:
| pfSense has the only friendly admin GUI for OpenVPN that I know
| of, besides the proprietary Access Server. Will they do the
| same for Wireguard?
| sschueller wrote:
| WireGuard is already in the latest version (2.5). The UI is ok
| but you need to understand how WireGuard works and what the
| fields mean.
| [deleted]
| sandGorgon wrote:
| is there any linux equivalent of pfsense+freebsd ?
| bubblethink wrote:
| openwrt works well enough for routing, qos, adblock, vpn, etc.
| josteink wrote:
| So what do people typically use pfSense/OPNsense for which
| OpenWRT can't do, or is a bad fit for?
|
| Asking as a curious OpenWRT devotee.
| fullstop wrote:
| Untangle NG Firewall, perhaps. [1]
|
| 1. https://wiki.untangle.com/index.php/NG_Firewall_Installation
| sandGorgon wrote:
| what about vyos ?
|
| https://vyos.io/products/#vyos-router
| thaumasiotes wrote:
| OpenWrt? I'd be interested to know what the differences are.
| pimeys wrote:
| OpenWrt is more of a replacement for the market routers. It's
| a nice Linux-based router distro with a good/great ui in
| LuCI. The downside of this is that upgrading OpenWRT is a bit
| similar to upgrading a closed-source OS of the consumer
| routers: you flash it and you must reinstall all packages
| after the upgrade. This means an upgrade between major
| versions is maybe a bit too much work.
|
| OPNsense/pfSense have similar upgrade strategies as FreeBSD
| has: you upgrade the core os to the latest version, then all
| ports. This is usually a really simple and kind of boring
| system, which is something you really value in a computer
| that manages your whole house's internet traffic...
| freedom42 wrote:
| PSA:
|
| pfSense is closed-source [1]. It was discussed last month here on
| HN [2]. OPNsense is the equivalent FOSS alternative [3].
|
| [1] https://github.com/rapi3/pfsense-is-closed-source
|
| [2] https://news.ycombinator.com/item?id=25894420
|
| [3] https://en.wikipedia.org/wiki/OPNsense
| jaytaylor wrote:
| The dramas [0] between PFSense, OPNsense, and IPFire [1] always
| seem to come up.
|
| I ended up going with PFSense and it works fine. It's open
| enough that you can always dive in to figure out what's going
| on. Perhaps philosophically suboptimal, but for all practical
| purposes it's worked great for my home!
|
| [0]
| https://www.reddit.com/r/homelab/comments/dg2wme/opnsense_vs...
|
| [1] https://www.ipfire.org/
| whalesalad wrote:
| Woah, I have been using pfsense for quite a while but never
| knew it was closed source until now.
| WarOnPrivacy wrote:
| The shade I occasionally see thrown toward pfSense is curious
| to me. This isn't push-back at the parent comment but me
| expressing a bit of confusion.
|
| I've used pfSense since 2009 or so. I was skeptical when
| Netgate entered the picture but since I've had no reason to
| complain. It's been a continuous and usually smooth timeline of
| serving me well.
|
| A relevant sidebar is that I've been part of different, stellar
| volunteer efforts - started by a core team that was trying to
| improve or fix something worthwhile. It is inevitable that core
| team members will eventually run low on time/energy and
| changes must follow. Those changes can be anything and usually
| are.
| anfogoat wrote:
| > _The shade I occasionally see thrown toward pfSense is
| curious to me._
|
| Every last bit of it is deserved. They made a promise to keep
| pfSense open source and they broke it as soon as they could.
| I see them hiding behind _it's the newly announced pfSense
| Plus that is closed source, not pfSense CE_ and it's pure
| weaseling.
|
| I still use pfSense but I feel bad for ever being excited
| about it and contributing to their popularity.
| WarOnPrivacy wrote:
| However, you are directing your disdain (about pfSense)
| toward us. To what end? What is it you want to achieve?
| anfogoat wrote:
| > _However, you are directing your disdain (about
| pfSense) toward us._
|
| I don't think I am; who's _us_ in that sentence?
|
| > _To what end? What is it you want to achieve?_
|
| I'm scratching an itch. If Netgate can screw the
| community that helped pfSense gain popularity then surely
| it is perfectly acceptable for a member of that community
| to express a little disdain.
| WarOnPrivacy wrote:
| > who's us in that sentence?
|
| Everyone in this thread.
|
| > it is perfectly acceptable for a member of that
| community to express a little disdain.
|
| Okay. I never inferred otherwise. If venting is the total
| of your goal here are you okay we blow that off or is
| there something else you're hoping for?
|
| To be clear, I've no animosity toward your posts. My
| 'hidden' agenda is this: Because hostility takes a toll
| on the recipients (us), I'm curious if what you're
| getting in return is worth it.
|
| No judgment. We all do this.
| anfogoat wrote:
| > _To be clear, I've no animosity toward your posts._
|
| No worries, no animosity assumed.
|
| > If venting is the total of your goal here are you okay
| we blow that off or is there something else you're hoping
| for?
|
| I don't like _venting_. I said I was scratching an itch
| but _venting_ makes it sound like it had no substance at
| all and suggests what Netgate did was alright. To be
| clear, I think the more Netgate gets criticized and
| called out the better. But I had no hopes beyond that.
|
| > _My 'hidden' agenda is this: Because hostility takes a
| toll on the recipients (us) ..._
|
| Putting aside that I'm not completely on board with the
| _hostility_ characterization either, you're recipients
| of it only in the sense that you happened to read it. I
| disagree with you about the degree to which Netgate
| deserves the criticism of course, but none of the
| "hostility" was addressed to you or anyone else in this
| thread.
|
| It shouldn't be taxing. It's a pick-me-up to anyone who's
| read one too many overly positive comments about the
| pfSense Plus shenanigans.
| arm wrote:
| > " _Because hostility takes a toll on the recipients
| (us), I'm curious if what you're getting in return is
| worth it._"
|
| We aren't the recipients of the _hostility_; Netgate is.
| I feel no hostility directed towards me when reading
| _anfogoat_'s post. In fact, I thank them for openly
| expressing their disdain towards Netgate here, as it
| gives others like me more information to look into and
| come to our own conclusions on.
| Godel_unicode wrote:
| I'm not sure that over 10 years later is "as soon as they
| could". NetGate has made a huge number of open source
| releases, and while they have not held exactly to the
| platonic ideal of open source (literally every bit on the
| disc comes from an open repo) I think we can all agree that
| the vast majority of the existing CE code remains open. I
| also think that they get a lot of shade because some of
| their developers have been some of the loudest jerks in
| open source.
|
| In my opinion, at the moment we have Schrodinger's open
| source: in the box there's a future pfSense CE which is
| well-maintained but differentiated from their commercial
| offering of pfSense Plus, and there's a pfSense CE which
| languishes from a lack of new features and slowly accrues
| an ever-larger trail of closed-won't-fix bugs.
|
| At this time, which future will develop is anyone's guess;
| I suspect even NetGate don't really know. Even if they're
| planning on effectively abandoning CE in place, a backlash
| in the community could cause that to reverse.
| mig39 wrote:
| I don't think this is completely accurate, nor is it recent.
|
| Their "community edition" is open source and free:
|
| https://www.pfsense.org/download/
|
| Also, they have https://github.com/pfsense/
| freedom42 wrote:
| Then idk what this comment [1] means. Maybe someone could
| clarify?
|
| [1] https://news.ycombinator.com/item?id=25915295
| tw04 wrote:
| Community Edition will diverge from Pfsense+ with the 2.6
| release. They have also made no commitments there will be any
| releases after that - "it's up to the community".
|
| They will, however, gatekeep what features the community is
| allowed to add. Community Edition is more or less a dead man
| walking at this point, they just refuse to come right out and
| say that.
|
| Someone asked if they'd allow one of the REST API projects to
| be put into upstream and they gave some ridiculous answer
| about how they'd review any commit but alluded to the fact
| they won't actually accept it. Because what would they do if
| the maintainer left? Their suggestion was to fork it. Which,
| ironically, is exactly what OPNsense did and then Jim
| Thompson acted like a misbehaving 6 year old and created a
| website trying to bash them and didn't even have the spine to
| own up to it until there was a court order.
|
| https://opnsense.org/opnsense-com/
|
| I'm not sure why ANYONE would waste any effort on adding
| anything to pfsense at this point when they won't actually
| commit to accepting features upstream that competes with
| PFsense+.
| k_roy wrote:
| I've been on the wrong end of the Netgate
| brigade/shills/apologists before due to a few blog entries,
| and it's not fun.
|
| I'm just glad others are seeing the darker side of them.
| WarOnPrivacy wrote:
| In my case, I don't readily find hostility toward a group
| that has busted tail to provide me tremendous value while I
| have contributed very little in return. My interactions
| over the years have been - perhaps not exclusively positive
| but overwhelmingly so.
|
| History says one day pfSense will no longer fill my needs.
| Okay. I'll raise an imaginary glass and move on with gratitude.
| frankharv wrote:
| Well, instead of pfSense no longer fulfilling your needs,
| then maybe it's time to beam up to the mothership. FreeBSD
| can do everything pfSense does without a web interface.
| k_roy wrote:
| Except it's not. The source that is provided doesn't actually
| build pfSense as shipped. Plus there are binaries that no
| source is provided for that "you don't need to worry about"
___________________________________________________________________
(page generated 2021-03-16 23:00 UTC)