This week we had a bit of an update from the FreeBSD community and Netgate. Mainly, the integrity of the WireGuard VPN code was called into question. As a result, the feature is effectively being pulled from FreeBSD 13 and pfSense in a major blow to the ecosystem.
pfSense and FreeBSD Pull Back on Kernel WireGuard Support
For those who may recall, pfSense 2.5 brought WireGuard VPN support. That was, if we are being forthright here, one of the biggest new features in pfSense 2.5. The WireGuard VPN implementation was designed as a kernel-mode solution and was then contributed to FreeBSD. Most Linux distributions have supported WireGuard for some time, and OPNsense, as an example, has had userland WireGuard support. Still, at some point, this needs to be a kernel-mode implementation.
The Netgate team hired a developer to add the feature to pfSense, and it was then contributed to FreeBSD, slated for FreeBSD 13. The flare-up over the past week, in abridged form, is that even after public comment and review, the code that was integrated into FreeBSD was found to be sub-standard when subjected to post-deployment review. It is not a great outcome to find out that, for example, enabling jumbo frames can introduce security vulnerabilities in a VPN solution that is designed to provide security.
Of course, this is an important feature for FreeBSD and pfSense, so the idea that it will be pulled indefinitely makes little sense. At the same time, the current guidance is not to use the kernel WireGuard in either FreeBSD 13 or pfSense 2.5 at this point. Work is being done to rectify the situation, since the kernel-mode implementation is something that a lot of folks want.
At STH, we have been using pfSense for years. Beyond the politics of open source, pfSense has worked well. At the same time, this is a very good example of a problem that would not exist if pfSense were based on a Linux solution. WireGuard was integrated into the Linux kernel and is trivial to install on most popular distributions. On Ubuntu/Debian, "apt install wireguard" is all one needs to do to get started.
Beyond the immediate impact of having to re-implement the feature, there is a reason other traditional open-source FreeBSD-based projects are moving to Linux. iXsystems started de-emphasizing FreeBSD for its TrueNAS Scale-Out Project. Linux is a bigger ecosystem than FreeBSD. The challenge now is that one of the larger FreeBSD projects, pfSense, sponsored a critical feature that fell flat while playing catch-up to Linux, and that is going to serve as a warning to others. If one chooses FreeBSD and creates a successful project, one is more likely to have to do the work oneself rather than having a critical feature mainlined and well tested. This was the first major feature implementation in pfSense in some time, and it fell flat.
For now, we recommend our users switch back to IPsec/OpenVPN. This will be fixed in the future. If you want to keep using WireGuard, ensure you are not changing the MTU to something larger than an MTU of 1420. This is not a great situation by any means, since it creates challenges for those who have already deployed. We also cannot turn a blind eye to the fact that this situation is out there. There is a userland wireguard-go solution available for FreeBSD and OPNsense, but the kernel version pfSense was using has now been moved out of the mainline, and the fixed version may come back in future updates.
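As an added example, not code from the article, Netgate or the FreeBSD project, here is a small sh check for the MTU advice above: it reads ifconfig(8)-style output and flags any wg* interface whose MTU exceeds 1420. The function name and the sample ifconfig output are constructed for the example.

```sh
#!/bin/sh
# Added example: report WireGuard (wg*) interfaces whose MTU exceeds the
# 1420 the article recommends staying at or below. Not pfSense/Netgate code.
WG_MAX_MTU=1420

# check_wg_mtu reads ifconfig(8)-style output on stdin and prints one line per
# wg* interface as "<name> <mtu> OK|TOO-LARGE". Returns 1 if any is too large,
# 0 otherwise (including when no wg interface is present).
check_wg_mtu() {
    awk -v max="$WG_MAX_MTU" '
        /^wg[0-9]+:/ {
            name = $1; sub(/:$/, "", name)
            mtu = ""
            for (i = 1; i <= NF; i++) if ($i == "mtu") mtu = $(i + 1)
            if (mtu == "") next
            status = (mtu + 0 > max + 0) ? "TOO-LARGE" : "OK"
            if (status == "TOO-LARGE") bad = 1
            print name, mtu, status
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample in the shape of FreeBSD ifconfig(8) output, so the check
# runs offline. em0 at 9000 is a jumbo-frame LAN port and is deliberately
# ignored; only the tunnel interfaces matter here.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
    inet 192.0.2.10 netmask 0xffffff00
wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
    inet 10.10.0.1 netmask 0xffffff00
    groups: wg
wg1: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 8920
    inet 10.20.0.1 netmask 0xffffff00
    groups: wg'

# On a live FreeBSD or pfSense box: ifconfig | check_wg_mtu
printf '%s\n' "$SAMPLE_IFCONFIG" | check_wg_mtu \
    || echo "one or more WireGuard interfaces exceed MTU $WG_MAX_MTU"
```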