Earlier this week, we discussed progress in integrating an implementation of the WireGuard VPN protocol into the FreeBSD kernel. Two days later, there’s an update: WireGuard in kernel mode has been completely pulled out of FreeBSD 13 development for the time being.
The change only affects WireGuard in kernel mode. WireGuard in user mode has been available in FreeBSD since 2019 and remains untouched. like you
pkg install wireguardyou get WireGuard in user mode, better known as
wireguard-go. Wireguard-go is potentially less performant than kernel-mode, but it’s stable and more than fast enough to keep up with most use cases.
The removal is actually good news for FreeBSD users and WireGuard users. While the new kernel work from WireGuard founder Jason Donenfeld, FreeBSD developer Kyle Evans and OpenBSD developer Matt Dunwoodie marked a clear step forward, it was considered too rushed to go out in a production kernel. This is a decision wholeheartedly endorsed by Donenfeld himself, who favors a more stable development process with more code reviews and consensus.
Donenfeld announced the migration of development from FreeBSD 13-CURRENT to its own
git archive earlier today. The new snapshot no longer relies on
ifconfig extensions to build tunnels; it uses
wg-quick commands similar to Linux, Windows and Android builds instead. While the code works, Donenfeld cautions that it should not be considered production-ready yet:
At this point, this code is new, not vetted, may have bugs, and should be considered “experimental”. It may contain security vulnerabilities. We welcome your testing and bug reports, but please note that this code is new, so some caution is advised when using it in mission-critical environments at this time.
However, in my small tests so far, it seems to “work basically”. And at the very least, those who rely on the code previously in the FreeBSD tree now have some immediate continuity.
In the coming days and weeks, this repository can be expected to improve and grow.
Ultimately, this FreeBSD WireGuard should be available in kernel mode through the FreeBSD port structure. At this point, those interested in testing it should:
git clone it from the WireGuard repos themselves, followed by the BSD style
make load ; make install commands to build from source.
This is an ongoing story and we will continue to follow the events as they develop.