Netgate removes WireGuard from pfSense after FreeBSD implementation bugs
Netgate has removed the kernel-mode version of WireGuard from its FreeBSD-based router and firewall software pfSense. The move follows a decision not to include the WireGuard module in the 13.0 release of FreeBSD for now because of multiple issues.
Netgate says it is removing WireGuard from pfSense so that the software can be thoroughly vetted. If WireGuard does eventually make it into FreeBSD, the company is looking at adding it to a future version of pfSense again. Netgate introduced pfSense Plus version 21.02 and pfSense Community Edition version 2.5.0 in mid-February with a preview kernel implementation of WireGuard.
The development of WireGuard for pfSense was sponsored by Netgate. Development took over a year, and in November the port was committed to FreeBSD by developer Matt Macy. It was intended to appear in the kernel of FreeBSD 13.0, a release that is due shortly.
Following Netgate’s announcement of the implementation in the pfSense releases, WireGuard founder Jason Donenfeld announced that he, along with other FreeBSD and OpenBSD developers, had found serious issues with the port and that the version was not ready for release. He cited kernel panics, buffer overflows and other showstoppers, among other things.
A week of bug fixing by Donenfeld and FreeBSD developers Kyle Evans and Matt Dunwoodie was to no avail. “One notable thing to note is that 40,000 lines of optimized crypto implementations have been pulled from the Linux kernel compat module, but not hooked up correctly, and have been irreparably mangled with mazes of Linux-to-FreeBSD ifdefs,” Donenfeld reports, as quoted by Ars Technica. Donenfeld also complains about the lack of communication from an unnamed popular firewall vendor, which commissioned a developer to produce a WireGuard implementation without contacting the project.