You don’t want to use WireGuard on pfSense…

File this under “technical drama”, but in case you haven’t heard: Netgate, the company behind pfSense, sponsored a FreeBSD kernel module for WireGuard and shipped it in pfSense 2.5.0, released back in February. Netgate committed the module to FreeBSD, where it was slated for inclusion in FreeBSD 13.0, due out within days. Then WireGuard’s creator, Jason Donenfeld, did a code review of the module and… well…

It was not pretty. I imagined strange Internet voices jeering, “this is what gives C a bad name!” There were random sleeps added to “fix” race conditions, validation functions that just returned true, catastrophic cryptographic vulnerabilities, whole parts of the protocol unimplemented, kernel panics, security bypasses, overflows, random printf statements deep in crypto code, the most spectacular buffer overflows, and the whole litany of awful things that go wrong when people aren’t careful when they write C. Or, more simply, it seems typical of what happens when code ships that wasn’t meant to. It was essentially an incomplete half-baked implementation – nothing close to something anybody would want on a production machine.

Added emphasis mine.

This is the creator of WireGuard speaking.
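To make one of those bug classes concrete, here is an added illustration (my own code, not Netgate’s module and not anything quoted from the review): a length “validation” function that simply returns true, next to a check that actually enforces the type-specific sizes from the published WireGuard wire format. The message sizes are the real protocol sizes (148-byte handshake initiation, 92-byte response, 64-byte cookie reply, at least 32 bytes for transport data); the sample packets are constructed here for the demonstration and carry no real key material.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WireGuard message types and fixed wire sizes, from the published protocol. */
#define WG_MSG_HANDSHAKE_INIT     1
#define WG_MSG_HANDSHAKE_RESPONSE 2
#define WG_MSG_COOKIE_REPLY       3
#define WG_MSG_TRANSPORT_DATA     4

#define WG_LEN_HEADER             4    /* 1-byte type + 3 reserved (zero) bytes */
#define WG_LEN_HANDSHAKE_INIT     148
#define WG_LEN_HANDSHAKE_RESPONSE 92
#define WG_LEN_COOKIE_REPLY       64
#define WG_LEN_TRANSPORT_MIN      32   /* 16-byte header + 16-byte Poly1305 tag */

/* The anti-pattern the review describes: a "validator" that accepts anything.
 * Any later code that indexes into the packet at type-specific offsets will
 * read past the buffer on a truncated or mistyped packet. */
bool wg_validate_stub(const uint8_t *pkt, size_t len)
{
    (void)pkt;
    (void)len;
    return true;
}

/* A real check: the type byte, reserved bytes and total length must agree
 * before any field of the message is touched. */
bool wg_validate(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < WG_LEN_HEADER)
        return false;
    if (pkt[1] != 0 || pkt[2] != 0 || pkt[3] != 0)   /* reserved bytes must be zero */
        return false;
    switch (pkt[0]) {
    case WG_MSG_HANDSHAKE_INIT:     return len == WG_LEN_HANDSHAKE_INIT;
    case WG_MSG_HANDSHAKE_RESPONSE: return len == WG_LEN_HANDSHAKE_RESPONSE;
    case WG_MSG_COOKIE_REPLY:       return len == WG_LEN_COOKIE_REPLY;
    case WG_MSG_TRANSPORT_DATA:     return len >= WG_LEN_TRANSPORT_MIN;
    default:                        return false;  /* unknown type */
    }
}

typedef bool (*wg_validator)(const uint8_t *, size_t);

/* Build a zero-filled packet of the given type, reserved byte and length
 * (constructed test input) and run it through the chosen validator. */
bool check_sample(wg_validator validate, uint8_t type, uint8_t reserved, size_t len)
{
    uint8_t buf[256];
    memset(buf, 0, sizeof buf);
    buf[0] = type;
    buf[1] = reserved;
    return validate(buf, len);
}

struct sample { const char *name; uint8_t type; uint8_t reserved; size_t len; };

static const struct sample kSamples[] = {
    { "handshake init, 148 bytes",              WG_MSG_HANDSHAKE_INIT,     0, 148 },
    { "handshake init truncated to 100 bytes",  WG_MSG_HANDSHAKE_INIT,     0, 100 },
    { "handshake response, reserved byte set",  WG_MSG_HANDSHAKE_RESPONSE, 1,  92 },
    { "unknown message type 9",                 9,                         0,  64 },
    { "transport data, 20 bytes (no room for tag)", WG_MSG_TRANSPORT_DATA, 0,  20 },
    { "transport data, 32 bytes",               WG_MSG_TRANSPORT_DATA,     0,  32 },
};
#define N_SAMPLES (sizeof kSamples / sizeof kSamples[0])

/* Count how many of the constructed samples a validator lets through. */
int count_accepted(wg_validator validate)
{
    int accepted = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (check_sample(validate, kSamples[i].type, kSamples[i].reserved, kSamples[i].len))
            accepted++;
    return accepted;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-44s stub=%d real=%d\n", kSamples[i].name,
               check_sample(wg_validate_stub, kSamples[i].type, kSamples[i].reserved, kSamples[i].len),
               check_sample(wg_validate, kSamples[i].type, kSamples[i].reserved, kSamples[i].len));
    printf("stub accepts %d of %zu, real validator accepts %d of %zu\n",
           count_accepted(wg_validate_stub), N_SAMPLES, count_accepted(wg_validate), N_SAMPLES);
    return 0;
}
```

The point of the side-by-side is the failure mode: the stub passes all six samples, including a 100-byte “handshake initiation” and a 20-byte “transport” packet, so whatever parses the message next is the first code to notice the short buffer, and in a kernel it usually notices by faulting. The real check rejects four of the six before any field is read, which is the whole job of a validation function.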

Then, on March 18, Netgate, with egg on its face, announced the following:

Given that kernel-mode WireGuard has been removed from FreeBSD, and out of an abundance of caution, we are removing WireGuard from pfSense software pending a thorough review and audit.

Source.

So there you have it. If you’re running WireGuard on pfSense, switch to IPsec or OpenVPN until Netgate’s promised review and audit are done.
