FreeBSD recently introduced WireGuard support in its kernel, as we explained in a recent article. However, that WireGuard implementation was found not to be as secure as it should be, and the FreeBSD developers decided to temporarily leave it out of the latest release. This directly affects pfSense, the firewall- and router-oriented operating system based on FreeBSD, which already ships WireGuard in its pfSense 2.5.0 release.
pfSense removes WireGuard support
The pfSense development team shipped WireGuard in the kernel of both pfSense CE 2.5.0 and pfSense Plus 21.02. Following a number of issues that we will explain shortly, there were questions and many concerns about the security of the WireGuard implementation in pfSense, so they decided to discontinue support in the next maintenance release, pfSense 2.5.1. Since kernel-mode WireGuard was temporarily removed from FreeBSD until all of the underlying bugs are fixed, the pfSense development team did the same, removing WireGuard in the next release in order to wait for the fully patched source code, as well as for a thorough audit to determine whether there are security flaws.
The pfSense team stated that once FreeBSD reintroduces kernel-mode WireGuard into the operating system, they will reconsider enabling this popular VPN again. That is, right now, in version 2.5.0, WireGuard is available for use, but soon, in version 2.5.1, it will be removed, as FreeBSD did.
What happened to the WireGuard source code for FreeBSD?
Netgate, the company behind the pfSense project, commissioned a developer to implement WireGuard for FreeBSD in kernel mode to ensure the best possible performance, since Linux already has WireGuard in kernel mode. It seems that this developer's implementation was not as good as it should be; other developers reviewed the source code to fix all issues prior to the release of FreeBSD 13.0, but decided to wait and review it more carefully instead of releasing it to the world with possible implementation and/or security flaws.
The FreeBSD 13.0 development team decided not to enable WireGuard and to wait until all the code has been properly tested. As they commented, they will include it in the next version, FreeBSD 13.1, and it will be compatible with version 13.0 and FreeBSD 12.X. For this reason, pfSense is going to revoke WireGuard support in its firewall for security reasons, to thoroughly check all the code and wait until it is also included in FreeBSD 13.1.
If you are using WireGuard in pfSense, they advised not to use Jumbo Frames, that is, do not modify the WireGuard MTU of 1420, for security reasons. There are currently no vulnerabilities found in the implementation, such as a remote vulnerability or privilege escalation, affecting pfSense users. It is true that they found low-severity issues, but it is unlikely that they could be exploited unless an attacker has already compromised the system.
If you are currently using WireGuard in pfSense, you will stop using it once you upgrade to version 2.5.1. We recommend that you stop using WireGuard from now on, until a verified version with no bugs of any sort is released. If FreeBSD decided not to include it in 13.0, and pfSense decided to end support in a future version, it is because it should not be used yet.
When it becomes available again, we recommend that you visit our complete tutorial on setting up a WireGuard VPN server on pfSense. You can visit the official Netgate blog for the full explanation of this case.