Config for the kernel-module-based wireguard service

Hi all!
Is it possible to load the wg-interface configuration through a setting in rc.conf without using the devd hook?
On FreeBSD v.14 my wireguard service runs with this config:

Bash:
# cat /boot/loader.conf | grep wg
if_wg_load="YES"
#
# cat /etc/rc.conf | grep wg
cloned_interfaces="wg"
ifconfig_wg0="inet 192.168.68.1 netmask 255.255.255.240"
#
# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ****************************************=
ListenPort = 45045

[Peer]
# HomeDesktop
PublicKey = *****************************************=
AllowedIPs = 192.168.68.2/32

[Peer]
# HomePad
PublicKey = ...

To load the wireguard config file, I needed to create a ``devd`` hook file:
Bash:
# cat /etc/devd/wireguard.conf
notify 0 {
    match "system"    "IFNET";
    match "type"      "LINK_UP";
    media-type        "unknown";
    action ". /etc/rc.subr
            . /etc/network.subr
            load_rc_config network
            if autoif $subsystem && [ -r /etc/wireguard/$subsystem.conf ]
            then
                    grep -vE '^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown)[[:space:]]*=' /etc/wireguard/$subsystem.conf |
                            wg setconf $subsystem /dev/stdin
            fi";
};

Question: is it possible to load the interface configuration through a setting in rc.conf without using the devd hook?
 
Wireguard does, but it is deemed insecure, deprecated and no longer supported. It is recommended to use the kernel module and driver 'wg'.
 
Wireguard does, but it is deemed insecure, deprecated and no longer supported. It is recommended to use the kernel module and driver 'wg'.
I am referring to the init script installed by net/wireguard-tools, which, as far as I know, is not deprecated, nor insecure.

/etc/rc.conf
...
wireguard_enable="YES"
wireguard_interfaces="wg0"
...
wireguard_interfaces can take multiple arguments, creating multiple Wireguard interfaces and the names correspond to the files in /etc/wireguard with '.conf' appended.

Try just this and see how it works.
 
You're right! It seemed to me that wireguard-tools was included in a common dependent package wireguard and could not be installed separately. Thanks for the idea, I'll check it out.

Bash:
# cat /etc/rc.conf | grep "wg\|wire"
#cloned_interfaces="wg"
#ifconfig_wg0="inet 192.168.68.1 netmask 255.255.255.240"
wireguard_enable="YES"
wireguard_interfaces="wg0"

With the config at ``/etc/wireguard/wg0.conf`` everything works as expected, with one small change - a line specifying the IP address has been added to the configuration file ``wg0.conf``
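
The keys the devd hook filters out before `wg setconf` are the ones wg-quick(8) adds on top of the wg(8) format, and the address line mentioned above is one of them. The following is an added example, not code from the thread: it splits such a file into the part `wg setconf` accepts and the `Address` values; the sample config, its /28 address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate wg-quick-only settings from the wg(8) part of a config.

# Keys only wg-quick understands; same list as the grep in the devd hook.
WGQUICK_KEYS='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown'

# stdin: wg-quick style config; stdout: config that `wg setconf` accepts.
strip_wgquick() {
    grep -vE "^[[:space:]]*(${WGQUICK_KEYS})[[:space:]]*="
}

# stdin: wg-quick style config; stdout: one Address value per line
# (a single Address line may carry a comma-separated list).
extract_addresses() {
    sed -nE 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d'
}

# Constructed sample input (placeholder keys, not real key material).
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=
Address = 192.168.68.1/28
ListenPort = 45045

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 192.168.68.2/32
EOF
}

echo "--- what would be passed to 'wg setconf' ---"
sample_conf | strip_wgquick
echo "--- addresses the interface still needs from elsewhere ---"
sample_conf | extract_addresses
```
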
 
It seemed to me that wireguard-tools was included in a common dependent package wireguard and could not be installed separately.
net/wireguard is a meta-package that installs net/wireguard-kmod, wireguard-tools, and net/wireguard-go (I think that's all). The package is not the old Wireguard implementation, which I think you may be talking about.

I just now learned:
According to this thread, only net/wireguard-tools is needed, just for the init script. I guess you can only install that if it matters.
 
With the config at ``/etc/wireguard/wg0.conf`` everything works as expected, with one small change - a line specifying the IP address has been added to the configuration file ``wg0.conf``
By the way, maybe useful if you're unaware, you can have the configuration files be named anything, thus the interfaces, making management of multiple Wireguard interfaces much easier.

I usually name them after their location or the domain of the system they're hosted on.
 
net/wireguard is a meta-package that installs net/wireguard-kmod, wireguard-tools, and net/wireguard-go (I think that's all). The package is not the old Wireguard implementation, which I think you may be talking about.

I just now learned:
According to this thread, only net/wireguard-tools is needed, just for the init script. I guess you can only install that if it matters.
Sorry, I was rather incorrect/uninformed.

Don't install the net/wireguard package, only wireguard-tools. The meta port contains the mentioned net/wireguard-kmod, wireguard-tools, and net/wireguard-go, of which -kmod and -go are no longer needed (since FreeBSD 12).

You were correct about net/wireguard installing the old kernel module, my apologies.
 