Thanks for the shoutout and kind words. Just trying to do my part to make sure the WG implementation on pfSense (and FreeBSD distro in general) can run as smoothly as possible :) I tested for the handshaking issue on 0.1.5_2 and it seems to be resolved with the upstream kernel module fix that was included. Redmine bug report has been updated with my findings. Thanks for keeping on this one, it is really appreciated!
Finally, ZFS out of the box! This will save a step in my process of deploying negate hardware - not having to reflash the appliances to reconfigure with ZFS.
Update 2: WireGuard Package 0.1.5_3 will be built tonight for all branches, including stable CE 2.5.2 and Plus 21.05.2. Update: WireGuard Package 0.1.5_2 is now available. We will let it incubate in devel for a week or so before updating the package in the latest stable branches. As always, let us know if you run into any questions Correction: For those of you running the development snapshots for either pfSense Plus or CE, expect to find an update to the WireGuard package available starting tomorrow (11/5). This update includes a few patches to the kernel module, which will hopefully fix the handshaking issue that I talked about starting at 43:26. The package version to look for is 0.1.5_2 and the kernel module is version 0.0.20210606_2. These are queued up and will be built later tonight as part of our normal build process. This update only impacts the handshake bug.
If I remember right, the WG package used to leave configuration change save points in "Backup and restore" when you bring the interface up. I think it was something to do with the DNS Resolver binding to the WG interface. Will that always have to remain that way as a package? Cheers.
I'm trying to think here... I know at one point I was writing and commiting to the configuration system pretty often, even when those writes could (and should) be batched and committed at once, thus not causing tons of unnecessary config change spew. We tightened that up so it shouldn't be writing nearly as often as it used to. Does that answer your question?
@@ChristianMcDonald Thanks Christan! Kind of. I recall you saying in one of your Project Reports, something to the effect of the config saves being a result of using the DNS resolver on WG interfaces using the package. I don't otherwise get new save points using OpenVPN or the old 2.5.0 implementation, unless I make a deliberate change to my pfSense configuration. Will the package always create new save points? If so what generates them?
I'm a small fry. Use pfsense with wireguard for my vpn.ac connection for my home on an old spare pc with nice nics. Pc is so old that I gotta replace the cmos battery next time I schedule downtime. I may not understand the underlying code but love that you explain it so that I can follow along! Great vid. Appreciate the tree gui thingy. Kudos
It’d be good if you say something about bugs reported and bugs fixed. In particular we discussed the annoying issue that WG blocked all network on iPhones after some time in use. Was it reproduced or fixed? Thx
Oh for sure, the issue you are referring to might be addressed in an update to the kernel module. Check out the update if you're running development snapshots
That is something that would need support down in the kernel module code. It is something being discussed, but nothing we can do easily in the frontend pfSense code to facilitate this. Depending on your use-case, you can create a static route in pfSense to send traffic to your remote WireGuard peer endpoint out a particular gateway. Just create a static route with /32 or /128 route. That's the best we can do at this point.
Christian, Hi. There are tons of improvements are needed in pfSense starting with UI optimization. Menu's all across needs to be classified logically. Web filtering needs to be improved a lot. Currently you can not make aliases based on mac addresses [ where as opnsense can do this. ] . You can not create policies [ Similar to Sophos ] . kvm-guest-tools package is not available [ requires for virtulisation ] . Hope you will look into long required features / issues. But I must admit pfSense is THE best.
The new/improved widgets are slick. There are many places in the UI that can benefit from a streamlined implementation of treegrid. I also suspect the monitoring page is due for review. 22.01 is shaping up to be a golden release! Regarding the video in general, I sit through all of the rambling, but I would certainly welcome less of it lol. Regardless, thanks for continuing the progress videos.
Probably appropriate for deep dive branch series and a shorter "TL:DR" series, or I just need to get back on a regular cadence so there isn't an hour's worth of backlog material to talk about next time ha
Thank you for taking the time to make this video - it helped me out a lot.
Thanks for the shoutout and kind words. Just trying to do my part to make sure the WG implementation on pfSense (and FreeBSD distro in general) can run as smoothly as possible :)
I tested for the handshaking issue on 0.1.5_2 and it seems to be resolved with the upstream kernel module fix that was included. Redmine bug report has been updated with my findings. Thanks for keeping on this one, it is really appreciated!
I listened for the hour. Thanks for all the great info
Ha dedication right here! Thanks!
This is golden, landed here from Lawrence systems video on wireguard
Welcome!
Finally, ZFS out of the box! This will save a step in my process of deploying negate hardware - not having to reflash the appliances to reconfigure with ZFS.
Thanks for the update ... Great stuff! :)
Update 2: WireGuard Package 0.1.5_3 will be built tonight for all branches, including stable CE 2.5.2 and Plus 21.05.2.
Update: WireGuard Package 0.1.5_2 is now available. We will let it incubate in devel for a week or so before updating the package in the latest stable branches. As always, let us know if you run into any questions
Correction: For those of you running the development snapshots for either pfSense Plus or CE, expect to find an update to the WireGuard package available starting tomorrow (11/5). This update includes a few patches to the kernel module, which will hopefully fix the handshaking issue that I talked about starting at 43:26. The package version to look for is 0.1.5_2 and the kernel module is version 0.0.20210606_2. These are queued up and will be built later tonight as part of our normal build process. This update only impacts the handshake bug.
Very valuable information! Thank Christian
If I remember right, the WG package used to leave configuration change save points in "Backup and restore" when you bring the interface up. I think it was something to do with the DNS Resolver binding to the WG interface. Will that always have to remain that way as a package? Cheers.
I'm trying to think here... I know at one point I was writing and commiting to the configuration system pretty often, even when those writes could (and should) be batched and committed at once, thus not causing tons of unnecessary config change spew. We tightened that up so it shouldn't be writing nearly as often as it used to. Does that answer your question?
@@ChristianMcDonald Thanks Christan! Kind of. I recall you saying in one of your Project Reports, something to the effect of the config saves being a result of using the DNS resolver on WG interfaces using the package. I don't otherwise get new save points using OpenVPN or the old 2.5.0 implementation, unless I make a deliberate change to my pfSense configuration. Will the package always create new save points? If so what generates them?
I'm a small fry. Use pfsense with wireguard for my vpn.ac connection for my home on an old spare pc with nice nics. Pc is so old that I gotta replace the cmos battery next time I schedule downtime. I may not understand the underlying code but love that you explain it so that I can follow along! Great vid. Appreciate the tree gui thingy. Kudos
Great information!
It’d be good if you say something about bugs reported and bugs fixed. In particular we discussed the annoying issue that WG blocked all network on iPhones after some time in use. Was it reproduced or fixed? Thx
Those finer details will be included in the release notes with the next release
@@ChristianMcDonald imho just as a suggestion if you do 1h update it’d be good to talk about it 😉
Oh for sure, the issue you are referring to might be addressed in an update to the kernel module. Check out the update if you're running development snapshots
Will there be an option to select outbound interface like OpenVPN when multiple WANs (WAN interface or LB interface) are available?
That is something that would need support down in the kernel module code. It is something being discussed, but nothing we can do easily in the frontend pfSense code to facilitate this. Depending on your use-case, you can create a static route in pfSense to send traffic to your remote WireGuard peer endpoint out a particular gateway. Just create a static route with /32 or /128 route. That's the best we can do at this point.
Thank you, Christian!
Good video! I was wondering if pfsense is stil working on a central management tool for multiple devices.
Christian, Hi. There are tons of improvements are needed in pfSense starting with UI optimization. Menu's all across needs to be classified logically. Web filtering needs to be improved a lot. Currently you can not make aliases based on mac addresses [ where as opnsense can do this. ] . You can not create policies [ Similar to Sophos ] . kvm-guest-tools package is not available [ requires for virtulisation ] . Hope you will look into long required features / issues.
But I must admit pfSense is THE best.
Dysbord?
👍👍
The new/improved widgets are slick. There are many places in the UI that can benefit from a streamlined implementation of treegrid. I also suspect the monitoring page is due for review. 22.01 is shaping up to be a golden release! Regarding the video in general, I sit through all of the rambling, but I would certainly welcome less of it lol. Regardless, thanks for continuing the progress videos.
Probably appropriate for deep dive branch series and a shorter "TL:DR" series, or I just need to get back on a regular cadence so there isn't an hour's worth of backlog material to talk about next time ha