The FreeBSD source tree has been modified with a new VPN WireGuard implementation based on kernel module code jointly prepared by the core FreeBSD and WireGuard development teams with input from Jason A. Donenfeld, author of VPN WireGuard, and John H. Baldwin ), a well-known developer of GDB and FreeBSD, who implemented SMP and NUMA support in the FreeBSD kernel in the early 2000s. Once a driver is accepted into FreeBSD (sys/dev/wg), it will be developed and maintained in the FreeBSD repository from now on.
Before the code was accepted, a full review of the changes was conducted with the support of the FreeBSD Foundation, during which the interaction of the driver with the rest of the kernel subsystems was also analyzed and the possibility of using the cryptographic primitives provided by the kernel was evaluated.
To use the cryptographic algorithms required by the driver, the FreeBSD kernel crypto subsystem API was extended, to which a binding was added that allows using algorithms not supported in FreeBSD through the standard crypto API, using the implementation of the necessary algorithms from the libsodium library. Of the algorithms built into the driver, only the code for calculating Blake2 hashes is left, since the implementation of this algorithm provided in FreeBSD is tied to a fixed hash size.
In addition, during the review process, code optimization was carried out, which made it possible to increase the efficiency of load distribution on multi-core CPUs (uniform balancing of the binding of encryption and packet decryption tasks to CPU cores was ensured). As a result, the overhead of processing packets was brought closer to the implementation of the driver for Linux. The code also provides the ability to use the ossl driver to speed up encryption operations.
Unlike the previous attempt to integrate WireGuard into FreeBSD, the new implementation uses the stock wg utility, rather than a modified version of ifconfig, which allowed for a unified configuration between Linux and FreeBSD. The wg utility, as well as the driver, is included in the FreeBSD sources, made possible by a license change to the wg code (the code is now available under MIT and GPL licenses). The last attempt to include WireGuard in FreeBSD was made in 2020, but ended in a scandal, as a result of which already added code was removed due to low quality, careless buffer handling, use of stubs instead of checks, incomplete implementation of the protocol and violation of the GPL license.
Recall that VPN WireGuard is implemented on the basis of modern encryption methods, provides very high performance, is easy to use, devoid of complications and has proven itself in a number of large deployments that process large amounts of traffic. The project has been developing since 2015, passed the audit and formal verification of the encryption methods used. WireGuard uses the concept of encryption key routing, which involves binding a private key to each network interface and using public keys to bind.
The exchange of public keys to establish a connection is similar to SSH. To negotiate keys and connect without running a separate user-space daemon, the Noise_IK mechanism of the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data transmission is carried out through encapsulation in UDP packets. It supports changing the IP address of the VPN server (roaming) without breaking the connection with automatic client reconfiguration.
Encryption uses the ChaCha20 stream cipher and the Poly1305 message authentication (MAC) algorithm developed by Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, the software implementation of which allows achieving a fixed execution time without involving special hardware support. To generate a shared secret key, the Elliptic Curve Diffie-Hellman protocol in the Curve25519 implementation, also proposed by Daniel Bernstein, is used. For hashing, the BLAKE2s algorithm (RFC7693) is used.
Source: opennet.ru