WireGuard Removed from pfSense, March 2021




49 comments
  1. We had already pulled it for different reasons. One of our biggest problems with the implementation was a hub and wheel type of deployment where we had multiple sites connected to one site. The wire guard was constantly crashing; sometimes it would be stable for a month or so, and then other times different sites would crash until we restarted the main device. Hoping they get all their bugs worked out, because it is a wonderful change that was much needed in the industry.

  2. Why? … Also I don't understand why NSD is not available as an authoritative Name Server option on pfsense, since it is much faster, better coded and a lot more secure than BIND

  3. Well, isn't that WireGuard's fault? They essentially provided you a pair of shoes without proper laces. No plans to use WireGuard. Will stick with OpenVPN and ECC. There's a saying…better the devil you know than the one you don't. The future still holds promise for them though…we shall see.

  4. this is not a problem with wireguard… this is a problem with the garbage implementation pfsense tried to force into the freebsd kernel… the takeaway isn't "don't use wireguard"… it's "don't trust pfsense"… you can safely use wireguard on linux where it's properly implemented… nice job shilling for pfsense tho and trying to make wireguard look like the bad guy instead of them…

  5. Ugh, programmers have huge egos. They won't be happy unless they write it themselves – there's a point made on their follow up post – "We at Netgate, and I personally, tried to engage their effort, only to be rebuked by them."

  6. Hey Tom, would love to see you do an updated video on this now that more information has come out. From what I've gathered, this again seems like Netgate's mistake with not dealing with / addressing issues – and then coming out on the attack. (The fact that the code netgate paid for was so terrible is entirely their responsibility. Not even addressing the drama surrounding their choice of developer, the fact that Wireguard's creator went out of his way to reimplement the FreeBSD code after realizing how terrible netgate's code was says way more than all of the blog posts and articles surrounding this drama).

    I am only still on pfsense due to your videos (not a network engineer). I've already stopped supporting them financially, but this is the end of the line for me. I'm moving to OPNsense. This is not some tantrum-throwing decision. I don't have any customers that I'm responsible for (home network), so I can take some downtime to get my system up and running. If things break, I can spend time to fix them without having it affect others. And since I have the option, and I'm decidedly uninterested in pfsense, I can take the leap.

    While I would love to see you do videos on opnsense, I understand it isn't in your wheelhouse so that is unlikely. I will definitely keep watching your videos, but I just wanted to thank you for the last few years and keeping my network running. Hopefully I've absorbed enough knowledge to get myself off the ground with a new firewall.

    All the best.

  7. Because it's still in experimental phase on bsd, I'm not sure why you would ever turn this on at your firewall. Instead I just started running this on a cheapo compute stick running ubuntu behind pfsense in 15 minutes and it is awesome. Yes, fun experimenting, and wireguard works much better than openvpn for Android on tmobile, but until it gets into a real production state on bsd it's an absolute security risk.

  8. I read everything here and came to the conclusion this is a pissing contest started by a guy who is upset he was not allowed to cash in on his creation (which I kind of empathize with)

  9. Weird video, Lawrence seems to have a huge downer on Wireguard, he should really have prefixed at the end that Wireguard shouldn't be used on Pfsense yet. I use it on EdgeRouters and it's absolutely brilliant, the most stable VPNs I've ever used.

  10. PLEASE NOTE:- From what I have discovered, it is the Freebsd kernel implementation (which PFsense is based on) that is regarded as unsafe by the original wireguard developer. Thus Netgate (PFsense developer) are advising not to use. Hope that clarifies.

  11. Same here. I just upgraded 2 days ago from 2.4.5. I was holding off until some issue was found. Guess I didn't wait long enough.
    I'm a home user and use wireguard for basic home access. Now I have it working fine on 2.5 at the moment. Not sure what the problem is which caused them to take this action. I was previously using the community based wireguard setup using the package from github and wireguard has been fine for me for the past year.
    I'm going to be remote for the next three months in a few days so can't really revert back anymore, so I hope it continues to work for me. Do we know if there is a functional issue or a security issue in this release?

  12. I literally just downloaded and did a fresh install 4 hours ago. As my stupid employer uses watchguard and they didn't pay the company so they pulled the plug on them. Pfsense has literally saved them. I just haven't worked out how to run 2 different modems as one

    I will stop the wireguard now and get open VPN set up for the home workers

  13. I'm glad we're using Untangle currently as Wireguard is extremely handy and I've been moving lots of users over to it. It'd suck to have to tell them to stop using it now.

    Hopefully they can get this fixed.

  14. Why are you bashing wireguard constantly and not just the wireguard implementation in pfsense? That kind of dishonesty, while it looks in line with pfsense team behaviour, makes me wonder about your honesty in other subjects.

  15. What do you mean don't use WireGuard? You should say don't use pfsense, it was netgate that hired a shitty programmer to port it and ended up with trash code… Wireguard devs tried to fix it. This is entirely on netgate and pfsense for trying to push preschool code to production, not WireGuard who did what they could to prevent that shit code from tarnishing their application's image. 2.5 admins podcast did a great breakdown of this, I suggest you listen to it. The code was absolute dogshit. DO NOT USE PFSENSE! They obviously have a shit code review process. You really should correct your inaccurate, clickbait thumbnail. Your take is wrong and I'm done with your videos if this goes uncorrected.

  16. I assume a lot of us are wondering if you will still continue to deploy pfsense in the field going forward? There's so much drama going around that blog post and so many people "ditching" pfsense for opnsense or even untangle, which is paid

  17. Why do you say "Don't use wireguard. […] Turn off ANY implementation of it"? These issues are only related to freebsd/pfsense, right? So openbsd, linux implementations etc. are not affected by this?

  18. considering the problems with unbound and the "closing the source" announcement…netgate is….concerning.
    I set up actual dual pfsense failover…but that does fuck all when only unbound DNS dies.

  19. Just don't use pfSense. Simples. Nothing wrong with user mode Wire Guard except less performance. Other projects including one whose name starts with O use it successfully and will move to kernel mode when it reaches the kernel.

  20. Netgate is so immature and stupid and I'm glad I went with OPNsense. OPNsense (and pfSense should've done this too…) uses the wireguard-go implementation which has been available since 2019 for FreeBSD and is stable. It just runs in userspace instead of at the kernel level, so will not be as efficient but at least it isn't steaming hot garbage.

  21. I think you should've been more clear in the video that this only impacts the BSD implementation of Wireguard. From what I understand, the Linux implementation, or the userspace version, has none of these issues.

  22. Lawrence … Could you and BBCan( pfblocker dev ) fork pfsense and take over ?
    pfblocker is the main package for pfsense … He has got a patreon channel …
    U have a patreon channel …

    Get a patreon channel for pfsense or just get donations / subscriptions …

    We need to read all these warning signs and fork pfsense ?

    Guys, upvote this if you believe we need to fork pfsense before we get dumped like CentOS …

  23. I just looked at the FreeBSD release schedule. Roughly speaking, a point release from a version x.0 to a version x.1 takes about 10 months (just looking at recent releases, not averaging back to 1.0). So users could be waiting 10 months+ until WireGuard officially makes it into the FreeBSD kernel.

    https://www.freebsd.org/releases/

    pfSense is definitely very solid and a much better firewall than a COTS appliance (including UniFi, some say). But I'm wondering if a Linux router/firewall with native kernel support for WireGuard is the way to go?

    Tom, can you say more about why you are devoted to pfSense?

    Tom, WireGuard aside, is pfSense really the all-around best choice? Have you reviewed any other free, open source, public license firewalls? I realize that you can do whatever you want and that you are at no obligation to do so. But this might be good time to do some comparisons.

  24. So in the end, this is something that is clear for anyone that saw more than 10 videos of Lawrence Systems. He is married and slave to Pfsense.
    Now a Well researched OpenSource System, decided to label Netgear and Pfsense as a Noobs that can't clean code.
    What Lawrence Systems will try to do now is wash their faces telling you to not get Wireguard when the problem is Pfsense.
    Remember this D'Artagnan lookalike, is Knowledgeable but he wants to make a profit from you, and because he is like the Pfsense Ambassador over the internet (Or at least it seems), he needs to save face.

    Why he would recommend to you to use OpnSense if he can profit for all the private links? How he would teach you about "networking security" when he decided to side with a bunch of "security" programmers that decided that the proper way of coding is to not care about their own securities issues.

    Is it all out for you to decide. This is the last straw I needed to cross this channel out as a seller instead as an informer. Seems that lobbying for Louis XIII is not a way of living anymore for a musketeer

  25. Well, this is not good news, but I hope they can solve the issues found and Wireguard comes back to pfSense. I was planning to start using wireguard for some clients in order to have a second alternative instead of OpenVPN. On the other hand, thanks for the video and for giving us a clearer explanation about that!

  26. I wonder how this malignancy of "code" made it through review in the first place… It's really casting a dark shadow on pfSense going closed source for parts of its product.

  27. Oh shit … procrastination pays off as I was meaning to get this set up. Thanks for the update which will save me some wasted time and effort.
