net/wireguard: use stock rc script, rename server

[mimugmail]

Finally found the time to move to stock rc script. I renamed Server to Local as it confused many users coming from OpenVPN not understanding why configure server when using as client.

Still stack traces with 11.1 and 11.2 HBSD, reported from port maintainer that it's stable in 12.0 :(

[fichtner]

good for an unreleased 12.0 it seems ;) merged, thanks!

[mimugmail]

@fichtner I now also have a report that it works on stock FBSD 11.2, but 19.1b image crashes :/

[fichtner]

dirty programming vs hardening features :>

[fichtner]

cc @lattera

[mimugmail]

This is the stack trace, something with UFS:

Thx to @decke for debugging ..

[lattera]

This will warrant longer debugging. Do you have steps to reproduce?

[mimugmail]

On OPNsense:

opnsense-code plugins
cd /usr/plugins/net/wireguard
make upgrade

Via UI:

VPN -> WireGuard -> Local:

Add a new instance, leave pub and private empty, Tunnel Address 10.10.61.10/24, Save

Go to Endpoints, add an endpoint, give pubkey

T28Qn5VFzT4wiwEPd7DscwcP3Rsmq23QcnjH1N5G/wc=

Shared secret empty, endpoint se1.wg.azirevpn.net, port 51820.

Go back to Local, open your instance and on dropdown Endpoints choose the one and save.

Then go to General and enable WireGuard.

Now when you restart (just hit Apply/Save) for a couple of times you'll get a stacktrace .. sometimes it takes 20 restarts, sometime only 2. Tested with 18.7 and 19.1b.

[mimugmail]

I installed FreeBSD 11.1 with ZFS and bootstrapped to OPNsense .. error seems to be gone but with exactly every second restart of wireguard I get the following (and wireguard doesn't start):

root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:33 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.2BxwrRHk/sh-np.LsW0oP
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 193.180.164.58 -gateway 81.24.66.129
[+] Backgrounding route monitor
root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:36 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.514T1VvR/sh-np.8skRrC
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
cp: /dev/null.bak: Operation not supported
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] rm -f /var/run/wireguard/wg0.sock
root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:39 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.mLONnkfF/sh-np.VFvLL3
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 193.180.164.58 -gateway 81.24.66.129
[+] Backgrounding route monitor
root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:41 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.l81stWjW/sh-np.8psznG
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
cp: /dev/null.bak: Operation not supported
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] rm -f /var/run/wireguard/wg0.sock
root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:43 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.uBL4Lrz7/sh-np.myBSvf
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 193.180.164.58 -gateway 81.24.66.129
[+] Backgrounding route monitor
root@OPNsense:/usr/plugins/net/wireguard # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/12/09 06:44:45 Starting wireguard-go version 0.0.20181018
[#] wg setconf wg0 /tmp/tmp.fdtyQ05s/sh-np.gy5dEf
[#] ifconfig wg0 inet 10.10.9.61/19 10.10.9.61 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
cp: /dev/null.bak: Operation not supported
local_unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
[#] rm -f /var/run/wireguard/wg0.sock

[lattera]

Have you tried running Wireguard on stock HardenedBSD? I'm thinking of filing a bug report with Wireguard.

[decke]

@lattera: You probably haven't noticed that wireguard is a pure userland (Golang) implementation. From the stacktrace it seems that removing a pidfile or unix socket ends in a UFS kernel panic. I don't see how filing a wireguard bug would help here.

[mimugmail]

@lattera I just setup stock HardendBSD on UFS and installed WireGuard. Can not reproduce the error.
@fichtner mentioned something with tunefs which might only OPNsense related .. I'll do some more testing when time allowes.

[lattera]

@decke Ah. I don't know anything about Wireguard, other than it's a new VPN tech.

@mimugmail That makes sense. HardenedBSD hasn't made any changes to the filesystems supported by FreeBSD. Thank you for trying to reproduce with stock HardenedBSD.

@fichtner How does OPNsense use tunefs? Perhaps @mimugmail can try running tunefs on his HardenedBSD setup then starting Wireguard. FreeBSD did introduce changes to UFS between 11.1 and 11.2.

[fichtner]

same as FreeBSD simply to enable softdep... need to run a side by side test and isolate the cause... it all revolves around https://github.com/WireGuard/WireGuard/blob/master/src/tools/wg-quick/freebsd.bash IMO

[decke]

We got a bugreport with a stock FreeBSD 11.2 that seems to trigger a similar or the same issue.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233955