1 of 12

WireGuard for NetBSD

ozaki-r@netbsd.org

AsiaBSDCon 2019 NetBSD BoF

21 March 2019

2 of 12

WireGuard

  • Fast, Modern, Secure VPN Tunnel
  • State-of-the-art cryptography
    • x25519 [Curve25519] and HKDF [RFC5869] for ECDH and key derivation.
    • ChaCha20+Poly1305 [RFC7539] for packet authenticated encryption.
    • BLAKE2s [BLAKE2] for hashing.
  • An alternative to OpenVPN and IPsec

3 of 12

Implementations of WireGuard

  • In-kernel implementation
    • For Linux
  • Userspace implementations
    • wireguard-go
      • works on *BSD
    • wireguard-android
    • wireguard-ios
    • wireguard-windows (WIP)

4 of 12

WireGuard for NetBSD

  • In-kernel implementation
  • Import libb2 and libsodium
    • libb2: BLAKE2s
    • libsodium: Curve25519 and ChaCha20+Poly1305
      • HACL* might be better
  • Userland tools
    • wgconfig
    • wg-keygen
  • ATF tests utilizing rump kernels
    • They can be used for interoperability tests with Linux
      • virtif(4) lets a rump kernel talk to the outside world via tap

5 of 12

WireGuard for NetBSD (cont.)

  • Userspace implementation (WIP)
    • built from the same source code as the in-kernel one
      • thanks to rump kernels (again)
    • wg-userspace for managing an instance

6 of 12

Usage

  # Create and set up an interface
  ifconfig wg0 create
  ifconfig wg0 inet 10.0.0.1/24
  # Generate a pair of private and public keys
  wg-keygen > ./privkey
  cat ./privkey | wg-keygen --pub > ./pubkey
  # Configure the interface
  wgconfig wg0 set private-key ./privkey
  wgconfig wg0 set listen-port 52428
  # Add a peer
  wgconfig wg0 add peer peer0 "2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs=" --endpoint=192.168.0.2:52428 --allowed-ips=10.0.0.0/24
  # Try to send packets to the peer
  ping 10.0.0.2
  # Delete the peer
  wgconfig wg0 delete peer peer0

7 of 12

Usage of wg-userspace (WIP)

  # Create an instance
  wg-userspace 0 create
  # Set up interfaces and WireGuard
  wg-userspace 0 ifconfig wg0 inet 10.0.0.1/24
  wg-userspace 0 wgconfig wg0 set private-key ./privkey
  wg-userspace 0 wgconfig wg0 set listen-port 5242
  ...
  # Destroy the instance
  wg-userspace 0 destroy

8 of 12

Internals of the in-kernel implementation

[Diagram of the in-kernel design; labels recovered from the figure: NetBSD kernel; IP; UDP; wg0; wm0; WireGuard; port X; User traffic; Handshake messages; Data messages; Messages over UDP packets; {Enc,Dec}rypt]

9 of 12

Internals of the userspace implementation

[Diagram of the userspace design; labels recovered from the figure: NetBSD kernel; rump kernel (just a process); IP; UDP; wg0; tun0; port X; libc (socket); WireGuard; {Enc,Dec}rypt; User traffic; Handshake & Data messages; Sync IP addresses, etc.; Communications over sockets/fd]

10 of 12

Current status

  • Implemented basic functionalities
  • Published at github
    • https://github.com/ozaki-r/netbsd-src/tree/wireguard
  • Need some optimizations
    • O(n) operations remain
  • Need code cleanups
  • Need bug fixes
  • Propose to the community at some point
    • Though there are already objections to doing ECDH and key derivation in the kernel

11 of 12

Acknowledgements

  • tih@n.o has been dogfooding it and has found many bugs
  • maxv@n.o audited usages of mbuf

12 of 12

Thanks!