pfSense Operating System Retires WireGuard for Security Reasons

FreeBSD recently introduced WireGuard support in its kernel, as we explained in a recent article. However, it has since been found that the WireGuard implementation is not as secure as it should be, and the FreeBSD developers have decided not to include it in the upcoming release for the time being. This directly affects pfSense, the firewall and router oriented operating system based on FreeBSD, which had already incorporated WireGuard in pfSense 2.5.0.

pfSense removes support for WireGuard

The pfSense development team introduced a kernel-mode WireGuard implementation in version 2.5.0, both in pfSense CE 2.5.0 and in pfSense Plus 21.02. As a result of a series of problems that we will explain shortly, questions and many concerns have arisen about the security of the WireGuard implementation in pfSense, so they have decided to withdraw support in the next maintenance release, pfSense 2.5.1. Since kernel-mode WireGuard has been temporarily removed from FreeBSD until all the underlying bugs are fixed, the pfSense development team has done exactly the same thing: removing WireGuard in the next release, with the goal of waiting for a full patch of the source code and also a thorough audit to determine whether there are security flaws.


The team behind pfSense has stated that as soon as FreeBSD reintroduces kernel-mode WireGuard into the operating system, they will re-evaluate incorporating this popular VPN again. That is, right now in version 2.5.0 WireGuard is available for use, but soon, in version 2.5.1, they will retire it, just as FreeBSD has done.

What happened to the WireGuard source code for FreeBSD?

Netgate, the company behind the pfSense project, commissioned a developer to implement WireGuard for FreeBSD in kernel mode, in order to provide the best possible performance, as is currently the case with kernel-mode WireGuard on Linux. It seems that this developer’s implementation is not as good as it should be. Other developers had been reviewing the source code to fix all the problems before the release of FreeBSD 13.0, but decided instead to wait and review everything more carefully, rather than releasing it to the whole world with possible implementation and/or security flaws.

The WireGuard VPN is already in Linux

The FreeBSD 13.0 development team decided not to incorporate WireGuard, and to wait until all the code has been properly audited. As they have commented, they will incorporate it in the next version, FreeBSD 13.1, with compatibility for version 13.0 and FreeBSD 12.X. For this reason, pfSense is going to withdraw WireGuard support from its firewall for security reasons, to thoroughly review all the code, and to wait until it is also included in FreeBSD 13.1.

If you use WireGuard in pfSense, they have advised not to use Jumbo Frames, that is, not to change the WireGuard MTU from its default of 1420, for security reasons. So far no vulnerability has been found in the implementation, such as a remote vulnerability or one capable of elevating privileges for pfSense users. It is true that they have discovered low-criticality problems, but these are unlikely to be exploitable unless an attacker has already compromised the system.

If you are currently using WireGuard in pfSense, as soon as you update to version 2.5.1 you will no longer be able to use it. Our recommendation is that you stop using WireGuard from now on, until an audited version is released, free of bugs of any kind. If they have decided not to incorporate it in FreeBSD 13.0, and to withdraw support in the upcoming version of pfSense, it is because it should not be used yet.

When it becomes available again, we recommend that you visit our complete tutorial on setting up a WireGuard VPN server in pfSense. You can also visit the official Netgate blog, where you will find all the explanations about this case.