December 16, 2022

When sending out an article, blog post, or newsletter, we at the Foundation always have a second (or third or fourth) pair of eyes review it. Is the messaging working as intended? Does the structure make sense? Are we getting the point across? Software development work is no different. More often than not, other developers will come in to review and update work previously done by someone else. That second pair of eyes is invaluable. It allows for a different perspective and many times gets those pesky problems solved more quickly. The FreeBSD Foundation often funds work in this very vein. We fund developers to take software that is running into issues and update it. Case in point: earlier this year, we funded work to update the FreeBSD Kernel WireGuard Port.

WireGuard’s simplicity makes it an elegant VPN solution. This general-purpose VPN tunnel is fast and lean, and provides a good alternative to existing tools like IPsec and OpenVPN. An updated version for FreeBSD ships out-of-the-box in the next release, thanks to the Foundation’s support. 

“The main advantage of WireGuard over other existing solutions, like IPsec, or something like OpenVPN, is that WireGuard is rather simple to configure and use, especially for the simple point-to-point kind of single client setups. It’s very simple to get started,” says John Baldwin, a long-time project contributor and paid consultant. The FreeBSD Foundation contracted him to complete the integration of the updated driver for FreeBSD.

A few issues led to the removal of the earlier version of the FreeBSD Kernel WireGuard Port from the tree. However, development work continued in a separate repository, and John picked up the work from there. Baldwin’s task, both self-imposed and supported by the Foundation, was to review the old driver and update it with the goal of bringing it back to the FreeBSD tree. He found that its use of cryptography, and its implementations of the different cryptographic algorithms, were sound. Further, he could build upon that foundation.

“It also worked on extending the driver a bit more to integrate with the cryptography services that previously ships in its kernel already, and which allowed for more optimized and more performant versions of the cryptography, such as the way it encrypts each packet that goes on the wire, for example,” Baldwin explained.

The updated driver was made available to users as an import prior to the official release, in which it is fully integrated into the FreeBSD base system.

WireGuard is designed to be implemented in a few lines of code, which makes it highly auditable for security vulnerabilities. It works by adding a simple network interface that is managed with ordinary network utilities.

WireGuard combines extremely fast cryptographic primitives and lives inside the kernel. Key features include a light footprint, cryptokey routing and built-in roaming. It is also container ready.

The FreeBSD Foundation recognized the importance of this port and elected to fund John’s work to bring the updated version to life faster. The Foundation is a 501(c)(3), US-based, non-profit organization that supports and promotes the FreeBSD Project and community worldwide. Funding comes from individual and corporate donations. The Foundation uses the donations to fund and manage projects, fund conferences and developer summits, and provide travel grants to FreeBSD developers.

Funding the development and integration of WireGuard VPN falls under the Foundation’s ongoing efforts to make operating system improvements.

– Contributed by Pam Baker and Anne Dickison