NetBSD-Users archive


Re: starting off with wireguard



Greg Troxel <gdt%lexort.com@localhost> writes:

> I have been sort of following for a long time, and am now trying to
> configure wg.
>
> I find that "pseudo-device wg" is required in the kernel (no surprise!)
> but am surprised by:
>
>    - it's not available as a module in 10 or 11

% ls -l /stand/amd64/10.0/modules/if_wg/
total 82
-r--r--r--  1 root  wheel  82880 Mar 30  2024 if_wg.kmod

Seems to be there in 10.  However, I do vaguely remember that it might
have some loading problems in some cases....  I have a system that has
IPv6 compiled out and I am not sure that the module would load in that
case.  Maybe something to do with DTRACE too...  been a while and I
don't remember all of the details.

>    - it's not in GENERIC for amd64 in 10 or 11
>    - it's not in GENERIC for evbarm anything in 10 or 11
>
> Is this a clue that?
>
>    - I'm confused.
>    - wg is really not baked (the "EXPERIMENTAL" label) and people
>      believe it is flaky or likely does not provide the confidentiality
>      one expects.
>    - wg is believed fine and many use it but for some good reason people
>      think you should have to build a kernel.
>    - wg is believed fine and nobody has gotten around to adding it.
>
> In my case, I'm more looking for circumvention of clumsy/IT-trendy
> censorship, where they let you connect to anything on 443 and block nerd
> protocols (because proles accessing Facebook is wholesome, apparently).
> So I'm not super concerned about confidentiality.
>
> Related, it seems wg is UDP only, and assuming that's true, what ports
> do people find is most likely to work in semi-censored environments?

I use if_wg all of the time and it interacts just fine with a VPN
provider I use that offers Wireguard on their end.  In fact, it works
very well in that use case for me and I honestly could not be more
pleased.  Someone needs a beer / sake / wine / etc for that work.


I think I understand some of your use case; you can poke me off list for
what I theoretically may have done in a similar situation.  If you are
connecting back to a system that is under your control you might find
that OpenVPN works better as you will be able to very much control
exactly which ports are being used for the VPN / tunnel and which
protocol family the tunnel rides in.




-- 
Brad Spencer - brad%anduin.eldar.org@localhost

