NetBSD-Users archive
Re: starting off with wireguard
> From: Greg Troxel <gdt%lexort.com@localhost>
> Date: Wed, 18 Mar 2026 19:30:34 -0400
>
> I find that "pseudo-device wg" is required in the kernel (no surprise!)
> but am surprised by:
>
> - it's not available as a module in 10 or 11
> - it's not in GENERIC for amd64 in 10 or 11
> - it's not in GENERIC for evbarm anything in 10 or 11
>
> Is this a clue that?
>
> - I'm confused.
> - wg is really not baked (the "EXPERIMENTAL" label) and people
> believe it is flaky or likely does not provide the confidentiality
> one expects.
> - wg is believed fine and many use it but for some good reason people
> think you should have to build a kernel.
> - wg is believed fine and nobody has gotten around to adding it.
wg(4) is available as a module `if_wg' on all ports that have modules.
As experimental new code, it was originally intentionally not enabled
in any GENERIC kernel by default, and it was supposed to require an
explicit step to `modload if_wg' or put if_wg in /etc/modules.conf
(except for the part where I forgot that module autoloading is a thing
and never got around to blocking module autoload of if_wg.kmod).
The remaining issues are mainly:
1. the state machine is underspecified in the protocol, and has race
conditions that lead it to get stuck sometimes (PR 56252)
2. our implementation of the state machine may have other issues that
lead it to get stuck sometimes, even aside from the race conditions
arising from underspecified protocol (PR 58559, PR 58560, PR 58938,
PR 58996, PR 59376; likely some overlap in those)
3. the DoS-prevention implementation is suboptimal, partly because the
spec is unclear, partly because neither I nor ozaki-r have gotten
around to fixing it
4. some quirky route and address configuration issues (PR 58016,
PR 59097, PR 59133)
5. the crypto code doesn't have satisfactory self-tests (PR 58468,
PR 58501, PR 58851)
6. minor issues (PR 58023, PR 58024, PR 58477, PR 58499, PR 58500)
None of the known issues affect authentication or confidentiality.
I've been using wg(4) daily for years, and the main issue I hit is
that it gets stuck once every few weeks or months requiring taking the
interface down and back up again, usually when changing networks.
Haven't gotten around to digging further into it.
> In my case, I'm more looking for circumvention of clumsy/IT-trendy
> censorship, where they let you connect to anything on 443 and block nerd
> protocols (because proles accessing Facebook is wholesome, apparently).
> So I'm not super concerned about confidentiality.
>
> Related, it seems wg is UDP only, and assuming that's true, what ports
> do people find is most likely to work in semi-censored environments?
I use port 51820 and I have sometimes been surprised that it is let
through on some otherwise restricted networks (e.g., blocking ssh), but
this is anecdote, not data.
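The reply above notes that wg(4) lives in the `if_wg` module, which can be loaded with `modload if_wg` or listed in /etc/modules.conf, and that nothing currently blocks autoload. Below is a small added helper script (not code from the thread or from NetBSD) for checking both sides of that: whether `if_wg` shows up in modstat(8) output, and whether a modules.conf-style file lists it for boot-time loading. It assumes modstat's format of one module per line with the name in the first column; the file path is a parameter so the function can be exercised on a scratch copy rather than the real /etc/modules.conf.

```shell
#!/bin/sh
# Added example, not from the thread: check and persist if_wg module loading.
# Assumes modstat(8) prints a header line followed by one module per line
# with the module name in the first column.

# wg_module_loaded: read modstat(8) output on stdin; exit 0 if if_wg is listed.
# Typical use:  modstat | wg_module_loaded && echo "if_wg is loaded"
wg_module_loaded() {
    awk 'NR > 1 && $1 == "if_wg" { found = 1 } END { exit found ? 0 : 1 }'
}

# ensure_modules_conf FILE: append "if_wg" to a modules.conf-style file
# (one module name per line) unless it is already present, so the module
# is loaded at boot without relying on autoload. Idempotent.
ensure_modules_conf() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^[[:space:]]*if_wg[[:space:]]*$' "$conf"; then
        return 0
    fi
    printf 'if_wg\n' >> "$conf"
}
```

On a live system the usual invocation would be `modstat | wg_module_loaded` and `ensure_modules_conf /etc/modules.conf` as root; the functions deliberately take their input from stdin and a path argument so they can be tried against sample data first.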