Member
Posts: 125
Registered: ‎06-18-2013
Kudos: 82
Solutions: 2

Release: WireGuard for EdgeRouter

[ Edited ]

@Lochnair and I have ported WireGuard to the EdgeRouter and produced a Vyatta configuration module for it.

 

You can download a release .deb from here: https://github.com/Lochnair/vyatta-wireguard/releases

 

It should be fairly straightforward to install:

 

$ sudo dpkg -i ./wireguard-{VERSION}.deb

 

After this you'll be able to manage and use WireGuard interfaces on the EdgeRouter using the ordinary commands. WireGuard integrates tightly within the EdgeMax configuration system.

 

interfaces {
    wireguard wg0 {
        private-key "iO3YxEZM5KNmdST1XYtv1xQ8AM3y12+/K+QFKY7rflw="
        address "192.168.33.1/24"
        listen-port 51820

        peer "aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4=" {
            allowed-ips "192.168.33.101/32"
            endpoint "example1.example.net:51820"
        }
        peer "GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc=" {
            allowed-ips "192.168.33.102/32,192.168.33.103/32"
            endpoint "anotherexample.example.org:29922"
        }
    }
}

 

@Lochnair will be handling maintenance and updating of this package, though of course I'm happy to address any upstream concerns that EdgeRouter users might have, so feel free to pose any questions here, join the WireGuard mailing list, or come into #wireguard on Freenode.

 

Disclaimer: this is currently snapshot/experimental software and is provided as-is with no warranty of any kind.

Established Member
Posts: 1,671
Registered: ‎02-17-2015
Kudos: 420
Solutions: 44

Re: Release: WireGuard for EdgeRouter

[ Edited ]

@zx2c4 => I suppose this is for now fully CPU based, and CHACHA and POLY are really CPU efficient normally, but did you do any load tests for a simple site-to-site connection, to compare with the current offloaded IPsec?

 

 

Note: this is just for me, not to say it's a bad idea, it's actually a really good idea ;-)

Member
Posts: 125
Registered: ‎06-18-2013
Kudos: 82
Solutions: 2

Re: Release: WireGuard for EdgeRouter

I haven't even begun optimizing for the EdgeRouter's architecture. I'll need to write MIPS64 primitives and maybe even figure out how to utilize the offloading chip. The EdgeRouter kernel does not have CONFIG_PADATA, which means we're stuck to one CPU per flow, instead of nicely parallelizing encryption across all CPUs. I'll be able to get that aspect sorted eventually though. Completely unoptimized on my ERL3, I get around 80 mb/s, which isn't bad for a first run. But it's nowhere near the performance it should be getting and eventually will be getting. This benchmark will only get faster, of course.

Ubiquiti Employee
Posts: 2,971
Registered: ‎08-08-2016
Kudos: 2715
Solutions: 229

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Good stuff, thanks much for your efforts @zx2c4. PMed you to see if I can get you any additional hardware to assist. 

 

I'm not sure offhand if there is a reason for not having CONFIG_PADATA, but will find out. That seems like it would be an alternative to the Cavium hardware crypto offload though, any chance this could utilize the crypto offload? Seems that might be the best way to get the most performance out of it, though admittedly I have no idea about WireGuard internals at this point. 

 

This is definitely something I want to see get into EdgeRouter and USG. I'll try it out as soon as time permits. 

Established Member
Posts: 1,671
Registered: ‎02-17-2015
Kudos: 420
Solutions: 44

Re: Release: WireGuard for EdgeRouter

@zx2c4 => it's already a great result, when you see non-accelerated VPN on the EdgeRouter (Lite/PoE) or the USG having a plateau at 20 Mbps!

I did check a little on the encryption side of WireGuard, which uses mostly ChaCha20 and Poly1305, which are great for CPU, but didn't find any references to hardware acceleration (only a simple remark on one SDK/platform compatible with Cavium Octeon and supporting the latest RFC 7905, but nothing conclusive).

 

It's already a great step. I'll do some tests on my EdgeRouters to see what to expect, but it's awesome already for testing. Thanks a lot.

 

 

New Member
Posts: 25
Registered: ‎12-24-2015
Kudos: 10

Re: Release: WireGuard for EdgeRouter

Thank you for your work! Can you please release the source and describe your build process?

I am not allowed to install binary-only packages on my client's setup.

Established Member
Posts: 1,135
Registered: ‎08-06-2015
Kudos: 449
Solutions: 58

Re: Release: WireGuard for EdgeRouter

@syso - Check the WireGuard link in the first post. On the left side you'll see a link for 'Source Code' which identifies the Git repository.

 

 

New Member
Posts: 25
Registered: ‎12-24-2015
Kudos: 10

Re: Release: WireGuard for EdgeRouter

But how did you cross-compile without the Cavium SDK?

New Member
Posts: 3
Registered: ‎12-07-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Incidentally, parallelisation is a limiting factor that I have found in software that I have also ported to EdgeOS - cjdns and quicktun. When stressed, both will max out a single core of the CPU and bottleneck there. Neither cjdns nor quicktun are really multithreaded. 

 

I need to also do some investigation as to whether anyone has made any particular libsodium optimisations for MIPS, or whether there's anything else that can be done to improve performance. Crypto offload sounds like a great place to start, but I only have the single mips32r2 ER-X and no access to any mips64 EdgeRouters.

 

Certainly would be interested to hear about any progress you make.

 

https://github.com/neilalexander/vyatta-cjdns

https://github.com/neilalexander/vyatta-quicktun

Member
Posts: 125
Registered: ‎06-18-2013
Kudos: 82
Solutions: 2

Re: Release: WireGuard for EdgeRouter

@UBNT-cmb There's no reason not to have CONFIG_PADATA enabled. However, it's not an option you can directly enable in 3.10. Instead just enable CONFIG_CRYPTO_PCRYPT, which will then select CONFIG_PADATA.

 

Indeed, I'd like to utilize the crypto offload. I'll check out the kernel sources for what you guys do for the existing offload stuff. Do you have much documentation on what the offloading is capable of? Or is that all NDA'd?

 

Another thing you could do to improve performance is update to a newer kernel. I had to perform some unholy voodoo to get WireGuard running on 3.10, and such incantations come with some overhead.

 

If you'd like to coordinate anything privately, feel free to email me directly -- jason @ {myusername} .com

 

=====

 

@syso I'm using the Cavium SDK for the compiler in the build. However, I've also had success using gcc 6.3 from Gentoo's crossdev tool. The newer compiler actually produces much faster code, but who knows what the deal is with ancient parts, so I did the prebuilt binaries with the Cavium one. Maybe somebody else can play around with this a bit. The process was fairly basic for compiling the kernel module this way -- the various guides you'll find googling suffice. For the userspace wg(8) utility, I chose to compile it statically against musl libc, because EdgeOS's libc is ancient and weird and 32-bit. Super important: I made sure to set `-mabi=64` in my CFLAGS for compiling libc, libmnl, and the wg(8) utility. The result is a statically linked 64-bit MIPS binary, which is what I ship. Again, this isn't very hard to do, and the thing you need to note is being sure to use `mabi=64`. As for the source, that's all online anyway. Click the links already provided and you should be able to find it easily.

 

=====

 

@neilalexander WireGuard is meant to be multithreaded; Ubiquiti just lacks the option for it in their kernel. By the way, looks like you've played the Vyatta game quite a bit. Want to co-maintain the package with @Lochnair? Can give you access to the repo.

New Member
Posts: 3
Registered: ‎12-07-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter

@zx2c4 Certainly willing to lend a hand if I can - I'm neilalexander@freenode.

Member
Posts: 111
Registered: ‎11-01-2015
Kudos: 49
Solutions: 4

Re: Release: WireGuard for EdgeRouter

@syso If you want to avoid using the Cavium SDK when compiling kernel modules, check out this post. He's building a toolchain based on the sources of the GPL archive.

New Member
Posts: 14
Registered: ‎02-12-2015

Re: Release: WireGuard for EdgeRouter

Hi!

 

I would like to ask for your help with testing WireGuard on EdgeRouter Lite v1.8.5.

I have acted according to the suggested scenario: installed the package, but when I modify the config and commit it, the router hangs.

 

Could you please advise?

 

Thanks in advance.

Member
Posts: 125
Registered: ‎06-18-2013
Kudos: 82
Solutions: 2

Re: Release: WireGuard for EdgeRouter

The latest firmware for the EdgeRouter Lite is 1.9.1. You must use the latest firmware, since I'm not going to produce builds for every historical version.

New Member
Posts: 22
Registered: ‎10-17-2013
Kudos: 3
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Anyone tried it out yet?

What kind of performance do you get on a ER-X SFP?

New Member
Posts: 14
Registered: ‎02-12-2015

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Hi!

 

I have an ERL and a 40 Megabit connection. WG gets me around 2 Megabyte with an scp speed test. The iperf test brings somewhat slower results.

 

Have a nice day!

Member
Posts: 111
Registered: ‎11-01-2015
Kudos: 49
Solutions: 4

Re: Release: WireGuard for EdgeRouter

The post confirming that the binaries for the ER-X indeed work, along with some benchmarks with WireGuard on the ER-X, seems to have been lost in the forum migration mess.

Anyway, I've updated the latest release on GitHub with a Debian package for the ER-X (wireguard-ralink-0.0.20170421-2.deb). Looking forward to seeing how it works for you :)

Emerging Member
Posts: 98
Registered: ‎07-31-2016
Kudos: 14
Solutions: 2

Re: Release: WireGuard for EdgeRouter

root@rt-01:~# dpkg -i wireguard-octeon-0.0.20170421-2.deb
dpkg-deb: error: `wireguard-octeon-0.0.20170421-2.deb' is not a debian format archive
dpkg: error processing wireguard-octeon-0.0.20170421-2.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 wireguard-octeon-0.0.20170421-2.deb

Getting the following on my ER-PoE device.

 

Downloaded from GitHub releases using curl -O.  Thoughts?

Member
Posts: 111
Registered: ‎11-01-2015
Kudos: 49
Solutions: 4

Re: Release: WireGuard for EdgeRouter

[ Edited ]

MindTooth wrote:
root@rt-01:~# dpkg -i wireguard-octeon-0.0.20170421-2.deb
dpkg-deb: error: `wireguard-octeon-0.0.20170421-2.deb' is not a debian format archive
dpkg: error processing wireguard-octeon-0.0.20170421-2.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 wireguard-octeon-0.0.20170421-2.deb

Getting the following on my ER-PoE device.

 

Downloaded from GitHub releases using curl -O.  Thoughts?


@MindTooth, you need to use curl -L -O. GitHub uses redirects which cURL doesn't follow by default, so you need to specify the parameter to enable it. If you open the file with vi you'll see a redirection message instead of an archive.
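
The failure described above, a redirect page saved under a .deb filename, can be caught before dpkg is run as root. The following is an added example, not part of the original posts or the project's tooling: it checks the ar(1) magic that every Debian package starts with and compares a SHA-256 digest. The function names, the constructed sample files and the expected digest are assumptions; the thread does not publish checksums, so a known-good digest has to come from the maintainer over a separate channel.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before `dpkg -i`.
# A .deb is an ar(1) archive: 8-byte magic "!<arch>\n", then a first
# member whose name begins "debian-binary".

# Return 0 if $1 looks like a Debian archive, 1 otherwise.
is_deb() {
    [ -f "$1" ] || return 1
    magic=$(head -c 7 "$1")
    member=$(dd if="$1" bs=1 skip=8 count=13 2>/dev/null)
    [ "$magic" = '!<arch>' ] && [ "$member" = 'debian-binary' ]
}

# Return 0 if the SHA-256 of $1 equals $2. The expected digest is an
# assumption: it must come from the maintainer over a separate channel.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Gate for installation: both checks must pass.
safe_to_install() {
    is_deb "$1" || { echo "not a Debian archive: $1" >&2; return 1; }
    sha256_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    echo "ok: $1"
}

# Constructed samples: a redirect page saved under a .deb name, and a
# minimal ar header shaped like the start of a real package.
demo() {
    d=$(mktemp -d)
    printf '<html><body>You are being redirected.</body></html>\n' > "$d/redirect.deb"
    printf '!<arch>\ndebian-binary   1490000000  0     0     100644  4         `\n2.0\n' > "$d/sample.deb"
    want=$(sha256sum "$d/sample.deb" | cut -d' ' -f1)
    safe_to_install "$d/redirect.deb" "$want" || true
    safe_to_install "$d/sample.deb" "$want"
    rm -rf "$d"
}
demo
```

The magic check only shows that the download is an archive at all; the digest comparison is what ties the file to a specific release.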

Emerging Member
Posts: 98
Registered: ‎07-31-2016
Kudos: 14
Solutions: 2

Re: Release: WireGuard for EdgeRouter

[ Edited ]

You're the man :-D Thank you. I learned something new today.

 

Edit: Removed it, as no official macOS.  Eagerly awaits support.