Release: WireGuard for EdgeRouter

@zx2c4 => I suppose this is for now fully CPU based, and CHACHA and POLY are really CPU efficient normally, but did you do any load test, for a simple site to site connection to compare with the current offloaded IPsec ?

Note: this is just for me, not to say it's a bad idea, it's actually a really good idea ;-)

I haven't even begun optimizing for the EdgeRouter's architecture. I'll need to write MIPS64 primitives and maybe even figure out how to utilize the offloading chip. The EdgeRouter kernel does not have CONFIG_PADATA, which means we're stuck to one CPU per flow, instead of nicely parallelizing encryption across all CPUs. I'll be able to get that aspect sorted eventually though. Completely unoptimized on my ERL3, I get around 80 mb/s, which isn't bad for a first run. But it's nowhere near the performance it should be getting and eventually will be getting. This benchmark will only get faster, of course.

Good stuff, thanks much for your efforts @zx2c4. PMed you to see if I can get you any additional hardware to assist. 

I'm not sure offhand if there is a reason for not having CONFIG_PADATA, but will find out. That seems like it would be an alternative to the Cavium hardware crypto offload though, any chance this could utilize the crypto offload? Seems that might be the best way to get the most performance out of it, though admittedly I have no idea about WireGuard internals at this point. 

This is definitely something I want to see get into EdgeRouter and USG. I'll try it out as soon as time permits. 

@zx2c4 => it's already great result, when you see non accelerated VPN on the Edgerouter (lite/POE) or the USG having a plateau at 20 Mbps !

I did checked a little on the encryption side of wireguard, using mostly Chacha20 and Poly1305 which are great for CPU, but didn't find any references for hardware accelerated (only a simple remark on one SDK/platform compatible to Cavium Octeon and supporting  the latest RFC 7905 but nothing conclusive.

It's already a great step, I'll do some test on my Edgerouters to see what to expect, but it's awesome already for testing, Thanks a lot

Thank you for your work! Can you please release the source and describe your build process?

I am not allowed to install binary-only packages on my client's setup.

@syso - Check the WireGuard link in the first post.  On the left side you'll see a link for 'Source Code' which identifies the Git Repository

But how did you cross-compile without the Cavium SDK?

Incidentally, parallelisation is a limiting factor that I have found in software that I have also ported to EdgeOS - cjdns and quicktun. When stressed, both will max out a single core of the CPU and bottleneck there. Neither cjdns nor quicktun are really multithreaded. 

I need to also do some investigation as to whether anyone has made any particular libsodium optimisations for MIPS, or whether there's anything else that can be done to improve performance. Crypto offload sounds like a great place to start, but I only have the single mips32r2 ER-X and no access to any mips64 EdgeRouters.

Certainly would be interested to hear about any progress you make.

https://github.com/neilalexander/vyatta-cjdns

https://github.com/neilalexander/vyatta-quicktun

@UBNT-cmb There's no reason not to have CONFIG_PADATA enabled. However, it's not an option you can directly enable in 3.10. Instead just enable CONFIG_CRYPTO_PCRYPT, which will then select CONFIG_PADATA.

Indeed, I'd like to utilize the crypto offload. I'll check out the kernel sources for what you guys do for the existing offload stuff. Do you have much documentation on what the offloading is capable of? Or is that all NDA'd?

Another thing you could do to improve performance is update to a newer kernel. I had to perform some unholy voodoo to get WireGuard running on 3.10, and such incantations come with some overhead.

If you'd like to coordinate anything privately, feel free to email me directly -- jason @ {myusername} .com

=====

@syso I'm using the Cavium SDK for the compiler in the build. However, I've also had success using gcc 6.3 from Gentoo's crossdev tool. The newer compiler actually produces much faster code, but who knows what the deal is with ancient parts, so I did the prebuilt binaries with the Cavium one. Maybe somebody else can play around with this a bit. The process was fairly basic for compiling the kernel module this way -- the various guides you'll find googling suffice. For the userspace wg(8) utility, I chose to compile it statically against musl libc, because EdgeOS's libc is ancient and weird and 32-bit. Super important: I made sure to set `-mabi=64` in my CFLAGS for compiling libc, libmnl, and the wg(8) utility. The result is a statically linked 64-bit MIPS binary, which is what I ship. Again, this isn't very hard to do, and the thing you need to note is being sure to use `mabi=64`. As for the source, that's all online anyway. Click the links already provided and you should be able to find it easily.

=====

@neilalexander WireGuard is meant to be multithreaded; Ubiquiti just lacks the option for it in their kernel. By the way, looks like you've played the Vyatta game quite a bit. Want to co-maintain the package with @Lochnair? Can give you access to the repo.

@zx2c4 Certainly willing to lend a hand if I can - I'm neilalexander@freenode.

@syso If you want to avoid using the Cavium SDK when compiling kernel modules, check out this post. He's building a toolchain based on the sources of the GPL archive.

Hi!

I would like to ask your help on testing wireguard on EdgeRouter Lite v1.8.5.

I have acted according to suggested scenario: installed package, but when I modify config and commit it, the router hangs.

Could you please advise?

Thanks in advance.

The latest firmware for the EdgeRouter Lite is 1.9.1. You must use the latest firmware, since I'm not going to produce builds for every historical version.

Anyone tried it out yet?

What kind of performance do you get on a ER-X SFP?

Hi!

I have ERL and 40Megabits connection. WG get's me arround 2Megabyte with scp speed test. iperf test bring somewhat slower results.

Have a nice day!

The post confirming that the binaries for the ER-X indeed work and some benchmarks with WireGuard on the ER-X, seems to have been lost in the forum migration mess.

Anyway, I've updated the latest release on GitHub with a Debian package for the ER-X (wireguard-ralink-0.0.20170421-2.deb). Looking forward to seeing how it works for you 

root@rt-01:~# dpkg -i wireguard-octeon-0.0.20170421-2.deb
dpkg-deb: error: `wireguard-octeon-0.0.20170421-2.deb' is not a debian format archive
dpkg: error processing wireguard-octeon-0.0.20170421-2.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 wireguard-octeon-0.0.20170421-2.deb

Getting this following on my ER-PoE device.

Downloaded from GitHub releases using curl -O.  Thoughts?

---

MindTooth wrote:

root@rt-01:~# dpkg -i wireguard-octeon-0.0.20170421-2.deb
dpkg-deb: error: `wireguard-octeon-0.0.20170421-2.deb' is not a debian format archive
dpkg: error processing wireguard-octeon-0.0.20170421-2.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 wireguard-octeon-0.0.20170421-2.deb

Getting this following on my ER-PoE device.

 

Downloaded from GitHub releases using curl -O.  Thoughts?

---

@MindTooth, you need to use curl -L -O. GitHub uses redirects which cURL doesn't follow by default, so you need to specify the parameter to enable it. If you open the file with vi you'll see a redirection message instead of an archive.

You're the man :-D Thank you. I learned something new today.

Ed1t: Removed it, as no official macOS.  Eagerly awaits support.