Release: WireGuard for EdgeRouter


  • Beta Testers

    and I have ported WireGuard to the EdgeRouter and produced a Vyatta configuration module for it.

    You can download a release <u>.deb</u> from here: https://github.com/Lochnair/vyatta-wireguard/releases

    It should be fairly straightforward to install:

    $ sudo dpkg -i ./wireguard-{VERSION}.deb
    

    After this you'll be able to manage and use WireGuard interfaces on the EdgeRouter using the ordinary commands. WireGuard integrates tightly within the EdgeMax configuration system.

    interfaces {
        wireguard wg0 {
            private-key "iO3YxEZM5KNmdST1XYtv1xQ8AM3y12+/K+QFKY7rflw="
            address "192.168.33.1/24"
            listen-port 51820
    
            peer "aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4=" {
                allowed-ips "192.168.33.101/32"
                endpoint "example1.example.net:51820"
            }
            peer "GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc=" {
                allowed-ips "192.168.33.102/32,192.168.33.103/32"
                endpoint "anotherexample.example.org:29922"
            }
        }
    }
    

    will be handling maintenance and updating of this package, though of course I'm happy to address any upstream concerns that EdgeRouter users might have, so feel free to pose any questions here, join the WireGuard mailing list, or come into #wireguard on Freenode.

    Disclaimer: this is currently snapshot/experimental software and is provided as-is with no warranty of any kind.
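As an added example (not from the post above or the vyatta-wireguard package), here is a small Python checker that parses the brace-style interface block shown above and flags the mistakes that actually bite in practice: a private or peer key that does not decode to 32 bytes, an allowed-ips prefix claimed by two peers (WireGuard's cryptokey routing maps a destination to exactly one peer, so a duplicate prefix is silently reassigned to the peer configured last), and malformed endpoints or ports. The parser, the checks and the second, deliberately broken configuration are assumptions of this example; the first sample block is the one from the post.

```python
"""Parse an EdgeOS/Vyatta-style WireGuard interface block and sanity-check it.

Added example, not part of the forum post or the vyatta-wireguard package.
Assumptions: the brace syntax shown in the thread (key value / key "value" {),
one level of 'peer "<pubkey>" { ... }' blocks, and WireGuard's rule that an
allowed-ips prefix can belong to only one peer per interface.
"""
import base64
import ipaddress
import shlex

# Sample configuration copied from the thread's example.
SAMPLE_CONFIG = """
interfaces {
    wireguard wg0 {
        private-key "iO3YxEZM5KNmdST1XYtv1xQ8AM3y12+/K+QFKY7rflw="
        address "192.168.33.1/24"
        listen-port 51820

        peer "aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4=" {
            allowed-ips "192.168.33.101/32"
            endpoint "example1.example.net:51820"
        }
        peer "GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc=" {
            allowed-ips "192.168.33.102/32,192.168.33.103/32"
            endpoint "anotherexample.example.org:29922"
        }
    }
}
"""

# Constructed broken variant: corrupted private key, and the second peer claims
# 192.168.33.101/32, which the first peer already owns.
BAD_CONFIG = (SAMPLE_CONFIG
              .replace("iO3Yx", "not-a")
              .replace("192.168.33.102/32,", "192.168.33.101/32,"))


def parse_config(text):
    """Turn the brace syntax into nested dicts: {'interfaces': {'wireguard': {'wg0': {...}}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        node = stack[-1] if stack else root
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            parts = shlex.split(line[:-1])          # shlex strips the surrounding quotes
            child = {}
            if len(parts) == 1:                      # e.g. 'interfaces {'
                node[parts[0]] = child
            else:                                    # e.g. 'peer "<pubkey>" {'
                node.setdefault(parts[0], {})[parts[1]] = child
            stack.append(child)
        else:
            parts = shlex.split(line)                # leaf: 'key value' or a bare flag
            node[parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def _is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                               # binascii.Error is a ValueError
        return False


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_config(text):
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    wg = parse_config(text).get("interfaces", {}).get("wireguard", {})
    for name, iface in wg.items():
        if not _is_wg_key(iface.get("private-key", "")):
            findings.append(f"{name}: private-key is not a 32-byte base64 key")
        if "listen-port" in iface and not _valid_port(iface["listen-port"]):
            findings.append(f"{name}: listen-port out of range")
        try:
            ipaddress.ip_interface(iface.get("address", ""))
        except ValueError:
            findings.append(f"{name}: address is not a valid address/prefix")
        claimed = []  # (peer pubkey, network) already seen on this interface
        for pubkey, peer in iface.get("peer", {}).items():
            if not _is_wg_key(pubkey):
                findings.append(f"{name}: peer {pubkey!r} is not a valid public key")
            for cidr in peer.get("allowed-ips", "").split(","):
                try:
                    net = ipaddress.ip_network(cidr.strip(), strict=False)
                except ValueError:
                    findings.append(f"{name}: peer {pubkey[:8]}: bad allowed-ips {cidr!r}")
                    continue
                for other_key, other_net in claimed:
                    if other_key != pubkey and net.overlaps(other_net):
                        findings.append(f"{name}: allowed-ips {net} of peer {pubkey[:8]} "
                                        f"overlaps {other_net} of peer {other_key[:8]}")
                claimed.append((pubkey, net))
            endpoint = peer.get("endpoint")
            if endpoint is not None:
                host, sep, port = endpoint.rpartition(":")
                if not sep or not host or not _valid_port(port):
                    findings.append(f"{name}: peer {pubkey[:8]}: endpoint {endpoint!r} is not host:port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BAD_CONFIG)):
        print(label, validate_config(cfg) or "OK")
```

Running the checker on the thread's block reports nothing; on the broken variant it reports the bad private key and the overlapping prefix. The overlap check is the one worth keeping around, since the commit itself will not complain about it.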


  • D
    Beta Testers

    => I suppose this is for now fully CPU based, and ChaCha and Poly are really CPU efficient normally, but did you do any load test, for a simple site-to-site connection, to compare with the current offloaded IPsec?

    Note: this is just for me, not to say it's a bad idea, it's actually a really good idea ;-)


  • Beta Testers

    I haven't even begun optimizing for the EdgeRouter's architecture. I'll need to write MIPS64 primitives and maybe even figure out how to utilize the offloading chip. The EdgeRouter kernel does not have CONFIG_PADATA, which means we're stuck to one CPU per flow, instead of nicely parallelizing encryption across all CPUs. I'll be able to get that aspect sorted eventually though. Completely unoptimized on my ERL3, I get around 80 mb/s, which isn't bad for a first run. But it's nowhere near the performance it should be getting and eventually will be getting. This benchmark will only get faster, of course.


  • U
    administrators

    Good stuff, thanks much for your efforts. PMed you to see if I can get you any additional hardware to assist.

    I'm not sure offhand if there is a reason for not having CONFIG_PADATA, but will find out. That seems like it would be an alternative to the Cavium hardware crypto offload though, any chance this could utilize the crypto offload? Seems that might be the best way to get the most performance out of it, though admittedly I have no idea about WireGuard internals at this point.

    This is definitely something I want to see get into EdgeRouter and USG. I'll try it out as soon as time permits.


  • D
    Beta Testers

    => It's already a great result, when you see a non-accelerated VPN on the EdgeRouter (Lite/PoE) or the USG having a plateau at 20 Mbps!

    I did check a little on the encryption side of WireGuard, which mostly uses ChaCha20 and Poly1305 which are great for CPU, but didn't find any references for hardware acceleration (only a simple remark on one SDK/platform compatible with Cavium Octeon and supporting the latest RFC 7905, but nothing conclusive).

    It's already a great step. I'll do some tests on my EdgeRouters to see what to expect, but it's awesome already for testing. Thanks a lot.


  • S
    Beta Testers

    Thank you for your work! Can you please release the source and describe your build process?

    I am not allowed to install binary-only packages on my client's setup.


  • W
    Beta Testers

    - Check the WireGuard link in the first post. On the left side you'll see a link for 'Source Code' which identifies the Git repository.


  • S
    Beta Testers

    But how did you cross-compile without the Cavium SDK?


  • N
    Beta Testers

    Incidentally, parallelisation is a limiting factor that I have found in software that I have also ported to EdgeOS - cjdns and quicktun. When stressed, both will max out a single core of the CPU and bottleneck there. Neither cjdns nor quicktun are really multithreaded.

    I need to also do some investigation as to whether anyone has made any particular libsodium optimisations for MIPS, or whether there's anything else that can be done to improve performance. Crypto offload sounds like a great place to start, but I only have the single mips32r2 ER-X and no access to any mips64 EdgeRouters.

    Certainly would be interested to hear about any progress you make.

    https://github.com/neilalexander/vyatta-cjdns

    https://github.com/neilalexander/vyatta-quicktun


  • Beta Testers

    There's no reason not to have CONFIG_PADATA enabled. However, it's not an option you can directly enable in 3.10. Instead just enable CONFIG_CRYPTO_PCRYPT, which will then select CONFIG_PADATA.

    Indeed, I'd like to utilize the crypto offload. I'll check out the kernel sources for what you guys do for the existing offload stuff. Do you have much documentation on what the offloading is capable of? Or is that all NDA'd?

    Another thing you could do to improve performance is update to a newer kernel. I had to perform some unholy voodoo to get WireGuard running on 3.10, and such incantations come with some overhead.

    If you'd like to coordinate anything privately, feel free to email me directly – jason @ {myusername} .com

    =====

    I'm using the Cavium SDK for the compiler in the build. However, I've also had success using gcc 6.3 from Gentoo's crossdev tool. The newer compiler actually produces much faster code, but who knows what the deal is with ancient parts, so I did the prebuilt binaries with the Cavium one. Maybe somebody else can play around with this a bit. The process was fairly basic for compiling the kernel module this way -- the various guides you'll find googling suffice. For the userspace wg(8) utility, I chose to compile it statically against musl libc, because EdgeOS's libc is ancient and weird and 32-bit. Super important: I made sure to set -mabi=64 in my CFLAGS for compiling libc, libmnl, and the wg(8) utility. The result is a statically linked 64-bit MIPS binary, which is what I ship. Again, this isn't very hard to do, and the thing you need to note is being sure to use -mabi=64. As for the source, that's all online anyway. Click the links already provided and you should be able to find it easily.

    =====

    WireGuard is meant to be multithreaded; Ubiquiti just lacks the option for it in their kernel. By the way, looks like you've played the Vyatta game quite a bit. Want to co-maintain the package with ? Can give you access to the repo.
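The post above describes the shipped wg binary as a statically linked 64-bit MIPS executable built with -mabi=64. As an added example (mine, not the package author's), the following Python reads an ELF header and checks exactly those properties before a prebuilt binary goes onto a router: ELFCLASS64 for the 64-bit ABI (an n32 build would instead be ELFCLASS32 with EF_MIPS_ABI2 set in e_flags), e_machine equal to EM_MIPS, and no PT_INTERP or PT_DYNAMIC program header, which is what a static link looks like. The sample images are constructed inline with struct.pack (big-endian, matching the Octeon-based EdgeRouters) and contain only the headers the check reads; on a real file, `readelf -h` and `readelf -l` show the same fields.

```python
"""Check that an ELF binary is 64-bit, MIPS and statically linked, from its header.

Added example, not part of the forum post or the vyatta-wireguard package.
The sample ELF images below are constructed (header and program headers only),
which is all this check reads.
"""
import struct
import sys

EM_MIPS = 8
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EF_MIPS_ABI2 = 0x20  # set on n32 objects, which are ELFCLASS32 despite being 64-bit ISA


def inspect_elf(data):
    """Return class, endianness, machine, static/dynamic and n32 flag for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = ">" if data[5] == 2 else "<"        # EI_DATA:  1 = little-endian, 2 = big-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"
    _, e_machine, _, _, e_phoff, _, e_flags, _, e_phentsize, e_phnum = struct.unpack_from(end + fmt, data, 16)
    dynamic = False
    for i in range(e_phnum):                  # p_type is the first field of every program header
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            dynamic = True
    return {
        "class": 64 if is64 else 32,
        "big_endian": end == ">",
        "machine": e_machine,
        "static": not dynamic,
        "n32": (not is64) and bool(e_flags & EF_MIPS_ABI2),
    }


def is_static_mips64(data):
    """True only for what the post describes: ELFCLASS64, EM_MIPS, no dynamic linking."""
    info = inspect_elf(data)
    return info["class"] == 64 and info["machine"] == EM_MIPS and info["static"]


def build_sample_elf(static=True, bits=64, machine=EM_MIPS, flags=0):
    """Constructed minimal ELF image: header plus program headers, big-endian like Octeon."""
    end = ">"
    ptypes = [PT_LOAD] if static else [PT_LOAD, PT_INTERP, PT_DYNAMIC]
    if bits == 64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 2, 1, 0]) + bytes(8)
        header = ident + struct.pack(end + "HHIQQQIHHHHHH", 2, machine, 1, 0, ehsize, 0,
                                     flags, ehsize, phentsize, len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)
        header = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, ehsize, 0,
                                     flags, ehsize, phentsize, len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs


if __name__ == "__main__":
    # Usage: python3 check_elf.py /path/to/wg   (path is whatever you downloaded)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(inspect_elf(blob), "static mips64:", is_static_mips64(blob))
```

This only verifies the ELF class, machine and link type, which is the cheap check a package consumer can run; it says nothing about which compiler produced the binary or whether it matches the published source, for which you would rebuild from the repository linked earlier in the thread.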


  • N
    Beta Testers

    Certainly willing to lend a hand if I can - I'm neilalexander@freenode.


  • L
    Beta Testers

    If you want to avoid using the Cavium SDK when compiling kernel modules, check out this post. He's building a toolchain based on the sources of the GPL archive.


  • R
    Beta Testers

    Hi!

    I would like to ask your help on testing wireguard on EdgeRouter Lite v1.8.5.

    I have acted according to the suggested scenario: installed the package, but when I modify the config and commit it, the router hangs.

    Could you please advise?

    Thanks in advance.


  • Beta Testers

    The latest firmware for the EdgeRouter Lite is 1.9.1. You must use the latest firmware, since I'm not going to produce builds for every historical version.

