107 replies to this topic

[athoik]

It's about speed

 

The kernel module is really fast.

 

The userspace implementation is not considered so fast, that's why Cloudflare created BoringTUN, using rust.

 

Clearly we thought, only one of those fits the bill, and that is wireguard-go.

However, benchmarks quickly showed that wireguard-go falls very short of the performance offered by the kernel module.

This is because while the Go language is very good for writing servers, it is not so good for raw packet processing, which a VPN essentially does.

 

We can always create the userspace (once we move to zeus) and provide the kernel for supported machines as well.

[Erik Slagter]

Indeed if the only serious advantage is speed, the user space implementation won't be that interesting compared to OpenVPN.

[cmatte]

Attempting WG install on vuduo4k on 7.3, gets stuck at the instructions:

ip link add dev wg0 type wireguard
ip: RTNETLINK answers: Operation not supported

Attempting to install linux-libc-headers-dev as required, the link doesn't work - is there something we can do?

wget: server returned error: HTTP/1.1 404 Not Found
Collected errors: * opkg_download_backend: Failed to download http://downloads.openpli.org/feeds/openpli-7-release/armv7ahf-neon/linux-libc-headers-dev_4.10-r0.2_armv7ahf-neon.ipk, wget returned 1. * opkg_install_pkg: Failed to download linux-libc-headers-dev. Perhaps you need to run 'opkg update'?
Installing linux-libc-headers-dev (4.10) on root
Downloading http://downloads.openpli.org/feeds/openpli-7-release/armv7ahf-neon/linux-libc-headers-dev_4.10-r0.2_armv7ahf-neon.ipk.

Edited by cmatte, 24 October 2020 - 22:28.

[WanWizard]

https://www.ivpn.net...-supported.html ?

[cmatte]

Good to try. Many other answers point towards installing your kernel headers, so tried but the link seems dead on the OpenPLI feed.

modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Unknown symbol in module, or unknown parameter (see dmesg)

dmesg

[ 5432.403153] wireguard: Unknown symbol udp_sock_create4 (err 0)
[ 5432.409019] wireguard: Unknown symbol udp_tunnel6_xmit_skb (err 0)
[ 5432.415348] wireguard: Unknown symbol udp_tunnel_sock_release (err 0)
[ 5432.421812] wireguard: Unknown symbol setup_udp_tunnel_sock (err 0)
[ 5432.428090] wireguard: Unknown symbol udp_sock_create6 (err 0)
[ 5432.433976] wireguard: Unknown symbol udp_tunnel_xmit_skb (err 0)

Edited by cmatte, 24 October 2020 - 23:38.

[WanWizard]

It looks like it is dependent on other modules that aren't loaded.

 

What does

modinfo wireguard

say?

 

On my Duo 4K

root@vuduo4k:/proc/stb# modinfo wireguard
filename:       /lib/modules/4.1.45-1.17/kernel/wireguard/wireguard.ko
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        1.0.20200413
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     244479A3BBFD73C5413F2F5
depends:        ipv6
vermagic:       4.1.45-1.17 SMP mod_unload ARMv7 p2v8 

it depends only on ipv6, which is loaded:

root@vuduo4k:/proc/stb# lsmod
Module                  Size  Used by
bthid                   2977  0
btusb                  51979  1
bluetooth             389128  4
ipv6                  288680  71
brcmfb                  1467  2
dvb_bcm7278          2013332  39 brcmfb
dvb_base             5867819  5 dvb_bcm7278
bcm_event               2899  5 dvb_bcm7278
procmk                  2104  2 dvb_bcm7278,bcm_event
dhd                   179617  0

[cmatte]

Same results for both, ipv6 dependency, ipv6 is loaded indeed, are you getting anything different from a:

modprobe wireguard

or the 

ip link add dev wg0 type wireguard

?

[WanWizard]

Same problem here:

root@vuduo4k:~# modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Unknown symbol in module, or unknown parameter (see dmesg)

I've checked, "udp_sock_create4" is a method introduced in Kernel v4.2, and my Duo4K runs 4.1.45. So there is an issue with the out-of-tree build of wirehguard.

[Erik Slagter]

Is it still not in the kernel, or added after 4.2?

 

Having out-of-kernel modules is always a PITA, I hate it.

[WanWizard]

It is in the kernel for 5.8+, it is added out-of-tree for earlier kernels (by Athoik), but appearently that doesn't work, at least not on kernels < 4.2.

[athoik]

I suggest first to enable CONFIG_NET_UDP_TUNNEL and try again.

[WanWizard]

That would require a BSP change, so we need to check all defconfig's ?

[athoik]

Hi,

It seems that UDP tunnel as module (=m) is enough on osmio4k with kernel 5.5.16.

...

[/code]There are 70 boxes that need CONFIG_NET_UDP_TUNNEL=m, few already have it.

grep -r "CONFIG_NET_UDP_TUNNEL is not set" meta-* | wc -l
70

Yes, there are many boxes without udp tunnel.

Better to check on a custom build, if building above module will fix issue on VU+ as well.

[WanWizard]

Changed it to

CONFIG_NET_UDP_TUNNEL=y

build a new kernel, and flashed the box.

 

No difference:

[  284.512010] wireguard: Unknown symbol udp_sock_create4 (err 0)
[  284.517873] wireguard: Unknown symbol udp_tunnel6_xmit_skb (err 0)
[  284.524238] wireguard: Unknown symbol udp_tunnel_sock_release (err 0)
[  284.530706] wireguard: Unknown symbol setup_udp_tunnel_sock (err 0)
[  284.536988] wireguard: Unknown symbol udp_sock_create6 (err 0)
[  284.542872] wireguard: Unknown symbol udp_tunnel_xmit_skb (err 0)

[WanWizard]

Hmm, I expected a module "udp_tunnel" on the box, but lsmod doesn't show it.

 

edit: according to https://cateee.net/l...UDP_TUNNEL.html, it should work. I see it's only available from v3.18 onwards, so we should update the kernel check too (now builds from 3.14).

[WanWizard]

I've cleaned the kernel, changed the kernel defconfig to

CONFIG_NET_UDP_TUNNEL=m

but no kernel module is created?

 

edit: Required files are present in the kernel source:

$ find . -name "*udp_tunnel*"
./net/ipv4/udp_tunnel.c
./net/ipv6/ip6_udp_tunnel.c

[rantanplan]

https://www.wireguard.com/compilation/

 

 

Building Directly In Tree

Probably the easiest way to patch it in general

[WanWizard]

Yeah, saw that too, we'll have to do that conditionally though, only for kernels > 3.18 and < 5.8.

 

In the meantime I've found that the kernel build tree contains a .config and .config.old file. The old file is my original defconfig, the .config file is modified somewhere:

714c709
< CONFIG_NET_UDP_TUNNEL=m
---
> # CONFIG_NET_UDP_TUNNEL is not set
2611a2599
> CONFIG_MEDIA_TUNER_TDA18250=m
2614d2601
< CONFIG_MEDIA_TUNER_TDA18250=y

so WTF is changing my defconfig?

[WanWizard]

Found it, it also requires

CONFIG_GENEVE=m

and that fixes it:

root@vuduo4k:~# modprobe udp_tunnel
root@vuduo4k:~# modproble wireguard
root@vuduo4k:~# 

next step: see how to get all the BSP's updated...
 

[Erik Slagter]

Maybe something for 8.1?