It has been quite some time since I posted anything to this blog, mostly because I
did not get to work with anything new. I was mostly beating around the bush
(figuratively); the areas of an OS kernel are way too vast for my little mind to
fathom.
It was not until a mutual friend of mine and cherry@’s introduced us to the
WireGuard[1] project that I had a reason to focus again.
Wireguard - What is it?
According to the website:
WireGuard is an extremely simple yet fast and modern VPN that utilizes
state-of-the-art cryptography.
And they are not wrong; it is quite compact, roughly ~5000 lines of code. It has a
mosh(1)-like behavior, wherein one can roam around and it would seem that the
VPN connectivity is restored automatically after a disconnect.
As of writing this blog post, Wireguard is Linux only, and that is where I come
in.
But can it run in BSD?
Again, as of writing this post, according to this piece of information[2] from the
pfSense people, who use FreeBSD, it may not be an easy thing to do, since there are
way too many “Linuxisms” in it for it to directly run in BSD.
cherry@ was quite impressed by Wireguard and motivated me to look into whether
it is possible to port it to NetBSD, which got me to look into
Wireguard.
Background preparation
As of writing this blog post, I still lack the skills to just glance at
something and have the entire picture in my mind. So the first thing I did was
go through the whitepaper[3].
A piece of advice from cherry@ was “Do not go down the rabbit hole.”, which over
here means that I should not get hung up on the mathematics of cryptography or the
mechanics of crypto algorithms. Not to say that they are irrelevant or that being
ignorant about them will help, but I should not go down that figurative “rabbit
hole”. Skimming the surface just to get an understanding of what it means so that
the terminology does not spook me like a kitten jumping around when it gets
excited.
The aim of reading the paper was to get to understand the protocol and how it
works, and to use that knowledge to write up a proposal to the NetBSD Foundation.
Writing up the proposal
After multiple reads of the paper, grepping through the code base and
understanding the terminology used, I began to write up my observations and
ideas on how to make Wireguard work in NetBSD.
You can read the full proposal here[4] if you wish. I shall provide a TL;DR
version for the rest:
- Re-write the Linux kernel module parts with the equivalent in NetBSD
- Import the various crypto libraries used by Wireguard into NetBSD
Challenges
It would be nice to do the development in a TDD fashion, but I am not sure how
hard of a task this would be.
Conclusion
One of the things that constantly kept going through my mind is whether I should
be doing a direct port of the Linux code or a clean room
implementation (cherry@ has been pushing me to do a clean room
implementation). In due course of time I hope I can take a stance on this.
I hope that the proposal gets accepted.
References
[1] Wireguard Homepage - https://www.wireguard.com/
[2] pfSense’s opinion on porting Wireguard - https://twitter.com/pfsense/status/828300945847152641
[3] Wireguard Whitepaper - https://www.wireguard.com/papers/wireguard.pdf
[4] Wireguard Proposal - http://fraggerfox.port0.org/bsd-blog/files/wg-bsd-proposal