For those of you using pfsense + WG...

Soldato | Joined 29 Dec 2002 | Posts 7,262
So, if you are still on board the pfSense bandwagon after 2.5 happened and are using WireGuard, you should probably thank them for the ‘great work’ they are responsible for. I mean, it’s not like you expect them to secure your network, right?

https://arstechnica.com/gadgets/202...on-its-way-to-freebsd-and-the-pfsense-router/

This little gem seems to have been overlooked:
https://lists.zx2c4.com/pipermail/wireguard/2021-March/006499.html

I can’t wait till they take this closed source with Plus and we just have to blindly trust the quality of code in use.
 
Soldato | Joined 18 Aug 2007 | Posts 9,710 | Location Liverpool
It's a bit of a mash up, isn't it? From experience, Jason is great to work with but regardless of WireGuard being FOSS he does like to keep an arm around his 'baby', even in other projects. He expressed similar frustration with Cloudflare when they eventually branched off and created boringtun. As for Netgate, Jim seems a very strong headed character and the direction of the project is raising questions atm. They're talking about making pfSense+ available for free to the community across any hardware 'soon', and they say CE will remain but will be slower to update. They're selling that as 'LTS' and 'battle tested', but with TNSR and pfSense+ to handle it may just as easily turn into the 'neglected' version instead. Time will tell.

It's a shame WireGuard's kernel module didn't make it for FreeBSD 13, but hopefully Jason's polished version will hit 13.1 as projected. If that man can do nothing else, he can certainly write polished and focused code. I'm happier to wait for 13.1 and have 'his' WireGuard than rush into 13-RELEASE without it...

If Netgate do close source on pfSense that'll be a shame, but the BSD license allows for it and it is what it is. There can be no complaints there, albeit it's a shame and leaves you to wonder and only able to blindly 'trust' what's going on under the hood. There's always plain ole FreeBSD if it goes that way, and that will certainly remain open. I'll stick to OpenBSD for now, which already has a good kernel implementation of WG. Hopefully Free catches up soon, and pfSense to follow. We have to remember that Netgate at least sponsored the work, and it may not have been done at all without that original impetus. TBF it sounds like Jason would have been willing to help get it written regardless, but we'll never know. I stopped following Free so closely when all the CoC nonsense crept in and they had a lot of politics rattling around. It's still one of the best optimised releases for networking though, I don't think there's any arguing that.
 
Soldato | Joined 18 Aug 2007 | Posts 9,710 | Location Liverpool
BTW, for anyone who didn't know, Netgate's attack against OPNsense was not only in poor taste and unprofessional, but it was also enough to make me lose all respect for them as a project. It took a court order for them to remove it.


Edit: Wow. I just got around to reading the post on the WG mailing list from Jason/ScottL@Netgate. What a **** show. Up to their old tricks it seems. It's a shame because Free itself is such a great networking OS (mostly thanks to Netflix rather than Netgate afaik). I was planning on spinning up pfSense 2.5 on my trusty Dell Optiplex (currently collecting dust), but alas it seems OpenBSD really is hanging around a while longer... Maybe I'll give Sophos XG a play instead.
 
Soldato (OP) | Joined 29 Dec 2002 | Posts 7,262
Tempted to misattribute a (not) Sun Tzu quote, but the OPN team must be seeing the funny side right about now. XG uses (or used, it may have changed) a horribly outdated OpenVPN implementation. Untangle want $150/yr to enable WireGuard support, along with everything else that used to cost $50/yr - which is now exactly the price difference between Untangle and a VMUG sub. I have to spin up an ESXi or Proxmox remote at some point this week and set up site-to-site, so I suspect it’s time to revisit OPN; heck, even Smoothwall was briefly on the table, and that used to be the drama magnet of firewalls when Dick/Lawrence fell out and IPCop forked - what is it with firewall developers and drama?
 
Soldato | Joined 13 Jul 2005 | Posts 19,288 | Location Norfolk, South Scotland
> Untangle want $150/yr to enable WireGuard support, along with everything else that used to cost $50/yr - which is now exactly the price difference between Untangle and a VMUG sub.

That's not quite how I see it. Untangle Home Protect Basic still costs $50 per year and it gets you pretty much everything except Threat Protection (IDS/IPS), full BitDefender AntiVirus and WireGuard. Everything else is there and fully working - even BitDefender Lite.

Then you can spend the extra $100 for Home Protect Plus and that gets you the full version of BitDefender, which is $30 from them, you get the IPS/IDS with Untangle's own lists as Suricata's are often less than fabulous and you get WireGuard VPN. But the $50 version is still there and works great for most people. You have OpenVPN, IPSec VPN as well as most of the commercial ones all baked in and ready to go. Literally just type your credentials in and they work.

Untangle is a great product. Not cheap, but I don't consider it to be expensive for what you get.
 
Soldato | Joined 18 Aug 2007 | Posts 9,710 | Location Liverpool
That's all very well @WJA96 but paying $150 for WireGuard, a free and open source piece of software available freely online, including in the very Linux kernel Untangle are using? It doesn't breach the GPL or BSD licenses to charge for it, but I wouldn't ever consider paying someone $150 for something free, and already present, that they've intentionally blocked access to. Why, when you can run *insert Linux or BSD here* for free and do the same things?
 
Caporegime | Joined 18 Oct 2002 | Posts 26,102
Because one option requires you to do the integration yourself, and the other is packaged and tested to survive update cycles on the base platform, while exposing interfaces for configuration via a UI and API.

I get it that home users might be weighing up the options (despite some people seemingly willing to spend £300 every two years on a 'gaming router' which then promptly stops receiving vendor support) but if this is in any way linked to time that has to be paid for, $150 to a client for the license is cheaper than having someone spend a couple of hours on the problem.

If you have the time to spend on it, or you already have the skills where you're comfortable supporting it all yourself then by all means avoid the license and DIY it.
 
Soldato | Joined 13 Jul 2005 | Posts 19,288 | Location Norfolk, South Scotland
> That's all very well @WJA96 but paying $150 for WireGuard, a free and open source piece of software available freely online, including in the very Linux kernel Untangle are using? It doesn't breach the GPL or BSD licenses to charge for it, but I wouldn't ever consider paying someone $150 for something free, and already present, that they've intentionally blocked access to. Why, when you can run *insert Linux or BSD here* for free and do the same things?

Simply because they’ve prettified and simplified the front end so it ‘just works’. There are people who don’t mind not having a GUI, or having to shell out and type sudo ... but those people are in the minority. The rest of people pay a few pounds a month and get something more user friendly.

If you feel you don’t need that luxury, great and likewise, don’t concern yourself if others feel the desire to pay the money for the simplification.
 
Soldato (OP) | Joined 29 Dec 2002 | Posts 7,262
> That's not quite how I see it. Untangle Home Protect Basic still costs $50 per year and it gets you pretty much everything except Threat Protection (IDS/IPS), full BitDefender AntiVirus and WireGuard. Everything else is there and fully working - even BitDefender Lite.
>
> Then you can spend the extra $100 for Home Protect Plus and that gets you the full version of BitDefender, which is $30 from them, you get the IPS/IDS with Untangle's own lists as Suricata's are often less than fabulous and you get WireGuard VPN. But the $50 version is still there and works great for most people. You have OpenVPN, IPSec VPN as well as most of the commercial ones all baked in and ready to go. Literally just type your credentials in and they work.
>
> Untangle is a great product. Not cheap, but I don't consider it to be expensive for what you get.

Context is everything, and the answer will be different for different people with different needs; nothing at all wrong with that. Would I miss $150/yr? Not really. I donate several times that each year to developers who make useful (free) software, as if it saves me time and makes my life easier, it’s worth my money.

Am I OK with Untangle charging me $50/yr to save me a bit of time/aggro? Yeah, sure, it’s a decent product with a nice feature set and easy to use. Do I object to additional premium features having an additional price? Not really. Unfortunately here’s where I go from being happy to subscribe at $50/yr to looking at other options: I don’t personally feel that IDS/IPS or full AV in this form is a must-have for home users. It’s a nice box to tick for the full UTM experience, but it’s not a requirement or massively useful in my usage/opinion. Realistically the only reason I would be upgrading is WG, and who is going to knowingly pay $100 to enable something they can spin up a Docker image for in seconds for free? OK, the management isn’t the same, but I can live with that; it’s OK if others can’t, your money, your choice, other options exist and, let’s be honest, I probably have way more free time than most.

Going back to pfSense, I noticed someone posted this on Reddit.

https://www.theregister.com/2008/04/24/kip_macy_arrest/

https://abcnews.go.com/US/exclusive...rrorizing-apartment-tenants/story?id=20875476

So yes, Netgate (who want us to trust them and intend to take Plus to closed source so no peer review is possible) found the best developer for the job and paid him to bring WG to BSD. However, it wasn’t just the standard of coding that was apparently criminal. Even ignoring the convictions, jail time, bail jumping, intentionally costing his mother $500K, or the fact that he refers to an employee as ‘the Mexican’ and shows little or no remorse while seeking to blame his wife, this is who Netgate chose to represent them on behalf of its users. Even if he had done a decent job, this seems like a highly questionable hire. The last time I wanted to swerve a company/product this hard was when PIA hired Mark Karpeles as CTO.
 
Soldato | Joined 13 Jul 2005 | Posts 19,288 | Location Norfolk, South Scotland
> Context is everything, and the answer will be different for different people with different needs; nothing at all wrong with that. Would I miss $150/yr? Not really. I donate several times that each year to developers who make useful (free) software, as if it saves me time and makes my life easier, it’s worth my money.
>
> Am I OK with Untangle charging me $50/yr to save me a bit of time/aggro? Yeah, sure, it’s a decent product with a nice feature set and easy to use. Do I object to additional premium features having an additional price? Not really. Unfortunately here’s where I go from being happy to subscribe at $50/yr to looking at other options: I don’t personally feel that IDS/IPS or full AV in this form is a must-have for home users. It’s a nice box to tick for the full UTM experience, but it’s not a requirement or massively useful in my usage/opinion. Realistically the only reason I would be upgrading is WG, and who is going to knowingly pay $100 to enable something they can spin up a Docker image for in seconds for free? OK, the management isn’t the same, but I can live with that; it’s OK if others can’t, your money, your choice, other options exist and, let’s be honest, I probably have way more free time than most.

As in most cases, I completely agree with you. And the question I would ask is exactly how many people can spin up a Docker image for WireGuard in a few seconds? Very few, I would imagine. And even if they had the knowledge, I doubt most home users realistically have the hardware required to do it.

Take a quick scan through the questions asked in this sub-forum and the Enterprise and Servers sub-forum and things like Docker and WireGuard are pretty specialist things. And the people who post on OcUK are by and large very tech savvy. So you widen that out to the general public and most of them wouldn’t even be able to tell you what VPN stands for, let alone what to do with it.

My 92-year-old father and 77-year-old mother can use Untangle, but they couldn’t install it on the QNAP Guardian it’s running on, even if I gave them a USB key with the ISO loaded on it. Given time they’d use the internet to work it out, but they’d rather sit in the warm kitchen, drinking tea and “researching” gardening on the internet. My company literally has triple-digit numbers of customers who not only pay us to install Untangle for them, but they pay us a monthly fee to administer it for them. Not because they’re not smart and capable people, but they just don’t want the hassle of dealing with it. WireGuard costs nothing, it’s true. And to get it for free you have to be an @Avalon or equivalent. And there are darn few of those about.
 