-
Afterglow
Aargh, have been pulling my hair for days (don't worry, I'm bald) getting a jail on a different vlan, till I found out I'm dealing with a bug (or feature :-) ), described in 240106. No question here, just sharing my frustration
-
leisefuxX
Afterglow I am truly co-frustrated with you
-
leisefuxX
I had to realize years ago that jails really do live up to their name :D it frustrated me too. but it also gives me a bit of confidence that my data is safe in the jail... halfway...
-
Afterglow
I personally think that jails are godsend, and definitely proof that god exists (proof denies faith, so therefore he doesn't exist) for separating several functions of my server
-
ring0_starr
how do you include a custom .dtb for a uboot port?
-
Liaf
Short question. I started looking into wireguard again and saw that there's a /usr/bin/wg on my system. I've read that there was some back and forth on FreeBSD adding the kernel support. Now I'm wondering if kernel support is currently available or not. I can't find anything in the handbook so I'm wondering what the current state of the implementation is :-)
-
[tj]
man 4 wg
-
la_mettrie
ring0_starr: i guess you need to change dtb source files (.dts, .dtsi) while building uboot
-
Liaf
[tj]: okay, so it's implemented again. Wasn't sure because the news articles were kinda fuzzy for me.
-
ring0_starr
that's what I'm confused about
-
[tj]
are you reading news articles from 5 years ago?
-
ring0_starr
how do I do that exactly? make fetch and then find the .dts used? what is the chain of makefiles that the uboot ports use?
-
ring0_starr
for some reason, make fetch doesn't work for sysutils/u-boot-master
-
ring0_starr
I set up wireguard on freebsd like 2 years ago. wg-quick told me it was using the Go port
-
ring0_starr
in other words the kernel support was still semi-broken
-
mzar
?
-
ring0_starr
the last two lines were @ Liaf
-
mzar
nothing is broken guys, it works as intended
-
ring0_starr
if it had been fixed, it had to've been recently
-
mzar
you have to update your system
-
Liaf
I was just confused as I remembered the back and forth 4-5 years ago and when I searched for it I couldn't find anything that just said "everything is fine". Maybe I was just not understanding it correctly hence I thought I ask here. Thank you :-)
-
ring0_starr
i don't think it is, pkg search wireguard shows that wireguard-kmod is absent
-
ring0_starr
i don't think "everything is fine"* to be more clear
-
nimaje
the problem was that some committer just pushed a rushed implementation without approval to get it into 13.0 release, that was noticed fast enough, so that the rushed implementation didn't make it in, later in 13.2 and 14.0 an implementation with review and approval made it into the release as the release notes tell you
-
Liaf
nimaje: thank you for the clarification :-)
-
[tj]
is there a vnc multiplex I can stick in front of bhyve so my viewer session won't go away on reboots?
-
[tj]
this is tedious
-
dvl
so this one is confusing me. zroot/usr has snapshots (confirmed by "zfs list snapshot zroot/usr"). but % cd /usr/.zfs -> cd: no such file or directory: /usr/.zfs
-
dvl
Well, zroot/usr is not mounted
-
dvl
Solved, I'm over in /.zfs/snapshot/autosnap_2025-03-10_13:00:00_hourly/usr/local/etc/radvd.conf.d now
-
dvl
^ discovered by checking 'zfs get mounted zroot/usr'
-
Demosthenex
ok, interesting. so i'm on a local network ipv4, outside hosts are sometimes reporting back ipv6. isn't there a way to make those reachable thru my ipv4 gateway w/o adding lots of ipv6 internally?
-
mzar
sure, you can add proxy for them
-
dvl
mzar: back on OpenVPN and going to try `dev ovpn0`
-
mzar
hello dvl
-
dvl
mzar: ovpn0 exists, and I've updated the openvpn config. However, I'm getting blocked by: Cannot open TUN/TAP dev /dev/ovpn0: No such file or directory (errno=2) - yes, there is no such device.
-
mzar
it will not work this way, it gets renamed into tun
-
dvl
oh does it?
-
mzar
you have to run it as root if you want to use DCO
-
dvl
I'm Ok with that
-
mzar
and only UDP transport is supported AFAIR
-
dvl
That's what I use
-
mzar
but it improves performance and saves CPU cycles a lot
-
dvl
My existing config used tun2 - I destroyed it already. I'll recreate.
-
dvl
mzar: So how does one tell OpenVPN to use DCO? I have both tun2 and ovpn0
-
dvl
I
-
dvl
I've been searching for docs, or examples, and what I have found is not clear.
-
pstef
does anyone use fsck_y_enable in rc.conf? Any ideas why this isn't on by default?
-
ivy
pstef: i use it on UFS VMs, i suspect it's not enabled by default because it could cause data loss (although in that case you've probably lost the data anyway, so...)
-
rtprio
pstef: i do, because a number of those systems don't have convenient consoles
-
pstef
thanks, that sounds reasonable
-
CrtxReavr
pstef, it's not enabled by default because the default is to do a background fsck if the initial preen is okay-ish.
-
CrtxReavr
(I faithfully set it everywhere though - call me a distrustful luddite.)
-
pstef
that's not what I'm seeing on current. I have a machine that's gotten stuck on interactive fsck once in the past and it's again not responding after a reboot
-
CrtxReavr
It's a VM/cloud instance?
-
pstef
it's a physical machine
-
CrtxReavr
Will it boot to single user?
-
pstef
I'll know when I go there (no remote access to serial)
-
CrtxReavr
Does it have fsck_y_enable set?
-
pstef
not yet
-
CrtxReavr
Is it one giant / volume, or is it properly partitioned & sliced like a proper system should be?
-
pstef
it's one microscopic / UFS partition which orbits a larger ZFS pool
-
CrtxReavr
Then I would guess it's sitting with a filesystem error on the console.
-
pstef
that's my guess, as well
-
CrtxReavr
But yeah - huge fan of:
-
CrtxReavr
fsck_y_enable="YES" # Set to YES to do fsck -y if the initial preen fails.
-
CrtxReavr
background_fsck="NO" # Attempt to run fsck in the background where possible.
-
CrtxReavr
clear_tmp_enable="YES" # Clear /tmp at startup.
-
pstef
are you sure background_fsck="NO" matches the comment?
-
LXGHTNXNG
it may've been changed to NO from YES, which sounds like it'd match the comment
-
CrtxReavr
That's straight out of:
-
CrtxReavr
-
CrtxReavr
YES is the default, per /etc/defaults/rc.conf
-
CrtxReavr
I tend to grep things out of that file and append to my rc.conf
-
mzar
dvl: you can only tell OpenVPN not to use DCO
-
dvl
mzar: Yes, via --disable-dco - so what I'm trying to do is get /dev/ovpn - so far, no device.
-
mzar
kernel module has to be loaded, network topology set to subnet, compression disabled, openvpn process run as root and you will have it
-
mzar
if you are using VPN for bulk transmission then DCO will make it faster
-
mzar
the interface will be renamed to tun, like here:
-
mzar
# ifconfig -g openvpn ->tun10
-
dvl
mzar: I don't know about this. I went from 71Mbit/sec to 114Mbit/sec ... I
-
dvl
I
-
dvl
-
mzar
try a few parallel transmissions with iperf, like -P 4
-
dvl
mzar: 133 Mbits/sec
-
dvl
mzar: also, this is over wifi.....
-
mzar
OpenVPN guys take care of us, one of the devs runs FreeBSD as his favourite OS, but kernel DCO module was written by kp@
-
dvl
Yeah, this is wonderful.
-
dvl
135 Mbits/sec with -p8
-
dvl
143 Mbits/sec with -P12 holy crap
-
mzar
so FreeBSD is definitely not neglected by OpenVPN guys, we had kernel DCO module earlier than Linux (talking about -RELEASEs available to wider audience)
-
dvl
Pretty fantastic.
-
dvl
umm, 160 Mbits/sec
-
mzar
kp@ did a nice job
-
dvl
This blog post will point that out.
-
ivy
135 Mb/s feels slow, unless that's limited by the network?
-
dvl
ivy: I'm on wifi..?
-
ivy
ah
-
dvl
I can fix that...
-
dvl
I feel I must do this over wired for a proper test. One of the individual streams got to 181 Mbits/sec
-
mzar
one important thing is to set "tun-mtu 1400" on server side
-
mzar
it will be pushed to clients
-
mzar
if both, client and server use DCO, then mssfix will not work
-
mzar
in my case reducing MTU for the tunnel device additionally increased network performance
-
mzar
but it was required to make tunnel with DCO working fine over IPv6 transport
-
mzar
probably IPv6 MTU discovery is broken between my home and work networks
-
dvl
First test after setting tun-mtu 1400 - same results as before: about 160 Mbits/sec. I'm about to move over to a wired connection next.
-
mzar
please let us know, in my case, over IPv6 transport it's: 100Mbps (without DCO) vs 400Mbps (DCO on server only) vs 800Mbps (DCO on both ends)
-
pstef
out of curiosity, what kind of transfer would you expect in the same situation but with wireguard instead of ovpn?
-
ivy
i get ~800Mbps Wireguard over the internet on fairly modest hardware (over a 1Gbps link)
-
ivy
[ 5] 0.00-10.01 sec 1.69 GBytes 1.45 Gbits/sec 804 sender
-
ivy
not sure what link speed that is, i thought it was 1Gbps but clearly not
-
mzar
pstef: line speed, the same like for OpenVPN + DCO
-
dvl
mzar / ivy: How does 220 Mbits/sec sound?
-
pstef
so I assume people choose ovpn over wireguard for reasons other than performance
-
ivy
dvl: still seems slow but hard to say without knowing more details (also i know very little about openvpn)
-
mzar
pstef: yes, that's true
-
ivy
pstef: openvpn has been around a lot longer, and it can do things like push config to clients (IP addresses etc)
-
dvl
ivy: It's a baby 4 ATOM CPU 1U
-
mzar
dvl: hm... it depends, how did it work without DCO?
-
ivy
openvpn is also a bit more flexible, like you can run it over TCP if you really want, and i think it can do layer 2 tunneling, while wireguard only does L3
-
dvl
mzar: Well, a single connection test was about 72Mbit/s, with DCO, was 114 Mbits.
-
mzar
when the OpenVPN session was terminated on such hardware, in my case running iperf tests from the machine connected to network behind this ATOM gateway was giving better results than terminating iperf session on the ATOM gateway
-
dvl
mzar: I'm on a 1GB connection I'm sure.
-
LXGHTNXNG
a bit offtopic, but y'all have connections fast enough to justify playing fast car music whenever you log onto the internet
-
dvl
mzar: That is what I'm doing. the iperf server is on a server in the basement, not the openvpn server. And I'm testing from my laptop in the living room
-
LXGHTNXNG
it's a bit fascinating
-
regis
Why would one use OpenVPN nowadays, when WireGuard is well-tested/proven/secure?
-
mzar
it looks like a decent setup for running tests dvl
-
dvl
The throughput seems to max out at 220 Mbits/sec
-
dvl
i.e. -P 65 and -P 80 were both 220Mb
-
LXGHTNXNG
regis: couple reasons: «it's what i know», functionality Wireguard can't do which OpenVPN can, and if you have customers who demand OVPN.
-
mzar
dvl: it could probably be improved
-
mzar
LXGHTNXNG: «it's what i know» is definitely not the reason
-
dvl
mzar: with network tuning etc you mean?
-
regis
LXGHTNXNG: kind question with no hate: what can't one do on WireGuard, and do on OpenVPN? I've worked with both and see no functionality decrease.
-
mzar
dvl: I don't know, I have one 8-core old ATOM, but it also gives me 800Mbps throughput when I terminate VPN session there
-
LXGHTNXNG
I have not thoroughly explored either option.
-
regis
LXGHTNXNG: you wrote "functionality Wireguard can't do which OpenVPN can"
-
LXGHTNXNG
OpenVPN has come in handy for me in the past, and I've actually never really played with WG.
-
LXGHTNXNG
I suppose that should be interpreted as a hypothetical.
-
dvl
mzar: What is your connection size? At home, I have 300Mbit, but that does not factor into my test.
-
LXGHTNXNG
now if you'll stop hounding me, I have more important things to do, and lots of coffee to drink
-
mzar
dvl: I see, it could really be a bottleneck
-
regis
LXGHTNXNG: I'm not "hounding you" but am simply curious about your statement "functionality Wireguard can't do which OpenVPN can"
-
LXGHTNXNG
lessons from the Internet coal mines: killfile early, killfile often
-
mzar
regis: both OpenVPN and WireGuard are great protocols
-
regis
mzar: Both are secure, as is the IKEv2+IPSEC setup. But nowadays you go for WireGuard and there's no need to use OpenVPN. I argued above that wg is somehow deficient in comparison.
-
pstef
I regret asking, I was just curious if there was any difference in performance between the two
-
regis
pstef: kernel module wg is the go-to if you need some crazy efficient network performance. But for a common user, all these solutions work.
-
pstef
I chose wg for myself personally, only because I can't get excited about networking and this was the simplest solution
-
mzar
regis: no worries, OpenVPN is still secure, safe, robust, and the devs are using FreeBSD, they test each commit against FreeBSD so your user experience will be 100% OK
-
CyberCr33p
hello
-
regis
mzar: I don't neglect OpenVPN in any way. I've replaced some shitty VPN protocols at some "VPN company". Introduced IKEv2+IPSEC, left OpenVPN and set up RADIUS for common login/password management. I don't hate OpenVPN. I simply say that it doesn't make sense nowadays :P
-
mzar
hm... sometimes customers require a few certain features
-
CyberCr33p
I switched from ports to pkg. I ran pkg upgrade and now if I run pkg autoremove it shows 45 packages to be removed but these packages are needed. Any idea why this happens?
-
mzar
CyberCr33p: it happens from time to time
-
CyberCr33p
mzar I used the same ports options
-
spork_css
Hi all - buying a few Supermicro servers and was curious if anyone can speak to how mature support for NVMe drives in hot-swap backplanes is in FreeBSD 13 or 14?
-
mzar
no worries, you can autoremove them and then install again
-
spork_css
I think those are called "U.2" drives?
-
dvl
CyberCr33p: `autoremove` will uninstall packages which were installed as dependencies. If whatever needed them is removed, then autoremove will remove them too. If you still need something, install it manually.
-
dvl
CyberCr33p: Perhaps the dependency options changed on something you installed from pkg.
-
CyberCr33p
it shows for "autoremove" a lot of php extensions. But /var/db/ports/lang_php83-extensions and the same on poudriere ports directory are exactly the same.
-
CyberCr33p
dvl I just noticed that I had options in /usr/local/etc/poudriere.d/142amd64 instead of /usr/local/etc/poudriere.d/142amd64-options or /usr/local/etc/poudriere.d/options , I will rename the directory and retry.
-
CyberCr33p
so they build with the default options
-
dvl
CyberCr33p: good luck!
-
CyberCr33p
99% I am sure this will fix the issue
-
CyberCr33p
:D