01:05:33 rwp: i found another pair of bug reports for a problem with the FreeBSD DNS stub resolver and there hasn't been any change in years despite a patch
01:05:55 the problem is you can use a link-local address as nameserver in resolv.conf
01:06:04 rtsold will correctly install the entry via resolvconf
01:06:44 but the DNS stub resolver will consider it invalid syntax for an IP address and ignore the line
01:07:52 the issue has even been brought up upstream on github by someone else
01:08:02 it happens *sigh*
01:17:19 Do you guys know if there are any differences between the 'wireguard-tools' package and the 'wireguard-go' package, other than one being written in go?
01:27:24 oh wait, it seems I might not even need to install either... I will now go RTFM
03:13:04 crest, It feels strange to be using a link-local address for a resolver when the loopback device is always available and more well used.
03:13:48 That's probably also why that has been languishing. Using a LL address is not really needed. It has a typically used alternative that is always available.
03:20:37 rwp: it kind of could make sense if configured on a per-interface basis... but taking into account some ISP routers using the fe:: pool for IPv6-only NAT64 mode setups for the router... link-local for a resolver doesn't sound as crazy...
03:33:13 I guess we don't know if that link-local address is an IPv6 fe02::/16 address or an IPv4 169.254.0.0/16 address. But either way it feels strange. Because using DNS to me implies that one is connected to the larger network.
03:34:02 But I could see someone arguing the point that a system could be set up and configured on an isolated LAN without connection to the larger network. And then, strange as that might seem, set up DNS locally.
03:34:35 I am imagining a small cluster on a dogsled radar mapping the land under the ice in Antarctica.
03:36:01 you don't even need to imagine that far. airgapped networks exist for e.g. classified work
03:36:27 as in, airgapped from the broader Internet
03:37:44 Oh sure. I have set up airgapped systems myself. But I always used 10.*/8 networking in that case with everything static because allowing dynamic addressing seemed counter to the security of a private LAN.
03:38:10 the ones I'm talking about still have DNS & DHCP and so forth
03:39:31 There is no problem setting up DNS on a private LAN with say a 10.*/8 network. And DHCP too for that matter but that seems to me to be counter to the philosophy there. But there isn't anything hard about it.
06:39:34 just wanted to drop by and say my recently rebuilt FreeBSD 15.0 desktop is a nice running machine! using a Gnome 47 desktop. Still on Xorg. Seems to be quite good at this moment.
09:47:51 nulltaz: the wireguard-go port is a WireGuard userspace implementation in Go
09:48:12 it uses a tun device as network interface
09:48:19 that makes it portable, but slow
09:48:35 wireguard-tools is the wg CLI tool
09:48:48 the wg command has been imported into FreeBSD base
09:49:08 and FreeBSD has its own in-kernel implementation
09:52:24 is wireguard possible to get running in a Jail? I've been successful with bhyve VMs, and regular proxmox VMs, etc. but yea... so far no go on a jail for me.
09:56:08 what part do you want in the jail? you can create a vnet jail and give it the wg interface for networking (I guess that is what you want to do)
09:57:21 oh, right. if you do it with vnet, yeah, it works. I just didn't want to use vnet - stability issues in the past, and usually need 2 NICs to prevent network 'blinking' on the host.
11:48:02 Laidback_01: yes if you use vnet jails
11:48:46 you could also have the host manage the wireguard interface and put alias addresses on it, but that's probably not what you're asking for
11:49:51 woo, just set up vnet jails with one person's method - creating an epair, bridging one end of the epair with another interface, passing the other end into the jail
11:50:15 epairs were new to me, maybe because I'd never heard of the exact thing from Linux-land
11:54:40 seems like the equivalent in linux would be veth
12:04:05 oh, yeah, that sounds right
13:15:35 Hey quick question. Since WireGuard support is included at the kernel level (wg interfaces), then what is the point of installing the wireguard-tools package?
13:16:20 nulltaz: This supplies the main userspace tooling for using and configuring WireGuard tunnels, including the wg(8) and wg-quick(8) utilities.
13:17:19 But I’m pretty sure I configured the wg interface and generated the keys without that package
13:17:43 and are you also able to connect without these?
13:18:01 then you don't need them, for me i couldn't use wg without these tools
13:18:18 esp. wg-quick makes it easier
13:19:46 wg-quick makes it easier if your setup matches what wg-quick assumes you want to do
13:20:34 i see, I'm not that experienced
13:20:46 I just followed the steps in the “Command-line interface” section of this page on the official WireGuard site (using ifconfig instead of ip for the first two steps)
13:20:48 https://www.wireguard.com/quickstart/
13:21:37 Seems like there’s barely any config. Generate keys on the client and server, and then set preferences on the wg interface using ‘wg setconf’
13:21:51 If it’s that simple, there’s no need for wireguard-tools?
13:22:01 I just can’t figure out what wireguard-tools is for lol
13:24:51 wireguard's included in the kernel? was this a recent change?
13:25:56 <[tj]> 2022?
13:26:53 wireguard's in the kernel?
13:27:10 like by default or you have to add it?
13:27:18 maybe I read https://news.ycombinator.com/item?id=33381949 and it served only to confuse me
13:27:50 i honestly think wireguard is useless since there are other protocols that do better
13:28:03 why'd you re-invent the wheel?
13:28:46 in my usage of it I've quite liked it
13:28:53 nulltaz: well, wg-quick combines those three commands, lets you have the IP in the config file and if you have the VPN for all connections then DNS= in the config sets resolvconf up correctly; if you don't match that expectation then the nameserver set there will be configured as the only nameserver for the system, so you would have to work with PostUp/PreDown
13:33:01 nimaje, ah, that makes sense. ty
13:39:26 scottpedia: do you have examples? especially something better at the performance goal of wireguard would be interesting
13:39:51 ipsec
13:40:12 how’s that better?
13:40:19 IPsec VTI interface via if_ipsec
13:40:34 SomeVisitor: ipsec can make use of hardware crypto acceleration
13:40:45 libreswan is built into the kernel so there is the performance increase
13:40:48 e.g. AES-GCM via AESNI and PMUL instructions
13:40:53 scottpedia: nope
13:41:02 ???
13:41:03 so does wireguard, or am I wrong, crest?
13:41:16 the ipsec kernel code isn't part of libreswan (at least on FreeBSD)
13:41:49 the interface between the IKE daemon (strongswan, libreswan, iked, whatever) and the kernel happens via PFKEYv2 on FreeBSD
13:42:11 maybe I used the wrong terminology but I think it's loaded into the kernel? or what?
13:42:13 SomeVisitor: no because wireguard uses a single ciphersuite that is hardcoded into the protocol
13:42:18 enlighten me then
13:42:39 for wireguard traffic encryption that's chacha20 + poly1305
13:42:49 chacha20 is a fast cipher for software crypto
13:42:51 cause I once asked if libreswan can be statically linked and compiled
13:43:01 and isn't terribly slow anywhere
13:43:16 they say it's possible but you'd lose all the performance bonus due to being out of the kernel
13:43:32 I pretty much max out my network speeds with wireguard without much cpu load
13:43:34 whereas AES-GCM can't be that fast in pure software if you want to protect against timing sidechannels
13:44:06 but on any x86 cpu released in the last ~15 years there are special instructions to make AES and GCM faster
13:44:47 ipsec because of its flexibility can make use of the exact cipher combination accelerated by common hardware features
13:44:49 ipsec is widely used across the industry
13:44:59 the crypto isn't specific to ipsec
13:45:14 often in peering between campus networks
13:45:38 most things are widely used before they become superseded ;)
13:45:41 the aesni + pmul instructions can be used for other protocols that use the same ciphers e.g. TLS or SSH
13:46:10 but wireguard has a single cipher written into the specification so it can't take advantage of these hardware features
13:46:47 if you use IPsec on FreeBSD there is a kernel datapath for it which daemons like strongswan can configure
13:46:50 it works like this
13:46:59 the daemon configures a policy
13:47:09 the kernel matches traffic against the policy
13:47:11 it’s easy to configure without the chance to shoot yourself in the foot. So it has its place, even if other software is more flexible I think
13:47:20 on a match the kernel checks if it has a session key to use
13:47:46 if not it buffers the packet and gives the daemon a chance to establish a new session
13:47:53 crest: it'd be great if you can walk me through this in detail. I couldn't seem to figure it out myself for a long time now.
13:48:12 the general idea is spelled out in the PFKEYv2 RFC
13:48:48 IPsec has a lot of really annoying historical baggage that you can't hide from if you use it
13:49:27 it was designed by a committee in the 90s
13:50:00 so everyone brought their own ideas and instead of selecting only the good ones they agreed to optionally put in a whole lot of duplicated crap
13:50:18 also back then many operating systems had fairly primitive network stacks
13:50:48 so the designers (ab-)used IPsec to force certain features into any network stack that wanted to call itself IPsec capable
13:51:33 e.g. the whole IPsec transport vs tunnel (vs virtual interface) mess
13:52:16 also they didn't really know how IPsec would be used
13:52:40 there was this confused notion of (opportunistic) traffic encryption
13:52:41 crest: any study resources to recommend?
13:53:08 »IPsec was a great disappointment to us.« (Ferguson, Schneier) [scnr]
13:53:21 good question. i don't have a single handy source to give you.
13:53:41 how'd you know so much? crest
13:53:41 some of it is in old mailing list archives, other parts are spread over a dozen books etc.
13:54:05 scottpedia: i had to make ipsec work when the only alternative was openvpn
13:54:14 okay?
13:54:16 and by make work i mean between different implementations
13:54:26 that sounds like how you deal with AWS VPC
13:54:36 which I worked with in peering
13:54:43 kind of hard to deal with
13:54:54 that's easy because you have a single well known peer configuration 1000s of people used before you
13:55:15 okay
13:55:19 also the still actively used stuff is just a small subset of the crap that used to exist in the wild
13:55:38 what do you think of libreswan?
13:55:53 if i have to use ipsec on freebsd i normally use strongswan
13:56:12 what's the main difference
13:56:15 and before that i used racoon *shudder*
13:56:39 i can't tell you because i never had reason to give libreswan a chance
13:56:47 iirc one is a fork of the other
13:56:56 okay alright
13:57:16 'd be great if I can consult you in the future regarding any ipsec-related questions crest
13:57:29 you seem to be extra-knowledgeable
13:58:17 scottpedia: you can try, but my recommendation for new deployments would be to use WireGuard unless you know why you need IPsec
13:59:02 ok thx for the advice
13:59:08 it's duly noted
13:59:31 and if you need something with easy to manage clients maybe give openvpn a chance, because they have added data channel offloading on FreeBSD 14 and recent Linux versions
13:59:59 which does what the name implies: offload the traffic into the kernel for supported configurations
14:00:10 okay. i always used openvpn to connect to a VPS's subnet for raw console access
14:00:19 it does not change the traffic so the peer doesn't know the difference
14:00:25 it seems to be more widely adopted by the industry lately
14:00:49 iirc OpenVPN DCO only supports uncompressed Layer 3 client-server mode
14:01:07 okay
14:01:35 but for stuff like IPMI access WireGuard is more than fast enough
14:01:48 okay
14:02:00 it feels like a new player so i had to be cautious
14:02:12 a product of the 2020s
14:02:22 it's fairly new, but it took advantage of decades of other people's mistakes
14:02:44 to learn what a vpn needs to be and only add what is easy to add
14:02:56 okay that sounds reassuring
14:03:29 anyways gotta go. it's great talking to you.
14:03:40 e.g. a formally verified handshake protocol instead of hacking some custom crypto
14:04:04 the slightly slower crypto is also one that is fast enough on every imaginable CPU
14:04:16 so it doesn't depend on special hardware to get good performance
14:04:40 at the cost of not getting the very best performance if you have special hardware available
14:05:05 the real user-visible difference is how many fewer settings there are
14:05:18 a wireguard configuration is normally ~10 lines
14:05:43 while an ipsec configuration can easily grow to 100 lines
14:06:31 plus dealing with an X.509 PKI to solve problems >98% of the users won't have
14:07:01 with users defined as the poor bloke that has to make it work
14:30:58 as we are on the topic of vpns, I try to configure openvpn to start a jail with the tun device it creates and manage it via scripts (that part works), but on the server side (which I don't control) are multiple servers that push me stuff like IP, gateway and DNS configuration, my problem is that on reconnects sometimes openvpn decides that it has to destroy the tun device for some reason (my guess is the pushed IP Address changed), I already set persist-tun ifconfig-noexec and route-noexec, but they don't seem to help, any ideas how to fix that?
14:45:43 hm, maybe I can use another script around openvpn with --mktun and --rmtun to work around it, but I still have no idea why openvpn thinks it has to recreate the tun device
15:00:45 ls
16:10:03 . ..
16:30:39 ls ..
16:39:13 . ..
21:44:02 I have a somewhat dated rhat8 box. . . and I need unison installed on it, for which there does seem to be a package.
21:44:31 So I downloaded the latest tarball, un-tar'd it and ran make.
21:46:41 First it bitched because there was no ocaml installed. . . so I installed the ocaml.x86_64 v4.07.0-3.el8 package and re-ran make: https://bpa.st/P7TQ
21:46:51 Any ideas on how to proceed?
22:10:51 FreeBSD 15... typing "pkg" can't find a suitable version to install the pkg program on the system...?
23:06:24 good day #freebsd
23:06:29 !inspire
23:06:31 The mind that turns ever outward Will have no end to craving. Only the mind turned inward Will find a still-point of peace. -Ming-Dao Deng [https://zenquotes.io/]
23:07:10 is there a supported method to create 13.x compatible zpools in freebsd 14.x and 15.x?
23:24:43 zerotime: Yes. Look at the -o compatibility= options.
23:25:02 zerotime: In particular look in /usr/share/zfs/compatibility.d/
23:25:46 I use, for instance, openzfs-2.2 as it covers all my systems here, FreeBSD and Linux. I'll nudge it up when possible.
23:34:07 so what's the requirements for a poudriere build jail
23:34:12 which is created by poudriere
23:34:34 say if I make installworld to create a jail from src, how does this differ from poudriere?
23:35:39 i assume /usr/ports is a requirement within the poudriere jail too