config: add amnezia-kmod, amnezia-tools, amneziawg-go to packages #504
phprus wants to merge 1 commit into opnsense:master from

Conversation
At first glance, as already mentioned in the forum, we don't need another one alongside NetBird and Tailscale. Someone asked to build a plugin for xray-core lately too. I'm also not enthusiastic about another kernel-level solution. Cheers,
Thank you for your reply! Tailscale and NetBird use WireGuard, which is successfully blocked by DPI. Xray is already included in OPNsense, but Amnezia, unfortunately, is not included.
I see the benefit of it, and we've welcomed such things in the past, such as v2ray/xray, OpenVPN XOR, SoftEther, etc. All of them had their problems with inclusion, adoption and long-term maintenance. WireGuard made the scene much more complicated for mostly the right reasons, but now all descendant projects with the best intentions need to drag a behemoth through each OS and distribution stack, which makes plugin work even more complicated than it ever was, while at the same time being a commercial driver for whoever started such a project. Perhaps we should make a survey in the forum about inclusion and tie some conditions to it, but I'm also not very interested in reviewing another large PR for a new VPN plugin. The biggest issue is that we can't take things back easily after realising this wasn't the best thing to do. Cheers,
New plugin or new packages from ports? Plugins for Amnezia, xray, etc. may live in separate repositories outside of opnsense/plugins. I would suggest only adding packages from FreeBSD ports.

Before creating this PR, I spent several days attempting to automate the build of the above ports using poudriere, but I encountered difficulties creating jails. The archives and the manually created src.txz seem insufficient, as they lack the OPNsense code itself and its repository settings. Poudriere also rebuilds dependencies that already exist in the OPNsense repository. Furthermore, even the existing archives don't contain the latest version, which can complicate the build. Having a jail archive for poudriere for current OPNsense versions would make it easier to build additional ports independently. Then this (and similar) PRs would be unnecessary.
Is there a known way to create a full-featured jail for poudriere? The instructions at https://forum.opnsense.org/index.php?topic=21739.0 use archives that do not contain the OPNsense repository settings.
I think the reverse is true. You're also asking to provide this in the OPNsense packages for the foreseeable future, including the complications and expertise of getting it to compile and distributing it through mirror maintainers. I just think it's a lot to ask. Mind you, this is not a 10000-lines-of-code, no-dependency plugin that builds in 10 seconds and distributes as a 2 kB package file. Cheers,
I apologize for my bad English.

Building the plugin, not writing its code. Building the plugin package is simple: But building a FreeBSD port with its dependencies into packages is not a simple process. I am not asking you to distribute plugins through the OPNsense infrastructure. I don't ask them to review or add to This can also be difficult for OPNsense, and that's why I'm asking for help in creating an environment in which third-party developers can do all this themselves: help in creating a poudriere jail for OPNsense.
It would be better to wrap WireGuard inside something that is independent from it, like wstunnel: https://github.com/erebe/wstunnel. Everything that alters and ships WireGuard directly is very inflexible and becomes technical debt once DPIs get the hang of it too (static targets are prone to fingerprinting). The more widespread and mainstream such an obfuscation technique becomes, the more likely it will be blocked as well in time. Better to be able to change the technique independently from the tunneling protocol in the long run. Also, wstunnel seems to be sponsored by an NL company.
Wstunnel is not a VPN protocol, it is a proxy.
wstunnel is a dedicated obfuscation tool with multiple ways to mask your traffic. It can wrap around any VPN protocol. Your point is moot. AmneziaWG also needs both sides supporting it, just like any proxy and obfuscation tool. What you probably wanted to say is "I want the simplest, most streamlined setup with the least work for me in the future." Who is expected to carry the long-term cost? Decoupling layers has always been better in the long term.
Additionally, I would give this a read: https://reviews.freebsd.org/D51239?id=158287. Jason (the author of WireGuard) essentially says the same thing: transport and obfuscation belong on a different, faster-moving layer than the kernel. Essentially all the proxies that exist are the correct layer for this, and welding something onto a VPN protocol does not have the velocity or flexibility to avoid DPI detection long term.
wstunnel is a great solution, but it uses TCP.
I haven't used wstunnel yet, but the GitHub page shows how to use UDP.
OPNsense currently has a xray-core (#378) package for traffic obfuscation, but without a plugin for the web interface. I propose to add support for the Amnezia VPN (https://docs.amnezia.org/documentation/amnezia-wg/) protocol in OPNsense.

There are two open source plugins for managing Amnezia connections for OPNsense:

Adding net/amnezia-kmod, net/amnezia-tools, net/amneziawg-go packages to the OPNsense repository will make it easier to use these plugins.

amnezia-kmod - kernel module for the Amnezia protocol (version 1.0 and 1.5, and partial support of 2.0).
amnezia-tools - userspace tooling for using and configuring Amnezia tunnels.
amneziawg-go - userspace protocol implementation from the Amnezia team (https://github.com/amnezia-vpn/amneziawg-go/).

@fichtner, please review this PR, thank you.