Switching to the new in-kernel WireGuard module was easy (on Fedora 31)

May 20, 2020

One of the quietly exciting bits of recent kernel news for me is that WireGuard is now built in to the Linux kernel from kernel 5.6 onward. I've been using a private WireGuard tunnel on my Fedora machines for several years now, but it's been through the additional COPR repository with an additional DKMS based kernel module package, wireguard-dkms. Among other things, this contributed to my multi-step process fo updating Fedora kernels.

When I first updated to a Fedora 5.6 kernel, I wondered if I was going to have to manually use DKMS to remove the DKMS installed WireGuard module in favour of the one from the kernel itself. As it turned out, I didn't have to do anything; current versions of the COPR wireguard-dkms package have a dkms.conf that tells DKMS not to build the module on 5.6+ kernels. Updating to a 5.6 kernel got me a warning from DKMS that the WireGuard DKMS couldn't build on this kernel, but that was actually good news. After a reboot, my WireGuard tunnel was back up just like normal. As far as I can tell there is no difference in operation between the DKMS WireGuard version and the now in-kernel version except that I have one fewer DKMS module to rebuild on kernel updates.

(The one precaution I took with the COPR wireguard-dkms package was to not install any further updates to it once I'd updated to a 5.6 kernel, because that was the easiest way to keep a WireGuard module in my last 5.5 kernel in case I wanted to fall back.)

After I'd gone through enough 5.6.x Fedora kernel updates to be sure that I wasn't going back to a 5.5 kernel that would need a WireGuard DKMS, I removed the WireGuard DKMS package with 'dnf remove wireguard-dkms'. Then I let things sit until today, when I did two more cleanup steps; I disabled the WireGuard COPR repository and switched over to the official Fedora package for WireGuard tools with 'dnf distro-sync wireguard-tools'. Somewhat to my surprise, this actually installed an updated version (going from 1.0.20200102 to 1.0.20200319).

(I believe that dnf hadn't previously recognized this as an upgrade because of a difference in RPM epoch number between the two package sources. This may be deliberate so that COPR packages override regular Fedora packages at all times.)

PS: Now that WireGuard is an official part of the Fedora kernel, I feel that I should do something to set up a WireGuard VPN on my work laptop. Unfortunately this really needs a WireGuard VPN server (or touchdown point) of some sort at work. We don't currently have one and the state of the world makes it unlikely we'll deploy one in the near future, even for private sysadmin use.

Written on 20 May 2020.
« Reading the POSIX standard for Unix functions is not straightforward
How I work on Python 2 and Python 3 with the Python Language Server (in GNU Emacs) »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed May 20 00:30:30 2020
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.